Concept of Risk in ISO 9001:2015

The standard has major change in principle by adding the risk based approach. It is therefore important to understand where, to what extend will this have an impact, and what can be changes in the implementation, and audits.

The risk is defined as Effect of Uncertainty over expected result. Let us use this definition on where ever the requirement is added.

The risk related requirements are added in clause: 4.4, 5.1.2, 6.1, 8.5.5, 9.3.

Also the, reference can be linked with clauses like- 6.3, 8.1, 8.3.3, 8.4.2, 10.2.

Before that, it is interesting to see the linkage of context, risk, review and strategic direction.

This means, the organization shall   know issues, have a set direction, and monitor the performance. The review shall give details of actions taken.

Let us see a small example.

The issues for small sector organization can be typically:

1. Dependence on small client base.
2. Retaining  of  employee
3. Cash flow

The strategic direction on each of these issues can have set of risk/ opportunities.

The direction in general can be:

1. Maintain quality, delivery schedule
2. Ask for better payment terms
3. Develop new customer.
    

The associated risk, opportunities are

Risks:  Loss of current customer, Loss of employee

Opportunity: Spare capacity for new customers, less paid employees

The management need to have plan on risks, opportunities to meet uncertainties of result and review the direction.

Review ideally should state actions on:

1. Result on set objectives on Quality, delivery performance customer satisfaction.
2. Result on new customer development.

The action points actually have clear co-relation to risks mentioned above:

1. Procurement of new instruments for inspection, new machines,

2. Recruitment of employees, training.

 The extent of documentation is left to organization for documenting context, strategic direction, risks, and opportunities. There is no reference to documented information for the clauses except for review.

 

On the operational part / product related part, the areas where the risk becomes starting point for review. Following statement refers to the action, or result of risk analysis.

Planning of the process is risk based as per concept shown figure 2 of the standard.

This is referred in planning for the changes, and statement refers to potential consequences. (6.3. a)

At operational planning again the reference is used to consider controls based on risk.  (8.1)

For Design of the product, consideration is given to potential consequences. (8.3.3.e)

Potential impact of service provider’s services on the final product also refers to risk.

When taking corrective action, the considerations are on consequences, and evaluation is based on potential to occur again. (10.2 A, b)

Thus at operational level, during various stages right from planning, design procurement stage the risk and impact is to be analysed.

Simple example can be:

After deciding the processes for realization & after reviewing the result, the organization can consider:

1. Inspection sampling plan, method, stages for the product.
2. FMEA for the product under design
3. Pre check before procurements.
    

 

For auditors: some simple questions can lead the trail.

1. What if the results are not achieved?
2. When was the process reviewed for risk/ opportunity and what is the outcome.
3. What are the proposed improvements based on risk/ opportunities.
    
   Hence, to conclude
   The consideration of risk based thinking means, evaluate the result, identify uncertainties, and take actions for improvement.
   The risk based thinking actually is not a document which does not add any value, but gives insight for sustainable development towards strategic direction.
    

ISO 9001 2015 - New requirements - Understanding the Context

There are many changes in the upcoming standard of ISO 9001:2015.The standard released as of now is DIS and likely to go undergo at least more round of change. The changes may not be very significant.  The first and major change is the Context of Organization. Let us to understand the requirements.

The clause 4 covers :  4 sub clauses :

1. Identification of Issues
2. Needs  and Expectations of interested parties
3. Determination of scope
4. Quality management processes

The entire system is based on the needs, issues, scope and processes. The information compiled here provides the basis for strategy, performance review and improvements.

1. Identification of Issues: The issues are significant points important to the organization . The points which are related to strategy are required to be identified. The issues are categorized as external, internal based on the control an organization has.

Internal--

Performance: Quality, Delivery.

Knowledge:  Product knowledge, patents

Values: team work, Integrity,

Culture:

 

External:

Market: Market share, Market size

Competitive: Features of competitors product

Technological: Infrastructure , work environment, Machines

Economical:  Pricing, costing

International: Currency rate , political stability

The requirement of the standard is to identify, monitor and review of  the issues.

The issues are referred in Management review, Risk and opportunities, quality policy, and top management commitment.

Though there is no specific requirement of documentation, but the issues can be coupled with risks identified , and opportunity.. A general introduction, or SWOT addressing  issues covering strategy  can be good way of representing the issues.

The link is as below:

Demonstration of consideration that  risks/ opportunities  are identified for the significant issues. Action plan on risk, opportunities, changes are availavble and reviewed  by management.

The requirements thus help the organization to get a more mature view.

1. Interested parties:
   The interested parties related to QMS can be: Customer, end user, Regulatory body, and employees, supplier, service provider,  management. The expectations  for each interested party are  different.
   Here again the needs are referred in the management review as inputs.

The idea is the management decisions are based on inputs from not only customers , but suppliers too.  The impact of this consideration can be more in on the organizations where end user, customers are different. Suppliers are 

 

1. Determination of scope:
   Though the requirement appears to be same , the details mentioned are with idea that , the processes , products, locations should be clearly defined. The boundary means the activities under control, and responsibility . There is no change in the exclusion with ref to the pervious standard.
2. System and processes:
   The change here is omission of the mention of quality manual, and that matter mention of requirement of documented procedure.
   However , the in order to prove the requirements related to establish, implement, maintain and improve the process, the organization can chose the way.
   The preferred way is still to have documents, macro/ micro flowcharts or cross linked matrix of can be an easy way.
   The new requirements are related to consideration to risk, opportunity, changes, and opportunity for improvement.
    
   Hence to summarize:
   The standard has brought together  following aspects in context.
    prevention as base.
    business situation or environment
   expectations from stake holders
   & processes
   Consideration is that management will have overview of needs, business environment, significant issues and current system.
   The aim is to have sustainable improvement and this clause now gives complete picture to the management for making decisions, look ahead , current scenario.
   The organization ideally should document

•  introduction in terms of the issues
• Levels of needs  from interested parties
• Processes and linkages
• Scope boundaries  
• 
  
  As an auditor , the understanding of context will streamline the audit focus, and will get initial knowledge on maturity of the system in the organization.