ISO 9001-2015: New Risk Requirements
Peter Knauer & Walt Murray
Alliance Partnership
Risk: How Big of a Deal?
ISO 9001:2008: 3 “risk” mentions
ISO 9001:2015 (DIS): 43 “risk” mentions
Overview
A key change in the 2015 revision is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system.
• In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard.
• By taking a risk-based approach, an organization becomes proactive rather than purely reactive.
Overview (continued)
New language in the final draft international standard (FDIS) of ISO 9001 focuses on “risk-based thinking,” although it stops short of actual “risk management.” As a result, the international community is wrestling with how best to handle risk.
What does ISO 9001:2015 ask for?
Overview (continued)
In ISO 9001:2015 organizations are also asked to “address risks and opportunities.”
How do we do that?
“Risk Based Thinking”
What is it?
(from ISO/TC 176/SC2)
“Risk-based thinking is something we all do automatically.”
“Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system.”
“Risk-based thinking is already part of the process approach.”
Case Study
Any risk based thinking here? What is your immediate reaction?
Benefits of “Risk Based Thinking”
Benefit: Example
• Prioritize Resources: Preparation for an Audit/Inspection, CAPA prioritization, etc.
• Improve Customer Rapport: Deal with complaints that matter, escalate efficiently serious issues to the proper channel
• Consistency in Products and Services: Cost of Quality (CoQ) Curve
• Objective evaluations: Supplier Selection, Audit Observations, etc.
• Moves towards Proactive vs Reactive: PA versus CA
How to Use Risk Based Thinking?
What is required?
• Identify what the risks and opportunities are in your organization (hint: it depends on context)
Note: ISO 9001:2015 does not require you to carry out a full, formal risk assessment
ISO 31000 (Risk management & Principles and guidelines) is a useful reference (note: it is not mandated)
“Risks and Opportunities”
Key Concepts:
• Analyze and prioritize the risks and opportunities in your organization
– what is acceptable?
– what is unacceptable?
• Plan actions to address the risks
– how can I avoid or eliminate the risk?
– how can I mitigate the risk?
• Implement the plan – take action
• Check the effectiveness of the actions
– does it work?
– Learn from experience – continual improvement
Case Study (part 2)
Let’s analyze the risks and opportunities
Part 1: Where is “Risk” mentioned in ISO 9001:2015?
Where is Risk Mentioned in 9001:2015?
Introduction
0.1 General: “The risks associated with its context and objectives”
0.3 Process approach: “…with an overall focus on risk based thinking”
0.5 “Risk-based thinking”: “Risk is the effect of uncertainty on an expected result and the concept of risk-based thinking has always been implicit in ISO 9001”
0.6 Compatibility with other management system standards: “Processes for planning and consideration of risks and opportunities”
3. Terms and definitions
3.09 Risk: “effect of uncertainty on an expected result”
4 Context of the organization
4.4 Quality management system and its processes: “the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them”
5 Leadership
5.1.2 Customer focus: “the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed”
6 Planning for the quality management system
6.1 Actions to address risks and opportunities: “When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed”
8 Operation
8.5.5 Post-delivery activities: “the risks associated with the products and services”
9 Performance evaluation
9.3 Management review: “the effectiveness of actions taken to address risks and opportunities (see clause 6.1)”
Appendix
A.4 Risk-based approach: “Although risks and opportunities have to be determined and addressed, there is no requirement for formal risk management or a documented risk management process”
A.7 Organizational knowledge: “…additional knowledge needs to take account of the organization’s context, including its size and complexity, the risks and opportunities it needs to address…”
A.8 Control of externally provided products and services: “The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services.”
Part 2: Risk Tools for ISO 9001:2015
Risk Tools
What the standard doesn’t require:
Remember: the standard DOES NOT prescribe a methodology or require a documented process for risk-based thinking.
Ultimately, it is up to an organization to choose a suitable process or specific methodology to address risk.
Risk Tool Selection
Choose Wisely… (From ISO 31010):
“it should be justifiable and appropriate to the situation or organization under consideration;”
“it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated;”
“it should be capable of use in a manner that is traceable, repeatable and verifiable.”
Risk Tool Selection (part 2)
Consider:
• the objectives of the study;
• the needs of decision-makers;
• the type and range of risks being analyzed;
• the potential magnitude of the consequences;
• the degree of expertise, human and other resources needed;
• the availability of information and data;
• the need for modification/updating of the risk assessment, and
• any regulatory and contractual requirements.
Tools: Easy ⇢ Hard
Easy: Brainstorming
Brainstorming involves stimulating and encouraging free-flowing conversation amongst a group of knowledgeable people to identify potential failure modes and associated hazards, risks, criteria for decisions and/or options for treatment. The term “brainstorming” is often used very loosely to mean any type of group discussion. However, true brainstorming involves particular techniques to try to ensure that people's imagination is triggered by the thoughts and statements of others in the group.
Easy: Structured Interviews
In a structured interview, individual interviewees are asked a set of prepared questions from a prompting sheet which encourages the interviewee to view a situation from a different perspective and thus identify risks from that perspective. A semi-structured interview is similar, but allows more freedom for a conversation to explore issues which arise.
Medium: Cause and Effect (Fish Bone)
Medium: Monte Carlo
Hard: FMEA or FMECA
Hard: RCA or Comparative Analysis
Case Study 2: Eyjafjallajökull
What Risk Tools should be used?
Summary
Risk is here: get used to it
• Mentioned 43x in the new update (vs 3x)
• Risk-Based Thinking – it’s everywhere
• It’s more than just risk: it’s opportunities
• Use the correct tool for the job
• And if nothing else:
PS: DON’T RUN ELECTRICITY THROUGH A POOL
Q&A