Informational Risk Management Implementation for ISO 9001:2015

tony s

Information Seeker
Trusted Information Resource
In auditing RBT, I would have the following expectations:
  • For clauses 6.1.1 and 6.1.2a: RBT was considered during QMS planning (e.g. SWOT or equivalent might have been utilized during strategic planning; for operational planning, tools like FMEA, Risk Matrices or Registries, etc. might be used to determine process risks/opportunities that need to be addressed). RBT can also be demonstrated to manage changes on QMS processes, products and services;
  • For clauses 6.1.2b.1 and 4.4.1f: Controls are established on determined risks/opportunities. Controls can be physically present and/or specified in documented information such as control plans, procedures and instructions;
  • For clauses 6.1.2b.2 and 9.1.3e: Effectiveness of the actions was evaluated, typically through internal audits or evaluations of the set performance indicators. I'd like to see whether internal auditors look into the actions to address risks/opportunities;
  • For clause 9.3.2e: One of the topics discussed in the management review was the result of the evaluation of the effectiveness of the actions taken to address risks/opportunities. The organization's lead internal auditor may have some sort of a summarized report on the audited actions on risks/opportunities;
  • For clause 10.2.1e: I'll check whether reported NCs and implementation of CAs triggered the updating of the record of identified risks/opportunities, including actions.
 

Big Jim

Admin
I'm glad that your expectations are expressed in "mights". None of those require a record that reflects risk based thinking.

So the question comes up of how do you gather objective evidence when documents or records are not required? By interview and observation.

So if you don't see documented evidence of risk-based thinking, ask them how they do it.
 

John Broomfield

Leader
Super Moderator
Re: Auditing ISO 9001 RBT (aka Risk Management) Compliance

First focus on how the organization creates and takes up opportunities to fulfill its mission (reason for its existence).

Then work with top management to listen and look for evidence of risks being considered and dealt with (via their organizational management system) for:

1. Existing services and products for existing customers
2. Existing services and products for new customers
3. New services and products for existing customers
4. New services and products for new customers

You'd expect to see different controls so query when the controls seem the same.

Seek evidence of the risks being known (including the unknown risks being acknowledged) and how the organizational management system responds to changes (agility).

Much as we did before ISO 9001 specified RBT.

John
 

Big Jim

Admin
That's an excellent point. Most every if not every company has practiced risk identification and mitigation forever. The new standard seeks us to have greater awareness of it, but it really isn't anything new.
 

Crusader

Trusted Information Resource
Thanks for chiming in above! We wrote new/revised old procedures and included the RBT in all except a couple. But since we just implemented it within the last 2 - 3 months, I wonder how we will do in the Stage 1....we'll all find out very soon (Monday 17th). I wasn't even sure how to audit it since it is so new. Everything written is what we do since it's newly written in text and not tribal knowledge. It's like everyone says, we've all been doing it but not realizing it and it was never outlined/written down until now.

:popcorn:
 
anders.kemper

In my opinion you have to explain in the QMS how you did your business plan. You have your business goals, you make a SWOT for the business goals, and you have your plan to handle risks and opportunities. (I just had my audit for 2015)


 

Big Jim

Admin
Wow. That sounds like an overreach of the requirements of the standard. Business plan isn't mentioned in the standard, and I don't think you have to have a business plan to explain strategic direction (which is in the standard).

Personally, I think a business plan makes sense. The first time I read the new standard I commented on how 4.1 through 4.4 looked a lot like the logical steps to create a business plan and have speculated that TC-176 dusted off an old textbook from management 101 or business 101 and opened it to the chapter on writing a business plan.

That said, having a business plan IS NOT a requirement of the standard and I would question an auditor or a CB that tries to tell you otherwise.
 
anders.kemper

I was surprised during the audit that 75% of the time we were talking about our business plan.
In my opinion most of the companies have some kind of strategic planning in the form of a business plan, but it's not implemented in the QMS.
My tip is to use this and connect it to the QMS and you will have a soft transition.
What I think is the hardest thing to do is to engage the management in the QMS. If you can't show the engagement of the management the audit will fail.


 

SpinDr99

Involved In Discussions
Jen,

We're a small machine job shop. Very streamlined on our procedures and transitioning to 2015 from 2008. You talked about documented procedures for process controls. We have none of these and no work instructions. Instead, we work strictly off our work order/production traveler and the drawing for the job. Do you think this will satisfy the auditor?

The work order/traveler determines when the product goes to the lathe or milling areas and the CNC program runs in each area. First Article and in-process inspections are performed to monitor processes and whether we are meeting customer requirements. There is a big emphasis on aiming for the nominal dimension and not just staying within tolerance. Communication between QC (at First Article Inspection) and the operators is excellent so operators know what adjustments to the CNC program are required to achieve nominal dimensions. Do you think we still need to have documented procedures to maintain process control?
 