Informational How the addition of "Risk" will affect ISO 9001:2015

Marc

Fully vaccinated are you?
Leader
My point is companies are typically already doing this so the bottom line is people now have to be ready to discuss "risk" with the auditor. It's not as if there are many companies that do not consider risks in many, many ways, and typically there are risk assessments even though not all "risk assessments" are necessarily documents.
<snip> I fall into the camp where I think that auditors will want to see the usual risk management tools present, like FMEA, SWOT, etc. <snip>
So show them and explain how risks are assessed and dealt with in various ways throughout the company. Not a big deal. It's no more than prepping for the "exam" (audit), so to speak. The auditor is going to ask someone something like "...how does your company do risk based thinking..." and someone has to be ready to answer.

Some of this is a bit much because, for example, an auditor can't write up something like "You don't use FMEAs". There isn't a specific requirement for FMEAs to be used by ISO 9001 for the auditor to write the company up for.

I'm in the camp of "You're already doing this. Be ready to explain to the auditor what you do."

I think the "risk" thing is being overhyped as if it's something new. It isn't.
 
Marc,
I couldn't agree more, this is why I pointed out that ISO already works with risk through other avenues.

".. I think the "risk" thing is being over hyped as if it's something new. It isn't...".

Right, just having the spotlight shone on it now I guess.
My concerns lie with how our primes decide to implement it, since it is they who call the shots, and their interpretations of it we would have to follow.
If past history is any indication, then this will be a real mess.
 

John Broomfield

Leader
Super Moderator
But the nebulous RBT requirement will have people flocking to the Registrars for their training and asking Registrars for advice on:

"How much evidence of RBT must I have?".

Perhaps that was the objective all along. :sarcasm:

Already we have too many auditees asking their auditors for advice. This'll make it ten times worse.
 

charanjit singh

Involved In Discussions
Risk Based THINKING! How do we audit somebody's 'thinking'? And if the risk thing has always been there (and it is there in all walks of life) why put in ISO 9001, when we are told that formal Risk Management is not needed? What value does it add to the standard? :confused:
 

Paul Simpson

Trusted Information Resource
I take it nobody feels the current TC 176 guidance is sufficient? :notme:

To be fair to the working group they are trying to fix a problem that has been around for years. You only have to do a search on the Cove for 'preventive' or 'preventative' action to see that the whole quality world doesn't have a common view of risk and where it fits in quality management. :nope:

Just to be clear nobody is going to be audited against RBT as it isn't a requirement in 9001. From the DIS (soon to be FDIS) the RBT requirements are captured in 4.4 f, 5.2, 6.1, 9.1.3, 9.3.2, 10.2.1. The only requirement is for top management to promote RBT and all the requirements are captured under 'risks and opportunities' (above).

I get the concern that once you let 3rd party auditors loose on this it could become a dog's dinner but I see the purpose of sites like the Cove and discussions like this one to capture industry's perception of what the new requirements mean and challenge some of the misinformation out there.
:deadhorse:

For my part I have a clear plan for how my QMS will address the 'new' requirements - and there isn't much change. I'm prepared to discuss it with my external auditor but don't expect them to require much in the way of change. :argue:
 

charanjit singh

Involved In Discussions
Paul, I am a little confused. You have mentioned "...nobody is going to be audited against the RBT as it isn't a requirement". Fine.

But the next line states "...the RBT requirements are captured in 4.4f, 5.2, 6.1, 9.1.3, 9.3.2 and 10.2.1..." And again

"The only requirement is for the top management to promote RBT."

Will these not give enough material for a third party auditor to demand hand evidence of compliance with this "requirement" of Risk Based Thinking?
 

Paul Simpson

Trusted Information Resource
Paul, I am a little confused. You have mentioned "...nobody is going to be audited against the RBT as it isn't a requirement". Fine.

But the next line states "...the RBT requirements are captured in 4.4f, 5.2, 6.1, 9.1.3, 9.3.2 and 10.2.1..." And again

"The only requirement is for the top management to promote RBT."

Will these not give enough material for a third party auditor to demand hand evidence of compliance with this "requirement" of Risk Based Thinking?

Hi, Charanjit. I made the distinction between RBT that is mentioned once in the requirements to promote RBT (whatever that is) under clause 5.1 d.

All of the other clauses mentioned place requirements on the organisation to identify and manage risks and opportunities. So any 3rd party auditor should be asking questions about how the organisation addresses the specific requirements under organisational context, processes, management review etc.

Hope this helps.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Risk Based THINKING! How do we audit somebody's 'thinking'? And if the risk thing has always been there (and it is there in all walks of life) why put in ISO 9001, when we are told that formal Risk Management is not needed? What value does it add to the standard? :confused:
Auditors will expect to see evidence that risk evaluation is applied in order to determine where operational controls are needed, and monitoring and measurement is to be done to confirm requirements (both customer and your internally decided requirements based on, for example, your business case) are met.

There is a lot of concern involving what will be considered acceptable. I can offer that my training so far stressed no FMEAs are required and registers (similar to Aspects and Impacts in environmental systems) are not required. That means auditors should - should - apply some imagination in what "evidence" means because the standard will not prescribe what form the evidence will take.

I hope this helps!
 