Informational How the addition of "Risk" will affect ISO 9001:2015

Sidney Vianna

Post Responsibly
Leader
Admin
I will be interested to see someone try to register a quality management system without anything in it.
Jennifer, we do know that thousands of organizations have attained and maintained certification without ever truly understanding and deploying the so-called "process approach" (now to become mandatory). It should be surprising to no one if organizations attain and maintain ISO 9001:2015 certification doing lip service to RBT.

Contrary to the stock market, in this case, past performance is indicative of what we can expect in the future.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
To see any real improvement, registrars will need to do a better job of training their auditors to assess how clients are using the process approach. Good luck with that.

As far as lip service to RBT, clients can do it at their peril. Whereas folklore has had it that a firm could manufacture concrete life preservers and be certified to ISO 9001 (a poor example because life preservers are regulated, but you probably get the gist) ignoring the risk based approach means a firm could go out of business making concrete life preservers unless they are decorations. So RBT would be about the business and its continued viability instead of just getting the certificate. Value.
 

drgnrider

Quite Involved in Discussions
What I took from Jennifer's posts (BTW, thanks) are that Risk is not based solely ON the production line, but what affects it.
i.e.: Aside from the fact that we are in "Tornado Alley", I have been asking our management team since 2012 "Since supplier X is now a prime supplier and we are dumping more business into this one basket, has ANYONE asked about their disaster recovery plan?" The subject keeps getting changed or ignored. My side conversations go 'well they have this other branch an hour away...' To my knowledge, nobody has ASKED supplier X what their plan is, let alone how much thought, if any, they have put into one. Loss of this one supplier can potentially stop ALL our production in about two days.
Our recovery plan is in writing and specifies how we will get office space, phones, computers, re-route production, etc.

As for password - IMO, a company that is using a shared folder on their intranet to store their documents and setting the document's 'read-only' attribute is not acceptable. Some form of password is necessary, am I going to ask for it? Probably not, but I might ask if it is a combination of letters (upper & lower)/numbers. If their RA for password "12345", or only using the RO-attribute, can show it is effective, then OK, otherwise:

Not taking a chance, in my company, we have:
1) older folks not too familiar with computers, too easy to inadvertently delete/modify something (I see a number of shortcuts to documents in the original folder and empty "New Folder"), and
2) too many young kids with computer experience and a willingness to 'not have to work' (first time in ten years someone has called in a bomb threat).

:2cents:
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Yes! :D

There are all sorts of support function ideas, places where inefficiencies can impact customer satisfaction or cost the business money. RBT is not just about product. Everything is connected somehow. It is a system.

It is time to involve more people more closely - IT people I have interviewed have often felt like they are on the periphery, but they know the costs of getting it wrong very well and can describe what they are doing without giving me specifics on what they expect from their internal customers' passwords.

Disaster plans are a tough subject, and expecting suppliers to have disaster plans is especially tough, I am sure. How to deal with the risk of a lost material stream in tornado alley? Second source? Semiconductor grappled with this with silicone shortages. Not everything can be solved, but recognizing and addressing what we can could mean being employed next week.

Human performance is the toughest yet. IT people can set up daily mirror backups and weekly backups for the less-savvy computer users. I'm not sure what to do with the bomb threat thing though, :mg: except to question how badly I need that person should the origin ever be found out. :whip: At least, even a fake bomb threat can count as a drill.
 

Colin

Quite Involved in Discussions
To see any real improvement, registrars will need to do a better job of training their auditors to assess how clients are using the process approach. Good luck with that.

<snip> So RBT would be about the business and its continued viability instead of just getting the certificate. <snip>

I agree with you on both of these points Jennifer - in fact my previous post is intended to say just that - all organisations take risk into account almost every day - especially the small ones, or they don't survive.

The fun part will be how we get to audit this stuff :D
 

Sidney Vianna

Post Responsibly
Leader
Admin
all organisations take risk into account almost every day - especially the small ones, or they don't survive.
That being the case, what is the need/relevance of a QMS standard having requirements of questionable implementability and auditability for RBT? In other words, if everyone does, all the time, what is the point of a requirement being written to that effect?

The fun part will be how we get to audit this stuff
Some auditors will misuse this to attempt to wander outside of the scope of the audit they are contracted to perform. ISO 9001:2015 will STILL be a QMS standard. Any auditor who thinks s/he has a mandate to assess any type of business risk because of ISO 9001:2015 will have to be shown otherwise.

The DIS clearly scopes it in 6.1.2:
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

As for the concrete life jacket example, (broken link removed).
 

drgnrider

Quite Involved in Discussions
Disaster plans are a tough subject, and expecting suppliers to have disaster plans are especially tough I am sure. How to deal with risk of lost material stream in tornado alley? Second source? Semiconductor grappled with this with silicone shortages. Not everything can be solved, but recognizing and addressing what we can could mean being employed next week.

Not asking any of our suppliers for a detailed disaster plan, just have they looked into the issue? What is the general overview, how does it affect us? A rough plan is better than scrambling after the event happens. With our workload, a slow-down will be better than a stoppage! :mg: Either way, I won't be the one explaining up the chain as to why we delayed millions of dollars in product.


Human performance is the toughest yet. IT people can set up daily mirror backups and weekly backups for the less-savvy computer users.

I have our password-protected documents on a controlled-access server, backed-up nightly and the back-ups stored a few thousand miles away. I've had managers complain they cannot revise their procedure on-line or copy a newer revision to the server... I tell them it's working then, send it to me. :D


I'm not sure what to do with the bomb threat thing though, :mg: except to question how badly I need that person should the origin ever be found out. :whip: At least, even a fake bomb threat can count as a drill.

At 5:30am, I don't think management getting awakened at home, the three law-enforcement agencies, bomb dogs from 3-hours away, city and county highway departments closing a busy highway, or the bomb squad from 2-hours away were too appreciative of the "drill". But, as you mentioned, it counted and management did make some changes to the process.... so not a total loss. ;)
 

Colin

Quite Involved in Discussions
That being the case, what is the need/relevance of a QMS standard having requirements of questionable implementability and auditability for RBT? in other words, if everyone does, all the time, what is the point of a requirement being written to that effect?

Some auditors will misuse this to attempt to wander outside of the scope of the audit they are contracted to perform. ISO 9001:2015 will STILL be a QMS standard. Any auditor who thinks s/he has a mandate to assess any type of business risk because of ISO 9001:2015 will have to be shown otherwise.

The DIS clearly scopes it in 6.1.2:

As for the concrete life jacket example, (broken link removed).

I can't disagree with your point Sidney, my only thought is that it is a further attempt to encourage organisations to have a single system for running their business rather than that which we often see now where there seems to be a system for running the business and one for achieving certification.

This should be helped by the inclusion of statements such as "... relevant to its purpose and its strategic direction ..." (4.1).

As for wandering out of scope, do auditors need further encouragement? :lmao:
 

somashekar

Leader
Admin
If, by logical questioning, a common sense approach, and a trail of interacting processes based on established procedures, a nonconforming situation can potentially be seen, and the auditee agrees on the same, an NC can be written up on RBT application ...
 

Colin

Quite Involved in Discussions
I don't want to be looking for evidence of a nonconformity for a lack of RBT, I want to see evidence that the organisation has included RBT as part of their operations.

Does having a business plan, or at least a SWOT analysis, meet the requirement? Or are we going to see an item on the management review agenda called Risk, just so that someone can point to it and say "we have addressed RBT" - I truly hope not.
 