Informational: How the addition of "Risk" will affect ISO 9001:2015

somashekar

Leader
Admin
Prospects and consequences
opportunities and threats
success and failure
...
The latter words of these, and of many more such pairs, all together form the risks.
A planned effort quantifies them and leads us to develop means of mitigation.
Managing risks is therefore planned quality assurance for
Greater prospects.
More opportunities.
Sure-shot success.
 

TPMB4

Quite Involved in Discussions
I'm sure I read somewhere the phrase "opportunities and risks". If I'm right, that means they view risks as related to the chances of a negative event. The opportunity is not just a positive, but it can come from the negative event. I guess I mean you look at the risks (possibilities of a negative) and take actions to mitigate them, which improves your system and is the opportunity for improvement (a term I've heard a lot since a recent audit).

I wonder what sort of change it really is to an organization's QMS. If you plan for new processes, part of it is looking at the risks to quality (take the PFMEA and DFMEA used widely in the automotive sector and probably others too). Also, it makes good business sense to look at all business risks during any strategic review of your business. I'm sure that if this isn't being done the company is lucky to still be around. I've worked for companies who didn't look at that, and I got the nice redundancy package as a result (new kitchen and a walk into a new job with better prospects, thank you very much. Hehehe!).
 

CarolinaQ

Marc, thanks for sharing this info on the future inclusion of risk. I work within an engineering group in my company. For the last year or so there has been a stronger focus on risk during the design process. Maybe we will be ahead of the game when the revision comes out. We can use this information to help us work on the continuing improvement of our QMS. But I do hope we get clear definitions of terms.
 

drgnrider

Quite Involved in Discussions
ISO 31000 isn't in the ISO 9001 Draft. I don't have the ISO 9000 Draft to know whether it's in there or not.

Guess I am way too far out of the loop(s): where/how does one gain access to all these draft, SL, etc. documents? Hearing about 'pieces' of them here on the Cove is helpful, but getting a chance to review the entire thing would give me more of an idea of what I am in for.
 

Ken11

As the quality mgr. for an ISO 17025 Accredited Calibration & Testing lab, some of our customers are asking about calibration uncertainty as "risk". I have not seen anyone mention this in these threads. Anyone have any thoughts? These questions are coming from our clients that are beginning to understand uncertainty.
 

dgriffith

Quite Involved in Discussions
Ken11 said: As the quality mgr. for an ISO 17025 Accredited Calibration & Testing lab, some of our customers are asking about calibration uncertainty as "risk". I have not seen anyone mention this in these threads. Anyone have any thoughts? These questions are coming from our clients that are beginning to understand uncertainty.
Ken, in your case the risk is not the uncertainty, but it is related. The risk is in the decision to declare the UUT measurement as good, when it may not be.
The probability of false accept is the parameter customers will want to know-- the likelihood that a decision for pass/in tolerance is incorrect.

This is not addressed in ISO 17025, but is in ANSI Z540.3.
 

pldey42

I think the inclusion of "risk" will bring quality into the real world - where in many cases it has always been.

For example, many organizations use FMEA to identify and mitigate the risks in their designs. Supply chain management, too, is often risk-based; insisting on duplicate suppliers is an element of risk management.

Further, risk management was in the old standard, but disguised in arcane language as "preventive action" that was often misunderstood.

I think the inclusion of "risk" will in some cases enable quality to get alongside real business practice and, in so doing, win management commitment where previously it was lacking.

For example, some believe, as Deming and Crosby preached, that quality is meeting customer requirements. Which is fine, except some business leaders know that if they take a few shortcuts on quality of product and service, they can get to market faster, capture market share, and fix quality later. To some quality people that's anathema, yet it's a common business strategy. The business leaders are acknowledging the risk of poor customer satisfaction and betting they'll win in the long run. With the new ISO 9001, the risk can be put on the risk register and managed with everyone's buy-in - including quality's - instead of hoping the CEO gets it right.

Risk isn't always negative, even though it's uncertain. Semiconductor companies bet their existence on Moore's Law (bang for the buck doubles every 18 months). So do their clients. It's not certain, but it's worked for several decades. The opportunity for some is to design products now that won't work until, in 18 months' time, more power comes along. Waiting for the more powerful product is less risky in a technical sense, but more risky because competitors that took the gamble will get market share first.

For technology companies there's single and dual sourcing: if you know your competitors are always safe and use multi-sourced components, you might have an opportunity to get ahead by using something innovative, newly patented, and only available from one source. You use risk management to decide whether to take the risk and, if so, how to manage it. Long term, for example, you might ask (or, if you're big enough, demand) that your supplier license the technology to alternative suppliers. The semiconductor industry licenses each other's products, so they all earn money from innovation and at the same time mitigate supplier risks.

Another example. Many are taking the opportunity to manufacture in low cost areas like China - but there are well-known risks attached, which they have to mitigate.

Another example: there are reportedly concerns over information security and the possibility of problems with Huawei products which, some think might be used by the Chinese to spy on the West. The UK telecom provider BT has historically bought a lot of Huawei product (because it's cheap) and claims to be proactively managing the security risks - which BT claim are not an issue.

The new ISO 9001 will enable such risks and opportunities to be managed within the QMS (which for some they always were) and bring quality people into the loop.

For some of us, that will mean letting go of "quality means meeting customer requirements" in favour of, maybe, "quality means meeting customer requirements - eventually."

Just 2c
Pat
 

John Broomfield

Leader
Super Moderator
Pat,

Yes, it is only a matter of time before quality professionals are asked to participate in risk assessments before shipping nonconforming product.

RM may dilute the principles of prevention and the principle of keeping promises.

Our management systems are meant to help salespeople make better promises than the competition and to keep them.

Compromise may be the result of more risk management.

John
 

pldey42

Good points John.

In information security, where ISO 27001 requires formal risk assessment, as an auditor I've seen several systems where the risk assessment was done by a consultant, often using risk assessment software, and appeared on paper to meet the requirements but actually missed risks that were obvious.

BP claimed to have done risk assessments prior to the Deepwater Horizon incident in the Gulf and, if I recall correctly, they had - and then had failed to put mitigations in place.

So yes, risk assessment can be made, by unscrupulous managements, into another arcane process to hide behind; but equally, I think it can be valuable to real-world management teams trying to do the right thing in an uncertain world.

Another example comes to mind, to your point. I worked once in a software company that found it hard to keep its promises, because we wrote bespoke software and sometimes underestimated the difficulty of the job. We introduced the usual planning processes including contingency planning but that still wasn't enough. So we introduced risk management. At the start of a project we got the team together and asked them to identify risks to successful completion, on time. For each significant risk we made a contingency plan and costed it in man-days. Then, if the risk-weighted sum of contingency plans exceeded the estimated overtime available (project plans were based upon normal, 7.5 hour days) the project manager knew that something had to be done. In the extreme, the project manager was in a position to call the customer and apologise for the unforeseen problem and agree a way out.

So we tried to use risk management to keep our promises.

(Did it work? Sorta. But the company had more fundamental problems and went out of business before we had time to work these ideas through. I think they were good ideas, though, which we had stolen from a software management text book whose title, sorry, escapes me.)

Pat
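
The contingency-budgeting procedure Pat describes (identify risks at kick-off, cost a contingency plan for each in man-days, compare the risk-weighted sum against the overtime actually available over a plan built on 7.5-hour days) is mechanical enough to script. The following is an added example, not the software company's tool and not from the post; the risk register, the team size, the working days and the overtime allowance are constructed numbers, and the ranking of risks by contribution is an addition so the project manager knows which risk to attack or raise with the customer first.

```python
from dataclasses import dataclass

BASE_DAY_HOURS = 7.5  # the post's planning assumption: a normal 7.5-hour day


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float       # team's estimate that the risk materialises, 0..1
    contingency_days: float  # cost of the agreed contingency plan, in man-days


def risk_exposure(risks: list[Risk]) -> float:
    """Risk-weighted sum of the contingency plans, in man-days
    (i.e. the expected contingency cost of the project)."""
    return sum(r.probability * r.contingency_days for r in risks)


def overtime_man_days(team_size: int, working_days: int, overtime_hours_per_day: float) -> float:
    """Overtime the team could realistically work, expressed in the plan's
    own unit (man-days of BASE_DAY_HOURS) so it is comparable with exposure."""
    return team_size * working_days * overtime_hours_per_day / BASE_DAY_HOURS


def assess(risks: list[Risk], team_size: int, working_days: int,
           overtime_hours_per_day: float) -> dict:
    """Compare exposure with available overtime and flag when the project manager
    must act (re-plan, or call the customer). Risks are ranked by contribution."""
    for r in risks:
        if not 0.0 <= r.probability <= 1.0 or r.contingency_days < 0:
            raise ValueError(f"bad estimate for risk {r.name!r}")
    exposure = risk_exposure(risks)
    available = overtime_man_days(team_size, working_days, overtime_hours_per_day)
    ranked = sorted(risks, key=lambda r: r.probability * r.contingency_days, reverse=True)
    return {
        "exposure_days": exposure,
        "overtime_days": available,
        "shortfall_days": max(0.0, exposure - available),
        "over_budget": exposure > available,
        "ranked": [(r.name, r.probability * r.contingency_days) for r in ranked],
    }


# Constructed sample register for a hypothetical bespoke-software project (not from the post).
SAMPLE_RISKS = [
    Risk("customer interface spec incomplete", 0.5, 30.0),
    Risk("lead developer unavailable", 0.2, 40.0),
    Risk("third-party library defects", 0.3, 20.0),
    Risk("test environment delivered late", 0.6, 10.0),
]

if __name__ == "__main__":
    report = assess(SAMPLE_RISKS, team_size=4, working_days=60, overtime_hours_per_day=1.0)
    print(f"exposure {report['exposure_days']:.1f} man-days "
          f"vs overtime {report['overtime_days']:.1f} man-days")
    for name, days in report["ranked"]:
        print(f"  {days:5.1f}  {name}")
    if report["over_budget"]:
        print(f"short by {report['shortfall_days']:.1f} man-days: "
              "renegotiate scope, date or price now, not at the deadline")
```

With the sample numbers the expected contingency cost is 35 man-days against 32 man-days of overtime, so the flag trips at kick-off, which is exactly when the post says the manager still has the option of an honest call to the customer. Doubling the overtime allowance clears the flag, but the ranked list shows that closing the specification gap alone would do the same.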
 

John Broomfield

Leader
Super Moderator
Risk management has its place but so do absolutes when it comes to honoring the promises made with every contract.

RM should make us more careful about the promises we make; another principle of prevention.

Right now the authors are repeatedly saying ISO 9001:2015 requires no preventive action. But this is baloney. TC176 may have removed the clause specifying preventive action, but for RM to be effective it must predominantly be preventive.
 