Concept of Risk in ISO 9001:2015

The standard has major change in principle by adding the risk based approach. It is therefore important to understand where, to what extend will this have an impact, and what can be changes in the implementation, and audits.

The risk is defined as Effect of Uncertainty over expected result. Let us use this definition on where ever the requirement is added.

The risk related requirements are added in clause: 4.4, 5.1.2, 6.1, 8.5.5, 9.3.

Also the, reference can be linked with clauses like- 6.3, 8.1, 8.3.3, 8.4.2, 10.2.

Before that, it is interesting to see the linkage of context, risk, review and strategic direction.

This means, the organization shall   know issues, have a set direction, and monitor the performance. The review shall give details of actions taken.

Let us see a small example.

The issues for small sector organization can be typically:

1. Dependence on small client base.
2. Retaining  of  employee
3. Cash flow

The strategic direction on each of these issues can have set of risk/ opportunities.

The direction in general can be:

1. Maintain quality, delivery schedule
2. Ask for better payment terms
3. Develop new customer.
    

The associated risk, opportunities are

Risks:  Loss of current customer, Loss of employee

Opportunity: Spare capacity for new customers, less paid employees

The management need to have plan on risks, opportunities to meet uncertainties of result and review the direction.

Review ideally should state actions on:

1. Result on set objectives on Quality, delivery performance customer satisfaction.
2. Result on new customer development.

The action points actually have clear co-relation to risks mentioned above:

1. Procurement of new instruments for inspection, new machines,

2. Recruitment of employees, training.

 The extent of documentation is left to organization for documenting context, strategic direction, risks, and opportunities. There is no reference to documented information for the clauses except for review.

 

On the operational part / product related part, the areas where the risk becomes starting point for review. Following statement refers to the action, or result of risk analysis.

Planning of the process is risk based as per concept shown figure 2 of the standard.

This is referred in planning for the changes, and statement refers to potential consequences. (6.3. a)

At operational planning again the reference is used to consider controls based on risk.  (8.1)

For Design of the product, consideration is given to potential consequences. (8.3.3.e)

Potential impact of service provider’s services on the final product also refers to risk.

When taking corrective action, the considerations are on consequences, and evaluation is based on potential to occur again. (10.2 A, b)

Thus at operational level, during various stages right from planning, design procurement stage the risk and impact is to be analysed.

Simple example can be:

After deciding the processes for realization & after reviewing the result, the organization can consider:

1. Inspection sampling plan, method, stages for the product.
2. FMEA for the product under design
3. Pre check before procurements.
    

 

For auditors: some simple questions can lead the trail.

1. What if the results are not achieved?
2. When was the process reviewed for risk/ opportunity and what is the outcome.
3. What are the proposed improvements based on risk/ opportunities.
    
   Hence, to conclude
   The consideration of risk based thinking means, evaluate the result, identify uncertainties, and take actions for improvement.
   The risk based thinking actually is not a document which does not add any value, but gives insight for sustainable development towards strategic direction.
    

ISO 9001 2015 - New requirements - Understanding the Context

There are many changes in the upcoming standard of ISO 9001:2015.The standard released as of now is DIS and likely to go undergo at least more round of change. The changes may not be very significant.  The first and major change is the Context of Organization. Let us to understand the requirements.

The clause 4 covers :  4 sub clauses :

1. Identification of Issues
2. Needs  and Expectations of interested parties
3. Determination of scope
4. Quality management processes

The entire system is based on the needs, issues, scope and processes. The information compiled here provides the basis for strategy, performance review and improvements.

1. Identification of Issues: The issues are significant points important to the organization . The points which are related to strategy are required to be identified. The issues are categorized as external, internal based on the control an organization has.

Internal--

Performance: Quality, Delivery.

Knowledge:  Product knowledge, patents

Values: team work, Integrity,

Culture:

 

External:

Market: Market share, Market size

Competitive: Features of competitors product

Technological: Infrastructure , work environment, Machines

Economical:  Pricing, costing

International: Currency rate , political stability

The requirement of the standard is to identify, monitor and review of  the issues.

The issues are referred in Management review, Risk and opportunities, quality policy, and top management commitment.

Though there is no specific requirement of documentation, but the issues can be coupled with risks identified , and opportunity.. A general introduction, or SWOT addressing  issues covering strategy  can be good way of representing the issues.

The link is as below:

Demonstration of consideration that  risks/ opportunities  are identified for the significant issues. Action plan on risk, opportunities, changes are availavble and reviewed  by management.

The requirements thus help the organization to get a more mature view.

1. Interested parties:
   The interested parties related to QMS can be: Customer, end user, Regulatory body, and employees, supplier, service provider,  management. The expectations  for each interested party are  different.
   Here again the needs are referred in the management review as inputs.

