How the addition of "Risk" will affect ISO 9001:2015 - Page 4
Related Topic Tags
iso 31000 - risk management, iso 9001 - quality management systems, iso 9001:2015, risk based thinking (rbt), risk management and analysis
Post Number #25
13th September 2014, 05:54 PM
Sidney Vianna
Total Posts: 8,448
Re: How the addition of "Risk" will affect ISO 9001:2015

Quote (in reply to Jennifer Kirley):

My question, as always, will be "What does that look like?"

I feel sure many people are already doing this but not writing it down. Despite appearances, most of us really don't blunder along with our eyes closed. We are just going to ask for evidence to show it's happening.

What does that look like? If I were an auditee I would not know how to answer that question. If it is happening, what is the value of documenting it? Just to appease an external auditor?

Let me throw this scenario out for your consideration: imagine you are auditing Boeing Commercial Airplanes in early 2013. Their flagship program, the 787, was finally getting under control, after 3+ years of delayed deliveries. 3+ years. Did Boeing do a bad job of managing the risks associated with the 787 development? Would you write BCA up for not having RISK BASED THINKING? Can you, as an auditor spending a week on site, determine whether the thousands of meetings associated with the program were risk-based managed?

I am concerned that the challenge associated with effectively implementing and auditing preventive actions will be nothing compared with RISK BASED THINKING.

And, if at the end of the day, the external auditor accepts anything the organization presents as evidence of RBT, what is the point?

Post Number #26
13th September 2014, 07:10 PM
John Broomfield
Total Posts: 2,456
Re: How the addition of "Risk" will affect ISO 9001:2015

It seems to me that TC176 members were influenced more by the banks' failure to manage risk than by what is widely accepted as good quality management practice.

Specifying use of failure modes analysis to drive preventive action in the design of services, products and their processes would have been better than attempting to replace preventive action with risk based thinking.

And making sure that opportunities and risks are assessed as part of planning to fulfill those opportunities may have more closely represented the well-established standards-making process...

...never to lead the way, always to spread good practice.

Post Number #27
14th September 2014, 03:34 AM
pldey42
Total Posts: 429
Re: How the addition of "Risk" will affect ISO 9001:2015

ISO Guide 73:2009 defines risk management as "systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk."

This is the definition of RM used in ISO 27001. Given that RBT also appears to include action as well as thinking, I don't see a material difference between RM and RBT.

But, regardless, yes, auditing risk management is fraught with difficulties.

TC 176 were influenced by Annex SL of ISO's guidance to itself on writing management system standards, previously known as Guide 83.

http://www.irca.org/en-gb/resources/...-ISO-Guide-83/

I doubt whether it's much based upon the meltdown of risk management at the banks, not least because they themselves are still in denial and appear to have learned little. I believe that Annex SL draws heavily upon established risk management practices in ISO 14000, 18000 and 27001. It also refers to the ISO 31000 series of standards on risk management.

For quality, I don't think RM is just about product and service design, although that's a large part. It's also about resilience of the supply chain, assuring on-time delivery in full, packaging, assuring continued availability of critical know-how, assuring continuity of supply despite disruptive events (e.g. switching manufacturing from one plant to another) and more. While FMEA is one valuable technique, it's not always applicable. For example, in ISO 27001, some analysis methods go into detail such as the threat (what could cause an undesired event, a thief for example) and the vulnerability that the threat could exploit (an open door, for example). They then plan mitigations that are proportional to the strength and determination of the threat (we need stronger defences against organized crime, if they're a real threat, than against the local kids).

Which of course makes RM hard to audit - but independent review of RM is vital, because when they must document their RM activities, there is a temptation for some to under-report risks, so as to make mitigations cheaper. Not only is it hard for auditors from a time and effort perspective, but - even harder - they must do it objectively.

In the ISO 27001 world, the 2005 version of the standard made objective auditing of RM possible by demanding a documented method for risk assessment - which often looked like FMEA, but modified to take account of threats and vulnerabilities. But the 2013 version of ISO 27001 dispensed with the requirement for formal risk assessment methods (because some organisations simply employed, for example, an ex-policeman with experience of organised crime who could advise appropriate mitigations). So objective auditing of RM, I think, will rely upon either a documented method, or records of RM competency.

