Informational Is Identification of Risks and Opportunities required for QMS Processes?

Jen Kirley

Quality and Auditing Expert
Leader
Admin
As part of their QMS? As in part of their documented ISO 9001:1987/94/2000 certified system? The answer is in many cases, no! They had procedures. Those procedures didn't define input or outputs. No measurement (except of product, only).
Of course. In many cases no, in many other cases yes. But were these procedures developed to reduce the effect of uncertainty?
 

ISO_Man

Involved In Discussions
Dear all

I searched in ISO 9001 requirements to find a requirement about the necessity for risk identification for any QMS processes.

As you know, in 4.4.1 f) the standard requires that the QMS process shall address risks and opportunities determined in accordance with the requirement of 6.1.

So, I think that it is only mandatory to identify high level risks and opportunities based on environmental analysis (SWOT, PESTEL, etc.) for strategic goals and objectives and there is not any requirement to identify risks and opportunities for any QMS processes. Is it right?

Thanks all

My guidance during a recent ISO-9001:2015 audit was that there is a general push toward risk-based thinking for all processes. When I performed some recent documentation training I stressed that people should think about the risk to which we're exposed if documentation is NOT done correctly.
 

Sidney Vianna

Post Responsibly
Leader
Admin
My guidance during a recent ISO-9001:2015 audit was that there is a general push toward risk-based thinking for all processes.
Please, don't you think for a minute that what you heard from ONE auditor is "general". There is tremendous variation among CB's and even within the same CB, there is tremendous variation among "trained" auditors.

As for risk-based thinking applying universally and permanently, that's a given. It has always been like that, even when we did not use the term risk, explicitly.
 

ISO_Man

Involved In Discussions
Really? I'd be keen to see more on this. All I've seen, so far, is a lot of BS findings about document control and auditor qualifications...

Reading through the standard it's one of the top 3 lines in the introduction, then comments about risk and the PDCA cycle and "Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise..." and that's just in the introductory section.
 

Sidney Vianna

Post Responsibly
Leader
Admin
All I've seen, so far, is a lot of BS findings about document control and auditor qualifications...
But.....but.....but.....weren't we told that the new standard brings more accountability to top management leadership? Weren't auditors supposed to spend more time with the people who can really make sure the quality system is integrated in the organization business processes? Weren't organizations supposed to realize tremendous business improvements by "upgrading" their quality systems to the 2015 Edition of ISO 9001? Were those all empty promises? :mad:
In the IAF resolution (attached below), the message was:
The new ISO 9001 promotes enhanced leadership involvement in the management system, introduces risk-based thinking and aligns the quality management system policy and objectives with the strategy of the organisation.
If the auditors are still focusing on things that are immaterial to customer satisfaction and/or product conformity because they don't have the intellectual horsepower or the intestinal fortitude to address real issues, what is the point of revising standards? We all know that organizations, in the vast majority, will only do things they are written up for.

So, are you telling us that auditors are still delving into inconsequential issues just because this is their comfort zone? all the while ignoring issues of tremendous materiality for the system at hand? Who could see that coming? :sarcasm:

Too bad that people involved in the management system conformity assessment sector have not been introduced to the notion of risks and opportunities for the "certification sector". Until buyers properly specify what they want from suppliers (hint: assurance and confidence) instead of certificates, we will reward mediocrity in the auditing world.

Thanks, Andy, for sharing your perspective. :agree:
 

Attachments

  • IAF_communique__Important_information_for_Certification_Bodies_regarding_transition_to_ISO_900...pdf
    166.7 KB · Views: 369

John Broomfield

Leader
Super Moderator
All,

Risk-based thinking is second nature for most of us but can easily be taken for granted.

When analyzing your system with top management to determine its key processes the thinking is risk-based, perhaps starting with agreeing the criteria for a process being “key” or critical to success. PESTLE or SWOT can be useful analytical techniques here to flush out this thinking.

When analyzing each of the key processes with the process owner you are both thinking risk as you determine the actions (starting with planning and preparation) taken to fulfill process objectives while preventing nonconformity.

When designing the few new key processes, needed for the system to fulfill its mission, with the process owner you are both thinking risk as you determine the PDCA actions necessary to fulfill process objectives while preventing nonconformity.

So, seek evidence of risk-based thinking and you’ll probably find it or your colleagues will be ready to help.

This is preferable to ignoring risk-based thinking for you to impose your newfangled RM tools on your colleagues.

Asking auditors what they’ll be looking for so you can keep them happy is wrong because our system should be about creating more successful customers.

John
 

AndyN

Moved On
When I performed some recent documentation training I stressed that people should think about the risk to which we're exposed if documentation is NOT done correctly.

I'm interested to understand more about this approach. Seriously. We've seen a significant reduction in ISO 9001 requirements (to almost zero) in prescriptive documentation requirements, while at the same time, increasing references to risk and opportunity. Doesn't this tend to suggest that documentation, in general terms, isn't linked to risk?
 