The idea is the management decisions are based on inputs from not only customers , but suppliers too.  The impact of this consideration can be more in on the organizations where end user, customers are different. Suppliers are 

 

1. Determination of scope:
   Though the requirement appears to be same , the details mentioned are with idea that , the processes , products, locations should be clearly defined. The boundary means the activities under control, and responsibility . There is no change in the exclusion with ref to the pervious standard.
2. System and processes:
   The change here is omission of the mention of quality manual, and that matter mention of requirement of documented procedure.
   However , the in order to prove the requirements related to establish, implement, maintain and improve the process, the organization can chose the way.
   The preferred way is still to have documents, macro/ micro flowcharts or cross linked matrix of can be an easy way.
   The new requirements are related to consideration to risk, opportunity, changes, and opportunity for improvement.
    
   Hence to summarize:
   The standard has brought together  following aspects in context.
    prevention as base.
    business situation or environment
   expectations from stake holders
   & processes
   Consideration is that management will have overview of needs, business environment, significant issues and current system.
   The aim is to have sustainable improvement and this clause now gives complete picture to the management for making decisions, look ahead , current scenario.
   The organization ideally should document

•  introduction in terms of the issues
• Levels of needs  from interested parties
• Processes and linkages
• Scope boundaries  
• 
  
  As an auditor , the understanding of context will streamline the audit focus, and will get initial knowledge on maturity of the system in the organization.
   

Review of possible impact of ISO 9001:2015

The CD version is released and in a routine pace, this will pass through the usual process of DIS, FDIS before release. The standard as such is not  only having some minor corrections , but has new concepts.

Risk, Process approach, Context & Development process are some major aspects in the standard. This will bring in major change in the understanding, documenting and implementing the standard. All such changes will bring in the quality management approach risk prevention, sustainability. The standard is in line with ISO 9004 guidelines published some time back.

From the business perspective let us analyze the changes:

This is now a management standard : With more focus on risk, prevention, strategy and accountability of top management, the standard clarifies the tasks for top management. In the earlier versions, the linkage between vision- strategy, policy, objective was not mentioned , though expected. Here it is direct linkage and there by onus will be more on management. This means management can not handover to MR and remain aloof.

Focus on sustainability: The context of organization identifies business related external & internal aspects , risks. The impact and counter actions are part of review. Hence this document will be guiding document and this will help organization to improve.

Focus on Prevention rather than QA/QC: The current  standard was clear on product monitoring and  has clear requirements related to process monitoring, product monitoring. The new standard uses risk approach, strategy, Knowledge management, process approach &  context of organization. This will bring in more focus on how to se all these to prevent product failures . The standard has no change as far as current requirements of product monitoring.

Better quality documentation: The process approach , the risk, knowledge management will ensure that the documentation will be pertaining to the organization’s size and purpose.

There are few areas which are different and made more generic in order to accommodate service sector. These can have some impact especially , clause on calibration , Management representative role are  more simplified.

Let us see the  not so positive impact :

a.       This standard will further add some documentation. Though useful , but may lead  a debate that earlier standard was more flexible, while this calls for more, structured documentation.

b.      The small organizations will find it difficult to prepare for unless some guidelines are released. At the same time, big organizations will find it very useful, only confidentiality can be an issue.

c.       The management clauses , context, and strategy  have some elements where there can be debate as to what extent organization would want to document the details. Adequacy, findings  may not be acceptable to the management.

d.      The same clauses when evaluated differently , may lead to consultancy.

e.      The time required for the audit is likely to go up – as documentation review, top management, planning function need to be audited to the requirements.

Positive  Impacts:

a.       Increased involvement of top management.

b.      More of management audit, hence success rate , sustainability of the organization will be better.

c.       Flexibility in the areas of monitoring, calibration.

d.      Better understanding of preventive actions, risk, strategy, improvements

 

Review of ISO 9001:2015 draft version

Impact of new standard ISO 9001:2015

We know that the most popular certification standard is ISO 9001. The applicability, adaptability and benefits to the organization are known to the industry. The standard is undergoing change and the first draft is out. It is too early to say what will be the final standard, but now the structure is defined, major changes in the requirements are known.

The changes as described in the standard are:

1. more generic and more easily applicable by service industries.

Product replaced by goods and service.

Clauses redefined related to monitoring devices, and development.



2. Context of the organization

Identify issues, requirements , & needs, expectations of the stakeholders.



3. Process Approach

Determine- the processes & their interaction, , and define for each process- inputs, stages, outputs, responsibilities, measurement, objectives, risks, resources. Determine, how these will be analyzed, changed, improved.



4. Risk and Preventive action

Identify risks, analyze and consider opportunity for improvement



5. Documented information

Document, record requirements are combined to as documented information.



6. Control of external provisions of goods and service

Combining of procurement function with outsourced processes. The new point is risk base approach.



Hence the common theme in this standard are:

a. Introduction of Risk based approach

b. Incorporating the Process approach

c. Simplification on document, record control

d. Improvements and innovations



Let us analyze the impact:

a. Understanding of the requirement by management:

This is no more just a standard oriented towards customer. This is a management standard aimed at sustainable improvement in performance.

