Is Risk Identification and Treatment a Process?

[randomname]

It's all about integrated systems. As long as QM professionals ignore what else goes on in the organization, they'll always be seen as just baggage. If they link what they do to what the organization does strategically, then they'll be seen as value adding.

If people want to just focus on what ISO requires, that's their decision. But many organizations go beyond the basic requirements (e.g., using 9004), and become better business partners.

 

[Stijloor]

I believe that two (linked) issues are mixed up here. Risk Based Thinking (RBT) may be a "mindset." However, activities to mitigate identified risks is a process.

 

[Sidney Vianna]

However, activities to mitigate identified risks is a process.

Almost anything is a process if you consider INPUT==>ACTIVITIES==>OUTPUT as definition of a process.

The OP, however was clear in his original question: would this "process" have to be treated as per 9001:2015 4.4.1? I still say: heck no!!!

If anyone says yes to that question, that means that EVERY 9001:2015 compliant organization in the world would have to have a Risk identification and treatment process as one of the mandatory QMS processes, which, I believe, is not supported by the standard itself nor in the spirit and intent of the authors.

 

[vinnie23]

ISO 13485 DOES require that you have a risk management procedure though, correct?

 

[Sidney Vianna]

It's all about integrated systems. As long as QM professionals ignore what else goes on in the organization, they'll always be seen as just baggage. If they link what they do to what the organization does strategically, then they'll be seen as value adding.

I advocate that the only cost-effective, sustainable and wise approach to quality is to embed the quality system in the business processes of the organization. That way, quality ceases to be a department and becomes a way of running the business.

I have been promoting that concept for over 20 years now. But that has nothing to do with promoting FORMAL risk management practices willy nilly, everywhere, all the time.

 

[randomname]

So who has been doing that?

 

[Cari Spears]

ISO 13485 DOES require that you have a risk management procedure though, correct?

Does it? I'm not familiar with ISO13485 - does it specifically say that you have to have a documented risk management process?

 

[randomname]

It definitely requires that risk management be applied to QMS processes. And most organizations working under 13485 are likely also using 14971 for device risk management, which covers a documented risk management plan for each device covering the entire life cycle. For sure lots of documented risk management processes.

 

[charanjit singh]

Coming back to ISO 9001:2015 and RBT. Just two examples of Risk-Based Thinking:

1. When you decide on your external providers, do you take into account the possibility of failure of a source of a very vital product or process?
2. When you have a single person performing a key production process, do you consider the possibility of his/her sudden non-availability due to accident/ prolonged illness/resignation etc.?

In both cases your Quality Management System may fail to meet customer requirements unless you have planned to take these into account. I am sure any intelligent business owner/top manager who has a stake in the business, would take due care of these instinctively. It is as simple as that. There is no need to prepare documentation on this.

 

[randomname]

These are classic examples of high level risk for which an FMEA is not likely to be useful. However, a Bowtie is a good way to analyze them. Whether or not the organization decides to use FMEAs to analyze process risk or Bowtie (or other techniques) to analyze high impact-low frequency (HILF) events is up to them.