Informational Is Identification of Risks and Opportunities required for QMS Processes?

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#51
Which ones? Everyone?
Everyone with responsibilities in the QMS should have awareness of the risks pertinent to their responsibilities.
Looking at risks and opportunities, IMHO, is a far bigger issue than this. It could mean the viability of the business...
Looking at risks and opportunities can be about small nonconformities and/or threats to business viability, and everything in between. That is why we prioritize.
 
Elsmar Forum Sponsor

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#52
I really worry when the first statement in the last document on the list states that "Risk has been always implicit and addressed in ISO 9001".
From the Introduction in ISO 9002:2016: "Risk-based thinking has been implicit in previous editions of ISO 9001 in such requirements as determining the type and extent of control for external providers based on the effect of the product that is going to be provided, or taking corrective action based on the potential effect of an identified nonconformity."

What is there to worry about?
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#53
Your organization’s management system is meant to help the people working for the organization to fulfill its mission; generalized as “converting the needs of stakeholders into cash in the bank”. Right here you have an axample of risk-based thinking that is focused on winning and exploiting opportunities to serve.

When you develop your organization’s process-based management system (from scratch, to improve performance or to bring about project success) you and your colleagues focus on those processes that are essential to the success of the organization; this is an example of risk-based thinking but you may have glossed over that fact because it is so obvious.

Having determined the cross-functional processes essential for organizational or project success you and your colleagues will name the most knowledgeable person as the owner of each process. Again this is RBT.

Working with each process owner you’ll determine the objectives of each process; again this is RBT. You’ll then capture (perhaps in a deployment flowchart linked to any instructions and forms) who are involved and what they actually do to plan the work, do the work and check the work while making corrections and improvements as necessary.

The process owner will then walk this partially documented procedure across the functions or departments responsible so the process team can ensure it is accurate. Some new processes may be necessary so the documented procedures defining the design of these processes would be reviewed by the process team members for their feasibility.

As you can see, when developing the system, quality planning or designing processes you’ll see lots of evidence of risk-based thinking quite naturally.

Going beyond such practical thinking may confuse others or yourself.

John
I read all that and went back to the Introduction in ISO 9002:2016, which said "Risk is the level of uncertainty inherent in a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are determined, considered and controlled throughout the design and use of the quality management system." Maybe it's because I am tired, but I welcomed that when what I thought I was reading in your post was more like process-based thinking. Like I said, it could just be me.
 
#54
From the Introduction in ISO 9002:2016: "Risk-based thinking has been implicit in previous editions of ISO 9001 in such requirements as determining the type and extent of control for external providers based on the effect of the product that is going to be provided, or taking corrective action based on the potential effect of an identified nonconformity."

What is there to worry about?
Because someone wrote that, doesn't make it so! The fact remains that ISO 9001 in its earliest forms wasn't about risk. When people rely on "implicit" requirements then you know they are grasping at straws. The fundamental reason for ISO 9001 (forget certification because that only came along later, to reduce costs) is as a basis of agreement (contractually) between customers and suppliers, as I said, to reduce the need for supplier development activities. In fact, the ONLY time customers were mentioned was in respect to customer complaints, if I recall correctly. Hardly a "risk based thinking" approach. Same with "Contract Review". To wait until a contract is awarded, to review it is hardly a "risk based thinking" approach is it? If the standard was about risk, how come so many ISO certified companies still deliver rubbish (and the same for other certifications based on 9001)? Why is it auditors have rarely, if ever, addressed "risk" when auditing? Or signed off on management reviews and audits being done once a year?
 
Last edited:

Sidney Vianna

Post Responsibly
Staff member
Admin
#55
Because someone wrote that, doesn't make it so! The fact remains that ISO 9001 in its earliest forms wasn't about risk. When people rely on "implicit" requirements then you know they are grasping at straws.
I will respectfully disagree. Yes, you are correct when say that ISO 9001 was never "about risk", but the intent has always been about identifying areas of higher potential for problems and acting accordingly. For example, something that you and I have been voicing for years: "internal audits to be scheduled based on status, importance and past performance..." In my view, that is a clear area where, without using the word risk, the standard is saying: use your resources wisely and direct your efforts where you have the highest potential for problems.

So, in my view, whenever the standard used words such as applicable, as appropriate, etc, it had an implicit aspect of risk evaluation. In many places the standard used to allude to system requirements robustness to be commensurate with the risks encountered.

But, as I mentioned in my previous post, when the TC 176 decided to include this poorly structured, ill-identified RBT requirement in 9001, it created a huge problem. Too much friction without a return. Had the Conformity Assessment sector associated with this done their jobs, we would not have so much confusion.
 

John Broomfield

Staff member
Super Moderator
#56
Jen,

All process and projects are planned to some extent. I contend that planning includes assessing the risks of failure

Planning engages the process or project team in understanding and agreeing the objectives (and the risks of not meeting the objectives) before determining the resources necessary to fulfill the objectives.

How can planning that omits risk be considered complete or likely to be effective?

John
 
#57
Jen,

All process and projects are planned to some extent. I contend that planning includes assessing the risks of failure

Planning engages the process or project team in understanding and agreeing the objectives (and the risks of not meeting the objectives) before determining the resources necessary to fulfill the objectives.

How can planning that omits risk be considered complete or likely to be effective?

John
From your posts, John, it seems to me that we work in very different worlds. For the most part, my recent experiences are with small/medium sized businesses which are relatively unsophisticated and certainly don't do what you've described. "Risk" is often a board game played with family at the weekend...
 

