There is a pervasive myth that formal risk analysis is required for processes. A great deal of outcry on LinkedIn and other sites perpetuates the myth. Some of the loudest outcry is from consultants, who naturally want to exhibit their expertise and advocacy for the user.
So, my question is: is it a requirement of ISO 9001 to do risk assessment on QMS processes? I know that we usually do risk assessment in some ways.
But 6.1 of ISO 9001:2015 does not require a formal analysis. It does not require documentation. Guidance documents suggest that risk be handled as per ISO 31000, which probably helped build the myth.
An auditor will ask about risk, and what you do in response to it. If you have a checklist to ensure all requirements are met in the packaging and shipping process, produce it and describe its intent. Checklists are very good for helping to control transaction-type process risks.
The internal audit can help determine the effectiveness of actions taken to reduce risk. If your packaging area and shipping area use a checklist, the audit can include that and compare it to complaints, if any, about problems with shipped product. If your purchasing process relies on ISO certification for suppliers and you find contamination problems with a certain raw material from a certain supplier, that is data indicating your action to address risk may not have been sufficient and you must do more. If that is the case, describe that; you can use supplier CARs and related documents to help show documentation of this analysis.
If an auditor demands that you have a formal risk analysis for processes, ask "Where is the requirement?" The regulated industries will need process FMEAs (Failure Mode Effect Analysis), but without that requirement or a customer requirement, this is not required in 9001:2015. A corrective action stating otherwise should be disputed so the auditor can be corrected.