This will increase adaptability , and will not be left for MR and team lower down to manage the standard to meet auditor requirements.



The emphasis on risk, strategy documents, reviews will ensure management will have to focus on standard.



b. Documentation:

This will also have a major change, based on process approach adaption. The processes/ SOP/ work instruction/ flow chart will have to address all the process approach requirements specified. This will make the system robust, and will support approach towards improvements.



c. Development process :

The new considerations, risk based approach, development process documentation will strengthen the process. The development process, development controls ( clause requirements in current standards) , an development transfer are essesntial stages in any new design.



d. New terminologies :

Knowledge management, strategy, Innovation, Accountability, risk based approach are the new concepts which are introduced.



Impact on organization ongoing for ISO 9001 revised std.:

1. Difficult for small companies.

The management concepts like strategy, knowledge management, risks etc. are not easily adopted for small companies. The extent of documentation, the relevance to the sector are the aspects to be reviewed.



2. Will be effectively used as tool for management.

The system was mainly driven by MR. The new standard has many elements related to top management involvement. This will ensure active participation by management.

3. No major changes at operating level.

There is no change in the contents of the clauses. The standard is aimed at management improvement.



4. Documentation will be elaborate, detailed and useful.

The documents will result in actionable plan for improvements. The risk, knowledge management, strategy and interrelation of objectives, tracking are the examples.



Impact on auditing:

a. Expect the management audit will be 10% more than earlier audits.

b. The auditor will have to understand process approach and audit processes.

Relation of strategy- objective- process measure must be understood.

The process improvements, innovations must be part of the audit as appropriate.

c. Management audit will require more competence in terms of management requirements, awareness of TQM tools.

d. Stage 1 audit will be in much more depth.



e. The auditor will have to do tight rope walking considering the findings on the management audit. The comments must not appear as consultancy and the inadequacies findings can be difficult.



To conclude,

The standard has a lot of new points for the organizations, as well as auditors. The concepts are aimed towards management related improvements.

 

How to Integrate QMS & TQM

I remember when we were implementing ISO 9001, we had consultants for implementation of ISO 9001, and as well management has another consultant for TQM. Both these consultants never see each other. Both had same agenda to improve the performance, but were working parallel and at times countering each other. During those days, there were separate teams working under both and resulted in creating parallel systems.

Generally now days this trend continues in large scale companies. For medium and small sectors if there is a consultant he either looks in QMS or TQM.

When there is integration of various management system is possible, why not have an integration of TQM and QMS.

The basic differences are as follows and normally the arguments are as below:

TOM	QMS
A focused way of improving	First documenting all the processes and then demonstrating the effectiveness
More of data review, less document oriented.	Data review , effectiveness is in the later phase of implementation of system
Results are immediately evident on completion / progress of projects	Results are related to objective setting, CAPA,IQA analysis,  Rejections, process monitoring,  relatively later part of implementation
Identify and improve continually	Write what you do & Do what you write

 

Generally QMS becomes stagnant once the certification is complete, and reviewed only once in year before audit. At the same time TQM brings in fresh air with defined approach, focused review, expert guidance and time bound actions with results.

However, in spite of this, both the system has more commonalities:

1.       The objective of the organization – to improve the performance

2.       Principles are same- Team work, PDCA, customer satisfaction, leadership

3.       Move towards sustained success.

4.       Calls for close review of processes.

The management system is now a need of modern business, and improvement is way of life. Hence it is better to integrate both and get maximum benefits.

How to achieve the integration:

1.       Discuss with top management and formalize the plan.

2.       Ensure that the team talks to each other.

3.       QMS helps in documenting the processes / current practices. Hence this is the first step.

4.       During implementation of QMS, the TQM activity can be initiated.

5.       The integration can be initiated with management first.

6.       The objective setting, process review, CAPA, complaints, customer feedback is the areas to be considered first for integration.

7.       The specific TQM activity such as 5S, Kaizen, Process review, six sigma can then be attached to the documented system.

8.       Reviews can be together for assessing the implementation.

9.       The changes in processes, infrastructure, and product must then be documented as part of change of system in QMS.

10.   It is important to be flexible because there can be too many small changes.

 

Simple example can be:

If the material is stored in identified bins, with particular system for retrieval. If the same is changed by taking project on 5S, inventory management to improve the storage condition, fast retrieval; the changes must be documented in work instruction, inventory records related software system, and changes in infrastructure are recoded as handling instruction & process of training must be available.

The result of such changes must be part of objectives, process monitoring of stores.

 

The soft side of integration:

The management generally tends to give more attention to the TQM projects since the results are visible. However if these results are to be sustained and tracked, the basis is provided by QMS or related management system.

To summarize:

The TQM, QMS are not isolated ways though apparently it is felt that way. It is the management involvement, team work and clarity in concept which can bring together the best of both.

FUTURE OF QUALITY SYSTEM

self Assessment of an Effective Audit