pldey42
Marc's earlier post said:
For someone to say that the new ISO 9001 requires no preventive action is, I think, misleading.
While some may indeed use RM to dodge difficult contract conditions, I don't think that's the intent. I do think it's trying (perhaps with clumsy wording, but RM is an ill-defined art) to capture what responsible organisations have been doing all along, with process capability measures, risk-based supply chain management, FMEA and so forth.
For software I think this will be helpful. Very few software orgs in my experience use FMEA even though it's common in manufacturing. Now, they'll have to do something like it. The same will be true, I think, of services industries.
The Quality Digest article does raise the possibility of attracting legal problems by documenting risks and that could, perhaps, be a minefield. Yet public companies already have to disclose risks to shareholders, so I'm not sure that it's a real problem.
I think there are some precedents for this being set in ISO 27001, information security management. It's often used as a contractual condition to safeguard sensitive data, especially when it's personal information which is governed in the UK by the Data Protection Act and governed by a regulator called the Information Commissioner. My understanding is that the information commissioner does not expect perfect security, nor zero risk. Rather, as the standard requires, proportionate controls and risk mitigations are expected. ISO 22301, business continuity, is similar.
The problem BP had in the Gulf was an extreme example of doing it wrong, and not in the spirit called for. They were drilling deeper than ever before, and despite having done risk assessments, they had no meaningful risk mitigation plan. So they wrote to the relevant US regulator and said, "We have no risk mitigation plan, as required by the regulations. Can we start drilling anyhow please?" The regulator wrote back: "Yeah, ok." Both BP and the regulator (which at that time also collected taxes due on oil revenues, and has since been relieved of that duty by the Obama administration) wanted the money more than the risk mitigation.
So yes, I agree, in the wrong hands it'll go wrong. But the wrong hands will always find a way.
For those organizations that want to keep their promises, I can only see RM as a good thing for increasing their chances of doing so in an uncertain world. For example, some organizations are using business continuity and its risk-based approach to maintain on-time delivery schedules despite disruptive events like losing electric power, flooding and so forth - especially important when they're saving money by manufacturing in places where labour is cheap, and infrastructure is weak.
Pat
Also notice opportunities in 6.1 a)
"The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions."
For me, this is the equivalent of the old preventive action requirement, but now (assuming it stays in something like this form) explicitly basing preventive actions on risk assessments.