How the addition of "Risk" will affect ISO 9001:2015 - Page 3
Post Number #17
12th September 2014, 03:47 AM
pldey42
Re: How the addition of "Risk" will affect ISO 9001:2015

I think the inclusion of "risk" will bring quality into the real world - where in many cases it has always been.

For example, many organizations use FMEA to identify and mitigate the risks in their designs. Supply chain management, too, is often risk-based; insisting on duplicate suppliers is an element of risk management.

Further, risk management was in the old standard, but disguised in arcane language as "preventive action" that was often misunderstood.

I think the inclusion of "risk" will in some cases enable quality to get alongside real business practice and, in so doing, win management commitment where previously it was lacking.

For example, some believe, as Deming and Crosby preached, that quality is meeting customer requirements. Which is fine, except some business leaders know that if they take a few shortcuts on quality of product and service, they can get to market faster, capture market share, and fix quality later. To some quality people that's anathema, yet it's a common business strategy. The business leaders are acknowledging the risk of poor customer satisfaction and betting they'll win in the long run. With the new ISO 9001, the risk can be put on the risk register and managed with everyone's buy-in - including quality's - instead of hoping the CEO gets it right.

Risk isn't always negative, even though it's uncertain. Semiconductor companies bet their existence on Moore's Law (bang for the buck doubles every 18 months). So do their clients. It's not certain, but it's worked for several decades. The opportunity for some is to design products now that won't work until, in 18 months' time, more power comes along. Waiting for the more powerful product is less risky in a technical sense, but more risky because competitors that took the gamble will get market share first.

For technology companies there's single and dual sourcing: if you know your competitors are always safe and use multi-sourced components, you might have an opportunity to get ahead by using something innovative, newly patented, and only available from one source. You use risk management to decide whether to take the risk and, if so, how to manage it. Long term, for example, you might ask (or if you're big enough, demand) that your supplier license the technology to alternative suppliers. The semiconductor industry licenses each other's products, so they all earn money from innovation and at the same time mitigate supplier risks.

Another example. Many are taking the opportunity to manufacture in low cost areas like China - but there are well-known risks attached, which they have to mitigate.

Another example: there are reportedly concerns over information security and the possibility of problems with Huawei products, which some think might be used by the Chinese to spy on the West. The UK telecom provider BT has historically bought a lot of Huawei product (because it's cheap) and claims to be proactively managing the security risks - which BT claim are not an issue.

The new ISO 9001 will enable such risks and opportunities to be managed within the QMS (which for some they always were) and bring quality people into the loop.

For some of us, that will mean letting go of "quality means meeting customer requirements" in favour of, maybe, "quality means meeting customer requirements - eventually."

Just 2c
Pat

Post Number #18
12th September 2014, 01:57 PM
John Broomfield
Re: How the addition of "Risk" will affect ISO 9001:2015

Pat,

Yes, it is only a matter of time before quality professionals are asked to participate in risk assessments before shipping nonconforming product.

RM may dilute the principles of prevention and the principle of keeping promises.

Our management systems are meant to help salespeople make better promises than the competition and to keep them.

Compromise may be the result of more risk management.

John
Post Number #19
13th September 2014, 05:14 AM
pldey42
Re: How the addition of "Risk" will affect ISO 9001:2015
Re: How the addition of "Risk" will affect ISO 9001:2015

Good points John.

In information security, where ISO 27001 requires formal risk assessment, as an auditor I've seen several systems where the risk assessment was done by a consultant, often using risk assessment software, appeared on paper to meet the requirements and actually missed risks that were obvious.

BP claimed to have done risk assessments prior to the Deepwater Horizon incident in the Gulf and, if I recall correctly, they had - and then had failed to put mitigations in place.

So yes, risk assessment can be made, by unscrupulous managements, into another arcane process to hide behind; but equally, I think it can be valuable to real-world management teams trying to do the right thing in an uncertain world.

Another example comes to mind, to your point. I worked once in a software company that found it hard to keep its promises, because we wrote bespoke software and sometimes underestimated the difficulty of the job. We introduced the usual planning processes including contingency planning but that still wasn't enough. So we introduced risk management. At the start of a project we got the team together and asked them to identify risks to successful completion, on time. For each significant risk we made a contingency plan and costed it in man-days. Then, if the risk-weighted sum of contingency plans exceeded the estimated overtime available (project plans were based upon normal, 7.5 hour days) the project manager knew that something had to be done. In the extreme, the project manager was in a position to call the customer and apologise for the unforeseen problem and agree a way out.

