Risk Based Thinking - Is a Documented Procedure required?

[qusys]

If it was me, I'd do a spreadsheet listing your processes. In it I would put in things your company does to assess risk(s) for each. If you do that it will get you to thinking about all the areas you do some type of risk assessment, paper based or otherwise. That way you will have a "cheat sheet" that you can use and discuss with the auditor, and it will help you to more fully understand all the various ways your company assesses various risks.

Thanks Marc.
For an ISO TS company now shifting to IATF, there are also other method like FMEA process and product.
The question is: need a risk analysis for each QMS processes at high level, or process FMEA for each process is ok? As to opportunities, how to proceed ?

 

[qusys]

Risk Based Thinking is not required as a stand-alone procedure. You do however need to demonstrate that you're assessing risk at all levels of the organization. If you have a procedure on supplier assessment, you're already doing this in Purchasing. Preventive Actions, PFMEAs, Cross Training Matrix, Contingency Plans, AQL sampling plans, capability studies, and Gage R+R's are all examples of Risk Assessment.

Thanks.
A question: ISO 9001 requires risk and opportunities analysis starting from the organization context and the identification of internal/external issues and parties. How what you suggested match that requirement? Do you have a method to assign a risk score?

 

[Jen Kirley]

Thanks.
A question: ISO 9001 requires risk and opportunities analysis starting from the organization context and the identification of internal/external issues and parties. How what you suggested match that requirement? Do you have a method to assign a risk score?

There is an idea out there that a single approach must be used to identify and address risk. Not so. Additionally, the idea that risks must be scored is not true.

There are many ways to address risks. If you have a task-oriented process, such as receiving or packaging and shipping, would a checklist help to avoid missed steps? If so, use that to describe how risk was identified (is there a history of missed steps?) and how the checklist addresses the issue. Done.

Please do not make this too complex.

 

[qusys]

For some processes it is good swot analysis with then risk evaluation with ad hoc tables for severity and probability including risk matrix.
Also Fmea is ok as tool.
As to opportunities? Could Brainstorming be ok?

 

[Jen Kirley]

For some processes it is good swot analysis with then risk evaluation with ad hoc tables for severity and probability including risk matrix.
Also Fmea is ok as tool.
As to opportunities? Could Brainstorming be ok?

I would say opportunities become apparent with brainstorming. What is identified through that exercise could be the Opportunity.

 

[normzone]

If you want to second guess the million possible asinine questions some auditors could ask, let the ISO gods have mercy on you.

Stick to the requirements of the standard and how you your system complies with them, in a meaningful manner, and you will be in a much better and sane place.

Systems are not meant to pass audits. Especially when conducted by questionably competent auditors. Systems exist to provide GOVERNANCE to an organization.

Good luck.

Thanks Sidney. I wish I could add that to my email signature template