Informational How the addition of "Risk" will affect ISO 9001:2015

LUV-d-4UM

Quite Involved in Discussions
That is where Barrier Thinking is implemented. My company is a risk based thinking company; however, the barriers in place to prevent failure, from my standpoint, have been quite shaky. It is now time to review the Risk Assessment document to ensure that the risk is reduced to as low as reasonably possible. Thanks.

John Broomfield

Leader
Super Moderator
That is where Barrier Thinking is implemented. My company is a risk based thinking company; however, the barriers in place to prevent failure, from my standpoint, have been quite shaky. It is now time to review the Risk Assessment document to ensure that the risk is reduced to as low as reasonably possible. Thanks.

LUV-d-4UM,

Are you referring to this:

Multiple Barrier Thinking

...or the problem of ignoring risk?

Thanks,

John

heartolearn

The mentality of the governing body seems to be that all things need to be stated and not just implied.
Associated risks can be identified within the documentation of each process. (Everyone knows you have to document how a process is to function for numerous reasons!) In documenting a process you include not only who, what, when, and where but also inputs, outputs, and expectations. How risks are "mitigated" can be a natural inclusion. Improvement opportunities result from many sources, including the failure to sufficiently address a risk.

Johndeere42

Reading this entire thread is most enlightening. While the intent for the RM is noble, I fear that auditors, being hard to calibrate as previously stated (I am going to steal that line!), are going to be asking for objective evidence to support RM. If your product line is pretty stable, I suspect that despite the 'in your face' nature of that stability (differing only in color or size for a particular customer) your 'uncalibratable' auditor is going to spend unwarranted time going down that RM rabbit hole rather than in other areas that would warrant more scrutiny.

To address this, if the organization's QMS defined RM as applicable only to new products (defined as a new process, not merely a new shape of an existing product) there may be some relief, but as it now appears, this looks like new bright and shiny targets for auditors without a corresponding payback for the auditee.

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Reading this entire thread is most enlightening. While the intent for the RM is noble, I fear that auditors, being hard to calibrate as previously stated (I am going to steal that line!), are going to be asking for objective evidence to support RM. If your product line is pretty stable, I suspect that despite the 'in your face' nature of that stability (differing only in color or size for a particular customer) your 'uncalibratable' auditor is going to spend unwarranted time going down that RM rabbit hole rather than in other areas that would warrant more scrutiny.

To address this, if the organization's QMS defined RM as applicable only to new products (defined as a new process, not merely a new shape of an existing product) there may be some relief, but as it now appears, this looks like new bright and shiny targets for auditors without a corresponding payback for the auditee.
I will be asking for objective evidence of planning for mitigating risk. It is, however, not just in product but also in our support processes. For example, mitigating the risk of losing sensitive data through e-media records control, sound document destruction methods and reasonably sound IT security protocols like having a better password than 12345. Just something to think about.

I won't overall be satisfied with efforts to convince me that absence of errors is evidence by itself, though of course it helps because if errors did occur despite the efforts then corrective action would be needed.

I can appreciate a wish for payback, but I think Sony, Home Depot, Target etc. can convince us that risk is not just about product.
:2cents:

Sidney Vianna

Post Responsibly
Leader
Admin
I will be asking for objective evidence of planning for mitigating risk. It is, however, not just in product but also in our support processes. For example, mitigating the risk of losing sensitive data through e-media records control, sound document destruction methods and reasonably sound IT security protocols like having a better password than 12345. Just something to think about.

I won't overall be satisfied with efforts to convince me that absence of errors is evidence by itself, though of course it helps because if errors did occur despite the efforts then corrective action would be needed.

I can appreciate a wish for payback, but I think Sony, Home Depot, Target etc. can convince us that risk is not just about product.
:2cents:
Jennifer, you are to be commended for the attempt to clarify your position.

But your post just exemplifies how risky it is for conformity assessment practitioners to try to encapsulate what is needed to establish compliance with Risk Based Thinking. For example, you mentioned that RBT needs to go beyond the product and needs to include support processes. Where do you draw the line? If an organization is taking chances and paying suppliers late for cash flow problems, they run the risk of having their deliveries halted. Are you going to demand to audit their accounts payable process?

