Informational Risk Management (and Risk Based Thinking) in ISO 9001:2015

Marie Cavanaugh

Re: Risk Management in ISO 9001:2015

I am taking a big risk by posting the Quality Policy statement for the ISO 9001:2015 management system. I welcome everyone to critique this quality policy. Thank you.

"We the employees of XYZ company are committed to deliver quality in every product and service which we provide to all our customers. To meet this commitment we will:

Supply products and services which meet customer expectations and requirements, equalling or surpassing the competition

Develop and introduce innovative products and services to meet emerging expectations and requirements

Maintain an environment which encourages us to continuously strive to improve the quality of work, both as individuals and as a team.

This commitment to quality is a responsibility accepted by all XYZ Company employees to maintain the loyalty and trust of our customers."
Hi, I just rewrote mine in 3 sentences. Yours may fit your business needs; however, I have always used "meet or exceed expectations".
M. Cavanaugh QSM
 

AndyN

Moved On
Re: Risk Management in ISO 9001:2015

Hi, I just rewrote mine in 3 sentences. Yours may fit your business needs; however, I have always used "meet or exceed expectations".
M. Cavanaugh QSM

Can I ask if this fits your context and the needs of "interested parties"? Was that a consideration in setting your policy? What is it you do for your customers?
 

AndyN

Moved On
We did a simple SWOT analysis for the business for 9001:2015 and worked off that for risk analysis, and it was accepted by the auditor.

As John B suggests, was it useful to the management? Pleasing an external auditor isn't the goal.
 

qualprod

Trusted Information Resource
Re: Risk Management in ISO 9001:2015

Jen
Questions regarding your format for risks:
1. What do you base the level of risk on?
Do you use numerical information? Is it qualitative or quantitative?
2. Please explain your criteria for when to apply actions according to the risk value.
3. Do you apply the residual risk practice?
4. What are your criteria for the close-out of risks?
Thanks
 

Helmut Jilling

Auditor / Consultant
Re: Risk Management in ISO 9001:2015

Jen
Questions regarding your format for risks:
1. What do you base the level of risk on?
Do you use numerical information? Is it qualitative or quantitative?
2. Please explain your criteria for when to apply actions according to the risk value.
3. Do you apply the residual risk practice?
4. What are your criteria for the close-out of risks?
Thanks

I would suggest you keep it simple... Low, Medium and High.... Any finer resolution than that is really just a noisy guess... I mean, how do you really distinguish between a 4 or a 5?
 

qualprod

Trusted Information Resource
Re: Risk Management in ISO 9001:2015

Yes Helmut.
In fact that's the problem I have, because I use probability and impact, P x I = risk value.
But using this method is not so simple, because it is very difficult to assign values to P and I; as you say, what happens with values between 4 and 5 for P and I?
In my case, in order to keep it simple, I will try to just rank risk as low, medium and high, not considering probability and impact.
Because if you want it simple, it is not possible to use criteria like P x I; that is what I've learned.
My plan is to take another, simpler risk approach, also because my business is not risky, I mean it is not necessary to apply complex analysis.
My main concern is that the P and I values are very vague and not precise, so the risk value is very imprecise.
That's the reason to change my approach.
If my analysis were quantitative, using real values for P and I, maybe I would keep it.
Please share your comments.
 

Helmut Jilling

Auditor / Consultant
Re: Risk Management in ISO 9001:2015

Yes Helmut.
In fact that's the problem I have, because I use probability and impact, P x I = risk value.
But using this method is not so simple, because it is very difficult to assign values to P and I; as you say, what happens with values between 4 and 5 for P and I?
In my case, in order to keep it simple, I will try to just rank risk as low, medium and high, not considering probability and impact.
Because if you want it simple, it is not possible to use criteria like P x I; that is what I've learned.
My plan is to take another, simpler risk approach, also because my business is not risky, I mean it is not necessary to apply complex analysis.
My main concern is that the P and I values are very vague and not precise, so the risk value is very imprecise.
That's the reason to change my approach.
If my analysis were quantitative, using real values for P and I, maybe I would keep it.
Please share your comments.

My recommendation was to consider everything - severity, significance, probability, impact, likelihood, consequences - but just rank it as a conclusion of low, medium and high. Don't try to apply statistical analysis to it.... you will drive yourself crazy and still not come up with more precise results than what I described....
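To make the P x I versus Low/Medium/High discussion in the last few posts concrete, here is an added example that is not code from anyone in the thread. It keeps a small risk register with inherent and residual scores, a close-out check, and a "sensitivity" check that reports whether a one-step change in P or I (the "4 or 5?" judgement call) would move a risk into a different band. The five-point scales, the band thresholds and the sample risks are all assumptions constructed for the example.

```python
"""Toy risk register contrasting a numeric P x I score with a plain Low/Medium/High band.

Added example for this thread, not code from any poster. Assumptions: five-point
probability (P) and impact (I) scales, illustrative band thresholds, and a
constructed sample register.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = very low ... 5 = very high (assumed five-point scales)


def pxi_score(p: int, i: int) -> int:
    """Classic risk value = probability x impact on the 1..5 scales."""
    if p not in SCALE or i not in SCALE:
        raise ValueError(f"P and I must be in 1..5, got P={p}, I={i}")
    return p * i


def band_from_score(score: int) -> str:
    """Collapse a 1..25 score into three bands. Thresholds are an assumption:
    1-5 Low, 6-12 Medium, 15-25 High (no 5x5 product falls on 13 or 14)."""
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def band_sensitivity(p: int, i: int) -> set:
    """Bands reachable if the assessor's P or I is off by one step either way.
    More than one band means the numeric score looks precise but the
    conclusion actually hinges on a judgement call between adjacent values."""
    reachable = set()
    for dp in (-1, 0, 1):
        for di in (-1, 0, 1):
            pp, ii = p + dp, i + di
            if pp in SCALE and ii in SCALE:
                reachable.add(band_from_score(pxi_score(pp, ii)))
    return reachable


@dataclass
class Risk:
    name: str
    p: int                      # inherent probability
    i: int                      # inherent impact
    # Each control is (description, change to P, change to I) once in place.
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        score = pxi_score(self.p, self.i)
        return score, band_from_score(score)

    def residual(self) -> tuple:
        """Score and band after the listed controls; values are clamped to the scale."""
        p = max(min(self.p + sum(c[1] for c in self.controls), 5), 1)
        i = max(min(self.i + sum(c[2] for c in self.controls), 5), 1)
        score = pxi_score(p, i)
        return score, band_from_score(score)

    def can_close(self, acceptable_band: str = "Low") -> bool:
        """Close-out criterion (assumed): residual band is at or below the acceptable band."""
        order = {"Low": 0, "Medium": 1, "High": 2}
        return order[self.residual()[1]] <= order[acceptable_band]


def sample_register() -> list:
    """Constructed sample data, not from the thread."""
    return [
        Risk("Single supplier for a key component", p=3, i=4,
             controls=[("Qualify a second supplier", -2, 0)]),
        Risk("Inspection records kept only on one laptop", p=4, i=3,
             controls=[("Nightly backup to the file server", -1, -2)]),
        Risk("Sole certified operator for a critical process", p=5, i=5,
             controls=[("Cross-train a second operator", -1, 0)]),
    ]


def summarise(register: list) -> list:
    """One row per risk: name, inherent band, residual band, closable, and whether
    the inherent band is stable against a one-step change in P or I."""
    rows = []
    for r in register:
        _, inh_band = r.inherent()
        _, res_band = r.residual()
        stable = len(band_sensitivity(r.p, r.i)) == 1
        rows.append((r.name, inh_band, res_band, r.can_close(), stable))
    return rows


if __name__ == "__main__":
    for row in summarise(sample_register()):
        print(row)
```

Running it shows the point both posters make: two of the three sample risks score as "Medium" inherently, yet a one-step disagreement on P or I would push them into "High", so the 12 versus 15 distinction carries less information than it appears to. Recording the band, the controls and the residual band directly (as Helmut suggests) loses nothing the P x I arithmetic actually added.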