Informational Confusion about Risks for Processes in ISO 9001:2015

[Ninja]

Totally agree.
(And I meant to write up above that I hope Top Management was NOT confused in the first place....I left out the important word...

... If the organization really is dealing with risk on a regular basis, top management would most likely be able to give both verbal and written evidence. Records of management reviews and analysis of data would probably include this information because it makes sense for the organization to use it for effective communication and follow-up (not just for the auditor).

Makes sense to me...but we should all keep in mind that the written record is not required.
I agree that there will likely be documented evidence from normal day to day activities...but documenting it just to have something to show an auditor is a waste of time.
...my opinion anyway...

 

[Jen Kirley]

I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against an specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.

Since no single format for evidencing RBT is required, a wide range of methods can be selected from. That may happen at a strategic level, in top management - a SWOT analysis seems like a good addition to Management Review - and a checklist to help prevent omissions can work well at the tactical (process) level. Such things have been happening in many places, but may not be evident or recognized for what they are: trying to control the effects of uncertainty.

"Demonstrate" can be verified through documented information, interviews, and the auditor's personal observation of conditions. To successfully demonstrate conformity, these should support each other. That is, top management shouldn't be claiming how much they support the QMS through active involvement while the rest of auditees say "Top management doesn't give a hoot about anything but production, production, production..."

To demonstrate their awareness of RBT, auditees should be ready to describe what happens in their processes in order to achieve desired outcomes. They don't need to use jargon or possess mystical skills, or apply complex tools.

 

[tony s]

a checklist to help prevent omissions can work well at the tactical (process) level. Such things have been happening in many places, but may not be evident or recognized for what they are: trying to control the effects of uncertainty.

I agree. The fact that controls are specified in procedures is because they are intended to control the effects of uncertainty.

 

[armani]

From what I have gathered through a few on-line reviews, reading all the ISO RBT material, and reading my CB's ISO9001:2015 interpretation guide auditors will be checking throughout the audit s to if your organization is utilizing RBT. It will be a judgement call. They could bring the topic up during all interviews. My specific CB sid that if your organization is doing any FMEA's then you will meet the RBT requirement. There are no specific requirements like you must to a formal documented risk analysis for every process.

Will it be too much for you if I will ask to post the material here (CB's interpretation guide) for informal purpose??

 

[tony s]

Will it be too much for you if I will ask to post the material here (CB's interpretation guide) for informal purpose??

I'm interested.

 

[howste]

Will it be too much for you if I will ask to post the material here (CB's interpretation guide) for informal purpose??

In another thread, DRAMMAN said that the guide was purchased, so it is most likely copyrighted and can't be posted here.

I recently purchased my Registrar's Interpretation document.

 

[LUV-d-4UM]

I always believe that to have a valid statement of NC, at least two important information must be presented:

• Audit criteria - i.e. policy, procedure or requirement - exactly what the organization has committed itself to fulfill;
• Audit evidence - records, statements of fact or other info w/c are relevant to the audit criteria and verifiable - exactly what the organization has or hasn't done that cause the non-fulfillment of the audit criteria.

I would expect any NC statement has clearly indicated both to make it valid.

If an auditor claims that I am not using an FMEA or SWOT or Risk Matrix or a documented risk management process, then he has to point me where are those in any applicable requirement that we need to fulfill?

Beware of auditor-made-rules. When you see one, APPEAL!

 

[Jen Kirley]

Will it be too much for you if I will ask to post the material here (CB's interpretation guide) for informal purpose??

The guides I can recommend come from the Auditing Practices Group, not the CBs, whose interpretations may vary though the accreditation process is support to help reduce that.

These guidance documents are not "shalls" but should help understand the intent of the standard and empower us to avoid taking one person's word as gospel. Oh, how I wish I knew about this site when I was an internal auditor!

Element 6.1 of ISO 9001:2015 does not require or recommend any specific approaches, nor require documentation of actions to address risks and opportunities. ISO 14001:2015 does require documentation (6.1.1), which might be confusing some auditors who operate to more than one standard. We have to be careful not to muddle the differences between the standards... But I am thinking you are asking about the quality standard only, yes?

If a CB is trying to issue a nonconformity for lack of documentation to 6.1.1 or 6.1.2 of ISO 9001:2015, you have the right to dispute. And I hope you do, as the auditor should be stopped from repeating this error.

 

[Jen Kirley]

For those who want to use a tool for managing (and documenting) their risks, I made a Risk Based Planner. It is meant to also work with systems integrating environmental and/or health and safety.

Please note the Instruction page also has hyperlinks to some very helpful web sites I found, as certainly we have choices in how to approach risk - for example, SWOT and checklists. Also please note this spreadsheet has macros.

I hope this helps!

 

[JoShmo]

"The guides I can recommend come from the Auditing Practices Group, not the CBs, whose interpretations may vary though the accreditation process is support to help reduce that."

Aren't these guides writen for registers, but register auditors? Corrie works for BSI, Ezrakhovich work(ed) for SAI global etc. They see things through registers eye's and who else would disagree with them? WHen one of their guides is entitled "dealing with consultants"...