ISO 9001:2015 – Newsletter – Issue 84


 

 

Issue 84 – “Risk”, what’s the big deal?

 


 

I appreciate receiving emails with questions and/or comments from readers of this Newsletter… please continue to do so since it provides me with direction on where to aim the content of these publications. In my last Newsletter (ISO 9001:2015 Newsletter Issue 83) we discussed the topic of “Company Spotlight: Armour Valve, Toronto, Ontario, Canada”, and now in this Newsletter we will discuss “Risk, what’s the big deal?”.

 

The ISO 9001 Element numbering…

Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement

 

Clause 6.1  Actions to address risks and opportunities consists of two (2) Sub-Clauses as listed below:

6.1.1  [no title]  When planning for the quality management system…

6.1.2  [no title]  The organization shall plan…

 

Sub-Clause 6.1.1  – This sub-clause asks you to refer back to the issues in Clause 4.1 (Understanding the Organization and its Context) and the requirements in Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) as part of your “planning” process, and then continues on to explain why you need to address risks and opportunities, in sub-clause 6.1.1 parts [a] through [d].

Let’s take a moment and talk about “risk”… I continue to hear ongoing discussions (lots and lots of discussions) in online forums, and elsewhere, debating the terms “risk” and “risk-based thinking”, what these words mean, and what can be shown to an auditor as objective evidence.

 

Let’s begin with some words taken DIRECTLY from the ISO 9001:2015 Standard…

From Annex A.4:
“One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management system requirements.”

“Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by the ISO 9001:2015 International Standard, e.g. through the application of other guidance or standards.”

“Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1 the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.”

 

The above paragraphs come directly from the ISO 9001:2015 document… it’s their words, not mine… I’ve simply bolded some phrases to bring attention to the message being sent… that being said, it is completely up to each individual organization on how THEY decide to address risks & opportunities for THEIR business.

 

Also, here are some additional facts derived directly from the ISO 9001:2015 Standard…
Other than Clause 5.1.1 d), there are NO other “shall” requirements for risk-based thinking in the entire ISO 9001:2015 Standard.  Not one other “shall”… period… and Clause 5.1.1 d) simply asks top management to promote the use of risk-based thinking… that’s it… “promote the use”… and NO documented information is required.

 

Let me continue…
The single word “risk” (not risk-based thinking) shows up in only eight (8) sentences as a requirement within ISO 9001:2015, but NOT ONE of these 8 sentences asks for “documented information”, NOT ONE, which means verbal-only evidence will have to be acceptable to an auditor.
NOTE – These 8 sentences can be found in the following sub-clauses: 4.4.1 f); 5.1.2 b); 6.1.1; 6.1.2 a); 6.1.2-last sentence; 9.1.3 e); 9.3.2 e); 10.2.1 e)

 

Let me summarize then by saying that this new ISO 9001:2015 Standard has eliminated the Preventive Action clause and replaced it with a concept called “risk-based thinking”.  I say “concept” because there are no teeth to it, no requirements exist other than to promote the concept within the organization, and no requirement to show documented proof that you have implemented “risk-based thinking” (even the old Preventive Action clause required a controlled record to be kept!).

As a long-time ISO 9001 Auditor, I fully recognize the predicament this places the Auditor in, and two words come to mind, “flexible” and “open-minded”, because that’s what it will take to assess whether an organization has complied with these weak “risk” requirements.

As a consultant I’ve worked with a number of my Clients on addressing “risk”, and my advice is to begin by understanding how your organization currently deals with risks and opportunities, as an ongoing business issue (i.e. business or strategic planning).  Resist the urge to implement some new process or activity since it will likely not last if the business process owners don’t see inherent value in doing it, year after year, after year.  If your organization has weak business planning practices then look to your existing Quality Management System (QMS) since it primarily functions as a “risk” mitigating tool.  Keep in mind that your current QMS also has ways of uncovering “opportunities” as well.

I recommend that once you’ve decided how you will address the terms “risk”, “risk-based thinking” and “opportunities”, then document your interpretation of these words within your Quality Manual.  This is a good way to guide the Auditor (Internal or External) on how your organization has chosen to address these topics, and doing so should help prevent future disputes during audits of your QMS.

 

Sub-Clause 6.1.2  – This sub-clause asks you to [a] “plan” actions for risks & opportunities, and [b] “plan” how you will weave these actions into your QMS (and then “plan” how to check whether these actions worked).  They finish off in the last sentence reminding you that it is completely your decision on how big or how small these actions will be.

Depending on what you discovered when you investigated how your business currently handles risks and opportunities (as I discussed above), this will dictate how you address the requirements within sub-clause 6.1.2.  If you have a Strategic Plan, or a Business Plan, and/or a SWOT Analysis (ISO 9001:2015 Newsletter Issue 4), then make reference to that activity within your Quality Manual.  Otherwise, follow my advice above and USE YOUR EXISTING QMS as your risk & opportunity tool.  Brainstorm a list of EXISTING methods/processes that address RISK, and then create another list that addresses OPPORTUNITIES.  Make sure that whatever you mention (such as Internal Audits) is already referenced somewhere in your current QMS; that the method causes “actions” to be taken; and that the method/actions are evaluated for effectiveness.  Once these two lists (Risks; Opportunities) are completed, simply insert them into your Quality Manual and point to them any time an Auditor mentions the words “risks & opportunities”!

Finally, within the ISO 9001:2015 Standard they’ve also added a couple of “NOTES” at the end which attempt to clarify the words in this Clause, and although they are nice sounding words, they don’t really help much… and remember that a “NOTE” is not a requirement within the ISO 9001:2015 Standard.

 

Be sure to watch for our next Newsletter issue where I will be answering some of the questions that I get from Readers of my Newsletters about how to implement the requirements of ISO 9001:2015 in a specific and practical way, that will also help improve business performance…

 


 


 

Until next time…

Tim Renaud

www.isosupport.com

Helping Business Professionals Reduce Risk and Remove Waste!