My point is companies are typically already doing this, so the bottom line is people now have to be ready to discuss "risk" with the auditor. It's not as if there are many companies that do not consider risks in many, many ways, and typically there are risk assessments even though not all "risk assessments" are necessarily documents.
So show them and explain how risks are assessed and dealt with in various ways throughout the company. Not a big deal. It's no more than prepping for the "exam" (audit), so to speak. The auditor is going to ask someone something like "...how does your company do risk based thinking..." and someone has to be ready to answer.
<snip> I fall into the camp where I think that auditors will want to see the usual risk management tools present, like FMEA, SWOT, etc. <snip>
Some of this is a bit much because, for example, an auditor can't write up something like "You don't use FMEAs". There isn't a specific requirement for FMEAs to be used by ISO 9001 for the auditor to write the company up for.
I'm in the camp of "You're already doing this. Be ready to explain to the auditor what you do."
I think the "risk" thing is being overhyped as if it's something new. It isn't.