Practical guide to scan for Risks in all QMS systems without missing any


QAMTY

#1
Hi all

In trying to detect risks, I thought it would be enough to analyze the processes shown in the general process map,
considering that normally the main processes are there.

Now I see that there is some difficulty, because it is supposed that processes are documented in procedures, but there may exist requirements which are not in documents; moreover, now some documents are not needed.

What would be a practical guide to scanning for risks in the whole system without missing any?
Could you provide a guide?
Should we check every clause?

Thanks
#2
Good morning.

The 3rd party auditor who just conducted our re-certification audit told us to use the FMEA form for everything when assessing risk. Of course, he then advised us to use an FMEA of the FMEA, to have a plan in case we did forget something in the original FMEA; sort of like a 'Plan B', if you will.

ousgg

Starting to get Involved
#3
A couple of things to consider here:

1) There is no obligation on you to encapsulate ALL relevant risks in your risk-management approach. An auditor cannot write you a nonconformity for a risk you have omitted from your system, providing your system has some structure and consistency. It is emphatically NOT an auditor's job to try to identify risks you have missed by nitpicking and/or using their own arcane knowledge - keep your eyes open for this sort of practice, because it's worryingly common.

1b) My advice - start with Top Management. Discuss what the major risks to the business are. Get those properly documented and associate them with action plans. Make sure Top Management communicate this to middle management. This alone should be enough to make you compliant to the requirements, but you can then talk to middle management about how their departments/processes contribute to this risk and identify deeper causes and risks. Some areas will be more fruitful for drilling into than others.

2) Using FMEA for everything is a terrible idea. The inputs to an FMEA need to be structured, otherwise you end up with a free-for-all that is no help to anyone. I recommend you only use FMEAs where they were intended: in product designs and for individual clearly-defined granulated processes (ie - ones with a process flow chart).

2b) My advice - break down Risk Management by business process. In my QMS, Risk Management is part of each process design, and can take different forms depending on the process - some do FMEAs, some do a simpler risk assessment, some just do SWOT. The Risk Management for our despatch department, for example, is simply a list of contingency delivery plans. I have one show-off process owner who has done fault-tree analysis, but then his process is entirely driven by data, so it makes sense in context. You will probably already have a top-level business contingency plan which can slot quite neatly into this structure and might also provide overall guidance for the process-level documents if it is comprehensive enough.

dsanabria

Quite Involved in Discussions
#4
Go to the IAQG website (International Aerospace Quality Group), open the link for the Supply Chain Management Handbook and go to section 7.3, Risk Assessment.

Supply Chain Management Handbook - Terms of Use

Big Jim

Super Moderator
#5
In trying to detect risks, I thought it would be enough to analyze the processes shown in the general process map,
considering that normally the main processes are there.

Now I see that there is some difficulty, because it is supposed that processes are documented in procedures, but there may exist requirements which are not in documents; moreover, now some documents are not needed.

What would be a practical guide to scanning for risks in the whole system without missing any?
Could you provide a guide?
Should we check every clause?
The short answer is that you are overthinking it. Risk is so diverse and so permeated into everything we do that you could never in your lifetime list it all.

Big Jim

Super Moderator
#6
Good morning.

The 3rd party auditor who just conducted our re-certification audit told us to use the FMEA form for everything when assessing risk. Of course, he then advised us to use an FMEA of the FMEA, to have a plan in case we did forget something in the original FMEA; sort of like a 'Plan B', if you will.
Gross example of overthinking it. In this case overthinking solutions. This is even worse than turning every instance of a nonconformance into a corrective action.

Big Jim

Super Moderator
#7
A couple of things to consider here:

1) There is no obligation on you to encapsulate ALL relevant risks in your risk-management approach. An auditor cannot write you a nonconformity for a risk you have omitted from your system, providing your system has some structure and consistency. It is emphatically NOT an auditor's job to try to identify risks you have missed by nitpicking and/or using their own arcane knowledge - keep your eyes open for this sort of practice, because it's worryingly common.

