Informational Risk Management Implementation for ISO 9001:2015

Jen Kirley

Quality and Auditing Expert
Leader
Admin
I have seen a huge amount of discussion, concern and misinformation about risk-based thinking and ISO 9001:2015 (and related standards that use it as their core requirements).

Some people have tried to claim FMEAs will be required. That is not true. Indeed, ISO TC 176/SC2 has published a white paper on RBT to help clarify FMEAs are not required.

The FMEA's format has tended to be suited for manufacturing widgets, but I have seen its format adapted to help IT groups perform their risk control systems. Environmental and safety managers have been making Aspects and Impacts and Risk-Hazard Analyses for years, using an adapted FMEA format.

For that reason it seems sensible for some to suggest such a format might be helpful, especially for those of us who are accustomed to seeing it for product. That is why I made an adaptation of the FMEA for managing risks in processes. The fact that it somewhat resembles an FMEA is due to the usefulness of the FMEA for sorting information. That is all. Please see attached. I hope this helps!
 

Attachments

  • Risk Based Planner.xlsm

Stijloor

Leader
Super Moderator
Here are some thoughts regarding Risk Management.

ISO 9001:2015 does not require this effort to be documented.

Top Management (Managers/Process Owners) will likely be interviewed regarding how this has been considered and implemented in the processes they own or manage.

What's the risk associated with Managers contradicting each other during audits? (I've often experienced this!! :notme:). My recommendation? Develop a risk matrix.

It represents "lessons learned." It helps to retain knowledge. And it should be part of "organizational knowledge."

Comments folks?
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
I look forward to seeing anything and everything that is effective for the organization. It occurs to me that the tools used might be selected based on the organization's management system maturity. Those with less maturity and less confidence might opt for an adapted FMEA format. Risk Matrices are excellent alternatives and I look forward to reviewing these as well, for those whose systems find them the best fit. :cool:
 
tqmexpert

Managers contradicting each other during audits...
whooo...seems like the organization is not streamlined in policy, audit scope, etc...

risk matrix - yes! of course..., including...

Geographical risks
Supply chain risks
Political risks
location risk
product risk
logistics risks
political risks
etc...
all what applies to the individual organization,
holistic view is the key
needs mostly a global continuity strategy PLUS a local contingency strategy,
put it all in one risk mitigation plan,
FMEA can be part of it and cover also a lot of it, if done well,
to cover all or at least set up mitigation thinking...
but highest priority numbers must keep the "customer comes first" in mind,
even with lower RPN, must be mitigated best,
that's the right set of "risk based thinking" third party auditors will accept
hope that helps...;)
 

tony s

Information Seeker
Trusted Information Resource
RBT can be factored into the following processes:
  • when the organization convenes during their strategic or business planning (SWOT and other Risk Management tools can be used);
  • during design and development of new products, services and processes (FMEA is useful for most companies, for ISO/TS companies they don't have a choice, for the food sector they have HACCP);
  • in identifying the necessary controls to prevent illnesses and injuries to ensure a "suitable environment" as specified in clause 7.1.4 of ISO 9001:2015 (job hazard analysis or HIRAC is useful);
  • in ensuring companies are environment friendly (Aspect/Impact ID and Assessment should be carried out);
  • in identifying controls to ensure Business Continuity (labor problems, equipment failure, alternative site, man-made and natural disasters should be considered);
  • whenever there are changes in the existing controls (a procedure for Management of Change should be considered);
  • when we introduce corrections or corrective actions (identification of the "residual risks" or the remaining risk after treatment can be considered);
  • when auditing the processes (auditors may check if there are controls in place on the risks that may occur in the realization of their processes, if not available then OFIs can be identified)
 
mvezalulimi

There is no need to panic with regard to risk-based thinking. I am sure that most organizations conduct their SWOT analysis. If not, I would advise them to conduct it because I strongly believe that it is the right way of identifying all risks and opportunities of the organization.
 

Zearl

Starting to get Involved
Agree Stijloor and thanks for the comment.
Before everyone undertakes an across the board risk analysis process,
suggest reading article by John Guzik in the June issue of Quality Progress
("Prove It. How to demonstrate risk-based thinking for auditors").
General conclusion of the article: risk based thinking does not require a new
tool or process like risk management, FMEA, or other. Use your existing
processes like Management Review, Internal audits, etc. to demonstrate
risk-based thinking. It's an interesting article, but of course I cannot
attach it due to copyright concerns.
 

howste

Thaumaturge
Trusted Information Resource
If you are logged in to ASQ, here's a direct link to the article: https://asq.org/quality-progress/2016/06/standards-outlook/prove-it.html
 