Informational Risk Management (and Risk Based Thinking) in ISO 9001:2015

John Broomfield

Leader
Super Moderator
Re: Risk Management in ISO 9001:2015

I am taking a big risk by posting the Quality Policy statement for the ISO9001:2015 management system. I welcome everyone to critique this quality policy. Thank you.

"We the employees of XYZ company are committed to deliver quality in every product and service which we provide to all our customers. To meet this commitment we will:

Supply products and services which meet customer expectations and requirements surpassing or equalizing the competition

Develop and introduce innovative products and services to meet emerging expectations and requirements

Maintain an environment which encourages us to continuously strive to improve the quality of work, both individual and as a team.

This commitment to quality is a responsibility accepted by all XYZ Company employees to maintain the loyalty and trust of our customers."

LUV-d-4UM,

I hope you don't mind me rewriting your policy statement:

"We the employees of XYZ company remain committed to deliver quality services and products to all our customers.

To fulfill this commitment we use and improve our management system to:

A. Supply services and products which meet customer requirements;

B. Determine emerging customer needs and develop the knowledge, skills, abilities and innovative services and products to fulfill these needs; and

C. Recognize the inherent opportunities and risks and take action to prevent failures to fulfill requirements.

We share this commitment to quality and improvement in everything we do to earn and maintain the loyalty and trust of our customers."


Please note that services always are experienced before products and that opportunities are recognized before risks. It is also worthwhile mentioning the management system that should help the employees to fulfill the policy.

It needs several further rewrites to be as readable as the Wall Street Journal.

It best be true and from the hearts of top management.

John
 

Marc

Fully vaccinated are you?
Leader
Re: Risk Management in ISO 9001:2015

just to be clear, many companies do not adequately evaluate and control risks.
I agree to some degree, however most of the companies which I have done work for have done, and do, appropriate risk analysis/use "risk based thinking" but many times it is not always formalized and documented, nor is the phrase "risk based thinking" used. In companies where it is formalized and documented, the company usually has high risk aspects (such as death) for end users such as in aviation, medical, pharma, marine and automotive, etc.

RBS is rehashing old stuff (I worked in risk assessment back in the 1980's in aerospace electronics but no one ever used the phrase "risk based thinking") and making "risk based thinking" into an ISO 9001 requirement will just be adding to confusion and complexity. I even remember working in a grocery when I was in high school around 1966-67, and while it wasn't called "risk based thinking", they went through a risk analysis to the point of training us that bagging groceries such as all canned (and other "hard") goods go into separate bags, "soft" items like bread were set aside and bagged last (and point out to customer which bag their bread was in). People don't like squashed bread or cans piled upon a bag of potato chips. Another aspect back then in grocery stores was how high objects must be stacked (and shelf height was figured into how shelving was set up in stores). Etc.Etc.

Philip Scalise did a good quick write up recently on a Linkedin group in which he spoke about "risk" in every day life. Each of us does a risk analysis every day in everything we do. We don't typically think of it as "risk based thinking", but everything we do is a risk assessment/risk based thinking to one degree or another. I was thinking about "risk based thinking" the other day when it was very cold here. My GF said to me, as I was leaving to go to the grocery store, "You better take your cell phone in case your car won't start". Tracey's "risk based thinking" was on and working. Another example: Every time I have bought a house since ground fault outlets have been available, I replaced EVERY outlet in the house with a ground fault outlet before I moved in.

The only good thing (on my end) I see coming out of this is more money for consultants, book writers and such. As they make ISO 9001 more and more prescriptive and complex, it makes ISO 9001 less appropriate and less useful - Especially to "Mom & Pop" businesses.

What matters will be the end ISO 9001:2015 document and the many ways it will be interpreted as each sentence is parsed.

But being a "consultant" this is, of course, good for us financially. To many of my clients, however, formalizing/documenting it is not typically value added (most are already doing it but this will make it more "formal" thus more costly). It is one more (increasing) cost of doing business.

In 2000 the buzz phrase was "The Process Approach" which is still not understood by many. This time around it's "Risk Based Thinking". I don't think this will become a significant issue, since most companies are already evaluating risks appropriately. I think the thing will be to get the phrase "risk based thinking" into their vocabulary.

Just my :2cents:
 

Paul Simpson

Trusted Information Resource
Re: Risk Management in ISO 9001:2015

Msrc. I'd agree that there is little new about RBT in the Draft. I've snipped from the new clause 0.5 - here:
This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system.

Well my questions is where is RBT more explicit in the DIS? I guess the new clause 4.1 of organisational context requires organisations to look around and gather information about needs and expectations and 4.4 f requires organisations to consider risks and opportuniteis in process development and 6.1 requires determination of and planning for risks and opportunities. So perhaps more explicit but is it explained better? I'd be interested in the views here.

The approach is a bit more granular but does it really move RBT on from Preventive Action, the current 4.1 c and the capture of requirements in Clause 7 for what the product / service should do.

Like many others I have worked in quality for longer than ISO 9001 has been around :D and can remember day 1 in work was all about how quality was there to reduce the risk to the customer of product that doesn't meet his / her requirements.
 

Marc

Fully vaccinated are you?
Leader
Re: Risk Management in ISO 9001:2015

<snip> Like many others I have worked in quality for longer than ISO 9001 has been around :D and can remember day 1 in work was all about how quality was there to reduce the risk to the customer of product that doesn't meet his / her requirements.
Yes, and going back to the late 1970's and the early 1980's the goal was to address across border (country to country) issues which was the genesis of what became ISO 9001 (and back then ISO 9002 and ISO 9003, for those that remember them) in 1987.

I do believe your post is correct as long as we consider both production (in-house) risks and end user use (and mis-use) risks.
 

LUV-d-4UM

Quite Involved in Discussions
Re: Risk Management in ISO 9001:2015

Thank you Paul.

Can you suggest a better way to "capture of requirements in Risk Analysis and Clause 7 for what the product / service should do?" That will surely enrich this policy statement.
 

LUV-d-4UM

Quite Involved in Discussions
Re: Risk Management in ISO 9001:2015

Thank you Marc.

I think I can also include the phrase "Risk-based thinking" into the uality policy. I'll post it when I come up with something.
 

Lise Quality

Registered
Re: Risk Management in ISO 9001:2015

does anyone made risk identification and assessment to share with us?

i like to see some samples

Because we have decided to continue with the written process and we are going to transition to IATF 16949, here is what I use for each of my processes (blank copy) When you click on the risk analysis format at the end of the document, it brings you to excel.
 

Attachments

  • Process Map template.doc
    64 KB · Views: 1,886

Marc

Fully vaccinated are you?
Leader
Re: Risk Management in ISO 9001:2015

Thank you for sharing, Lise Quality.

Does anyone else have anything to share with us? Other examples perhaps?
 
Top Bottom