Informational Confusion about Risks for Processes in ISO 9001:2015

[tony s]

I think the standard intends to set a larger sense of risk, and especially to direct the majority of risk-based thinking towards the customer and what the customer wants.

I agree. But I'm answering the original poster's question:

do u have any risk identification example for a process (not for Purchasing, this is a frequent example)?

Would you care to share just a few of your identified risk to help us better understand those risks that should be acted on and integrated into the QMS processes?

 

[DRAMMAN]

You do not necessarily nee dot have documented identified risks. The auditors will mostly be checking if everyone is taking risk into account. Examples from a project management perspective may be doing a simple list of potential risks of project failures. A specific example risk may be that the customer requirements are incorrect. The mitigation plan could be to document the requirements and have the customer sighn-off. A financial risk may be what if customers do not pay their bills. The mitigation plan could be that you established an accounts payable process and metrics to track delinquent status. The list of potential risks is endless. This is one of the reasons I do not like this requirement. It is way too vague.

They will be looking that you incorporate risk analysis into your different processes. To what detail does the evidence nee dot be is not clear to me.

 

[Randy]

Good Lord, it's always been about managing risks of one kind or another, it just has a name now, get past it!....Quit dribbling with minutiae

 

[DRAMMAN]

I think we all get that, but for allot of people this is going to be confusing as to how to handle the audit to avoid non-conformances. Even the CB's have a hard time explaining how they are going to evaluate organizations.

 

[Kchnwtch]

Yes, Dramman is right (as is Randy) that you don't have to list them out. Ours are taken care of in management review meetings (minutes). Here are two examples of ours (over-narrated, of course, and my apologies for that...)

One of our identified risks is with a provider of black oxide coating. As the result of a recent storm, the provider lost power for four business days, resulting in a delay of approximately a week on our parts due to their need to heat up tanks, etc. While we do nearly all of our business with this one black oxider, we realized we need to maintain a relationship with another black oxider so that we can meet our customer's schedule even if events happen that are outside the first company's control. So we made a plan to hire another supplier and send 20% of our black oxide orders to them during the year to maintain the relationship, so that if we run into problems again the new provider might be willing to "fit in" a last minute request in an urgent situation (properly compensated, of course).

Another risk: our salesperson landed a set of jobs with a subcontractor, who gave us the contract their customer gave them so we could work from the original. But the subcontractor failed to tell us that we needed to thoroughly understand the notes and references on the contract, which were located on a centralized website. We completed the job without having reviewed the notes, (D'oh!) and the subcontractor rejected our work because it did not comply with the other website references. In addition to remaking the parts to correct the error, we realized we had to re-create our review process for contracts so that the notes and references would not be missed the next time the subcontractor puts out RFQs.

Now, these are not the brightest moves we've made, and they really come out of NCs, but they are long term fixes that we're bound to encounter again. I really do miss the PA part of CAPA...

 

[armani]

Well...but why so much fuss about FMEA, risk register etc. if they are not necessary?? ....

 

[Kchnwtch]

My theory is that so many people calculate risk with more precision by nature of their jobs (engineers, manufacturers, AS, TS) that they are comfortable with using their own tools. The nebulous "thinking" flies in the face of precision. But ISO 9001:2015 only requires thinking, not the use of any precise tools. And auditors are still deciding what that should look like in a QMS. I don't know many folks who are comfortable with uncertainty...it's such a risk...

 

[DRAMMAN]

Te fus sis because people are confused on how they are going ot meet the standard. Noone wants to get non-conformances. In many companies (right or wrong) getting a NC is a VERY bad thing. The question becomes what do i need to do to be in compliance with the standard.

Would it be good enough to simply train everyone in how to respond when the RBT questions come up or do I need specific evidence such as FMEA's or "Risk Trackers"?

 

[tony s]

Since ISO 9001:2015 Annex A.4 clearly stated that "there is no requirement for formal methods for risk management or a documented risk management process", therefore auditors cannot and should not raise an issue if an organization doesn't use any structured approaches such as FMEA, SWOT, or Risk Matrix to demonstrate RBT.

I've once read before, and agree, that the challenge is not with the auditee to prove that they are using RBT but with the auditors to prove that an organization don't use RBT.

 

[howste]

I've once read before, and agree, that the challenge is not with the auditee to prove that they are using RBT but with the auditors to prove that an organization don't use RBT.

Be careful with this line of thinking. Certification bodies issue certificates based on evidence of conformity to requirements. While the types of activities and evidence are not specified for this requirement of the standard, the CB will issue NO certificate if there is NO evidence of conformity.