Risk Management Implementation for ISO 9001:2015

SystemsQualityGuy

#1
The new ISO 9001:2015 standard places much emphasis on risk-based thinking and risk management. See below:

4.4.2 - Process approach
“The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;”

5.1.2 - Leadership and commitment with respect to the needs and expectations of customers
“Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;”

Right now I am concerned with the operational changes my organization will have to implement to be compliant with the new standard. From what I understand, our company will essentially have to draft a Process Failure Modes and Effects Analysis for all of our processes.

We will have three years to get our organization up to date. I have never gone through an ISO revision process before. I am interested to find out from more experienced quality people what new types of procedures/policies will be necessary to meet the new risk management requirements. Any input would be a great help.
 

dsheaffe

Involved In Discussions
#2
Re: Risk Management Implementation for ISO 9001 2015 Standards.

You will no doubt get vastly different opinions, but based on the discussions that I have had with our external auditor (and the feedback from an information session run by our CB on the draft version), they are not expecting that we implement a full Risk Assessment program based on ISO 31000 or FMEA.

Their only expectation is that we can demonstrate that we have considered/addressed risks. So this may be as simple as, e.g., showing that when implementing a new process (or changing an existing process) we have identified what risks are involved in the change and addressed those that we consider appropriate.

Of course, different CBs may have different expectations, so start the conversation with your auditor/CB to see what they are expecting.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#3
I agree with dsheaffe. :agree1:

There will certainly be confusion among CB auditors about what is acceptable evidence. We can't even agree on which documents need to be controlled and which can be just tools.

I can offer that my training thus far has stressed that FMEAs will not be required for all the processes, and that there is an expectation there will be no defined required format for exhibiting risk-based thinking.

The six required documented procedures will no longer be required. The new version of ISO 9001 will require documented procedures for process controls so as to ensure product and service conform to customer requirements, which you are probably doing now. The standard will also ask us to measure and monitor so as to know if we are succeeding, which you may also already be doing. The new idea may be making controls to avoid other undesired outcomes, which might include the business interests, maybe even employee turnover if your intellectual capital is critical to your organization.
 
#4
I can't find 4.4.2 in my copy of the DIS for ISO 9001:2015. Can you tell me where you found it? Have they published the FDIS and I missed it? I understood it would be out in June or July.
 
#5
I agree that the concept of involving risk is not nearly as daunting as some seem to fear. Most companies have always practiced some level of risk mitigation anyway. The ultimate risk mitigation is to no-bid a project that a company is not comfortable with.

I do question your thought that there is a requirement for a procedure for process controls. From the last paragraph of 4.4 in the DIS:

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned."

Documented information is defined in Section 3 of the DIS.

Documented information controls are detailed in 7.5 of the DIS.

In my search of all of this I cannot find where any written procedures are required. Every place that documented information is mentioned appears to require keeping what we now know as records. It appears that documented information may include what we now know as procedures, but at the organization's discretion.

As I see it, 4.4 certainly does not require a written procedure.
 

AndyN

A problem shared...
Staff member
Super Moderator
#6
Good comments so far. How did you get the understanding that an FMEA was needed for all processes?
 

John Broomfield

Fully retired...
Trusted
#7
This is the problem:

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned."

Whose confidence? The auditor's?

This is a rephrasing of ISO 9001:2008's clause 4.2.1d, "to the extent necessary for effective planning, operation and control", which had the benefit of being objective.

Effectiveness is verifiable, confidence is not.
 
SystemsQualityGuy

#8
That is a good question. I can't find it in clause 4 either. I have seen this text referred to in other threads and on the Certified Enterprise Risk Manager Academy website. In any case, risk will still be a major part of ISO 9001:2015.
 

hogheavenfarm

Quite Involved in Discussions
#9
4.4.2 - Process approach
“The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;”


This clause seems conditional. Note that the determination is required IF unintended outputs are delivered OR process interaction is ineffective. Sort of like a corrective action here, not advance planning.
 
#10
Like others, I can't find the clause reference mentioned, and the text you've quoted is not that included in my copy of the DIS. :confused:

So I'm not sure of the value in responding to text that doesn't exist in a draft standard that is soon to be superseded by another (final) draft standard! :D
 