
Is Risk Identification and Treatment a Process?


Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#22
The problem with calling it a process is that some registrars have an expectation that this process would also have KPI/objective/target(s). What would that be?

It could depend on how this is done. Does a responsible, competent person/group periodically perform it on a wide scale using inputs and generate output for all those other processes? (clause 8.1 links back to clause 6) I would expect this approach in a less mature system. We could recognize it as a process, which would be audited on its own like we have done with other standards for many years.

Or, is it done by responsible persons within the processes to address identified risks and opportunities as they arise? A more mature system might succeed with this approach, as long as the actions don't negatively impact other processes or activities. This could be included as an input in process auditing, and as such the output of the process represents a success metric.

The standard does not stipulate either of these or any other specific way to handle it, but the Auditing Practices Group guidance paper on Risk Based Thinking lists many options, almost none of which could be pointed to as requiring it to be called a process.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#23
Sidney
A pity that ISO has not been as enlightened...!
9001:2015 5.1.1.c) would give us a glimpse of hope. In my opinion, one of the most important new requirements in the standard, but, based on my experience it is one of those requirements that will be selectively disregarded.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#24
9001:2015 5.1.1.c) would give us a glimpse of hope. In my opinion, one of the most important new requirements in the standard, but, based on my experience it is one of those documents that will be selectively disregarded.
I can imagine 5.1.1c) is not meant to apply to this, but to make it clear that the ISO clauses don't run like a list of checklist "shalls" running in tangent to (we hope, even in parallel if not "in conjunction with" or "as a part of" or, dare I hope, "as a critical component of") business processes. We have been laboring for quite some time to clarify that QMS principles are not only sensible, but profitable. My take is that the standard is trying to add credibility to that assumption. Of course, I am not in the Technical Committee so I am just guessing...
 

randomname

#25
9001 has the purpose of embedding controls in business processes to help ensure that the product/service is conforming and customers get what they want. 14001 has the intent of building in controls to ensure that environmental requirements are met. Same is true for financial controls, safety controls, etc. That's why many say that 9001 has always been about risk management, it's just that the writers didn't have the cojones to use those words. What a shame.
 

melshahat

#26
Whether you're going to call it a process or an activity or whatever it's up to you. To address risks and opportunities just take into your account:
1- The size of your organization and its context,
2- The complexity of your processes,
3- The competencies of the people who’re doing the job.

Risk identification and treatment are two sub-processes of any typical risk management process. If you're working in a small business, just filling in a risk register after a brainstorming session about the risks associated with your company might be helpful.

On the other hand, if you're working in a medium or large corporation, a detailed risk management process should be implemented, a certain budget will be needed, risk workshops will be held, etc.

I hope this is helpful to your question.

Mohammad Elshahat
 