Informational Confusion about Risks for Processes in ISO 9001:2015

[tony s]

Be careful with this line of thinking. Certification bodies issue certificates based on evidence of conformity to requirements. While the types of activities and evidence are not specified for this requirement of the standard, the CB will issue NO certificate if there is NO evidence of conformity.

I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against an specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.

 

[Stijloor]

I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against an specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.

Managers and Employees will be interviewed. The "fun" starts when they can not provide adequate explanations how this is implemented. The worst experience I had was when they start contradicting each other.

The documented information requirement may have been diluted in the 2015 version, but consistent explanations and results of addressing risks and opportunities must still be demonstrated.

If not, wait until NC's are written.

 

[randomname]

FMEAs are mentioned often because there are one of the most widely used tools for looking for detailed risks within QMS processes. Automotive has required them since at least the 1980's, and Q9 for pharma and they're also for meeting ISO 14971 requirements. No, they aren't required under 9001 but if people know about them they can better know when they might be useful.

And risk registers are a tool used by senior management to document and track high-level risks. Anything we do regarding risk in QM that is similar to what senior management uses is likely to be better understood and accepted. Having a list of key QMS risks that are reviewed at the MR meeting is one way of meeting the RBT requirements.

 

[tony s]

If not, wait until NC's are written.

I always believe that to have a valid statement of NC, at least two important information must be presented:

• Audit criteria - i.e. policy, procedure or requirement - exactly what the organization has committed itself to fulfill;
• Audit evidence - records, statements of fact or other info w/c are relevant to the audit criteria and verifiable - exactly what the organization has or hasn't done that cause the non-fulfillment of the audit criteria.

I would expect any NC statement has clearly indicated both to make it valid.

If an auditor claims that I am not using an FMEA or SWOT or Risk Matrix or a documented risk management process, then he has to point me where are those in any applicable requirement that we need to fulfill?

 

[howste]

I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against an specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.

Here's an example:

Requirement: "6.1.1 When planning for the quality management system, the organization shall... determine risks and opportunities that need to be addressed..."

Finding: There was no evidence found that the organization has determined risks to be addressed.

Evidence: In discussions with top management, they were unable to state any risks identified or actions to address risks. Records of management review inputs did not include any information on the effectiveness of actions to address risks (see 9.1.3e and 9.3.2e). Records of management review outputs did not include any decisions or actions related to risks (see 9.3.3).

 

[tony s]

Here's an example:

Requirement: "6.1.1 When planning for the quality management system, the organization shall... determine risks and opportunities that need to be addressed..."

Finding: There was no evidence found that the organization has determined risks to be addressed.

Evidence: In discussions with top management, they were unable to state any risks identified or actions to address risks. Records of management review inputs did not include any information on the effectiveness of actions to address risks (see 9.1.3e and 9.3.2e). Records of management review outputs did not include any decisions or actions related to risks (see 9.3.3).

Specifically, this NC will be raised against 6.1.1?

 

[howste]

Specifically, this NC will be raised against 6.1.1?

That's where I put it in this hypothetical NC. You could probably make a case for other clauses too.

 

[Ninja]

...
Evidence: In discussions with top management, they were unable to state any risks identified or actions to address risks. Records of management review inputs did not include any information on the effectiveness of actions to address risks (see 9.1.3e and 9.3.2e). Records of management review outputs did not include any decisions or actions related to risks (see 9.3.3).

That finding (hypothetical as it is), would be very sad.
Top Management deals with risk and mitigates risk on an hourly basis...
Financial Risk, Liability Risk, Employee retention risk, sales risk, investment risk, commodity stability risk, it is endless.

The only way to get written up with that finding is for the top management person being interviewed to be confused about what the auditor is asking...
Methinks that this happens all too often...

I would hope the auditor would recognize that there is a failure to communicate (both ways) and work to reestablish clarity of communication.
(I would also hope that Top Management would be confused about this in the first place...)

 

[tony s]

That's where I put it in this hypothetical NC. You could probably make a case for other clauses too.

Thanks howste. I'm interested in this because I have previously performed an initial gap assessment for a solar panel manufacturer here in the Philippines in their transition effort. One of my issues that I raised concerns about the absence of documented information regarding actions on risks and opportunities as part of the records of their management review. Here's my finding statement (though it was raised as an OFI):

Ensure that Management Review records include the results of the review of the effectiveness of the actions taken to address risks and opportunities. This will support the fulfillment of the following requirements:

- Cl. 6.1.2a – “The organization shall plan actions to address risks and opportunities”;​

- Cl. 9.1.3e – “The organization shall analyze and evaluate appropriate data…the results shall be used to…the effectiveness of actions taken to address risks and opportunities”;​

- Cl. 9.3.2e – “The management review shall…take into consideration…the effectiveness of actions taken to address risks and opportunities”;​

- Cl. 9.3.3 – “The organization shall retain documented information as evidence of the results of management reviews”.​

 

[howste]

That finding (hypothetical as it is), would be very sad.
Top Management deals with risk and mitigates risk on an hourly basis...
Financial Risk, Liability Risk, Employee retention risk, sales risk, investment risk, commodity stability risk, it is endless.

I agree that the NC as written is unlikely to happen. I was responding to this statement:

I've once read before, and agree, that the challenge is not with the auditee to prove that they are using RBT but with the auditors to prove that an organization don't use RBT.

If an organization was uncooperative and played games to "make the auditor prove we don't use RBT" then this could happen.

If the auditor asks the right questions, and the organization answers them, there will generally be no problem. If the organization really is dealing with risk on a regular basis, top management would most likely be able to give both verbal and written evidence. Records of management reviews and analysis of data would probably include this information because it makes sense for the organization to use it for effective communication and follow-up (not just for the auditor).