I agree with Bev, however in all the discussions of "risk based thinking" and related "risk" discussions, the ISO folks and many hundreds of consultants have, in my opinion, just stirred a pot of "stupid".
Why do I say that? After what is now over 30 years since I was first involved in "quality assurance" (some of you may remember I was a biology major with a chemistry minor in college, so long story of how I ended up in the "business" world), what I have consistently seen is a lack of reality in thinking, and a lot of a lack of common sense (e.g.:
Common Freaking Sense and
Is Common Sense Learned, Taught, Inherent or An Outcome Of Life Experience?). People are WAY overdoing the "risk" thing to the point that people are reacting as if it's new and spending countless, mostly useless hours trying to "meet the requirements of the standard".
If I had a nickel for every hour spent by people in companies all over the world "trying to comply with the standard" producing mostly useless documents, and I shared it with my extended family (which I would, were I that rich), then, as it is with the Walton family of Wal-Mart fame, no one in my extended family, as well as generations to come, would ever have to work (as in have a job). Well, maybe not that rich, but I'd have one heck of a chunk of cash... Just a nickel an hour. Think about how much ISO 9001 is costing on a worldwide basis just on "risk based thinking" alone.
Think rationally and realistically. For example:
Political risk - OK, put it on a list and simply state it is not something that can typically be predicted and prepared for by 99% of companies. Not to mention, what type of "political risk"? There are many kinds, from the overthrow of a government to the lesser, but still significant, numerous potential changes in local/state/federal laws which are typically political rather than data based. And what about wars? What about the Brexit vote?
Commercial agreements in other countries - Again, put it on your list. That is evidence you have considered it, which is all the standard requires. You can't even ensure that a commercial agreement (aka contract) within your country will be adhered to, so add that as well. Over the years I've seen so many contracts broken for one reason or another that, while not typical, it isn't unusual. Thing is, it can't be predicted for every contract. If it can't be predicted, no concrete, reliable plan can be made for it. This is not to mention, think about how many various contracts a company of any size will have. One may say "Well, we could predict a potential that this contract may be broken and plan for it..." but think about that for a minute. Can that be said about every contract a company has? And again, Brexit is currently in play as another example...
Natural disaster - Some can be planned for, at least to some degree, but most can't (realistically). How are you going to plan for an earthquake that destroys a production facility? How are you going to do anything to mitigate the total loss of a production facility in a location? Build a "back-up" facility in a location, let's say 200 miles away, fully equipped with production equipment, measurement and test equipment (etc., etc.) and let it sit idle as you wait for an earthquake, a flood, a tornado, a hurricane, a forest fire, a catastrophic dam failure (etc.) which may or may not ever occur? Or are you going to move everything to a new state (country, whatever) where there is, for example, a low risk of flooding or earthquakes, but a high risk of tornadoes and/or wildfires? There is no location with no risks.
Single source supplier - Bev's statement is well taken, but not every company can have two sources for every component, every sub-assembly, every raw material, every service. Yes, for some companies it is possible, but for most? I don't think so.
We could produce a 20 page, single spaced list of potential risks in a small company. For a large company one could produce a list of 500 pages (or 1000, or more!) of the potential risks alone, not including an analysis for each.
ISO 9001:2015 only requires "risk based thinking", which companies are doing anyway whether they realize it or not. It doesn't require 100 pages of potential risks, much less an analysis for each.
I do suggest people read through some of the existing "risk based thinking" discussions here -
https://elsmar.com/Forums/tags/risk management and analysis/
I also highly recommend that people read through other posts Bev has made, as well as Jennifer and Sidney, about "risk based thinking" compliance to ISO 9001:2015 -
Remember - You can search for all posts a specific user has made by simply clicking on their name in any post they make (you will get a "drop down" list with options, one of which is "Find all posts by <Name of the poster>").
Anyway - My
Too many people are overthinking the "risk based thinking" requirement and are wasting a heck of a lot of time on unnecessary "work" they think is required to meet the requirements of the standard.
I leave you with the following....
Today we mourn the passing of a beloved old friend - Common Sense