Informational Is Identification of Risks and Opportunities required for QMS Processes?

[Jen Kirley]

Which ones? Everyone?

Everyone with responsibilities in the QMS should have awareness of the risks pertinent to their responsibilities.

Looking at risks and opportunities, IMHO, is a far bigger issue than this. It could mean the viability of the business...

Looking at risks and opportunities can be about small nonconformities and/or threats to business viability, and everything in between. That is why we prioritize.

 

[Jen Kirley]

I really worry when the first statement in the last document on the list states that "Risk has been always implicit and addressed in ISO 9001".

From the Introduction in ISO 9002:2016: "Risk-based thinking has been implicit in previous editions of ISO 9001 in such requirements as determining the type and extent of control for external providers based on the effect of the product that is going to be provided, or taking corrective action based on the potential effect of an identified nonconformity."

What is there to worry about?

 

[Jen Kirley]

Your organization’s management system is meant to help the people working for the organization to fulfill its mission; generalized as “converting the needs of stakeholders into cash in the bank”. Right here you have an axample of risk-based thinking that is focused on winning and exploiting opportunities to serve.

When you develop your organization’s process-based management system (from scratch, to improve performance or to bring about project success) you and your colleagues focus on those processes that are essential to the success of the organization; this is an example of risk-based thinking but you may have glossed over that fact because it is so obvious.

Having determined the cross-functional processes essential for organizational or project success you and your colleagues will name the most knowledgeable person as the owner of each process. Again this is RBT.

Working with each process owner you’ll determine the objectives of each process; again this is RBT. You’ll then capture (perhaps in a deployment flowchart linked to any instructions and forms) who are involved and what they actually do to plan the work, do the work and check the work while making corrections and improvements as necessary.

The process owner will then walk this partially documented procedure across the functions or departments responsible so the process team can ensure it is accurate. Some new processes may be necessary so the documented procedures defining the design of these processes would be reviewed by the process team members for their feasibility.

As you can see, when developing the system, quality planning or designing processes you’ll see lots of evidence of risk-based thinking quite naturally.

Going beyond such practical thinking may confuse others or yourself.

John

I read all that and went back to the Introduction in ISO 9002:2016, which said "Risk is the level of uncertainty inherent in a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are determined, considered and controlled throughout the design and use of the quality management system." Maybe it's because I am tired, but I welcomed that when what I thought I was reading in your post was more like process-based thinking. Like I said, it could just be me.

 

[AndyN]

From the Introduction in ISO 9002:2016: "Risk-based thinking has been implicit in previous editions of ISO 9001 in such requirements as determining the type and extent of control for external providers based on the effect of the product that is going to be provided, or taking corrective action based on the potential effect of an identified nonconformity."

What is there to worry about?

Because someone wrote that, doesn't make it so! The fact remains that ISO 9001 in its earliest forms wasn't about risk. When people rely on "implicit" requirements then you know they are grasping at straws. The fundamental reason for ISO 9001 (forget certification because that only came along later, to reduce costs) is as a basis of agreement (contractually) between customers and suppliers, as I said, to reduce the need for supplier development activities. In fact, the ONLY time customers were mentioned was in respect to customer complaints, if I recall correctly. Hardly a "risk based thinking" approach. Same with "Contract Review". To wait until a contract is awarded, to review it is hardly a "risk based thinking" approach is it? If the standard was about risk, how come so many ISO certified companies still deliver rubbish (and the same for other certifications based on 9001)? Why is it auditors have rarely, if ever, addressed "risk" when auditing? Or signed off on management reviews and audits being done once a year?

 

[Sidney Vianna]

Because someone wrote that, doesn't make it so! The fact remains that ISO 9001 in its earliest forms wasn't about risk. When people rely on "implicit" requirements then you know they are grasping at straws.

I will respectfully disagree. Yes, you are correct when say that ISO 9001 was never "about risk", but the intent has always been about identifying areas of higher potential for problems and acting accordingly. For example, something that you and I have been voicing for years: "internal audits to be scheduled based on status, importance and past performance..." In my view, that is a clear area where, without using the word risk, the standard is saying: use your resources wisely and direct your efforts where you have the highest potential for problems.

So, in my view, whenever the standard used words such as applicable, as appropriate, etc, it had an implicit aspect of risk evaluation. In many places the standard used to allude to system requirements robustness to be commensurate with the risks encountered.

But, as I mentioned in my previous post, when the TC 176 decided to include this poorly structured, ill-identified RBT requirement in 9001, it created a huge problem. Too much friction without a return. Had the Conformity Assessment sector associated with this done their jobs, we would not have so much confusion.

 

[John Broomfield]

Jen,

All process and projects are planned to some extent. I contend that planning includes assessing the risks of failure

Planning engages the process or project team in understanding and agreeing the objectives (and the risks of not meeting the objectives) before determining the resources necessary to fulfill the objectives.

How can planning that omits risk be considered complete or likely to be effective?

John

 

[AndyN]

Jen,

All process and projects are planned to some extent. I contend that planning includes assessing the risks of failure

Planning engages the process or project team in understanding and agreeing the objectives (and the risks of not meeting the objectives) before determining the resources necessary to fulfill the objectives.

How can planning that omits risk be considered complete or likely to be effective?

John

From your posts, John, it seems to me that we work in very different worlds. For the most part, my recent experiences are with small/medium sized businesses which are relatively unsophisticated and certainly don't do what you've described. "Risk" is often a board game played with family at the weekend...

 

[John Broomfield]

Andy,

I cannot imagine such disrespect even for the most unsophisticated of my clients. They usually seek to maximize their chances of success while minimizing their chances of failure.

By asking questions about their planning of their processes and projects I learned a lot about their preventive actions.

They valued their preventive actions more than the conventional hold points you’d see in those QC inspection and test plans because they knew that being proactive made them more money, faster.

It’s not rocket science, though I will admit that many QC folk then tended to think mainly in terms of catching defects after the opportunity to prevent them was lost.

John

 

[AndyN]

I cannot imagine such disrespect

As I said John, we experience different worlds. I'm not being disrespectful and nothing I've said indicates such. I believe you're reading too much into my comments.

 

[John Broomfield]

Equating running a small business to playing board game at the weekend when the owner has staked his or her family home and more on the success of their business.

...is respectful?