Dilemma about choosing the most applicable clause related to Risk

[MichelleN]

It could be related to material or product/production/equipment or Quality, etc.
Thanks, I believe I have my answers now.

 

[skb76]

all,

(I had troubles trying to figure out what clause would be the most appropriate to use in this case: 4.4.1 f), 5.1.2 b) or 6.1.2)
(I audited Quoting and Customer Service and found that Quoting guys had assessed risk and loaded applicable info into the system...);
~i guess the Quote guy already fulfill the 6.1.2 (at the first place)

(CS would not review the risk from there and neither communicate it to the areas involved)
~4.4, ~5.1.2 is more on 'Top Management'; to plan and address the r&o..my guess)
so, if the (CS would not review..) down to a person/department; how about considering clause 8.2.3 (if really want issue NC)

#and by the way, should every 'single' quote needs to address risk at the first place? ..

And, if overall; as many suggested, 7.4 suitable in this case ...

And, if you insist, 6.1.2/or whatever is right clause, then i guess when external audit, you have concrete answer to 'counter' them ..

as usual,

p/s advise

thanks in advance!..

 

[Tagin]

...but after the customer order is received, CS would not review the risk from there and neither communicate it to the areas involved (such as production, purchasing, scheduling, etc). We also have an internal instruction that requires risk monitoring and communication...

...CS personnel receive the orders and are supposed to review that risk, that maybe changed since the Quote was sent, could be either higher or lower or no risk at all... If they are the only ones able to retrieve the quotes, they have to inform those implicated. I think we also need to work more on "how they would inform others"..

It sounds simply like: 1) you have a process in place that CS was supposed to be following, and 2) they are not following it. (The fact that what they were not following had to do with risk is somewhat besides the point.) If so, I see this as falling under some or all of:

• 8.5.1c - the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs...have been met
• 8.5.1e - the appointment of competent persons, including any required qualification
• 8.5.1g - the implementation of actions to prevent human error
• 7.2b - ensure that these persons are competent on the basis of appropriate education, training, or experience;

 

[qualprod]

I audited Quoting and Customer Service and found that Quoting guys had assessed risk and loaded applicable info into the system, but after the customer order is received, CS would not review the risk from there and neither communicate it to the areas involved (such as production, purchasing, scheduling, etc). We also have an internal instruction that requires risk monitoring and communication.

I have raised an audit nonconformance about risk not being reviewed and communicated, against internal requirements and when I got to add the clause from ISO 9001:2015, I had troubles trying to figure out what clause would be the most appropriate to use in this case: 4.4.1 f), 5.1.2 b) or 6.1.2 b)1) ??

I would very much appreciate the help, because really... I am quite troubled about the fact that sometimes I think it's one clause, later I choose another one and after a while return to the first choice, etc... to me, the standard does not appear very clear about some references to risk.

MichelleN
I think that instead of trying to find the real cause, it may be of more benefits to redefine the risk process.I don't know what your businesses is, but trying to evaluate/manage the risk in each customer order , really it can be very disappointed for people, it's a crazy activity, very time consuming and that doesn't add value.
Maybe is better to define a practice to evaluate risks, maybe in orders of certain products or price (e.g. $10,000 and up), you re not going to evaluate risk in a customer order of $300 USD .
Establish a criteria for risk in CS.
Hope this helps

 

[tony s]

I tried to analyse what clause in the standard would fit this. To me it seems that "we do not take actions" because in this instance communication is also part of the action. Also it may be that we have a problem with "implementation" or about not "addressing risks"... so I am very confused...

According to 6.1.2: "plan actions to address risks.... plan how to implement the actions into the processes". But this statement is about planning not implementation. If you use 4.4.1f, it requires the organization to "address risks as determined in 6.1". If your plan of action to address risks is through "communication" then, I believe, you should satisfy the statement in 8.1 where it says "implement the actions determined in clause 6"

 

[qualprod]

According to 6.1.2: "plan actions to address risks.... plan how to implement the actions into the processes". But this statement is about planning not implementation. If you use 4.4.1f, it requires the organization to "address risks as determined in 6.1". If your plan of action to address risks is through "communication" then, I believe, you should satisfy the statement in 8.1 where it says "implement the actions determined in clause 6"

Tony's
Could you give example about when to raise the NC regarding risks? In 4 ,6 and 8?
Could you raise the NC because risk was implemented but not planned?
Thanks

 

[tony s]

Could you raise the NC because risk was implemented but not planned?

We don't plan and implement risks, we address them (4.4.1f). The actions to address risks are the ones we plan (6.1.2) and, as part of the controls in the operation, the ones we implement (8.1).

 

[qualprod]

We don't plan and implement risks, we address them (4.4.1f). The actions to address risks are the ones we plan (6.1.2) and, as part of the controls in the operation, the ones we implement (8.1).

Sorry Tony's the question was wrong,
The correct, Is , Is it possible to rise a NC because that actions were implemented, but not planned?
E.g. NC raised in 6.1.2?
Thanks

 

[tony s]

Is it possible to rise a NC because that actions were implemented, but not planned?

How can an auditor say what was implemented was not planned? Let say a delivery van, on its way to the customer site, encountered a traffic jam on its regular route. The driver took an alternative route to proceed with the delivery. However, taking an alternative route was not mentioned as part of the actions in their delivery risk assessment tool. Can the auditor raise an NC because it was not part of the plan? I don't think so.

 

[Kronos147]

Per our internal instruction CS has to review the risk assessed and communicate it, but it does not happen.

Instead of a 'clause' write it against the procedure. Why have a procedure if it's not followed? Or what's wrong with the procedure, has it 'morphed' away from written\actual?

Root cause and additional requirements may follow, but as an internal auditor it seems the focus should be on your process and procedures rather than even assessing what clause is applicable.

That being said, the process ID as per 4.4 often includes information about requirements applicable to the process, or, if not, the audit plan should. That would narrow your focus on what clause to cite.