Informational Risk Management Implementation for ISO 9001:2015

My comment was strictly on the grammar used in the OP, not on the validity of the quoted section. I did find, in my ever-growing expansion of 2015-related files, a spreadsheet entitled "ISO 9001:2015 vs. 2008 Matrix" containing that exact quote, which appears to have come from a consultant's site on the net. The creation date was 11/21/13, so it could very well be material that is no longer being considered.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
I agree that the concept of involving risk is not nearly as daunting as some seem to fear. Most companies have always practiced some level of risk mitigation anyway. The ultimate risk mitigation is to no bid a project that a company is not comfortable with.

I do question your thought that there is a requirement for a procedure for process controls. From the last paragraph of 4.4 in the DIS:

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned."

Documented information is defined in Section 3 of the DIS.

Documented information controls are detailed in 7.5 of the DIS.

In my search of all of this I cannot find where any written procedures are required. Every place that documented information is mentioned appears to require keeping what we now know as records. It appears that documented information may include what we now know as procedures, but at the organization's discretion.

As I see it, 4.4 certainly does not require a written procedure.
These are really good points. I have reviewed lines 1662 through 1672 in section A.6 to help clarify my position, particularly 1668 and 1669, where:

"1668 Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or
1669 support a process) this is now expressed as a requirement to maintain documented information."

Documented information is defined in 3.11.

"Documented information" as associated with operational controls is mentioned in 4.4 with the caveat "to the extent necessary...", in 7.5.1 with the qualifier "...determined by the organization as being necessary...", and also in section 8.5.1, without these caveats or qualifiers.

I agree there seems to be a lot of loopholes and weasel words regarding controlled documents, but not in 8.5.1.
:2cents:
 

Big Jim

Admin

8.5.1 in the DIS:

a) the availability of documented information that defines the characteristics of the products and services;

b) the availability of documented information that defines the activities to be performed and the results to be achieved;

This looks like what you would include in a traveler and/or the traveler package. That would be routing, work instructions, drawings, specifications, and the like.

I don't see a requirement for a written procedure here.
 

Zearl

Starting to get Involved
Re: Risk Management Implementation for ISO 9001 2015 Standards.

You will no doubt get vastly different opinions, but based on the discussions that I have had with our external auditor (and the feedback from an information session run by our CB on the draft version), they are not expecting that we implement a full Risk Assessment program based on ISO 31000 or FMEA.

Their only expectation is that we can demonstrate that we have considered/addressed risks. So this may be as simple as, e.g., showing that when implementing a new process (or changing an existing process) we have identified what risks are involved in the change and addressed those that we consider appropriate.

Of course different CB's may have different expectations so start the conversation with your auditor/CB to see what they are expecting.
My initial thoughts on demonstrating consideration of risks were to compare with the
environmental aspects list in ISO 14001. A similar approach could be used for risk in
QMS processes. Show the risks, rate the risks, show the controls. Re-evaluate periodically.
Any comments?
 

chasf

In discussion with the auditor from our registrar we talked about risk management. He said what we used to call preventive action is very much the idea behind risk management and that it does not require the FMEA type approach. In one example he said that the documentation could be in the form of meeting notes. How to document this is where it will take some creative thinking.
 

in_cr_ove

The new ISO 9001:2015 standard places much emphasis on risk-based thinking and risk management. See below:

4.4.2 - Process approach
"The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;"

5.1.2 - Leadership and commitment with respect to the needs and expectations of customers
"Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;"

Right now I am concerned with the operational changes my organization will have to implement to be compliant with the new standard. From what I understand, our company will essentially have to draft a Process Failure Modes and Effects Analysis for all of our processes.

We will have three years to get our organization up to date. I have never gone through an ISO revision process before. I am interested to find out from more experienced quality people what new types of procedures/policies will be necessary to meet the new risk management requirements. Any input would be a great help.
The standard does not suggest to use a specific Risk management method, in the spirit of providing more flexibility to an organisation.
Logically the following choices exist:
1. analyse risk on a case-by-case basis
since we are talking about standardised work processes, this choice goes against the basic tenets of the standard
2. devise your own method
this will need expertise in-house and will need validation before being put to use
3. use a proven method like FMEA
common sense dictates this to be a good choice.
FMEA has evolved to address risks in all types of business processes. It not only identifies the risk; it analyses, prioritises, helps find the right action and checks the effectiveness of the action.
FMEA is a proven method and it offers flexibility for customisation, thereby making it a good choice.
 

Mike S.

Happy to be Alive
Trusted Information Resource

I respectfully disagree.

FMEA is a great tool in some cases, in other cases it is like using a sledgehammer when a claw hammer, or a screwdriver, is the better tool for the job.

Case-by-case risk analysis does not go against the basic tenets of the standard. As the IAQG says, risk-based thinking is not always a formal analysis; sometimes it is "something that we all do automatically and often sub-consciously" and "continuously". Those words are certainly not describing FMEA or other formal risk analysis methods.

JMO.
 