1b) My advice - start with Top Management. Discuss what the major risks to the business are. Get those properly documented and associate them with action plans. Make sure Top Management communicate this to middle management. This alone should be enough to make you compliant to the requirements, but you can then talk to middle management about how their departments/processes contribute to this risk and identify deeper causes and risks. Some areas will be more fruitful for drilling into than others.
Excellent advice.

Big Jim

Super Moderator
#8
2b) My advice - break down Risk Management by business process. In my QMS, Risk Management is part of each process design, and can take different forms depending on the process - some do FMEAs, some do a simpler risk assessment, some just do SWOT. The Risk Management for our despatch department, for example, is simply a list of contingency delivery plans. I have one show-off process owner who has done fault-tree analysis, but then his process is entirely driven by data, so it makes sense in context. You will probably already have a top-level business contingency plan which can slot quite neatly into this structure and might also provide overall guidance for the process-level documents if it is comprehensive enough.
Even this could be overthinking.

To quote Randy, it isn't rocket science.

Use any of the tools (SWOT, FMEA, etc.) when appropriate. Trying to come up with a heavy-duty response for every instance every time isn't just impractical, it is a terrible waste of time and leads not only to inefficiency but to inadequate answers for the ones that matter.


QAMTY

#9
Thanks dsanabria, office35o and Big Jim, I appreciate your feedback.

Especially referring to what dsanabria suggested: I briefly read those documents, and they are very complete, but they treat risk as formal risk management.

I wanted to have a simple guide to follow, considering how the 2015 version treats risk, not a full risk management system.

Trying to find some guidance, I got the following information; bear in mind that I already have the 2008 version.

This is information extracted from the ISO/IAF (Auditing Practices Group) document on auditing risk.

It describes what an auditor should look for. After each input I show (in italics in the original) what I have planned to do.

An auditor should act in accordance with the following steps and collect objective evidence as follows:

What inputs are used by the organization for risk and opportunity determination?

These inputs should include the following:

_ analysis of external and internal issues

By using SWOT, I got the risks and opportunities, and they will be registered
with their analysis and treatments in the List of Risks.
The weaknesses will need some attention; some action plans will be carried out.
For sure, some output issues from the SWOT will be inputs for the quality objectives.


_ the strategic direction of the organization.

For the strategic direction, I think this is a term which expects too much, so I'll make it simple: I will show actions derived from the SWOT analysis and maybe
a piece of paper where I have written the vision and mission of my business.
On this point, I think the auditor will not expect to see complex business analysis, at least in my business (30 employees, steel parts manufacturing).



_ interested parties related to its QMS, and their requirements, also
related to the QMS.

Ok, will be considered what will be detected

_ the scope of QMS of the organization.

Ok, will be considered

_ the processes of the organization.
OK, inviting the owners of all the processes, including top management.
I think it is a good idea that all process owners participate in detecting risks and opportunities in each process; this way it would be more effective.

Thanks again

Joe Cruse

Mopar or No Car
#10
1) There is no obligation on you to encapsulate ALL relevant risks in your risk-management approach. An auditor cannot write you a nonconformity for a risk you have omitted from your system, providing your system has some structure and consistency. It is emphatically NOT an auditor's job to try to identify risks you have missed by nitpicking and/or using their own arcane knowledge - keep your eyes open for this sort of practice, because it's worryingly common.
:applause: I'm not seeing the "shall" to put together a list of EVERY possible permutation of risk and write that list into your QMS, and it is definitely not the registrar auditor's job to go out and find all the risks you didn't formally define. To me, your system should be built with the structure and consistency that allows your business to define, assess, and address the risks to your processes/QMS AS they get identified. It's not supposed to be a one-time, catch-all list that you build up and add to the QMS for an auditor to see and approve of, or to get an NC from for failing to document a specific risk that THEY see.
As part of your ongoing, regular QMS/process planning (production planning, etc.) you'd generally go through the associated risks as a general course, and if you (or your internal auditors, or an NC incident, etc.) identify another risk, well, that's all part of improvement, isn't it?