Risk Identification and Risk Assessment for any Process - Is it necessary?

morteza

Trusted Information Resource
#1
Dear all

I asked my question (whether it is necessary to identify and assess risks for each QMS process) in another thread, but I could not get a clear answer.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. the emergence of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (e.g. reducing the product price for the mentioned risk). These actions shall be implemented through QMS processes (reducing waste in the production process, procuring raw material at a lower price through the supply process, etc.), as referred to in clause 6.1.2 and stated in clause 4.4.1 f).

So, I think ISO 9001:2015 does not require determining risks and opportunities for each process. It requires determining risks that affect organizational objectives, and planning treatment actions and implementing them through processes.

Is it right?
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
Re: Risk identification and risk assessment for any process. Is it necessary?

I asked my question (whether it is necessary to identify and assess risks for each QMS process) in another thread, but I could not get a clear answer.
You can ask the question 2 million times and get conflicting, unclear, misleading answers. Because the standard writers failed to deliver a clearly written, auditable requirement, people will have wide-ranging views of "RBT". Even worse, the "clarification" documents are also inconclusive and non-pragmatic.

People here will offer opinions, some more educated than others. At the end of the day, you will have to determine YOUR interpretation and move forward. If you are being audited and your auditor does not agree with your interpretation, you must demand to know what requirement is not being complied with.
 

Tyler C

#3
Are you currently certified to ISO 9001:2008? If so, what do you do for Preventive Action? If you look at Annex A (A.4), it talks a little about RBT.

It goes on to say that RBT has always been implicit in previous editions of the standard. They say the key purpose of a QMS is to act as a preventive tool, and the concept of Preventive Action is expressed through the use of RBT. They say this gives it better flexibility, and to Sidney's point, I think that is why they left it so vague.

From Annex A, "Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process..." "...the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks."

I would suggest reading A.4, then going to your registrar and asking for guidance documentation from them. If they can't provide this, listen to Sidney and determine it yourself, for your organization. To help you with this, look at how you handle Preventive Actions and adapt it as you see necessary. Whether it needs to go as deep as every single individual process, or otherwise, is up to you.
 

John Broomfield

Staff member
Super Moderator
#4
So, I think ISO 9001:2015 does not require determining risks and opportunities for each process. It requires determining risks that affect organizational objectives, and planning treatment actions and implementing them through processes.

Is it right?
I agree with your interpretation.

As always, put nothing in your management system to pass an audit.

For your colleagues to enthusiastically use and improve their management system it must help them to fulfill the organization's mission and their contributory objectives.

Given this, your colleagues will defend their management system in explaining how it assures quality while helping them to address the risks when planning and realizing opportunities.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#5
Dear all

I asked my question (whether it is necessary to identify and assess risks for each QMS process) in another thread, but I could not get a clear answer.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. the emergence of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (e.g. reducing the product price for the mentioned risk). These actions shall be implemented through QMS processes (reducing waste in the production process, procuring raw material at a lower price through the supply process, etc.), as referred to in clause 6.1.2 and stated in clause 4.4.1 f).

So, I think ISO 9001:2015 does not require determining risks and opportunities for each process. It requires determining risks that affect organizational objectives, and planning treatment actions and implementing them through processes.

Is it right?
I am sorry you did not get a satisfactory answer on the first try.

While it is true that the standard did not very specifically define where and how to identify risks, the ISO 9001 Technical Committee's ISO TC/176/SC2 Home Page does include a guidance document on risk that says risks are inherent in processes as well as having an effect on objectives. Risk is defined as the effect of uncertainty.

Because of the confusion, the ISO 9001 Auditing Practices Group published guidance documents, including one on Risk Based Thinking. It includes a number of ways to accomplish it and demonstrate it for audit purposes.

I hope this helps!

 

morteza

Trusted Information Resource
#6
Hi Jen

I read all the mentioned documents, but really it is not possible to conclude from them that doing risk assessment or risk management for each process (such as purchasing, communication, tool management, etc.) is a requirement of the ISO 9001 standard.
But some experts believe that it is a requirement.

I am searching for and requesting the correct interpretation.
 

rkk2014

Starting to get Involved
#7
Risk assessment for other processes, or I feel for every process, is possible. Since the standard has not specified any specific guideline for risk analysis, make your own logical guidelines and do the analysis.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#8
Hi Jen

I read all the mentioned documents, but really it is not possible to conclude from them that doing risk assessment or risk management for each process (such as purchasing, communication, tool management, etc.) is a requirement of the ISO 9001 standard.
But some experts believe that it is a requirement.

I am searching for and requesting the correct interpretation.
First, let us understand that risk means the effect of uncertainty. There is an idea that "risk management" is required for all processes, but those documents did not say that. We can identify and understand risk, accept it or avoid it, and maybe eliminate it if we find that to be important. But a formal program for that is not needed.

I have a sense you are already doing risk based thinking.

Let us look at Purchasing.

1) Do you audit any suppliers? If so, why? Would that be to reduce the risk of not understanding their practices or capability?

2) Or, do you favor suppliers having ISO certification? If so, why? Is it enough to presume the certification process is sufficient to ensure controlled processes are in place?

We make choices based on risk. Sometimes we find we need to change our minds; so be it.

I would not list Communication as a process. That said, there is always a risk we are not effectively communicating; we might decide an alternative method is better. I also wonder if Tool Management is a process or is it a subprocess of Maintenance or Production. That said, is there a chance of tooling becoming damaged from handling? Or is there a chance of it being misplaced? How do you store your tooling to prevent damage or loss? This is risk based thinking too.

