ISO9001:2015 Cl. 6.1 - What evidence of addressing risk is needed?

QAMTY

Hi all

Regarding documented evidence in 6.1, I don't see any specific information required.

Would it be necessary to have only a list of identified and treated risks, and also the evidence of the follow-up and action plans? Additionally, evidence of a SWOT and a list of interested parties.

But I wonder if it is needed to have, say, evidence of a brainstorming session with employees when determining risk, and also a sheet/format for every risk detected in each process, where the risk is evaluated (the impact, the responsible persons, due dates for actions, etc.), including sign-off of them?

Please give some feedback

Thanks
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
I am sorry for the delay in answering this question.

Evidence can be in the form of physical changes, such as 5S to reduce the risk of product damage. It can be a checklist that helps people avoid missing tasks or steps in transaction-based processes. It can be documented in SWOT, in tables, in FMEA, in a short statement within controlled procedures, but none of these types of documentation are specifically required.

I always advise the simple approach if it is possible. The main difficulty with that may be in how you can express effectiveness of actions taken, which is an input in Management Review. That can be a chart, a number or a statement but it should be something that can be verified through documentation and/or talking with people and/or the auditor's physical observations.
 

bpritts

Involved - Posts
As Jen states there are MANY possible considerations and actions on risk. Too many of our QA colleagues seem to think that we invented risk management in 2015! That's just nonsense. Our whole field has been based on managing risks. So, some other examples:

- Any time you do an inspection, you presumably do so because you perceive a risk of nonconformance. (If you were certain that a process was perfect, why would you do inspections? But we know that processes, and people, aren't perfect... there's risk!) How did you decide when to do inspections, and how many? That involved risk based thinking... I hope!

- Anything you do involving STATISTICS probably involves risk. A process capability study measures the risk of producing nonconforming product. Ongoing SPC process control is intended to assess the risk of processes going astray. The entire field of statistics was invented to help assess risk!

- Any time you audit a process, you are considering risk. If you "knew" that processes were always executed 100% correctly why would you audit them?

Same extends to supplier audits.

- When you calibrate/confirm a gauge, you should be considering risk. Why do you decide to do the calibration every 90 days/ 365 days/ 1 day/ etc. Hopefully you have considered the risk of the gauge/ measurement device going wrong, as well as the cost of checking it and the cost of reaction if bad parts have been accepted.

I hope that these everyday examples help illustrate the point. Good QA has always been about managing risk!

Brad
 

somashekar

Leader
Admin
Please note that the 6.1 is leading you back to 4.1 and 4.2.

This means that it's reflecting back on your context and the needs and expectations of your organization's interested parties.

If you have not done this well, you will not be able to focus on the actions to address the risks and opportunities. This is more at a macro level and not just the stuff of product failure risk, calibration risk and such.

Risks that address your business continuity, new technology challenges, changing market and demands, competition, need for diversification and its associated risks, investment risks ... and more.

Unless your leadership (the management) gets down to discussing these with the executing professionals after a clear understanding of the business process and QMS requirement, most will simply be addressing the risks around what processes and products you see in and around you.
 

Paul Simpson

Trusted Information Resource
Hi all

Regarding documented evidence in 6.1, I don't see any specific information required.

Would it be necessary to have only a list of identified and treated risks, and also the evidence of the follow-up and action plans? Additionally, evidence of a SWOT and a list of interested parties.

But I wonder if it is needed to have, say, evidence of a brainstorming session with employees when determining risk, and also a sheet/format for every risk detected in each process, where the risk is evaluated (the impact, the responsible persons, due dates for actions, etc.), including sign-off of them?

Please give some feedback

Thanks

As others have said, how you address planning is up to you and depends on how the organization currently works. As somashekar says, the results of your internal and external context assessment (perhaps the PESTLE and/or SWOT analysis) will generate a list of issues you want to manage.

Similarly, your list of process risks and opportunities (4.4.1 f) may generate some evidence of risk and opportunity management.

So long as your organization is happy you have adequately looked at risk, your 3rd party CB should also be happy.
 
zucccchini

Well guys, here is how I am going to approach this risk thing, and it may even cover some other little 'shalls' the powers that be have thrown in there. I internal audit an AS9100 manufacturing (machine shop). I have since retired from actually working there, but they call me in to do their internals. A long time ago I suggested that they really needed a history paper among the CAD/CAM programs, inspection notes, etc. for reoccurring jobs. At that time it simply helped the setup people and operator to realize ahead of time the problems that they may run into.

This thing has become invaluable now. It lists the RISKS over time for that job, includes tooling issues, machine issues, hard to find gauges, etc, mistakes made that caused scrap. On top of that it qualifies as addressing loss of learned experience. No starting a new learning curve if someone leaves that always ran that job. It did not walk out the door with him/her.

As far as addressing risks on the outside to the business in general, that would fall into the Planning 6. But that 'job history paper' certainly helped our production side address those issues.
 
xxxxxxl

I have been wondering if Opportunities need to be addressed separately to risks. Some identified risks do reveal opportunities, but sometimes opportunities originate from places other than risk assessment, business plans, or management review outputs.

Thoughts?
 
QAMTY

It could be both ways: maybe at the same time a risk is detected, or it may come alone.

A good practice is to have a method to evaluate if the opportunity is worth taking.

There is a method somewhere that considers probability and benefit and gives you a factor; depending on the factor, you can decide if it is convenient or not.

Hope this helps
 
Shaun Michael

I have prepared the risk register for ISO 9001-2015, which includes only the probability and severity of the risk and the mitigation plan. Is that okay for ISO 9001-2015, or does it also need DETECTION and a CONTINGENCY PLAN? Is the risk limited only to all processes of business failure, or should it also contain risk to human beings involved in the process or act?
 