Practical guide to scan for Risks in all QMS systems without missing any

[QAMTY]

Thanks Joe

In your point of view, regarding risk and opportunities, what will be the best option to detect the risks ans opps.?

In the case that ISO 2008 version is implemented and certified?
Would it be to have meetings with Top management and asking him how he complies every ISO clause regarding Risks and Opp?.

After that, to follow with responsibles of processes, with the same question?
All picked-up risk and opportunities it would be documented.

On the other hand, in respect to your comment.

I was thinking to put an effort in order to detect in a short time all the risk existing into our processes.

The fastest we detect the risk, the minimum possibilities to have non conformances.

Ok I know, I may miss some risk, ok, that wouldn´t deserve a NC.

But if we have an audit, and a non conformance in a process is found because was not well planned regarding a risk, would it be a nc against 6.1?

Please feed back, sorry for a lot of questions.

Thanks

 

[QAMTY]

Joe I forgot to say something
form the standard:

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:......
Says and Determine the risks and opportunities, at planning, for me having 2008, already have been planned but not considered risks, so my task it is to determine them but you say "and address the risks to your processes/QMS, AS they get identified", dont you think that "as they get identified" it may take too long, if it is not put an immediate effort to do that?

That is the point in my mind, immediate tasks to determine them as soon as possible.

Hope it is clear.

Thanks

 

[Randy]

You'll never find all opportunities and risks so get it out of your head that you can.

Business is fluid, organizations are fluid, situations are fluid, people are fluid and as such there is no such thing as all. Anybody tells you different should be buying lottery tickets.

You're expending your most valuable and finite resource, your time, in quest of the Holy Grail and fighting windmills.

 

[Joe Cruse]

I'm with Randy; it appears that you have it in mind that EVERY risk must be tracked down, then written on the "risk list" for your registrar to look at, and then addressed. You have the "tail wagging the dog", so to speak.

Your top managers, including top management and especially the managers responsible for your core processes, have already identified the risks (negative and positive) associated with the process under their control. They see it every day in operating. Some of them are likely negligible and may not be worth spending a lot of time on (running out of staples or other office supplies from one supplier, for example-easily mitigated), whereas others could either put a dead stop on the process, or lead it to non-conformance. You can probably bet that your managers have identified these risks, and are active in mitigating them. These are ones you need to be able to effectively show top management AND a registrar auditor that your system is identifying and addressing. You don't HAVE to have a list to do this; it's up to you how you show you are meeting the standard. Most risks that have been identified in your core processes have likely been addressed by your management and process owners, and that is built into your QMS already, possibly in work instructions.

 

[QAMTY]

Thanks Randy and Joe

Very helpful your comments.I really appreciate your time for feeding us back.

 

[Tagin]

...You can probably bet that your managers have identified these risks, and are active in mitigating them. These are ones you need to be able to effectively show top management AND a registrar auditor that your system is identifying and addressing.....

1) I'd just note that sometimes the managers are not aware of particular risks, and its the folks on the line who are seeing them and either compensating for them or avoiding them, so that they don't rise to the attention of the manager. Not necessarily out of fear, but rather a can-do attitude to get the work done, line workers can be silently mitigating risks, and soon it becomes part of a "its always been that way" attitude. Even with educating them and praising them to raise awareness about such things, sometimes risks can still fly below the radar. So, I consider talking with folks on the line essential.

2) As to the original question, I agree its not about finding ALL the risks. But on the other hand, some degree of proactive scanning for risk is called for in 6.1 ("...determine the risks and opportunities..."). I'm thinking about using something like the diagram in 9001:2015 0.3.1 "Figure 1 - Schematic representation of the elements of a single process" as a possible template for high-level scanning (and documenting) of processes both for controls and for risks (or raising questions about risks which then call for drilling in deeper). Its so easy to end up in the weeds, having a tool to keep a big-picture perspective will be welcome.

 

[QAMTY]

Thanks Tagin

In point 1, you are right, here its needed theta the top management be fully involved

In point 2 well, what Im doing it is.
to define a procedure to manage R&O
I started with top management, detected risk ad we are implementing action plans

Next, with processes responsibles and detected other different risks,
However in some risk in top management are like an umbrella for risk in processes
for example, In top management a risk was " not complying with client satisfaction" well, consequences are of high impact, in this case, we did a fisbhone analysis and detected poor competence in people, then when analyzed the risk in processes, we detected the same risk (por competence) so in this case we did nothing, cause we already addressed it with top management.
I have a method of PXI and defined a table, in which according to the value, we tajke different actions.

Regards