Risk Identification and Risk Assessment for any Process - Is it necessary?

morteza

Trusted Information Resource
Dear all

I asked my question (whether it is necessary to identify and assess risks for any QMS processes) in another thread, but I could not receive a clear answer.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. emergence of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (e.g. reduction of product price for the mentioned risk). These actions shall be implemented through QMS processes (reduction of waste in the production process, providing raw material at a lower price through the supply process, etc.), as referred to in clause 6.1.2 and stated in clause 4.4.1 f).

So, I think ISO 9001:2015 does not require determining risks and opportunities for any process. It requires determining risks that affect organizational objectives, planning treatment actions, and implementing them through processes.

Is it right?
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Risk identification and risk assessment for any process. Is it necessary?

I asked my question (whether it is necessary to identify and assess risks for any QMS processes) in another thread, but I could not receive a clear answer.
You can ask the question 2 million times and get conflicting, unclear, misleading answers. Because the standard writers failed to deliver a clearly written, auditable requirement, people will have wide-ranging views of "RBT". Even worse, the "clarification" documents are also inconclusive and non-pragmatic.

People here will offer opinions, some more educated than others. At the end of the day, you will have to determine YOUR interpretation and move forward. If you are being audited and your auditor does not agree with your interpretation, you must demand to know which requirement is not being complied with.
 

Tyler C

Are you currently certified to ISO 9001:2008? If so, what do you do for Preventive Action? If you look at Annex A (A.4), it talks a little about RBT.

It goes on to say that RBT has always been implicit in previous editions of the standard. They say the key purpose of a QMS is to act as a preventive tool, and the concept of Preventive Actions is expressed through the use of RBT. They say this gives it better flexibility, and to Sidney's point, I think that is why they left it so vague.

From Annex A, "Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process..." "...the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks."

I would suggest reading A.4, then going to your registrar and asking for guidance documentation from them. If they can't provide this, listen to Sidney and determine it yourself, for your organization. To help you with this, look at how you handle Preventive Actions and adapt it as you see necessary. Whether it needs to be as deep as every single individual process, or otherwise, is up to you.
 

John Broomfield

Leader
Super Moderator
So, I think ISO 9001:2015 does not require determining risks and opportunities for any process. It requires determining risks that affect organizational objectives, planning treatment actions, and implementing them through processes.

Is it right?

I agree with your interpretation.

As always, put nothing in your management system to pass an audit.

For your colleagues to enthusiastically use and improve their management system it must help them to fulfill the organization's mission and their contributory objectives.

Given this, your colleagues will defend their management system in explaining how it assures quality while helping them to address the risks when planning and realizing opportunities.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Dear all

I asked my question (whether it is necessary to identify and assess risks for any QMS processes) in another thread, but I could not receive a clear answer.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. emergence of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (e.g. reduction of product price for the mentioned risk). These actions shall be implemented through QMS processes (reduction of waste in the production process, providing raw material at a lower price through the supply process, etc.), as referred to in clause 6.1.2 and stated in clause 4.4.1 f).

So, I think ISO 9001:2015 does not require determining risks and opportunities for any process. It requires determining risks that affect organizational objectives, planning treatment actions, and implementing them through processes.

Is it right?
I am sorry you did not get a satisfactory answer on the first try.

While it is true that the standard did not very specifically define where and how to identify risks, the ISO 9001 Technical Committee's ISO TC/176/SC2 Home Page does include a guidance document on risk that says risks are inherent in processes as well as having an effect on objectives. Risk is defined as the effect of uncertainty.

Because of the confusion, the ISO 9001 Auditing Practices Group published guidance documents, including one on Risk Based Thinking. It includes a number of ways to accomplish it and demonstrate it for audit purposes.

I hope this helps!

 

morteza

Trusted Information Resource
Hi Jen

I read all the mentioned documents, but really it is not possible to conclude that doing risk assessment or risk management for any process (such as purchasing, communication, tool management, etc.) is a requirement of the ISO 9001 standard.
But some experts believe that it is a requirement.

I am searching and asking for the correct interpretation.
 

rkk2014

Risk assessment for other processes, or I feel for every process, is possible. Since the standard has not specified any specific guideline for risk analysis, make your own logical guidelines and do the analysis.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Hi Jen

I read all the mentioned documents, but really it is not possible to conclude that doing risk assessment or risk management for any process (such as purchasing, communication, tool management, etc.) is a requirement of the ISO 9001 standard.
But some experts believe that it is a requirement.

I am searching and asking for the correct interpretation.
First, let us understand risk means effect of uncertainty. There is an idea that "risk management" is required for all processes, but those documents did not say that. We can identify and understand risk, accept it or avoid it, and maybe eliminate it if we find that to be important. But a formal program for that is not needed.

I have a sense you are already doing risk based thinking.

Let us look at Purchasing.

1) Do you audit any suppliers? If so, why? Would that be to reduce the risk of not understanding their practices or capability?

2) Or, do you favor suppliers having ISO certification? If so, why? Is it enough to presume the certification process is sufficient to ensure controlled processes are in place?

We make choices based on risk. Sometimes we find we need to change our minds; so be it.

I would not list Communication as a process. That said, there is always a risk we are not effectively communicating; we might decide an alternative method is better. I also wonder if Tool Management is a process or is it a subprocess of Maintenance or Production. That said, is there a chance of tooling becoming damaged from handling? Or is there a chance of it being misplaced? How do you store your tooling to prevent damage or loss? This is risk based thinking too.