None of these things require documentation under 6.1, but supplier control is covered in 8.4. That said, Management Review inputs do include a review of the effectiveness of actions taken to reduce risk. That does not require a formal program. Kaizen events could work, as could reviews of 5S projects, and so much more. Just please do not make it too complex.
 

morteza

Trusted Information Resource
#9
First, let us understand that risk means the effect of uncertainty. There is an idea that "risk management" is required for all processes, but those documents did not say that. We can identify and understand risk, accept it or avoid it, and maybe eliminate it if we find that to be important. But a formal program for that is not needed.

I have a sense you are already doing risk based thinking.

Let us look at Purchasing.

1) Do you audit any suppliers? If so, why? Would that be to reduce the risk of not understanding their practices or capability?

2) Or, do you favor suppliers having ISO certification? If so, why? Is it enough to presume the certification process is sufficient to ensure controlled processes are in place?

We make choices based on risk. Sometimes we find we need to change our minds; so be it.

I would not list Communication as a process. That said, there is always a risk we are not effectively communicating; we might decide an alternative method is better. I also wonder if Tool Management is a process or is it a subprocess of Maintenance or Production. That said, is there a chance of tooling becoming damaged from handling? Or is there a chance of it being misplaced? How do you store your tooling to prevent damage or loss? This is risk based thinking too.

None of these things require documentation under 6.1, but supplier control is covered in 8.4. That said, Management Review inputs do include a review of the effectiveness of actions taken to reduce risk. That does not require a formal program. Kaizen events could work, as could reviews of 5S projects, and so much more. Just please do not make it too complex.
Hi Jen

Thanks for your detailed explanation.
As you mentioned, we do take some actions in our processes based on risk considerations, such as supplier assessment in the purchasing process.

We prepared a detailed risk assessment (through a risk assessment form) of our quality objectives and documented it. In this assessment we defined some actions for addressing risks, which should be implemented through processes and projects. We did not do such an assessment for processes. One auditor told us that it is an ISO 9001 requirement to do risk assessment for process objectives, although it is not necessary to document it. Truly, we did not do such an assessment for processes.

So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes? I know that we usually do risk assessment in some ways.
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#10
I think Jen is saying that you already do it, but can you explain how to an auditor?

I'm not really into ISO 9001:2015 but when reading about this stuff when I did implementations the biggest part was usually explaining to someone in a company how they were already, in most things, doing what the standard required. I would say you are doing this and this is what the standard requires. We usually did a cross-matrix to the clause in the standard to their process(es) and procedures which fulfilled the requirement of the standard. Key was the person in the company who could speak with the auditor about the requirements of the standard.

I would do the same today - In the case of Risk Based Thinking I would have a list of things, such as aspects Jen mentioned in her post so that when the auditor wanted to discuss compliance, you can say "We do this, and we do this, and we do this".

I do feel that the 2015 version is - Well, Sidney has made quite a few posts in which he for all intents and purposes has said that this version is poorly written (to say the least). From what I have read I agree. Then again, it is being audited to and auditors are asking questions. Think about what questions auditors are asking.

If it was me, I'd do a lead auditor course (again). I did my first one in 1994. I think I did it again in 1998. I did an "update" again for the 2000 version and I did a "transition" course for the 2000 version. These are a few of them: https://elsmar.com/Certificates-Marc_T_Smith/ It's a tough week, but part of what you learn is what questions to ask and expected/acceptable responses. Afterward, you should be able to come back and use that to audit your company. That, in turn, prepares you.

And of course the internet has expanded so much, and these days there is so much written about things like RBT that there are a lot of discussions about it. I agree with Jennifer in that many people are overthinking it and making it seem more complex than it is.

As to
So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes?
you are doing it, is my bet. In some areas you're documenting the risk analysis you do, and in others it may not be documented, but you're doing it. Jen has started you out with a few examples. Now, make up a list of all the examples you can think of. If it was me, I'd probably have a list of departments and processes and such, and list some of the things your company does in each. With that you will be ready to discuss with the auditor how you comply, the things you do. My bet is that once you start listing things you do to address risk in various parts of the company's business systems, you'll see, and be able to talk about, what your company does to address risk.

Like I say, the internet is vast these days and there are tons of articles and such you can read to help you think about RBT and how it is being audited. An example: http://rube.asq.org/audit/2015/01/a-risk-based-thinking-model-for-iso-9001-2015.pdf

and https://www.qualitydigest.com/inside/risk-management-column/030216-what-risk-based-thinking.html

NQA also has a decent write-up: https://www.nqa.com/en-us/resources/blog/july-2016/risk-based-thinking - Note where they say
Understand the standards. You need to correctly interpret the terminology applied to ISO management systems. Risk is not always stated explicitly in each ISO standard. Terms like “suitable” and “appropriate” will often imply that you need to demonstrate a balanced approach towards risk based thinking.
which is what I am referring to above in this post and why I suggest there is value in a lead auditor course.

I will say that what they are calling RBT has been part of most of the companies I have actually worked in going back to the 1980s. I have worked in aerospace, automotive, and explosives, to name a few. At one time I had an entire wall in my garage that had shelves filled with training and information materials, such as Hazardous Operations and Process Design in Explosives Manufacturing. I was doing FMEAs, or variants of risk analysis, years ago.

Anyway, just a few thoughts, and my thanks to Jennifer for her posts on RBT in this thread and in others here.
 