Tuesday, May 26, 2015

Risk Based Thinking and ISO 9001:2015 DIS - II

ISO 9001:2015 Risk Management 
Recent rapid growth of industry has resulted in the need for more efficient management tools and less complex processes to control their activities. This would ensure compliance with best practice at all levels, whilst promoting business continuity. As a result, the concept of “risk management” has become increasingly popular in all areas of business including food manufacturing industries in line with the implementation of robust and sustainable quality systems.

In general, risk is defined as any situation that may cause a negative impact on the food safety, quality and continuity of a company. Risk is measured based on the likelihood of occurrence and severity of the impact. It is therefore expected that risk assessments should be molded to the characteristics of each entity, company or industry – as risk levels can be perceived in different ways in different forums. In food manufacturing industries, perhaps more than in any other area, the risk management process takes center stage. It is a tool to monitor and control manufacturing processes of foods, and ultimately, safeguards the integrity and safety of consumers.

Quoting from ISO 9001:2015 draft….”Top Management shall demonstrate leadership and commitment to customer focus by insuring:
b) risk and opportunities that can affect conformity of products and services and the ability of enhancing customer satisfaction are determined and addressed.”
  
So how has the risk management system evolved in the quality management sytems?
The structure of quality systems (QMS) in the industry is well known. The QMS begins with quality control processes, feeding through to quality assurance, resulting in total quality as the culmination of effective QMS implementation. However, it is now practically mandatory to incorporate risk management within the total quality concept. Generally, the current systems, including inspection and audit processes, are solely focused on: compliance and processes, how we manage these processes; How we measure compliance.

But rarely included is the question: what would happen if…?

Certainly, every company has an emergency and business continuity plan to mitigate the impact of these “what if…” situations, but how effectively can they ensure that all risks are covered and have a mitigation plan?

Here, a dynamic and interdisciplinary committee comes into play to review, evaluate and effectively manage risk following a few basic steps:

Defining a Risk Management Process
This involves identifying:
Representatives from different areas of your organization to comprise the risk analysis forum; Communication channels to escalate or cascade down information (to managers and from managers to teams);
Definition of responsibilities;
And importantly, create a written procedure to capture the requirements and records.
It is necessary to follow up on training provided for all areas to ensure that the importance of risk management is clear and appreciated.

Establishment of a Continuous Process of Risk Identification
Once the training process and awareness of risk management is finished, the organization should now able to properly identify and communicate potential risks that may affect the flow and continuity of the production processes. Nevertheless, additionally, it is vital to define regular meetings in which these risks are exposed. Management team participation is necessary for an adequate analysis of the risk(s), mitigation plans definition, resources allocation, identification of responsibilities and setting deadlines.

Risk Analysis
A risk must be analyzed from different angles in order to ensure that the final action plan is suitable, be it risks elimination or mitigation. The following questions should be asked:
What could go wrong?
What is the likelihood of something going wrong?
What is the expected impact if something goes wrong?
What is, most likely, the cause (root cause) for the occurrence of this situation?

The guidance can be applied to any kind of risk by any kind of organization. Essentially, the steps are as follows:
Establish the context – what activities are we talking about?
e.g., a piece of machinery, a process, a natural disaster, exporting goods, staff, data
Identify risks – what could go wrong?
e.g., entanglement, pinch injury, collision, dust, noise, chemical exposure, flood, theft, fraud,
Analyze them – what could happen if it did go wrong? How likely is it?
e.g., a minor injury, permanent impairment, loss of life, loss of reputation, economic setback, business closure…
Evaluate – can we live with this risk?
e.g., minor inconvenience? major problem?
Control/treat – what are we going to do about it?
e.g., use the hierarchy of controls to decide, and consider the cost/benefit balance.

Monitor/review – is the control working? Can it be better?
Some organizations have developed specific forms for the different kinds of hazards they deal with, to make it easier to remember to ask all the relevant questions. Looking at past incidents will also help you become aware of the different kinds of hazards to look for.

Risk Mitigation Plans
Knowing the root cause of a possible risk makes it easier to identify an effective action plan.

The actions identified and defined will directly attack the initial stages of a risk developing. In this step it is important to emphasize two aspects:
There is not always one single root cause – in most situations a combination of several possible cause elements are observed. Improper handling of these can lead to a consecutive chain of events, allowing the risk to occur. The identification and monitoring of these elements is one of the critical aspects of risk management.
The root cause may not always be obvious to the naked eye – hence, the importance of analysis tools involving multidisciplinary teams to implement dynamics such as Ishikawa model or the 5 whys. The “5 whys” model establishes that with at least 5 why question we may be able to determine the most probable root cause, of course, as in many techniques, there are drawbacks but this provides a useful framework to start with.

Risk mitigation plan does suffice. Periodic review and monitoring is required to ensure that actions are still valid through time, including re­assessments during management meetings that may provide answers to questions like:
Is this risk at an acceptable level?
What further actions can I take to reduce or eliminate this risk?
What is the appropriate balance of risk, benefit and resources that should exist? Are new risks created as a result of actions taken to control a particular risk?

The performance of audits and certain performance indicators are important parts of the control and monitoring process. These tools also help provide a picture of the evolution of processes within a company.

