
Risk Identification and Risk Assessment for any Process - Is it necessary?

morteza

Trusted Information Resource
#1
Dear all

I asked my question (whether it is necessary to identify and assess risks for any QMS processes) in another thread, but I could not receive a clear answer.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. the emergence of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (e.g. reduction of product price for the mentioned risk). These actions shall be implemented through QMS processes (reduction of waste in the production process, providing raw material at a lower price through the supply process, etc.), as referred to in clause 6.1.2 and stated in clause 4.4.1 f).

So, I think ISO 9001:2015 does not require determining risks and opportunities for every process. It requires determining the risks that affect organizational objectives, planning treatment actions, and implementing them through processes.

Is it right?

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
Re: Risk identification and risk assessment for any process. Is it necessary?

I asked my question (whether it is necessary to identify and assess risks for any QMS processes) in another thread, but I could not receive a clear answer.
You can ask the question 2 million times and get conflicting, unclear, misleading answers. Because the standard writers failed to deliver a clearly written, auditable requirement, people will have wide-ranging views of "RBT". Even worse, the "clarification" documents are also inconclusive and non-pragmatic.

People here will offer opinions, some more educated than others. At the end of the day, you will have to determine YOUR interpretation and move forward. If you are being audited and your auditor does not agree with your interpretation, you must demand to know what requirement is not being complied with.

Tyler C

#3
Are you currently certified to ISO 9001:2008? If so, what do you do for Preventive Action? If you look at Annex A (A.4), it talks a little about RBT.

It goes on to say that RBT has always been implicit in previous editions of the standard. They say the key purpose of a QMS is to act as a preventive tool, and the concept of Preventive Action is expressed through the use of RBT. They say this gives it better flexibility, and to Sidney's point, I think that is why they left it so vague.

From Annex A, "Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process..." "...the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks."

I would suggest reading A.4, then going to your registrar and asking for guidance documentation from them. If they can't provide this, listen to Sidney and determine it yourself, for your organization. To help you with this, look at how you handle Preventive Actions and adapt it as you see necessary. Whether it needs to be as deep as every single individual process, or otherwise, is up to you.

John Broomfield

Staff member
Super Moderator
#4
So, I think ISO 9001:2015 does not require determining risks and opportunities for every process. It requires determining the risks that affect organizational objectives, planning treatment actions, and implementing them through processes.

Is it right?
I agree with your interpretation.

As always, put nothing in your management system to pass an audit.

For your colleagues to enthusiastically use and improve their management system it must help them to fulfill the organization's mission and their contributory objectives.

Given this, your colleagues will defend their management system in explaining how it assures quality while helping them to address the risks when planning and realizing opportunities.

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#5
Dear all

I asked my question (whether it is necessary to identify and assess risks for any QMS processes) in another thread, but I could not receive a clear answer.

Based on clause 6.1.1, the organization shall determine its risks and opportunities (e.g. the emergence of new competitors). Based on clause 6.1.2, the organization shall plan actions to address the determined risks (e.g. reduction of product price for the mentioned risk). These actions shall be implemented through QMS processes (reduction of waste in the production process, providing raw material at a lower price through the supply process, etc.), as referred to in clause 6.1.2 and stated in clause 4.4.1 f).

So, I think ISO 9001:2015 does not require determining risks and opportunities for every process. It requires determining the risks that affect organizational objectives, planning treatment actions, and implementing them through processes.

Is it right?
I am sorry you did not get a satisfactory answer on the first try.

While it is true that the standard did not very specifically define where and how to identify risks, the ISO 9001 Technical Committee's ISO TC/176/SC2 Home Page does include a guidance document on risk that says risks are inherent in processes as well as having an effect on objectives. Risk is defined as the effect of uncertainty.

Because of the confusion, the ISO 9001 Auditing Practices Group published guidance documents, including one on Risk Based Thinking. It includes a number of ways to accomplish it and demonstrate it for audit purposes.

I hope this helps!


morteza

Trusted Information Resource
#6
Hi Jen

I read all the mentioned documents, but it really is not possible to conclude that doing risk assessment or risk management for every process (such as purchasing, communication, tool management, etc.) is a requirement of the ISO 9001 standard.
But some experts believe that it is a requirement.

I am searching and requesting for correct interpretation.

rkk2014

#7
Risk assessment for other processes, or I feel for every process, is possible. Since the standard has not specified any specific guideline for risk analysis, make your own logical guidelines and do the analysis.

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#8
Hi Jen

I read all the mentioned documents, but it really is not possible to conclude that doing risk assessment or risk management for every process (such as purchasing, communication, tool management, etc.) is a requirement of the ISO 9001 standard.
But some experts believe that it is a requirement.

I am searching and requesting for correct interpretation.
First, let us understand risk means effect of uncertainty. There is an idea that "risk management" is required for all processes, but those documents did not say that. We can identify and understand risk, accept it or avoid it, and maybe eliminate it if we find that to be important. But a formal program for that is not needed.

I have a sense you are already doing risk based thinking.

Let us look at Purchasing.

1) Do you audit any suppliers? If so, why? Would that be to reduce the risk of not understanding their practices or capability?

2) Or, do you favor suppliers having ISO certification? If so, why? Is it enough to presume the certification process is sufficient to ensure controlled processes are in place?

We make choices based on risk. Sometimes we find we need to change our minds; so be it.

I would not list Communication as a process. That said, there is always a risk we are not effectively communicating; we might decide an alternative method is better. I also wonder if Tool Management is a process or is it a subprocess of Maintenance or Production. That said, is there a chance of tooling becoming damaged from handling? Or is there a chance of it being misplaced? How do you store your tooling to prevent damage or loss? This is risk based thinking too.

