ISO 9001:2015 – Newsletter – Issue 84

Issue 84 – “Risk”, what’s the big deal?

ISO 9001:2015…

“Risk”, what’s the big deal?

I appreciate receiving emails with questions and/or comments from readers of this Newsletter… please continue to do so since it provides me with direction on where to aim the content of these publications.  In my last Newsletter (ISO 9001:2015 Newsletter Issue 83) we discussed the topic of  “Company Spotlight:  Armour Valve, Toronto, Ontario, Canada”, and now in this Newsletter we will discuss “Risk, what’s the big deal?“.

The ISO 9001 Element numbering…

Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement

Clause 6.1  Actions to address risks and opportunities consists of two (2) Sub-Clauses as listed below:

6.1.1  [no title]  When planning for the quality management system…

6.1.2  [no title]  The organization shall plan…

Sub-Clause 6.1.1  – This sub-clause asks you to refer back to the issues in Clause 4.1 (Understanding the Organization and its Context) and the requirements in Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) as part of your “planning” process, and then continues on to explain why you need to address risks and opportunities, in sub-clause 6.1.1 parts [a] through [d].

Let’s take a moment and talk about “risk”… I continue to hear ongoing discussions (lots and lots of discussions) in online forums, and elsewhere, debating the terms “risk” and “risk-based thinking”, what theses words mean, and what can be shown to an auditor as objective evidence.

Let’s begin with some words taken DIRECTLY from the ISO 9001:2015 Standard…

From Annex A.4:
“One of the key purposes of a quality management system is to act as a preventive tool.  Consequently, this International Standard does not have a separate clause or subclause on preventive action.  The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management system requirements.”

“Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process.  Organizations can decide whether or not to develop a more extensive risk management methodology than is required by the ISO 9001:2015 International Standard, e.g. through the application of other guidance or standards.”

“Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations.  Under the requirements of 6.1 the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.”

The above paragraphs come directly from the ISO 9001:2015 document… it’s their words, not mine… I’ve simply bolded some phrases to bring attention to the message being sent… that being said, it is completely up to each individual organization on how THEY decide to address risks & opportunities for THEIR business.

Also, here are some additional facts derived directly from the ISO 9001:2015 Standard…
Other than Clause 5.1.1 d), there are NO other “shall” requirements for risk-based thinking in the entire ISO 9001:2015 Standard.  Not one other “shall”… period… and Clause 5.1.1 d) simply asks top management to promote the use of risk-based thinking… that’s it… “promote the use”… and NO documented information is required.

Let me continue…
The single word “risk” (not risk-based thinking) shows up in only eight (8) sentences as a requirement within ISO 9001:2015, but NOT ONE of these 8 sentences ask for “documented information”, NOT ONE, which means verbal-only evidence will have to be acceptable to an auditor.
NOTE – These 8 sentences can be found in the following sub-clauses: 4.4.1 f); 5.1.2 b); 6.1.1; 6.1.2 a); 6.1.2-last sentence; 9.1.3 e); 9.3.2 e); 10.2.1 e)

Let me summarize then by saying that this new ISO 9001:2015 Standard has eliminated the Preventive Action clause and replaced it with a concept called “risk-based thinking”.  I say “concept” because there is no teeth to it, no requirements exist other than to promote the concept within the organization, and no requirement to show documented proof that you have implemented “risk-based thinking” (even the old Preventive Action clause required a controlled record to be kept!).

As a long time ISO 9001 Auditor, I fully recognize the predicament this places the Auditor in, and two words come to mind, “flexible” and “open-minded”, because that’s what it will take to assess whether an organization has complied with these weak “risk” requirements.

As a consultant I’ve worked with a number of my Clients on addressing “risk”, and my advice is to begin by understanding how your organization currently deals with risks and opportunities, as an ongoing business issue (i.e. business or strategic planning).  Resist the urge to implement some new process or activity since it will likely not last if the business process owners don’t see inherent value in doing it, year after year, after year.  If your organization has weak business planning practices then look to your existing Quality Management System (QMS) since it primarily functions as a “risk” mitigating tool.  Keep in mind that your current QMS also has ways of uncovering “opportunities” as well.

I recommend that once you’ve decided how you will address the terms “risk”, “risk-based thinking” and “opportunities”, then document your interpretation of these words within your Quality Manual.  This is a good way to guide the Auditor (Internal or External) on how your organization has chosen to address these topics, and doing so should help prevent future disputes during audits of your QMS.

Sub-Clause 6.1.2  – This sub-clause asks you to [a] “plan” actions for risks & opportunities, and [b] “plan” how you will weave these actions into your QMS (and then “plan” how to check whether these actions worked).  They finish off in the last sentence reminding you that it is completely your decision on how big or how small these actions will be.

Depending on what you discovered when you investigated how your business currently handles risks and opportunities (as I discussed above), this will dictate how you address the requirements within sub-clause 6.1.2.  If you have a Strategic Plan, or a Business Plan, and/or a SWOT Analysis (ISO 9001:2015 Newsletter Issue 4), then make reference to that activity within your Quality Manual.  Otherwise, follow my advice above and USE YOUR EXISTING QMS as your risk & opportunity tool.  Brainstorm a list of EXISTING methods/processes that address RISK, and then create another list that addresses OPPORTUNITIES.  Make sure that whatever you mention (such as Internal Audits) is already referenced somewhere in your current QMS; that the method causes “actions” to be taken; and that the method/actions are evaluated for effectiveness.  Once these two lists (Risks; Opportunities) are completed, simply insert them into your Quality Manual and point to them any time an Auditor mentions the words “risks & opportunities”!

Finally, within the ISO 9001:2015 Standard they’ve also added a couple of “NOTES” at the end which attempt to clarify the words in this Clause, and although they are nice sounding words, they don’t really help much… and remember that a “NOTE” is not a requirement within the ISO 9001:2015 Standard.