Informational Is Identification of Risks and Opportunities required for QMS Processes?

morteza

Quite Involved in Discussions
#31
This is one of ununderstandable topic of 9001:2015. ISO TC 176 does not provide the clear explanation about that. ISO/TC 176/SC 2/N1289 THE PROCESS APPROACH IN ISO 9001:2015 only states:
"These three concepts together form an integral part of the ISO 9001:2015 standard. Risks that may impact on objectives and results must be addressed by the management system. Risk-based thinking is used throughout the process approach to:
• Decide how risk (positive or negative) is addressed in establishing the processes to improve process outputs and prevent undesirable results
• Define the extent of process planning and controls needed (based on risk)
• improve the effectiveness of the quality management system
• maintain and manage a system that inherently addresses risk and meets objectives."
Very general and poor explanation indeed!
I personally use and suggest you the following approach:
Initially, take into consideration the requirement of 4.4.1 f. "The organization shall ... address the risks and opportunities as determined in accordance with the requirements of 6.1";
Following this statement, cl.6.1 "Actions to Address Risks and Opportunities" is a starting point in the risk-based thinking and the main purpose here is to determine the risks and opportunities that need to be addressed in QMS at a whole.
After risks determined the organization shall integrate and implement the actions into its quality management system processes (cl. 6.1.2). In the other words - divide risks between processes.
Therefore, for some processes risks will be relevant, but for others - irrelevant.
My conclusion - there is not any DIRECT requirements in 9001:2015 to identify risks and opportunities for ALL QMS processes.

Any opinions will be appreciated!
Dear all,

I searched much on this topic after my initial post. I believe that MVladimir is right.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. emerge of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (reduction of product price). These action shall implement through QMS processes,(reduction waste in production process, providing raw material with lower price by supply process, etc.) as it has been referred in clause 6.1.2 and has been stated in clause 4.4.1 f).

Totally, I think ISO 9001:2015 does not require to determine risks and opportunities for any processes. It requires to determine risks that effect on organizational objectives, and plan treatment actions and implement them through processes.

What are your idea, friends?
 

Jim Green

Involved In Discussions
#32
I am not getting something. The whole ISO system was created as a way to control/ mitigate RISK! Starting back to the 20 elements in 1994, to the process approach in 2000, til now. It is inherent within Quality System Management. I gotta admit, not really impressed with the upgrade. if you already had a robust system, this stuff is covered. So, when it is time to "Promote risk based thinking" I will turn to 21 years of ISO certification as proof positive , objective evidence:cool:.
 
#33
I am not getting something. The whole ISO system was created as a way to control/ mitigate RISK! Starting back to the 20 elements in 1994, to the process approach in 2000, til now.
Was it? Viewed from which perspective? If I recall correctly, the 94 version wasn't much of a change from 87 and the organization's customers' satisfaction wasn't mentioned... So what risk is being considered?
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#34
So, when it is time to "Promote risk based thinking" I will turn to 21 years of ISO certification as proof positive , objective evidence:cool:.
Sorry, but I don't think that would be a good evidentiary proof. In the context of ISO 9001, risk based thinking is the (presumed better) alternative to the previous maligned preventive action requirement, a clause that was exhaustively discussed and, for many people, brought more challenges than benefits.

I would suggest that a much better evidence of risk based thinking for a quality system is the low number of dissatisfied customers and quality escapes.

Many dysfunctional organizations have attained and maintained certification to a quality system standard for over 20 years, so that would not be a good nor proper indicator, in my opinion.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#35
Dear all,

I searched much on this topic after my initial post. I believe that MVladimir is right.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. emerge of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (reduction of product price). These action shall implement through QMS processes,(reduction waste in production process, providing raw material with lower price by supply process, etc.) as it has been referred in clause 6.1.2 and has been stated in clause 4.4.1 f).

Totally, I think ISO 9001:2015 does not require to determine risks and opportunities for any processes. It requires to determine risks that effect on organizational objectives, and plan treatment actions and implement them through processes.

What are your idea, friends?
ISO/TC 9002:2016 (Guidelines for the application of ISO 9001:2015) disagrees, stating: "(6.1.1) The intent of this subclause is to ensure that when planning the quality management system processes, the organization determines its risks and opportunities and plans actions to address them. Its purpose is to prevent nonconformities, including nonconforming outputs, and to determine opportunities that might enhance customer satisfaction or achieve an organization’s quality objectives."

Neither standard invites us to pick and choose which processes to identify risks for. 9002:2016 does specify that no requirement for a formal risk management program is required, and lists several options and says the organization can choose the methods that suit its needs. Of all the changes in 9001:2015, this has been the least understood.
 

tony s

Information Seeker
Trusted
#37
I would agree that ISO 9001 doesn't categorically mention "identify risks/opportunities on all processes". ISO 9001 is a requirement standard and could only tell us WHAT must be done. However, guideline standards such as the ISO/TS 9002 help us to understand WHY and sometimes HOW. The statement from ISO/TS 9002 quoted by Jen Kirley, IMHO, clearly established the INTENT of ISO 9001 about "identifying risks and opportunities".
 
#38
I'd go as far as to say that if anyone thinks that determining risk/opportunities regarding (all) QMS processes is what is intended, then they are missing the point, almost completely. It's NOT the same as, for example, doing a process failure modes effects analysis.

Indeed, ISO/TS 9002 makes reference to simple tools such as a SWOT analysis. If you consider that the standard is written to be applicable to all sizes/complexities of business, plus it references the "strategic" nature of risk and opportunity, it seems (to me) that doing anything more than something simple like a SWOT or PEST(LE) analysis is overkill. It's not supposed to be a form filling exercise and certainly NOT as extensive as ISO 31000 would suggest it is...
 
Last edited:
#39
Great discussion here! This has been helpful to read through. I'm completely new to the ISO system and am trying to implement a QMS that is truly value-add for our business. As stated it is easy to read too deep into the standard and begin pumping out paperwork purely to meet the assumed requirements.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#40
I'd go as far as to say that if anyone thinks that determining risk/opportunities regarding (all) QMS processes is what is intended, then they are missing the point, almost completely. It's NOT the same as, for example, doing a process failure modes effects analysis.

Indeed, ISO/TS 9002 makes reference to simple tools such as a SWOT analysis. If you consider that the standard is written to be applicable to all sizes/complexities of business, plus it references the "strategic" nature of risk and opportunity, it seems (to me) that doing anything more than something simple like a SWOT or PEST(LE) analysis is overkill. It's not supposed to be a form filling exercise and certainly NOT as extensive as ISO 31000 would suggest it is...
One of the biggest struggles is the idea that filling out forms for risks is required. 9001:2015 does not require it, but an organization's members should still be aware of the risks, how they are being addressed in order to avoid nonconformity to requirements, and (as required in management review) the effectiveness of the actions taken to address risk. That is supposed to be the point of the whole thing; it is why they took out the preventive action clause.

SWOT is ideal for high level risk consideration, specially in subjects like human resources.
 

Top Bottom