Risk analysis 6.1 and contingency plans 6.1.2.3, are they related?

[Johnson]

To meet IATF16949:2016 requirements on risk analysis, the generall accepted practice is:
- The organiation (supplier): add "risk analysis and opportunity" on each process turtle diagram, or/and maintain and control a "risk and opprtunity managtement work sheet" for all QMS processes.
- The CB: show risk analysis on 'audit check list" for each process.

 

[AndyN]

"To meet IATF16949:2016 requirements on risk analysis, the generally accepted practice is:
- The organization (supplier): add "risk analysis and opportunity" on each process turtle diagram, or/and maintain and control a "risk and opportunity management work sheet" for all QMS processes.
- The CB: show risk analysis on 'audit check list" for each process."

I'd suggest that a) this isn't "generally accepted practice" and b) is inaccurate to what is required.

 

[qualprod]

In IATF 16949 clause 6.1, which is the same as in ISO 9001, we need to conduct a risk analysis and then plan actions to mitigate such risks.

Then the contingency plan clause 6.1.2.3, mentions the risks analysis and risk mitigation activity again.

What is the difference between 6.1 (6.1.1-6.1.2) and 6.1.2.3? From what I could understand, they are referring to the same requirement. I could be wrong however.

We already have contingency plans in place despite the fact that they where not explicitly mentioned in ISO9001.

Thanks for your help.

As I understand:
I think is somewhat different
When risk is detected, if want ti mitigate it, you define plans with due dates and responsibles but such activities
are planned for short medium and long term, but What it happens if risk exploded suddenly, lets say that
next day after it was evaluated. what are you going to do if your plans are not finished yet?
See next:
A contingency plan is a course of action designed to help an organization respond effectively to a significant future event or situation that may or may not happen. A contingency plan is sometimes referred to as "Plan B," because it can be also used as an alternative for action if expected results fail to materialize

 

[Sebastian]

Risks and opportunities shall be determined for all processes of quality management system and this is 6.1.1.
Only one "waiver" is given in 6.1.2.2 b) where organization is authorised to decide whether implement or not preventive actions.
Expected here is good explanation for why not.

It would be nice to know names of those CB who accept lack of risk determination for all processes. in case of IATF 16949.

 

[AMIT BALLAL]

Sebastian, there is no requirement to determine risks for processes. Risk has to be determined in line with 4.1 and 4.2. Actions against these risk assessment has to be implemented in QMS processes. 6.1.1 doesn't specify any shall requirement to determine process-wise risk.

 

[AndyN]

Agreed Amit! People are reading too much into risks, risk analysis and risk for all processes. It's just NOT what ISO 9001 actually requires.

 

[Sebastian]

Amit I agree that literary not.
Let's take a look on it from opposite side. Is there any system process, which is not influenced by 4.1 and 4.2?
If yes, there are no risks, no opportunities.

 

[John Broomfield]

80:20 thinking is so valuable.

 

[AndyN]

Amit I agree that literary not.
Let's take a look on it from opposite side. Is there any system process, which is not influenced by 4.1 and 4.2?
If yes, there are no risks, no opportunities.

It's not a binary consideration

 

[AMIT BALLAL]

Amit I agree that literary not.
Let's take a look on it from opposite side. Is there any system process, which is not influenced by 4.1 and 4.2?
If yes, there are no risks, no opportunities.

We cannot assume that 4.1 and 4.2 influences every process. It varies from organization to organization. That's the main intention of the standard to start with organization's context (4.1 & 4.2), so that system can be designed accordingly. In your organization, the context might be influencing all process, but context of every organization is not same.

Standard doesn't state such requirement that it should relate to every process. If you feel you should do risk analysis process-wise / attach context to every process, you can, but is not required by the standard.