Is Identification of Risks and Opportunities required for QMS Processes?

I'm one of those CB Auditors that register companies to ISO 9001:2015. You know us as those guys concerned about document control, auditor qualifications, etc., etc. As for 'Risks', I will say there are numerous differing opinions on risks.

Try thinking of your entire ISO QMS as a process and Risks as a sub-set of the QMS process. What primary controllable Risks can affect the QMS? Once you identify, say, a maximum of 5, assign an owner to each for mitigation and have the owner report the status of each Risk & Mitigation monthly. For example:
Risk - aging workforce
Owner - HR
Mitigation - ???

Risk - changes to NAFTA
Owner - Purchasing and Sales
Mitigation - ???

Just a few ideas for you. Hope it's helpful.

John Broomfield


My opinion:

The fact that you’ve determined what processes are essential to the effectiveness of your organization working as a system means you’ve already thought about the risks (positive and negative) that generally apply.

Within this system you will have planning processes to address specific risks arising from a new or changed situation or opportunity.

At the front of each process within your system you may have activities that address risks to prevent nonconformity and ineffectiveness.

So, you can see at least three ways in which your organization may address risk as necessary for your system to be effective.

It would be wrong to focus all your risk management opportunities in each individual process.

And all this may be achieved without once mentioning risk.

Best wishes,

From your posts, John, it seems to me that we work in very different worlds. For the most part, my recent experiences are with small/medium sized businesses which are relatively unsophisticated and certainly don't do what you've described. "Risk" is often a board game played with family at the weekend...

I cannot imagine such disrespect even for the most unsophisticated of my clients. They usually seek to maximize their chances of success while minimizing their chances of failure.

As odd as it may seem, it has happened. The analogy that Andy is making doesn't feel so distant. I'm working in a 70-employee manufacturing organization in a developing country. The owner bought 2 robots in an attempt to "improve productivity". It's been a disaster. Requirement 6.3 of ISO 9001:2015 totally ignored. Process engineering required for this kind of project was non-existent. In the end the productivity remains the same (like it used to be before the acquisition of the robots). Key factors that weren't considered: raw material quality and composition, measuring system requirements, competent personnel needed in previous processes.

So yes, these kinds of organizations do exist.

John Broomfield

Sure such badly run organizations exist (at least temporarily).

But are these organizations also developing their management systems to improve their chances of success?


Going through all the comments, the bottom line to me is: if you are operating and producing product or service(s), you've already considered the risks. You've added specifications, service communication protocols, testing, etc. The processes involved already have controls in place to address the big risks important to your customers, or you wouldn't be successful. Yes, top management should also take an overall look at high level risks (SWOT, etc.) and requirements of interested parties.

However, much of the risk associated with processes is already known and was dealt with ages ago if you have been in business a long time. If you want, list the major risks for a process and put the risks in a turtle diagram or something to document what they are. Then go on. New risks are basically documented in your corrective action process or identified at management review, etc.

Not that big a deal IMHO at this point, since I've already agonized about it way back when working on getting certified to the 2015 standard. But that is how I approached it and it worked. We continue to review SWOT, perform management review, etc., where new risks come out and, as a result, are documented in management review.

There, I said my piece. Probably should apologize for rambling on too long. :)


The biggest problem I see with risk in AS9100D is auditor training and auditor consistency. If auditors were better trained and were consistent in what was considered an NC, there would be fewer problems.

After several years of auditors complimenting how we handle risk, we got an NC last year because many of our big-picture risk discussions are in the strategic planning meeting (with a page or more of meeting minutes) and the yearly planning process (with meeting minutes) rather than as part of the management review meeting. The auditor did not like that.

This auditor claimed to have better understanding than most auditors and had participated on the committee, but in reality I think she was sometimes auditing to committee discussions and what she thought the standard should require rather than what the standard actually says in the released version. Much of her objective evidence was poor, nonspecific, and vague. I wanted to appeal several NCs but was overruled by my boss. (Tactical and part specific risk is handled as part of the contract review and part intake process.)

Our auditor also did not like that we have moved some of the risk management to meetings that happen monthly to weekly and that we did not have a risk register.