I'm @ RISK of not showing my RISKS!

[Robert Stanley]

Thank you all very much - this has been helpful!

 

[mmasiddiqui]

Thank you all very much - this has been helpful!

I am a certified Internal Auditor. Implementing ISO 9001:2015 in our business, I may know a thing or two.
I have made sure, the risk and opportunities are discussed at various levels in the Business. Each function/ department have their own risk that prevent them from sleeping at night and opportunities that make them excited to milk the benefits. Then these are rated such that the Management have a list of Risk and Opportunities that are discussed in their Management Reviews. The risk and opportunities will be both internal to the business and external to the business as well.
You will also have to mention the criteria, what risk is important and why it is important. There should be an Impact effort matrix for opportunities and Cause and effect matrix for Risks. Your auditor will surely ask you, why you chose to work on certain risk/opportunities and not others. This matrix will give him the justification on why you decided to work on one vs others.
If you need more information, I can help you.

 

[qualprod]

I am a certified Internal Auditor. Implementing ISO 9001:2015 in our business, I may know a thing or two.
I have made sure, the risk and opportunities are discussed at various levels in the Business. Each function/ department have their own risk that prevent them from sleeping at night and opportunities that make them excited to milk the benefits. Then these are rated such that the Management have a list of Risk and Opportunities that are discussed in their Management Reviews. The risk and opportunities will be both internal to the business and external to the business as well.
You will also have to mention the criteria, what risk is important and why it is important. There should be an Impact effort matrix for opportunities and Cause and effect matrix for Risks. Your auditor will surely ask you, why you chose to work on certain risk/opportunities and not others. This matrix will give him the justification on why you decided to work on one vs others.
If you need more information, I can help you.

More than satisfy the auditor, is to satisfy the needs of your organization.
The standards doesn't require to evaluate risk level nor to be documented, according to what Tony's recommended, however , in order to give a more appropriated treatment to risks (my case) we apply criteria to evaluate risk level.
But none auditor should require as mandatory, to evaluate risk level.
Is up to you the way it is addressed.
My two cents.

 

[Ninja]

I am a certified Internal Auditor. Implementing ISO 9001:2015 in our business, I may know a thing or two.

Wrong forum to brag in... just sayin'... why don't you look at the credentials of the folks here...some of the folks you're bragging to may have written the training materials you used to get certified...

 

[mmasiddiqui]

More than satisfy the auditor, is to satisfy the needs of your organization.
The standards doesn't require to evaluate risk level nor to be documented, according to what Tony's recommended, however , in order to give a more appropriated treatment to risks (my case) we apply criteria to evaluate risk level.
But none auditor should require as mandatory, to evaluate risk level.
Is up to you the way it is addressed.
My two cents.

I am yet to see a business which is free of risk and without opportunity. Anyway, resources to address them are surely limited.

 

[tony s]

You've already received some really good council here. Allow me to add a "visual", which may help you...

4 -> 6.1 -> 9.3

Just want to add:

4 -> 6.1 -> 8.1 -> 9.3

 

[Marc]

FYI - To all:

@mmasiddiqui says:

There is nothing to brag here. I am providing my credentials to make sure Bob knows the suggestion is proven during audits. I'm surprised that you can twist things the other way, which was not my intention.
------------------------------------------------------------------
Please folks - Chill - Please keep this professional, not personal.

Thanks!

 

[Robert Stanley]

Everyone, this has been very helpful! I'm so glad I was introduced to Elsmar. I mentioned this site in my Lead Auditor training class (QAI; through Exemplar Global) and the instructor had everyone stop what they were doing so that they could write down "Elsmar Cove" because according to him it is, "a fantastic resource." But back to the theme of the thread: I found some old FMEA's (Failure Modes and Effects Analysis) for the equipment and referenced those as showing risks (lazy I know). I'm thinking this will likely not suffice and I am planning a meeting with everyone where they can tell me their risks. I'll offer that documentation as well during my audit (June 1st). Do you guys think the combination of the FMEA's and a record of risks from the staff will be sufficient?

 

[Ninja]

Leave out the FMEA's and you're likely good to go...Identify the risks and opportunities, that's the requirement, no?

 

[qualprod]

Everyone, this has been very helpful! I'm so glad I was introduced to Elsmar. I mentioned this site in my Lead Auditor training class (QAI; through Exemplar Global) and the instructor had everyone stop what they were doing so that they could write down "Elsmar Cove" because according to him it is, "a fantastic resource." But back to the theme of the thread: I found some old FMEA's (Failure Modes and Effects Analysis) for the equipment and referenced those as showing risks (lazy I know). I'm thinking this will likely not suffice and I am planning a meeting with everyone where they can tell me their risks. I'll offer that documentation as well during my audit (June 1st). Do you guys think the combination of the FMEA's and a record of risks from the staff will be sufficient?

I your are newbie , I will not recommend to implement FMEA.
Start in the easiest way, as Tonys suggested.

Is more complex then just PXI (probability x impact), In FMEA, there are 3 aspects to consider.
and is required to have some training.

Hope this helps