John Broomfield

Staff member
Super Moderator
#58
Andy,

I cannot imagine such disrespect even for the most unsophisticated of my clients. They usually seek to maximize their chances of success while minimizing their chances of failure.

By asking questions about their planning of their processes and projects I learned a lot about their preventive actions.

They valued their preventive actions more than the conventional hold points you’d see in those QC inspection and test plans because they knew that being proactive made them more money, faster.

It’s not rocket science, though I will admit that many QC folk then tended to think mainly in terms of catching defects after the opportunity to prevent them was lost.

John
 

John Broomfield

Staff member
Super Moderator
#60
Equating running a small business to playing board game at the weekend when the owner has staked his or her family home and more on the success of their business.

...is respectful?
 
Thread starter Similar threads Forum Replies Date
X [QMS] Identification and Evaluation of Aspects, Impacts and Risks... ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
K Identification of hazards and Risk file IEC 62366 - Medical Device Usability Engineering 7
M Medical Device Identification & Codes - Article 27 Requirements questions EU Medical Device Regulations 1
T Non conformance product identification and traceability 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
Q Monitoring of lead time - Good KPI identification? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 14
Q Controlled sticker for product identification? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 15
Watchcat Identification of Test Sample in Test Reports? Design and Development of Products and Processes 22
B Marking of Medical Electrical equipment and accessories - Cl. 7.2.2 "Identification" and Cl. 7.2.4 "Accessories" IEC 60601 - Medical Electrical Equipment Safety Standards Series 4
M Informational EU – Unique Device Identification (UDI) System – FAQs Medical Device and FDA Regulations and Standards News 0
S ISO 14971 Risk Management - Questions for Hazard identification ISO 14971 - Medical Device Risk Management 2
Z Two Payment Identification Number (PIN) for the same order in DFUF website 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
K Identification and Traceability with an ERP system - Barcode Labels? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
M MDR Annex IX Chapter I, 2.2 (c) - Device identification procedures during manufacture. EU Medical Device Regulations 1
M Informational USFDA final guidance – Unique Device Identification: Convenience Kits Medical Device and FDA Regulations and Standards News 0
Stefan Mundt ISO 9001:2015 - 8.5.2 Identification and Traceability Manufacturing and Related Processes 14
S Looking for procedure on UDI (Unique Device Identification) 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
S UDI (Unique Device Identification) Requirements for Remanufactured devices 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
B Quality Management System documentation identification Document Control Systems, Procedures, Forms and Templates 11
K Document Numbering (Identification) System Document Control Systems, Procedures, Forms and Templates 10
N Requirements for the identification and traceability of demo product for sales force US Food and Drug Administration (FDA) 1
M RFID (Radio Frequency Identification) Registration in Europe and in MENA countries EU Medical Device Regulations 1
Q Identification of Training Needs = People Performance? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
H European Pharmacopoeia First Identification Requirements Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 1
J Identification of gage blocks General Measurement Device and Calibration Topics 8
DeeDeeM IATF16949, clause 8.5.2.1 Identification and traceability-supplemental IATF 16949 - Automotive Quality Systems Standard 1
DeeDeeM IATF 16949 - Clause 8.5.2 Identification and Traceability IATF 16949 - Automotive Quality Systems Standard 7
Q ISO 9001 Cl. 8.5.2 and 8.5.4 - Identification in Products ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
M Measurement Equipment - Identification of Calibration Status General Measurement Device and Calibration Topics 25
J Customer Identification and Traceability in Manufacturing Plans Manufacturing and Related Processes 5
M Risk Identification and Risk Assessment for any Process - Is it necessary? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 22
Edward Reesor UDI (Unique Device Identification): HIBCC or GS1? ISO 13485:2016 - Medical Device Quality Management Systems 31
R Identification of Medical Devices in MDD 93/42 Certificate EU Medical Device Regulations 2
L Managing Finance Processes - Identification of Sub Processes ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
dubrizo Initial Supplier Identification, Review and Controls ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
H UDI (Unique Device Identification) Requirements for IVD Software EU Medical Device Regulations 2
A Receiving Goods Inwards - Identification Records and Data - Quality, Legal and Other Evidence 8
Pmarszal UDI (Unique Device Identification) Transition Period - Packaging Labeling Other US Medical Device Regulations 5
Q RFID (radio frequency identification) registration for Medical Device Other Medical Device Regulations World-Wide 6
B Class II Medical Device UDI (Unique Device Identification) Question(s) Other US Medical Device Regulations 8
A Is Risk Identification and Treatment a Process? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 25
D 820.120 UDI (Unique Device Identification) Labeling Verification Requirements Other US Medical Device Regulations 11
M Identification of Glass Instruments and Measurement Devices General Measurement Device and Calibration Topics 2
A Identification of Customer Property: Customer-Supplied Thumb Drives & Ext Hard Drives ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
Z Failure Mode Identification in PFMEA according to AIAG FMEA Rev.4 FMEA and Control Plans 6
M Reagent Status Identification - 7.4.3 Verification of Purchased Product ISO 13485:2016 - Medical Device Quality Management Systems 6
Gman2 Identification of Raw Material being used In-Process ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
M Identification and labeling medical device replacement system components Other Medical Device and Orthopedic Related Topics 12
L Identification of Inputs vs. Outputs in Design and Development (Section 7.3) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
T Implementing a Suspect Counterfeit Identification Program Quality Manager and Management Related Issues 3
S Understanding UDI (Unique Device Identification) Other US Medical Device Regulations 10
Similar threads


















































Top Bottom