Informational Confusion about Risks for Processes in ISO 9001:2015

[armani]

I am very confused about "risks" in this new ISO standard. For what processes do I have to identify the risks (e.g. production process, suport processes)...any (non) exhaustive list of processess for which ISO 9001:2015 says I shall identify risks?
And do u have any risk identification example for a process (not for Purchasing, this is a frequent example)?

 

[rob73]

The fundamental change in ISO 9001 is to apply "risk based thinking" across the whole organisation, but this does not mean you need to do a full risk analysis on every process or procedure you use.
Have a good read of this discussion thread: Risk Management Implementation for ISO 9001:2015. It may help you.

 

[armani]

And the selected processes depends on what? I must have some criterie to choose those processes??

 

[rob73]

the point is "risk based thinking" is applied across the WHOLE orgainsation. The first step is consideration of risks, it will be up to you to decide how deep you go, some will only need a "what if.....", others a more rigorous study.

 

[armani]

But the point is I have to identify risks for ALL processes (including communication, change process etc.)...for every process to the extent I determine, but for ALL! Am I right?

 

[rob73]

Not sure if you have seen this in another thread, but it does explain how risk based thinking can be (and probably already is) implemented in a system.

http://asq.org/quality-progress/2016/06/standards-outlook/prove-it.html

 

[tony s]

I'm afraid that we have to identify risks as specified by ISO 9001:2015 clause 4.4.1f which says:
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
f) address the risks and opportunities as determined in accordance with the requirements of 6.1

Some examples of risks:

• Human Resource - hiring of persons with derogatory character;
• Documentation - use of obsolete documents for the current operation;
• Finance - inaccurate billing;
• Internal Audit - baseless audit findings;
• Management Review - uncommitted top management;
• Communication - incomplete data;
• Inspection - good products judged as bad or vice versa;
• Sales - forgot to bring product catalog

 

[Kchnwtch]

I'm afraid that we have to identify risks as specified by ISO 9001:2015 clause 4.4.1f which says:
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
f) address the risks and opportunities as determined in accordance with the requirements of 6.1"

Some examples of risks:

• Human Resource - hiring of persons with derogatory character;
• Documentation - use of obsolete documents for the current operation;
• Finance - inaccurate billing;
• Internal Audit - baseless audit findings;
• Management Review - uncommitted top management;
• Communication - incomplete data;
• Inspection - good products judged as bad or vice versa;
• Sales - forgot to bring product catalog

Well, 6.1 cites 4.1 and 4.2, which give specific lists of places to look for risks and opportunities -- to your interested parties (4.2) and your external and internal business operations (4.1) which it lists as things like legal, market, cultural, values, and performance.

I'm wondering if maybe your list might be a little overly specific. Most of these risks would already be addressed in your QMS documentation; for example, human resources probably has job descriptions, and ways to check an employee's job references; the finance department has a billing strategy, or probably a computer system that regulates billing; your internal audit staff has been trained not to waste time on baseless findings.

This list might be a good check of whether the systems you have in place would take care of these issues, but IMO they seem too small to be listed as risks for your QMS. What are the terrible ramifications if a salesperson forgets the catalog? They can drive back to the office and pick it up, and get back on their sales route, or they can refer a client to a web catalog. Putting the sales catalog online might well be an opportunity that would be worth investigating, but because it would be really beneficial to your customer--not just to make sure that one sales guy doesn't have to waste gas.

The CEO of my company is a really great worrier, and could make a list of the most infinitesimal of risks--he puts himself in a tailspin all the time when he thinks of them, and tends to trip up the workflow by interfering when he panics. I think the standard intends to set a larger sense of risk, and especially to direct the majority of risk-based thinking towards the customer and what the customer wants.

 

[rob73]

I think a lot of people are getting to worked up about "identify risk" as a new requirement of the standard, this is wrong, risk management has always been in there just disguised as capa, audits, calibration etc etc. The standard does not even require you to document risks only the fact that they should be considered at all levels! A few tweaks in your QMS and you are there.
Please have a good read of this thread Informational - Risk Management Implementation for ISO 9001:2015

 

[DRAMMAN]

From what I have gathered through a few on-line reviews, reading all the ISO RBT material, and reading my CB's ISO9001:2015 interpretation guide auditors will be checking throughout the audit s to if your organization is utilizing RBT. It will be a judgement call. They could bring the topic up during all interviews. My specific CB sid that if your organization is doing any FMEA's then you will meet the RBT requirement. There are no specific requirements like you must to a formal documented risk analysis for every process.