The standard has a major change in principle: it adds the risk-based approach. It is therefore important to understand where and to what extent this will have an impact, and what can change in implementation and audits.
Risk is defined as the effect of uncertainty on an expected result. Let us apply this definition wherever the requirement is added.
The risk-related requirements are added in clauses 4.4, 5.1.2, 6.1, 8.5.5 and 9.3.
The reference can also be linked with clauses such as 6.3, 8.1, 8.3.3, 8.4.2 and 10.2.
Before that, it is interesting to see the linkage of context, risk, review and strategic direction.
This means the organization shall know its issues, have a set direction, and monitor performance. The review shall give details of the actions taken.
Let us see a small example.
The issues for a small-sector organization can typically be:
- Dependence on a small client base
- Retention of employees
- Cash flow
The strategic direction on each of these issues can have a set of risks/opportunities.
The direction in general can be:
- Maintain quality, delivery schedule
- Ask for better payment terms
- Develop new customer.
The associated risks and opportunities are:
Risks: Loss of current customer, loss of employee
Opportunity: Spare capacity for new customers, less paid employees
The management needs to have a plan on risks and opportunities to meet uncertainties of result, and to review the direction.
The review ideally should state actions on:
- Results on set objectives for quality, delivery performance and customer satisfaction.
- Results on new customer development.
The action points actually have a clear correlation to the risks mentioned above:
1. Procurement of new instruments for inspection, new machines.
2. Recruitment of employees, training.
The extent of documentation for context, strategic direction, risks and opportunities is left to the organization. There is no reference to documented information for these clauses except for review.
On the operational / product-related side, there are areas where risk becomes the starting point for review. The following statements refer to the action, or result, of risk analysis.
Planning of the process is risk based, as per the concept shown in figure 2 of the standard.
This is referred to in planning for changes, where the statement refers to potential consequences (6.3 a).
At operational planning, the reference is again used to consider controls based on risk (8.1).
For design of the product, consideration is given to potential consequences (8.3.3 e).
The potential impact of the service provider's services on the final product also refers to risk.
When taking corrective action, the considerations are on consequences, and evaluation is based on the potential to occur again (10.2 a, b).
Thus, at the operational level, during the various stages right from planning, design and procurement, the risk and impact are to be analysed.
A simple example can be:
After deciding the processes for realization and after reviewing the result, the organization can consider:
- Inspection sampling plan, method, stages for the product.
- FMEA for the product under design
- Pre check before procurements.
For auditors, some simple questions can lead the trail:
- What if the results are not achieved?
- When was the process reviewed for risks/opportunities, and what is the outcome?
- What are the proposed improvements based on risks/opportunities?
Hence, to conclude:
The consideration of risk-based thinking means: evaluate the result, identify uncertainties, and take actions for improvement.
Risk-based thinking is not a document that adds no value; it gives insight for sustainable development towards the strategic direction.