IATF 16949 Clause 6.1.1 - My first Major NCR (Management Review)

[rkk2014]

Hi,
Very recently, we had undergone a transition audit from IS/TS 16949 to IATF 16949, We have done risk analysis for every function, except that for Manufacturing ( for which we are having PFMEAs).
Risk Analysis is pretty simple
In first Column you write Process Steps, against each step identify risks in terms of 6m, then categorize them, it is up to you or as per process needs, which risks, you want to take actions, accordingly categorize them and make action plans.

 

[Andrei77]

Hello,

I got the same thing (Major) but not against Management review which I think its much more out of place than mine. I got my non-conformity against 4.4.1 Quality management system and its processes (letter f. address the risks and opportunities as determined in accordance with the requirements 6.1). Of course, if you look at both these requirements there's nothing there that requires you to risk assess all processes. However, we got a Major non-conformity.
Our auditor has suggested we can use SWOT analysis / FMEA but I think its overkill and also it's not helping anyone here. We have a contingency plan in place that covers all the areas of risks that can disrupt deliveries, in my mind this is an output of risk analysis but the auditor said we have to analyze all our processes, not just business ones. Where does it state that? I know that this standard is all about preventing risks but we already have FMEA`s in place and a contingency plan but is not enough.

I would really appreciate your thoughts on this.

Thank you.

 

[Andrei77]

I totally agree with AndyN. There is nowhere in the standard asking to do a risk assessment. Its all about Leadership and the way they deal with internal and external issues and how they integrate them into the strategic direction.

We got SWOT and PESTLE analysis but its still wasn`t enough. Our auditor has seen a different way in another company and when he came in here went straight to this requirement and immediately said this is a Major non-conformity.

 

[rkk2014]

If we read 4.4.1 , It mentions......
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;

I think this means....We will have to evaluate risks & opportunities for the every process needed for QMS and its application....that means Core & Support Processes both.
Standard is silent on How to identify / analyze / prioritize / mitigate risk ,
whether you do it thru SWOT / FMEA /PESTLE / or develop your own guideline, whatever suits you best.
In our Company, Since we are part of Automotive Chain, for Core Processes we had PFMEAs while for Support Processes , we developed our own guideline on the basis of ISO 31000

 

[AndyN]

I totally agree with AndyN. There is nowhere in the standard asking to do a risk assessment. Its all about Leadership and the way they deal with internal and external issues and how they integrate them into the strategic direction.

We got SWOT and PESTLE analysis but its still wasn`t enough. Our auditor has seen a different way in another company and when he came in here went straight to this requirement and immediately said this is a Major non-conformity.

Your auditor is looking for something beyond what's reasonable. If you have done a SWOT analysis, that enough to identify internal (S, W) and external (O, T) issues. If an NC was written, reject it back to your CB and tell them to do the audit over, at their cost...

 

[Andrei77]

Thank you for your input AndyN. Trust me I am very argumentative and sometimes I`m even more than that and I have argued a lot with this auditor. I just think that haven`t got the faintest idea of what they should find some they take for granted what they see in other places and they believe its right and kind of apply it in different places.

I got even a minor non-conformity for a note of a requirement. "7.5.1.1 Quality management system documentation. NOTE A matrix of how the requirements of this Automotive QMS standard are addressed by the organization processes may be used to assist with linkages of the organization`s processes and this Automotive QMS." and for that, I got minor non-conformity. In my mind, this is a non-conformity of the Auditor that the CB would have to raise against him.

 

[rkk2014]

Conducting SWOT is not sufficient.
As per 6.1.2, You must plan Actions on identified Risks and your actions must be integrated to QMS (Ref : 6.1.2...(1)).
You cannot take equal actions with equal priority on all risks, hence you will have to prioritize the Risks.
Some of the Risks you may accept, some may be under control that will become opportunity (take actions for strengthening ....if Risk is of High Impact), Some may not be acceptable to you...Critical to your business & QMS......Accordingly Plan your actions bring controls and integrate into QMS.

Hence for doing all this you must identify, Analyze and Prioritize actual as well as potential risks.
Standard talks about Risk in every Clause right from 4.0 to 10.0

7.5.1.1......You will have to make a matrix how your each Process is addressing the IATF Clauses. This is not a new requirement.......

 

[Big Jim]

Thank you for your input AndyN. Trust me I am very argumentative and sometimes I`m even more than that and I have argued a lot with this auditor. I just think that haven`t got the faintest idea of what they should find some they take for granted what they see in other places and they believe its right and kind of apply it in different places.

I got even a minor non-conformity for a note of a requirement. "7.5.1.1 Quality management system documentation. NOTE A matrix of how the requirements of this Automotive QMS standard are addressed by the organization processes may be used to assist with linkages of the organization`s processes and this Automotive QMS." and for that, I got minor non-conformity. In my mind, this is a non-conformity of the Auditor that the CB would have to raise against him.

That's a truly misguided auditor. You cannot audit to a note. Notes are not shalls. They provide insight and illumination but are not requirements.

Call your certification body and tell them what you have run into and ask for that nonconformance to be withdrawn. Don't just ask, insist.

 

[Big Jim]

Hello,

I got the same thing (Major) but not against Management review which I think its much more out of place than mine. I got my non-conformity against 4.4.1 Quality management system and its processes (letter f. address the risks and opportunities as determined in accordance with the requirements 6.1). Of course, if you look at both these requirements there's nothing there that requires you to risk assess all processes. However, we got a Major non-conformity.
Our auditor has suggested we can use SWOT analysis / FMEA but I think its overkill and also it's not helping anyone here. We have a contingency plan in place that covers all the areas of risks that can disrupt deliveries, in my mind this is an output of risk analysis but the auditor said we have to analyze all our processes, not just business ones. Where does it state that? I know that this standard is all about preventing risks but we already have FMEA`s in place and a contingency plan but is not enough.

I would really appreciate your thoughts on this.

Thank you.

That is a horrible overreach. Talk to your certification body and insist that it be withdrawn and that they do something about training the misguided auditor.

 

[Golfman25]

If we read 4.4.1 , It mentions......
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;

I think this means....We will have to evaluate risks & opportunities for the every process needed for QMS and its application....that means Core & Support Processes both.
Standard is silent on How to identify / analyze / prioritize / mitigate risk ,
whether you do it thru SWOT / FMEA /PESTLE / or develop your own guideline, whatever suits you best.
In our Company, Since we are part of Automotive Chain, for Core Processes we had PFMEAs while for Support Processes , we developed our own guideline on the basis of ISO 31000

That is an unfounded stretch reading of the standard. 6.1.1 deals with the risk evaluation. 4.4.1 has a-h subparts. Each of the subparts, except for f, has the word processes in it. All f does is refer us back to the risk evaluation in 6.1. Did they make a mistake or purposely leave out "processes?" If they wanted risk analysis on all processes, the powers that be could have said so. They did not.