None of these things require documentation under 6.1, but supplier control is covered in 8.4. That said, Management Review inputs do include a review of the effectiveness of actions taken to reduce risk. That does not require a formal program. Kaizen events could work, as could reviews of 5S projects, and so much more. Just please do not make it too complex.
 

morteza

Trusted Information Resource
First, let us understand risk means effect of uncertainty. There is an idea that "risk management" is required for all processes, but those documents did not say that. We can identify and understand risk, accept it or avoid it, and maybe eliminate it if we find that to be important. But a formal program for that is not needed.

I have a sense you are already doing risk based thinking.

Let us look at Purchasing.

1) Do you audit any suppliers? If so, why? Would that be to reduce the risk of not understanding their practices or capability?

2) Or, do you favor suppliers having ISO certification? If so, why? Is it enough to presume the certification process is sufficient to ensure controlled processes are in place?

We make choices based on risk. Sometimes we find we need to change our minds; so be it.

I would not list Communication as a process. That said, there is always a risk we are not effectively communicating; we might decide an alternative method is better. I also wonder if Tool Management is a process or is it a subprocess of Maintenance or Production. That said, is there a chance of tooling becoming damaged from handling? Or is there a chance of it being misplaced? How do you store your tooling to prevent damage or loss? This is risk based thinking too.

None of these things require documentation under 6.1, but supplier control is covered in 8.4. That said, Management Review inputs do include a review of the effectiveness of actions taken to reduce risk. That does not require a formal program. Kaizen events could work, as could reviews of 5S projects, and so much more. Just please do not make it too complex.

Hi Jen

Thanks for your detailed explanation.
As you mentioned, we take some actions in our processes based on risk consideration, such as supplier assessment in the purchasing process.

We provided a detailed risk assessment (through a risk assessment form) on our quality objectives and documented it. In this assessment we defined some actions for addressing risks, which should be implemented through processes and projects. We did not do such an assessment for processes. One auditor told us that it is an ISO 9001 requirement to do risk assessment for process objectives, although it is not necessary to document it. Truly, we did not do such an assessment for processes.

So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes? I know that we usually do risk assessment in some ways.
 

Marc

Fully vaccinated are you?
Leader
I think Jen is saying that you already do it, but can you explain how to an auditor?

I'm not really into ISO 9001:2015 but when reading about this stuff when I did implementations the biggest part was usually explaining to someone in a company how they were already, in most things, doing what the standard required. I would say you are doing this and this is what the standard requires. We usually did a cross-matrix to the clause in the standard to their process(es) and procedures which fulfilled the requirement of the standard. Key was the person in the company who could speak with the auditor about the requirements of the standard.

I would do the same today - In the case of Risk Based Thinking I would have a list of things, such as aspects Jen mentioned in her post so that when the auditor wanted to discuss compliance, you can say "We do this, and we do this, and we do this".

I do feel that the 2015 version is - Well, Sidney has made quite a few posts in which he for all intents and purposes has said that this version is poorly written (to say the least). From what I have read I agree. Then again, it is being audited to and auditors are asking questions. Think about what questions auditors are asking.

If it was me, I'd do a lead auditor course (again). I did my first one in 1994. I think I did it again in 1998. I did an "update" again for the 2000 version and I did a "transition" course for the 2000 version. These are a few of them: https://elsmar.com/Certificates-Marc_T_Smith/ It's a tough week, but part of what you learn is what questions to ask and expected/acceptable responses. Afterward, you should be able to come back and use that to audit your company. That, in turn, prepares you.

And of course the internet has expanded so much and these days there is so much written about things like RBT that there are a lot of discussions about it. I agree with Jennifer in that many people are over thinking it and making it seem more complex than it is.

As to
So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes?
you are doing it is my bet. In some areas you're documenting the risk analysis you do and in others it may not be documented, but you're doing it. Jen has started you out with a few examples. Now, make up a list of all the examples you can think of. If it was me I'd probably have a list of departments and processes and such, and list some of the things your company does in each. With that you will be ready to discuss with the auditor how you comply, the things you do. My bet is once you start listing things you do to address risk in various parts of the company's business systems, you'll see and be able to talk about what your company does to address risk.

Like I say - The internet is vast these days and there are tons of articles and such you can read to help you think about RBT and how it is being audited. An example: http://rube.asq.org/audit/2015/01/a-risk-based-thinking-model-for-iso-9001-2015.pdf

and https://www.qualitydigest.com/inside/risk-management-column/030216-what-risk-based-thinking.html

NQA also has a decent write-up: https://www.nqa.com/en-us/resources/blog/july-2016/risk-based-thinking - Note where they say
Understand the standards. You need to correctly interpret the terminology applied to ISO management systems. Risk is not always stated explicitly in each ISO standard. Terms like “suitable” and “appropriate” will often imply that you need to demonstrate a balanced approach towards risk based thinking.
which is what I am referring to above in this post and why I suggest there is value in a lead auditor course.

I will say that what they are calling RBT has been part of most of the companies I have actually worked in going back to the 1980s. I have worked in aerospace, automotive, and explosives to name a few. At one time I had an entire wall in my garage that had shelves filled with training and information materials, such as Hazardous Operations and Process Design in Explosives Manufacturing. I was doing FMEAs, or variants of risk analysis, years ago.

Anyway - Just a few thoughts, and my Thanks to Jennifer for her posts on RBT in this thread and in others here.
 