Informational Confusion about Risks for Processes in ISO 9001:2015

[Jen Kirley]

"The guides I can recommend come from the Auditing Practices Group, not the CBs, whose interpretations may vary though the accreditation process is support to help reduce that."

Aren't these guides writen for registers, but register auditors? Corrie works for BSI, Ezrakhovich work(ed) for SAI global etc. They see things through registers eye's and who else would disagree with them? WHen one of their guides is entitled "dealing with consultants"...

That's a fair question. They are written for registrars but are made available for public view, aren't they? that means their information is not limited to registrars - nor should it be. These are guidelines for applying the "shalls" and as such are made available for all of us. For what specific reason I can't say, but I feel thankful it is the case and I think ti is fair for the guidance to be made available to everyone. This should not be a game show.

 

[Kronos147]

That finding (hypothetical as it is), would be very sad.
Top Management deals with risk and mitigates risk on an hourly basis...
Financial Risk, Liability Risk, Employee retention risk, sales risk, investment risk, commodity stability risk, it is endless.

Write some examples into the Management Review notes and call it a day, then.

Sometimes the challenge is capturing the records of activities we conduct on a regular basis.

 

[Marc]

I made a Risk Based Planner

I believe this is appreciated by all. The 'problem' is it can become a big overhead if one tries to define 'risks' for every department, every job, every process. Add to that - What about revisions? I can see this for some products and standards. It is harder to justify for ISO 9001 companies which are not making 'critical' parts/products.

If the auditor asks the right questions, and the organization answers them, there will generally be no problem.

That is what people are confused about. What questions will auditors ask?

I would tend to do 'training' at all levels to explain what risk is and to ensure all employees are ready to respond to an auditor questions related to 'risk'.

As I sit here I can imagine such training were I to write it. I would relate risk to every employee in a way they can understand in the context of their own life - How they address risk in their lives yet do not necessarily realize it. In that way, one can transfer to each employee how, when they do their job, they do risk assessments. The idea is to get every employee to have the word 'risk' in their everyday thoughts so that an auditor question doesn't put them into a "deer in the headlights" scenario.

Example: Every person has assessed, whether they are cognizant of it or not, the risks in driving to the local store to buy something. There is the risk they will be in an accident. There is a risk their auto will break down. These days there is the risk of a road rage incident. And, especially in today's world, there is even a general risk which may be associated with skin color - Seven-year-old girl shot dead after man opens fire on car in Texas just going for coffee.

Once a person gets the word 'risk' into their every day use and thinking, they can relate it to their job duties. I remember when I worked with companies that made 'critical' parts/products, they had documented risk analysis for many processes, for example, but not for every process. One company I worked with did this during employee orientation. The word RISK was used daily and before you were even allowed to go to the production facilities you had to go through the orientation. At ICI Explosives it was a fireable offense if a person did not back their car into a parking place because there was a high RISK of explosion - Their evacuation plan required it.

Just a few thoughts...

 

[Jen Kirley]

My Risk-Based Planner is absolutely not a one-size-fits-all approach. Some people do find t a poor fit, and your question about revisions is valid.

I have spent the last 2 years encouraging my people to take credit for that which they are doing, as organizations have a great deal of freedom to use methods that suit them and no clear requirement to document any of it exists.

So people need to recognize that the risk concept in 9001 dos not mean we are all sky diving, and auditors need to acknowledge that FMEAs are not required. If they fail at that, organizations need to push back so errant auditors can be stopped. While this cycle goes on, we will eventually get used to the risk concept (I hope) so we can stop wasting energy with this concept's confusion.

 

[Marc]

I like your planner. It gives food for thought to people. I'm a bit biased, in a way, because I got into 'quality' in high reliability, high risk parts and products and spent much of my working life in it. I have no doubt that is why I often take it as a given.

In the past I have used the "if you're only making children's bathtub rubber ducks..." example of a low risk toy where risk isn't that significant. But these days I realize I was wrong. I remember a toy company out-sourcing a basic child's toy to a company. The company did not specify what type of paint to use. The company that actually made the toy used a lead based paint. So, even in such a product, risk can be significant. Lead Paint Prompts Mattel to Recall 967,000 Toys