Is Risk Identification and Treatment a Process?

armani

Does the organisation have to treat risk identification and treatment as a process?
Consequently, if yes, must this process be treated according to 4.4.1?
 

dsanabria

Does the organisation have to treat risk identification and treatment as a process?
Consequently, if yes, must this process be treated according to 4.4.1?

The short answer is NO - risk is embedded into all of your processes.

ISO 9001:2015
0.3.3 Risk-based thinking

Risk-based thinking (see Clause A.4) is essential for achieving an effective quality management system. The concept of risk-based thinking has been implicit in previous editions of this International Standard including, for example, carrying out preventive action to eliminate potential nonconformity, analyzing any nonconformities that do occur, and taking action to prevent recurrence that is appropriate for the effects of the nonconformity.

To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.

Opportunities can arise as a result of a situation favorable to achieving an intended result, for example, a set of circumstances that allow the organization to attract customers, develop new products and services, reduce waste or improve productivity. Actions to address opportunities can also include consideration of associated risks. Risk is the effect of uncertainty and any such uncertainty can have positive or negative effects. A positive deviation arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities.
 

Mike S.

What is a process? Activity that takes an input and turns it into an output.

Is risk identification and treatment, the way it is performed in your organization, performed in this way?

When you are determining the risks that need to be addressed, is this a process?

If you are planning actions to address risks, is this a process?

Look at 8.1.1 – is there a process there?

8.1.1 Operation risk management

The organization shall plan, implement and control a process for managing operation risks…
 

armani

What is a process? Activity that takes an input and turns it into an output.

Is risk identification and treatment, the way it is performed in your organization, performed in this way?

When you are determining the risks that need to be addressed, is this a process?

If you are planning actions to address risks, is this a process?

Look at 8.1.1 – is there a process there?

8.1.1 Operation risk management

The organization shall plan, implement and control a process for managing operation risks…

So, the answer is YES?
 

Mike S.

I think you have to answer that for yourself; for many companies I think it is yes.
 

Alienraver

Take a look in the standard, Annex A4. In that annex it clearly states that a formal, documented process is not required. However, it does state that the organization can decide the level of what is needed, so you will want to take into consideration what you produce. If you make anything with critical components that may result in loss of life if they don't function properly, then yes, I would have a formal management process. Otherwise, if you are making printed circuit boards where there are tons of subsequent tests or other avenues to prevent failure from escaping, then no, you wouldn't need one. Your QMS should inherently have risk mitigation built in. This is one of its main purposes.
 

randomname

Yes, it is a process. Read the Preventive Action clause of the 2008 edition.

Identify potential risks, evaluate whether treatment is required, treat if so, then determine whether treatment was effective. PDCA.

However, various components will be imbedded in different clauses of the QMS.
 

randomname

The thing I keep trying to get across to quality professionals is stop worrying about the ISO requirements and look at what your senior management pays attention to. In a public company risk management is a big concern, and the government just mandated it for federal agencies with the revision of A-123.

So if you want to gain greater credibility learn about risk management, then utilize ISO as a way to support it with the QMS.
 

Sidney Vianna

I think you just encapsulated the wishful thinking of many "risk management" professionals. Hijack 9001:2015 as a platform to support risk management consulting.

Forget the ISO 9001 requirements? Wouldn't that be risky? :rolleyes:
 