If they are not enforcing that employees wear personal protective equipment, they are taking chances with their occupational safety risks. Are you going to extend your QMS audits into systems that are clearly outside of your intended audit scope?

If 12345 is not a strong enough password for computer access, what is the Jennifer Kirley minimum threshold of password strength?

Risk (management) Based Thinking has to be assessed based on the context of the organization. Something that is unacceptable for a supplier of aerospace parts could be totally adequate for a supplier of commercial products. Risk is subjective and, in a way, is connected with the "as applicable" and "as appropriate" terms in the standard.

I was especially puzzled by the "because if errors did occur despite the efforts then corrective action would be needed" sentence.

As I said before, Monday morning quarterbacking can become the auditor's preferred approach. I disagree that errors should always be followed with corrective actions. We don't demand that for defective products and I don't believe it would be appropriate for us to do so for RBT proven bad, either.

People will make decisions based on the information they have at hand at the time of the decision making. Obviously, not every decision will be sound. Sometimes, there are unknown unknowns.

Jen Kirley

Quality and Auditing Expert
Leader
Admin
With the 2015 standard as well as the 2008 standard I will not have the right to approve of anyone's password. Knowing as I do, however, that control of records has always been based on their media and the basic role the password has in protecting access to sensitive networked data, I can ask what the client has thought of to help control the risk of unauthorized access. The IT people, who may not be used to being considered a part of the QMS, would be ready for this kind of question.

I have stated my position with auditing risk based thinking a number of times, but continue to run up against questions of how to apply shalls in a way that won't exist anymore.

Since the upcoming standard will be more similar to the environmental standard than the current quality standard, I expect I will apply the same methods for assessing the risk based thinking as I have done for years with 14001. I will ask them to show me how they do it, what their criteria/method is to decide what requires operational controls, how they know if they've succeeded and what they are doing if they have fallen short (nonconformances). Really, people are making this look way too hard.

Nonconformances, which I probably poorly described as errors, should be corrected when and where they are important. The organization and customer determine that as per ISO 9001:2015, not me. My role is to see that they have a process for dealing with nonconformances and that they are applying the process in order to achieve what they have already identified as important in the risk analysis process.

I am sure there will be challenges among people who are used to operating to a list of shalls. I don't know many business people who blunder along on a series of whims. I maintain most are probably already applying risk based thinking, just not writing it down. They haven't learned to give themselves credit for the thinking process they are very possibly already applying.

John Broomfield

Leader
Super Moderator
Jennifer,

Auditing effective determination of significant environmental aspects and the application of controls to those significant aspects is relatively easy with ISO 14001 when compared with the significant "risks and opportunities" of DIS 9001.

DIS 9001 did not specify enough for even the most experienced auditor to audit risk-based thinking beyond the auditee knowing what the risks and opportunities are.

RBT may not result in any evidence or action by the auditee.

Perhaps the FDIS will refer to the auditee's criteria for determining significance of risks and opportunities.

John

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Jennifer,

Auditing effective determination of significant environmental aspects and the application of controls to those significant aspects is relatively easy with ISO 14001 when compared with the significant "risks and opportunities" of DIS 9001.

DIS 9001 did not specify enough for even the most experienced auditor to audit risk-based thinking beyond the auditee knowing what the risks and opportunities are.
That is correct. The auditee will need to understand his or her own business enough to make even educated guesses about what could happen that might jeopardize their profits or market share. It is basic SWOT stuff, nothing new.
RBT may not result in any evidence or action by the auditee.
I will be interested to see someone try to register a quality management system without anything in it.
Perhaps the FDIS will refer to the auditee's criteria for determining significance of risks and opportunities.
Maybe in the introduction portion. 14001 doesn't dictate the methods or criteria for determining significance either, so I see a lot of variation in how it's done. I am allowed to describe the good things I see others doing, but so long as the client is doing the P-D-C-A involved with this process and is not missing some regulatory item or customer requirement, okay.