
Dilemma about choosing the most applicable clause related to Risk

I audited Quoting and Customer Service and found that the Quoting staff had assessed risk and loaded the applicable information into the system, but after the customer order is received, CS would neither review that risk nor communicate it to the areas involved (such as production, purchasing, scheduling, etc.). We also have an internal instruction that requires risk monitoring and communication.

I have raised an audit nonconformance about risk not being reviewed and communicated, against internal requirements, and when I came to add the clause from ISO 9001:2015, I had trouble trying to figure out which clause would be the most appropriate to use in this case: 4.4.1 f), 5.1.2 b) or 6.1.2 b) 1)?

I would very much appreciate the help, because really... I am quite troubled by the fact that sometimes I think it's one clause, later I choose another one, and after a while I return to the first choice, etc. To me, the standard does not appear very clear about some references to risk.

John Broomfield


Having priced for adverse risks and beneficial risks, has Quoting made this information (the basis for pricing) available on the system so it can be used by all the other folk in understanding and fulfilling customer requirements?

Under what circumstances would you expect the other areas to consult this basis for the pricing?

Then we can see if we have a failure to communicate what needs to be communicated (7.4a).


Per our internal instruction, CS has to review the risk assessed and communicate it, but this does not happen.

Information posted by Quoting is saved in the system, but if nobody knows about it, how are they supposed to take action (either the actions in the initial mitigation or others)? Quoting and CS have different areas in which to post information, and everybody checks the information under the order, not under the quote. I had the idea to flag those items with risk so they are visible to all... but this is part of the corrective action (besides training and maybe other actions that we'll decide on as a team).

I tried to analyse which clause in the standard would fit this. To me it seems that "we do not take actions", because in this instance communication is also part of the action. Also, it may be that we have a problem with "implementation" or with not "addressing risks"... so I am very confused...
I also thought about using the "communication" clause, but CS did not review the risk and communicate it, so in the end we did not take action on the risks we assessed... Right?
Also, only CS may know how to retrieve the quote; nobody else would be able to retrieve the quote for a certain order (different numbers in the system).

John Broomfield


So, Quoting prices for the risks but the quotes are inaccessible to the team responsible for fulfilling the quote, is that right?

I see little point in CS reviewing the results of the risk assessment after the quote has been sent to the customer.

It would though be handy for the realization team to know the risks so they can watch out for any unforeseen risks.

The nature of the nonconformity is a failure to communicate. What’s more, there is a failure of management to monitor and correct this particular communication process.

The communication of risks determined by Quoting is ineffective and this would appear to be a 7.4d nonconformity.

But you may also want to find out if management knew this and failed to correct it.


Sidney Vianna

Michelle, whenever the organization establishes a process/procedure but it is not followed, you can claim that the method needed to ensure the effective operation of the process is not being applied, which violates the (high-level) requirement contained in ISO 9001:2015 4.4.1 c). You can also look at 4.4.1 f) for this specific case.

Sometimes we get too hung up on finding a pigeonhole for a finding, nonconformity, observation, etc. The key issue is to report what you found, and IF TOP MANAGEMENT IS SERIOUS about the audit results, they will take appropriate action for the sake of business performance.

A very strong suggestion I have for you is to make clear to TOP MANAGEMENT the problems with CS not doing their share of updating risks along the life cycle of the order. Until you can PROVE, with EXAMPLES (the more recent, the better) of snafus, customer dissatisfaction, financial losses, etc., that the issue is REAL, top management might not pay attention to what you are reporting. In other words, what are the REAL BUSINESS IMPLICATIONS of the lack of discipline in CS in terms of risk updating? They might consider that part of the process a valueless bureaucracy that just drains time (resources) without adding any significant business benefit. Connect the dots for management, if you have actual data. Otherwise, chances are you might be deemed a nit-picker....

Good luck.
Another place to look would be Management Review. 9.3.2 e) requires discussion of the effectiveness of actions taken to address risk. In your case it appears that no action was taken at all.

Jim Wynne

> So, Quoting prices for the risks but the quotes are inaccessible to the team responsible for fulfilling the quote, is that right?

I'm not seeing where the recording of risk by CS had anything to do with pricing. In fact, at this point we don't know what types of risks are involved, so it would be good if the OP could explain. Also, it's almost never a good idea to cite the standard in internal audit NC reports. The organization's own requirements should be cited, in which case it should be clear what requirement was unfulfilled. It should be noted that the organization's internal requirements might not (in some cases) be traceable to the standard at all.

Thank you all very much for your help, your advice is so much appreciated!

All that was written above actually proves that this type of issue may belong to multiple areas: either communication, or actions not completed, or risk effectiveness. I know for sure that this is a nonconformance against internal requirements; I was just worried about the clause from the standard that I would choose (I know that sometimes we may not have an applicable clause for an internal requirement, but in this case I had a very strong feeling that we had...).

I've already talked with several managers about this and everybody understood the issue; we even talked about some possible solutions, e.g. adding more controls to the process and training/retraining CS. What is the purpose of assessing risk if nobody knows about it?? CS personnel receive the orders and are supposed to review that risk, which may have changed since the quote was sent; it could be either higher or lower or no risk at all... If they are the only ones able to retrieve the quotes, they have to inform those implicated. I think we also need to work more on "how they would inform others".

Again, thank you very much.