Risk Approach doesn't address External Issues (Auditor's Comment)

[qualprod]

Sílex7
Merge is to combine or joint to obtain one part or unit.
I don't see the objective of the merge, could you share the example?
Or maybe you say that both issues are shown in one file, is that what you meant?
Although that is not a merge.
Regards

 

[AndyN]

The Auditor after discussing this part showed me a merged risk assessment model that has organization contexts and Interested parties together , and he told me that's a good example one

This is consulting and the (CB) auditor shouldn't be telling you what's a "good example". That's purely their opinion and I'd question their ability to know one when they see one! Any "risk assessment model" is far more than ISO 9001:2015 requires. Let's not overlook that this standard was written for all types of organizations all over the World. As such, an approach like you were shown may look nice, however, is it what the standard is asking for? No and what's more a far, far simpler approach is likely to be what IS actually required.

 

[Big Jim]

Until things settle down you are going to see a lot of overthinking about risk simply because it is new. Don't fall into the trap. Pay attention to what the standard actually says, not what people are reading into it. Make sure you read what's in the front and back of the standard as well as what's in sections 4 through 10 before you attempt to determine your method of dealing with risk.

Risk may be new to the standard, but it is not new to business. They have been handling it forever. Much of what they already do may be enough.

The same thing happened when the 2000 version was released with the new topic of continual improvement. Once the dust settled people realized that all they needed to do was already in the standard.

You do not need a formal procedure for risk. Record keeping of how you handle risk is limited to discussing it in management review and including that discussion in the management review record.

 

[Silex7]

Sílex7
Merge is to combine or joint to obtain one part or unit.
I don't see the objective of the merge, could you share the example?
Or maybe you say that both issues are shown in one file, is that what you meant?
Although that is not a merge.
Regards

Qualprod, what I meant, is rather to have risk plan for each clause, you could have something like this:

For each risk you define your interested party who could be facing this risk and his relation with your business context.

 

[Silex7]

Let's not overlook that this standard was written for all types of organizations all over the World. As such, an approach like you were shown may look nice, however, is it what the standard is asking for? No and what's more a far, far simpler approach is likely to be what IS actually required.

Andy, you're right that I might be getting farther than standard requirement, but I was thinking if I am getting to improve my organization's risk management, why not having a good one?
I've reading some debates about how some clauses requirements implementation could be somehow 'insufficient' or ineffectively implemented for instance , interested parties , it might be extra work to do I agree with that, but may be saving it from being inefficient.

 

[AndyN]

Silex7 - Have you had a look at what ISO/TS 9002 has to say on this topic? From what I recall - and what ISO 9001:2015 states - looking at risk and opportunity is at a much higher level, that is "strategic". It's not meant to be looking at FMEA or merging risk and opportunity with other parts of the context. TBH it's far, far simper than most believe. The context is trying to form an "anchor" for the quality management system, to enable a framework to be established rather than, as in the past, a bunch of random concepts: policy, objectives, procedures etc. The requirements of the context are to put some thought into what the organization needs to address for its QMS to be successful and then ensure suitability of the various parts of the QMS are aligned and support each other. It's really quite simple...

 

[Eredhel]

First, in 4.1 identify external and internal issues, the positive and negative.
Positive side are opportunities, negatives are risks.

Are you referring to how risks are supposed to be addressed in 6.1.1? Because 4.1 doesn't require a negative external or internal issue to be a risk. It says internal issues and external issues can be positive and negative, not that one has to be the other.:

"NOTE 1: Issues can include positive and negative factors or conditions for consideration."

 

[qualprod]

Qualprod, what I meant, is rather to have risk plan for each clause, you could have something like this:
View attachment 24245
For each risk you define your interested party who could be facing this risk and his relation with your business context.

As Andy Said, do it Easy, since the standard only require RBT.
On the other hand, ok , you could use a table/spreadsheet in order to manage risk easier, but remember the purpose in 4.1 is not that same in 4.2, so a real merge is not applicable in my criteria.
Hope this helps

 

[qualprod]

Are you referring to how risks are supposed to be addressed in 6.1.1? Because 4.1 doesn't require a negative external or internal issue to be a risk. It says internal issues and external issues can be positive and negative, not that one has to be the other.:

"NOTE 1: Issues can include positive and negative factors or conditions for consideration."

Eredhel
Don't see any difference, what you say in note 1, is what I included in my comment.
Hope is clear

 

[Bev D]

the answer isn’t in the standard. Nor will you find the answer with shallow thinking.
I always recommend that people read “the failure of risk management and how to fix it” by Douglass Hubbard. Risk based thinking requires thinking to understand what is the best thing to do...