Effective use of a Risk Register - Bumper sticker or Mission Control ?

normzone

Trusted Information Resource
We have successfully avoided implementing a Risk Register for several years, but our most recent auditor convinced us it was a path to follow.

The examples I've been looking at range from default smoke and mirrors -

"We're good, it's all good, and if it wasn't, we'd execute one of plans 01 thru 23!" ...

... to tables alleging to be actively managed to-do lists regarding all known risks, naming the persons responsible for the action items managing said risks and their due dates ...

Working with an organization that ineffectively addresses action items and their owners, the latter has its appeal.

But I can see that having its own failure mode, since we're already less than devout about such matters.

Your opinions, counsel, and any general scoffing would be welcomed.
 

Randy

Super Moderator
our most recent auditor convinced us it was a path to follow

Convinced you it was a path to follow? So your auditor has turned consultant? It's for you to determine a path to follow, and not that goofball's. Replace the auditor and do what effectively meets your needs as well as the requirements you have to meet.

You can make all the extra work for yourself you want, but stumble, trip, fall or fail with following your planning and it's on you.
 

normzone

Trusted Information Resource
We attempted to demonstrate that we address risks adequately, but the auditor was not satisfied with our arguments, and had little difficulty demonstrating that we were not flawless regarding this issue. A different auditor made the same case last year, and after much discussion we decided we were not implementing an RR. This year's auditor, the most stringent I have ever met, presented arguments that wore down our resistance.

I agree with "stumble, trip, fall or fail with following your planning and it's on you", and since "you" happens to be me and a first-time Quality Manager I am training, I am leaning towards simpler is better.

All the usual problems remain though -
 

geoffairey

Involved In Discussions
There’s nothing in the standard which requires a documented Risk Register, however you still have to be able to prove to the auditor that your company are managing risk adequately.
To be honest though, implementing a register for show sounds like a lot of work (probably for you) with very little benefit to you or the company and any half decent auditor will quickly see through it (unless they’re similarly just looking for a token document).
How are your Senior Leadership Team managing risk at the moment?
 

Randy

Super Moderator
We attempted to demonstrate that we address risks adequately, but the auditor was not satisfied with our arguments, and had little difficulty demonstrating that we were not flawless regarding this issue. A different auditor made the same case last year, and after much discussion we decided we were not implementing an RR. This year's auditor, the most stringent I have ever met, presented arguments that wore down our resistance.

I agree with "stumble, trip, fall or fail with following your planning and it's on you", and since "you" happens to be me and a first-time Quality Manager I am training, I am leaning towards simpler is better.

All the usual problems remain though -

The only requirement is "Risk based THINKING". Have your Dilbert auditor review "A.4 Risk-based thinking" in the 9001:2015 document.

Look, I've been doing this 3rd party stuff for 20 years now, I've taught about 200 lead auditor courses across multiple ISO standards and in every single one of them at one time or another I told the folks who'd spent a couple thousand $$$ the same thing: As an auditor it doesn't matter what you want, hope, desire, like, or wish for, you're not part of the equation. The only things that matter are:
1-Are the requirements understood?
2-Are the requirements met?
Everything else is a load of Horse---t
 

Bev D

Heretical Statistician
Leader
Super Moderator
I don’t see that a risk register or any other piece of paper will help you if management doesn’t care to manage risks in any appropriate way. You are focusing on the wrong gap.
 

Randy

Super Moderator
I don’t see that a risk register or any other piece of paper will help you if management doesn’t care to manage risks in any appropriate way. You are focusing on the wrong gap.
That's not the stated problem. The problem is the 3rd party auditors making requirements up to satisfy their thirst for easy audit evidence.
 

Bev D

Heretical Statistician
Leader
Super Moderator
Yes the auditor has overstepped their authority. The OP should not be swayed by a requirement that doesn't exist.

But I interpreted the OP’s question as including the general question regarding addressing risk regardless of the standard. He does seem to have a problem there.

So perhaps the OP can clarify: is the question about (perceived) compliance with the standard? Or is it about how to improve risk management and therefore Quality in his organization? Or both?
 

Mike S.

Happy to be Alive
Trusted Information Resource
The problem is the 3rd party auditors making requirements up to satisfy their thirst for easy audit evidence.

This is a problem I have encountered many times. And the desire (pretty much demand) of the auditor to see a risk register/FMEA was one of the issues raised. An auditor wants to see X because that's how most people do it and it is easy for them to document and they don't have to think too much or take too much time trying to understand how your methods Y and Z also meet the requirements of the standard.

This has happened more often over the years; not sure if it is because of auditors becoming lazier or less competent/capable, or due to ever more demands placed on them while pay is not keeping up, or a combination of things.

The Bozo who fought me on the risk register/FMEA was a "doctor" (Ph.D.) and he would frequently remind you how smart he was, you didn't have to ask.
 

Johnny Quality

Quite Involved in Discussions
normzone,

What clauses are your 3rd party auditors claiming you are not meeting and hope to fulfill by adding a "risk register"?
 