None of these things require documentation under 6.1, but supplier control is covered in 8.4. That said, Management Review inputs do include a review of the effectiveness of actions taken to reduce risk. That does not require a formal program. Kaizen events could work, as could reviews of 5S projects, and so much more. Just please do not make it too complex.

morteza

Trusted Information Resource
#9
First, let us understand risk means effect of uncertainty. There is an idea that "risk management" is required for all processes, but those documents did not say that. We can identify and understand risk, accept it or avoid it, and maybe eliminate it if we find that to be important. But a formal program for that is not needed.

I have a sense you are already doing risk based thinking.

Let us look at Purchasing.

1) Do you audit any suppliers? If so, why? Would that be to reduce the risk of not understanding their practices or capability?

2) Or, do you favor suppliers having ISO certification? If so, why? Is it enough to presume the certification process is sufficient to ensure controlled processes are in place?

We make choices based on risk. Sometimes we find we need to change our minds; so be it.

I would not list Communication as a process. That said, there is always a risk we are not effectively communicating; we might decide an alternative method is better. I also wonder if Tool Management is a process or is it a subprocess of Maintenance or Production. That said, is there a chance of tooling becoming damaged from handling? Or is there a chance of it being misplaced? How do you store your tooling to prevent damage or loss? This is risk based thinking too.

None of these things require documentation under 6.1, but supplier control is covered in 8.4. That said, Management Review inputs do include a review of the effectiveness of actions taken to reduce risk. That does not require a formal program. Kaizen events could work, as could reviews of 5S projects, and so much more. Just please do not make it too complex.
Hi Jen

Thanks for your detailed explanation.
As you mentioned, we take some actions in our processes based on risk considerations, such as supplier assessment in the purchasing process.

We provided a detailed risk assessment (through a risk assessment form) of our quality objectives and documented it. In this assessment we defined some actions for addressing risks which should be implemented through processes and projects. We did not do such an assessment for processes. One auditor told us that it is an ISO 9001 requirement to do risk assessment for process objectives, although it is not necessary to document it. Truly, we did not do such an assessment for processes.

So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes? I know that we usually do risk assessment in some ways.

Marc

Fully vaccinated are you?
Staff member
Admin
#10
I think Jen is saying that you already do it, but can you explain how to an auditor?

I'm not really into ISO 9001:2015 but when reading about this stuff when I did implementations the biggest part was usually explaining to someone in a company how they were already, in most things, doing what the standard required. I would say you are doing this and this is what the standard requires. We usually did a cross-matrix to the clause in the standard to their process(es) and procedures which fulfilled the requirement of the standard. Key was the person in the company who could speak with the auditor about the requirements of the standard.

I would do the same today - In the case of Risk Based Thinking I would have a list of things, such as aspects Jen mentioned in her post so that when the auditor wanted to discuss compliance, you can say "We do this, and we do this, and we do this".

I do feel that the 2015 version is - Well, Sidney has made quite a few posts in which he for all intents and purposes has said that this version is poorly written (to say the least). From what I have read I agree. Then again, it is being audited to and auditors are asking questions. Think about what questions auditors are asking.

If it was me, I'd do a lead auditor course (again). I did my first one in 1994. I think I did it again in 1998. I did an "update" again for the 2000 version and I did a "transition" course for the 2000 version. These are a few of them: https://elsmar.com/Certificates-Marc_T_Smith/ It's a tough week, but part of what you learn is what questions to ask and expected/acceptable responses. Afterward, you should be able to come back and use that to audit your company. That, in turn, prepares you.

And of course the internet has expanded so much and these days there is so much written about things like RBT that there are a lot of discussions about it. I agree with Jennifer in that many people are over thinking it and making it seem more complex than it is.

As to
So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes?
you are doing it is my bet. In some areas you're documenting the risk analyses you do and in others it may not be documented, but you're doing it. Jen has started you out with a few examples. Now, make up a list of all the examples you can think of. If it was me I'd probably have a list of departments and processes and such, and list some of the things your company does in each. With that you will be ready to discuss with the auditor how you comply, the things you do. My bet is once you start listing things you do to address risk in various parts of the company's business systems, you'll see and be able to talk about what your company does to address risk.

Like I say - The internet is vast these days and there are tons of articles and such you can read to help you think about RBT and how it is being audited. An example: http://rube.asq.org/audit/2015/01/a-risk-based-thinking-model-for-iso-9001-2015.pdf

and https://www.qualitydigest.com/inside/risk-management-column/030216-what-risk-based-thinking.html

NQA also has a decent write-up: https://www.nqa.com/en-us/resources/blog/july-2016/risk-based-thinking - Note where they say
Understand the standards. You need to correctly interpret the terminology applied to ISO management systems. Risk is not always stated explicitly in each ISO standard. Terms like “suitable” and “appropriate” will often imply that you need to demonstrate a balanced approach towards risk based thinking.
which is what I am referring to above in this post and why I suggest there is value in a lead auditor course.

I will say that what they are calling RBT has been part of most of the companies I have actually worked in going back to the 1980s. I have worked in aerospace, automotive, and explosives to name a few. At one time I had an entire wall in my garage that had shelves filled with training and information materials, such as Hazardous Operations and Process Design in Explosives Manufacturing. I was doing FMEAs, or variants of risk analysis, years ago.

Anyway - Just a few thoughts, and my Thanks to Jennifer for her posts on RBT in this thread and in others here.