Informational Risk Management Implementation for ISO 9001:2015

dsanabria

Quite Involved in Discussions
The new ISO 9001:2015 standards place much emphasis on risk based thinking and risk management. See below:

4.4.2 - Process approach
"The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;"

5.1.2 - Leadership and commitment with respect to the needs and expectations of customers
"Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;"

Right now I am concerned with operational changes my organization will have to implement to be compliant with the new standards. From what I understand our company will essentially have to draft a Process Failure Modes and Effect Analysis for all of our processes.

We will have three years to get our organization up to date. I have never gone through an ISO revision process before. I am interested to find out from more experienced quality people what new types of procedures/policies will be necessary to meet the new risk management requirements. Any input would be a great help.

Before you begin and create an empire of documents and bureaucracy - FMEA is one out of many tools that you can use.

For additional information on this subject follow the link and incorporate what works for your processes and it is effective - use the KISS principle.

https://www.sae.org/servlets/regist...HGeneral&PAGE=getSCMHBOOK&vgenNum=224&scmhs=1

Attachments

  • 7.3.2_Risk_Management_Storyboard_Content_01_APR_2014.pdf

Zearl

Starting to get Involved
Agree.
In our current system, we have documented "turtle diagrams" which basically detail each process in our system....production, maintenance, purchasing, etc. We are planning at this point to document risk assessment by simply tabulating Risk/Results/Controls for areas of concern. These areas of concern already, naturally, have controls to prevent unintended results, thus mitigating associated risks.

My opinion is this doesn't have to be a massive undertaking encompassing every risk that can possibly be considered, since we just need to demonstrate we have considered risk.

For example, with respect to Raw Materials, one risk is Poor Quality Raw Material. Result, off-spec product, control, incoming inspection procedure requirements, etc.
With respect to production, one risk is off-specification product. Result, poor customer satisfaction/monetary losses. Control, final product analysis and inspection requirements.

At first I considered doing a risk assessment similar to environmental aspects in 14001, but on further reading of the standard and Elsmar comments, I don't believe such a massive undertaking is warranted. I'll be checking with our auditor to see what he/she expects.

What say you Elsmar?
 

Sidney Vianna

Post Responsibly
Leader
Admin
"I'll be checking with our auditor to see what he/she expects."
Be careful with designing and implementing a system based on "auditor's wishes" because they can be fickle and there is auditor rotation. Much wiser to implement something that is well thought out and makes sense and is sustainable for the organization, instead of something that is a moving target, extrinsic to the company.

"What say you Elsmar?"
First thing I would say: there is NO REQUIREMENT in ISO 9001:2015 for Risk Management. Risk based thinking does not equate to formal risk management.

Risk based thinking is supposed to be a framework, a MINDSET to be deployed when confronted with decisions, challenges and dilemmas related to the organization's ability to deliver conforming product and enhancing customer satisfaction. I provided one example of solving a typical question along the lines of risk based thinking deployment (broken link removed).

Obviously, in more complex contexts (e.g. medical devices, aerospace, automotive, chemical sectors), formal (qualitative and quantitative) risk management processes and practices could be required.
 

Zearl

Starting to get Involved
Sidney,
Appreciate your comments and agree with the auditor statement. My intent is to explore what he/she has noted from talks with other auditors. But it is our system.

With regard to risk management, section 6.1 requires actions to address risks and opportunities. 6.1.2 states "the organization shall plan: a) actions to address these risks and opportunities; b) how to: 1) integrate and implement the actions into its QMS processes (4.4) and 2) evaluate the effectiveness of these actions."
So documenting risks associated with processes would seem to help accomplish 1) above. If we need to plan actions to address risk, isn't that managing risks? Not an all-out formal risk management matrix, but simply a means of documenting risks and actions which we have already considered in the first place.
 

LUV-d-4UM

Quite Involved in Discussions
Just today our TS auditor told us that her recommendation for Risk Based Thinking is FMEA and elaborated why. I told her in front of the management she's auditing that the standard does not require FMEA.
 

Big Jim

Admin
"Just today our TS auditor told us that her recommendation for Risk Based Thinking is FMEA and elaborated why. I told her in front of the management she's auditing that the standard does not require FMEA."

It may not be required but for some companies it would be very useful. For others it would be a huge pain in the neck.
 

Zearl

Starting to get Involved
"It may not be required but for some companies it would be very useful. For others it would be a huge pain in the neck."
Agree. But I am afraid we will see auditors all across the board on risk, as the standard is very vague on the subject. It seems with every new revision, the more ambiguous. As a result, there is too much interpretation by the auditors at times.
 

tqmexpert

to John R. Broomfield

Good point, but here is the guideline for you...

You must use your head...
for each potential risk component you must ask...
"Is the risk artifact ACCEPTABLE OR NOT, in order to ensure
that this particular QMS process can work out as planned?"

By answering this question you find the right answers
to put into your QMS Contingency Plan, which you should develop
to summarize your risk findings plus mitigation strategies.
If you really know your QMS processes well,
you will have no problem with all the "holistic" risk assessment,
but make sure you apply it to all potential risk factors, like geographical risk,
process risk, product risk, people risk, etc...well, that is what "risk based thinking" is all about...FMEA cannot cover it all and does not suit always 100%.

Hope that helps.
 