So we tried to use risk management to keep our promises. (Did it work? Sorta. But the company had more fundamental problems and went out of business before we had time to work these ideas through. I think they were good ideas, though, which we had stolen from a software management text book whose title, sorry, escapes me.)

Pat

Last edited by pldey42; 13th September 2014 at 05:15 AM. Reason: spelling error
Post Number #20
13th September 2014, 09:57 AM
John Broomfield
Re: How the addition of "Risk" will affect ISO 9001:2015

Risk management has its place but so do absolutes when it comes to honoring the promises made with every contract.

RM should make us more careful about the promises we make; another principle of prevention.

Right now the authors are repeatedly saying ISO 9001:2015 requires no preventive action. But this is baloney. TC176 may have removed the clause specifying preventive action, but for RM to be effective it must predominantly be preventive.
Post Number #21
13th September 2014, 10:54 AM
pldey42
Re: How the addition of "Risk" will affect ISO 9001:2015

Marc's earlier post said:

Also notice opportunities in 6.1 a)

"The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions."

For me, this is the equivalent of the old preventive action requirement, but now (assuming it stays in something like this form) explicitly basing preventive actions on risk assessments.

For someone to say that the new ISO 9001 requires no preventive action is, I think, misleading.

While some may indeed use RM to dodge difficult contract conditions, I don't think that's the intent. I do think it's trying (perhaps with clumsy wording, but RM is an ill-defined art) to capture what responsible organisations have been doing all along, with process capability measures, risk-based supply chain management, FMEA and so forth.

For software I think this will be helpful. Very few software orgs in my experience use FMEA even though it's common in manufacturing. Now, they'll have to do something like it. The same will be true, I think, of services industries.

The Quality Digest article does raise the possibility of attracting legal problems by documenting risks and that could, perhaps, be a minefield. Yet public companies already have to disclose risks to shareholders, so I'm not sure that it's a real problem.

I think there are some precedents for this being set in ISO 27001, information security management. It's often used as a contractual condition to safeguard sensitive data, especially when it's personal information which is governed in the UK by the Data Protection Act and governed by a regulator called the Information Commissioner. My understanding is that the information commissioner does not expect perfect security, nor zero risk. Rather, as the standard requires, proportionate controls and risk mitigations are expected. ISO 22301, business continuity, is similar.

The problem BP had in the Gulf was an extreme example of doing it wrong, and not in the spirit called for. They were drilling deeper than ever before, and despite having done risk assessments, they had no meaningful risk mitigation plan. So they wrote to the relevant US regulator and said, "We have no risk mitigation plan, as required by the regulations. Can we start drilling anyhow please?" The regulator wrote back: "Yeah, ok." Both BP and the regulator (which at that time also collected taxes due on oil revenues, and has since been relieved of that duty by the Obama administration) wanted the money more than the risk mitigation.

So yes, I agree, in the wrong hands it'll go wrong. But the wrong hands will always find a way.

For those organizations that want to keep their promises, I can only see RM as a good thing for increasing their chances of doing so in an uncertain world. For example, some organizations are using business continuity and its risk-based approach to maintain on-time delivery schedules despite disruptive events like losing electric power, flooding and so forth - especially important when they're saving money by manufacturing in places where labour is cheap, and infrastructure is weak.

Pat
Post Number #22
13th September 2014, 01:58 PM
Sidney Vianna
Re: How the addition of "Risk" will affect ISO 9001:2015

Quote from pldey42:

While some may indeed use RM to dodge difficult contract conditions, I don't think that's the intent. I do think it's trying (perhaps with clumsy wording, but RM is an ill-defined art) to capture what responsible organisations have been doing all along, with process capability measures, risk-based supply chain management, FMEA and so forth.
I think it is critical to realize that ISO 9001:2015 will have no requirements for risk MANAGEMENT, and instead RISK BASED THINKING, something that, while hugely desirable, seems to be extremely challenging from an auditability perspective. As I said a couple of times already, RISK BASED THINKING, in my opinion, would have been much better placed as another QMS principle in ISO 9000, and not as a "requirement" in 9001. The hyperlinked ISO paper above has some interesting information.

Last edited by Sidney Vianna; 13th September 2014 at 02:24 PM.
Post Number #23
13th September 2014, 02:32 PM
Stijloor
Re: How the addition of "Risk" will affect ISO 9001:2015

RBT is too ambiguous and not auditable.
Post Number #24
13th September 2014, 04:49 PM
Jen Kirley
Re: How the addition of "Risk" will affect ISO 9001:2015

My question, as always, will be "What does that look like?"

I feel sure many people are already doing this but not writing it down. Despite appearances, most of us really don't blunder along with our eyes closed. We are just going to ask for evidence to show it's happening.