To the example of BCA, if mitigations fail, that's not necessarily an indicator of ineffective RM. Indeed, I think the general requirement to measure the effectiveness of processes will have to make an exception for RM, because mitigations sometimes fail; that's life. I think the test of effective RM is, when something bad happens, "hands on hearts, can we stand up in Court and say truthfully that we did our best?" Which of course isn't auditable. But that's the reality. Suppose we determine that flood is a risk to one of our facilities, with bad consequences both for the environment when our toxic waste gets into the flood waters, and for on-time delivery because we can't manufacture. Suppose also that our mitigation is flood defences: walls, run-off areas and so forth. We build our flood defences assuming the water might rise 10 feet. But it rises 15 feet and we still get flooded. I think for auditors to write that up as ineffective is unhelpful: we got flooded, we know it didn't work. Rather, as auditors, we'd look for lessons learned. How did we get the figures wrong? Did we get the figures wrong or was this a freak? Might it happen again? What more can be done?

So yes, auditing RM will be hard, and in my experience of ISO 27001, auditors do get it wrong. We're not helped either by risk assessment methods that obscure the risks by listing hundreds of them in abstract terms. Nevertheless, as the banks showed spectacularly, if risks aren't monitored and independently audited, avoidable trainwrecks can occur. (Sorry about the mixed metaphor.)

One consequence, then, I think is that auditors will need more time for audits, and the competency to understand RM techniques and the risk landscape applicable to the sector they're auditing.

In a world that's uncertain, where almost everything is subcontracted, often to facilities half way across the globe, I think it's a challenge to which we need to rise.

Pat

Post Number #28
14th September 2014, 04:20 AM
John Broomfield
Total Posts: 2,456
Re: How the addition of "Risk" will affect ISO 9001:2015

Pat,

When you were talking about ISO 27001 I thought you were going to refer to its Annex A Statement of Applicability:

http://www.iso27001security.com/ISO27k_gap_analysis.xls

This makes the ISMS and the results of risk assessment very auditable.

We have no such requirement in the DIS 9001.

But we do see a requirement to design services which could include continuity of supply and on time delivery.

John
Post Number #29
14th September 2014, 09:27 AM
Jen Kirley
Total Posts: 5,916
Re: How the addition of "Risk" will affect ISO 9001:2015

"What does that look like?" is an entry question. No, I don't expect documentation just to appease an auditor. Far from it. People can also show me outcomes, describe examples, we can review projects, etc. Unless records are required, of course. And there will be the clause requiring documentation to help control things as needed, similar to the 14001 approach. I'm more comfortable with that than some auditees will be if they never worked with 14001 or 18001.

As for Boeing, my understanding is they operate to the aerospace standard, yes? I'm not an aerospace auditor, but my guess is that they have project requirements like automotive does. If I were auditing the 787 project, it is indeed worth looking at whether or not they applied risk based thinking. Did they just pick any old supplier, or did they qualify the supplier first? Did they try to anticipate the inherent challenges of all that production outsourcing, and other issues? If they used an FMEA approach then they applied risk based thinking. As an auditor I am chartered with having enough imagination to consider whether the auditee's approach conforms to the standard, and why or why not.

Last edited by Jen Kirley; 14th September 2014 at 09:36 AM.

Post Number #30
14th September 2014, 09:43 AM
Stijloor
Total Posts: 15,122
Re: How the addition of "Risk" will affect ISO 9001:2015

Quote (in reply to Jennifer Kirley):

<snip> As an auditor I am chartered with having enough imagination to consider whether the auditee's approach conforms to the standard, why or why not.

You may be Jennifer, but considering how poorly many organizations and internal/external auditors have addressed the "Process Approach" (even after 14 years), I am very concerned. Unless there is a standard audit approach based on actual RBT evidence rather than auditor's opinion, I am not convinced that this RBT is a good idea.

Post Number #31
14th September 2014, 09:48 AM
Jen Kirley
Total Posts: 5,916
Re: How the addition of "Risk" will affect ISO 9001:2015

You are right to be concerned. Observing the variation that I do even in document control expectations, this one is going to be hard. Auditors are notoriously difficult to calibrate. I see it all the time.

Post Number #32
14th September 2014, 09:54 AM
Jen Kirley
Total Posts: 5,916
Re: How the addition of "Risk" will affect ISO 9001:2015

When I finish my move to SC I think I will, in time, make an auditor training curriculum and offer internal auditor classes. I have been biding my time while I do my CB work.

I got to the end of the line in pursuing a Training Manager job with my CB. It came down to me and him, and they selected the other guy. I was disappointed of course, because naturally I have some ideas of where to reduce the variation. But I will need to be patient I guess. I'm in this for the long game.