Audits
It should not be restricted to ensuring the proper enforcement of standards and that processes are in place. Audits should further verify the existence of a risk management plan that can predict and anticipate the occurrence of future risks. Existing processes or activities should be challenged during questioning using hypothetical situations based on “what would happen if…?”

Performance Indicators
Elements such as the tendency of deviations, complaints, incidents, change controls and other statistics can clearly illustrate whether the organization is at an important turning point. An increase in any of these indicators should alert the management team as these may be the first signs of a risk developing. Risks have always existed and no company is exempt from them. Traditionally risk has been handled throughout history in different ways, either through observation or reactive actions. More recently, the concept of risk has been incorporated into quality systems to be studied in a more proactive way. A risk management program should aim to act as a tool for continuous improvement, building knowledge and experience for food industries. When used correctly as part of the daily function of any organization, success is achieved, despite the threats that arise with the accelerated growth of the world economies. Anticipating, identifying, and eliminating or controlling a risk effectively, can transform the risk into an opportunity.

Additional Examples
Standard writers have defined risk (3.09 Definitions as listed in the ISO 9001:2015
Draft) as the “effect of uncertainty” on an expected result. Consequently, organizations will now be required to define upfront the scope of risk for their organization as it relates to product conformity and customer satisfaction. It is important to remember in defining risk that it is a part of the QMS and its boundaries must include internal, external, and interested parties (4.2 and 4.3 of ISO 9001:2015 draft).

Some examples of “uncertainty” from the expected results might be scrap, rework, or lack of first time quality. Customer satisfaction “uncertainty” might result from the lack of on time delivery or timely quotations. Presently, some organizations are addressing “uncertainty” as separate events. 2015, as drafted, will require most of these separate events to fall under the risk management segment (6.1) of the QMS. Example – some organizations look at customer satisfaction as a collection of customer complaints, customer returns, and on time delivery. 2015 requires organizations to address the “uncertainties” or “risk” to the organization of not meeting an acceptable level of internal performance. Another example is product quality impacting risk to the organization. In many cases product quality can be viewed as scrap, rework, and productivity. Managing an organization’s risk extends to “interested” parties i.e., FDA. These risks are associated with manufacturing the product exactly as initially approved and will need to be included in an organization’s risk management system. Organizations generally have Quality Objectives or Key Process Indicators (KPIs) for internal as well as external issues.  Reviewing these indicators in a formal method with records of the reviews and action plans, an organization can create a risk management system and improve their continual improvement (opportunities) system.

Other risk management tools are the corrective action form with a section to define containment. Good containment reduces risk and good corrective action with effective root cause analysis leads to reduced risk of the product to your customer. Thus start using the word risk in your QMS and address risk issues on a regular basis. i.e., at weekly team meetings address risk such as risks to on time delivery. Risk issues can be discussed and documented whether supplier or internal issues. A copy of the team meeting minutes can be provided to Top Management for their action, if necessary. There is no reason to “delete” any activity that your organization is currently conducting using ISO 9001:2008. Management Review usually contains records of the effectiveness of all Quality Objective action plans, customer issues, and can certainly be labeled as an important method to evaluate risk and risk reduction activities.

Wednesday, May 13, 2015

Risk Based Thinking and ISO 9001:2015 DIS - I

Risk Management in the Context of Globalization  
Managing supplier quality is always a challenge. When you're dealing with possibly hundreds of suppliers around the globe who are engaged in a broad array of complex manufacturing processes, the challenge often appears to be insurmountable. Recent events have made supplier quality issues a top priority, for both the consumer goods industry and its regulators in the US and Europe; i.e. melamine contaminated baby formula and pet food as well as allergic reactions and deaths from contaminated heparin.  Bottom line, what happens at any outsourced manufacturing operation can cause your company legal liability, damage your reputation, and subject you to the considerable expense of a recall. Yet outsourcing some or all of the manufacturing process has become an inevitable part of doing business for the vast majority of multinational companies.

In 10 years all quality management systems are likely to be designed as risk based. At the moment, however, some quality management systems do not use risk assessment systematically to inform decision making across a product life-cycle or within a manufacturing environment.  Effective and consistent risk-based decision making relies on the implementation of systematic product development, risk management implementation over a product lifecycle, and a quality management system. None of these initiatives is effective without the other two components. They provide a common approach to product development, market authorization, and risk management in the global marketplace. Only a risk-based quality management system will prepare an organization for potential product opportunities. And only a risk-based quality management system will protect an organization from the risk that comes with the increasing complexity of innovative technologies, new emerging diseases, and a global definition of risk acceptability.

What is Risk Management? 
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate event or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty do not deviate the endeavor from the business goals. Risks can come from different ways e.g. uncertainty in financial markets, threats from project failures (at any phase in design, development, production or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary or events of uncertain or unpredictable root-cause. There are two types of events i.e. negative events can be classified as risks while positive events are classified as opportunities. Several risk management standards have been developed including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments or public health and safety.

Risk sources are more often identified and located not only in infrastructural or technological assets and tangible variables, but in Human Factor variables, Mental States and Decision Making. The interaction between Human Factors and tangible aspects of risk highlights the need to focus closely into Human Factor as one of the main drivers for Risk Management. It is an extremely hard task to be able to apply an objective and systematic self-observation and to make a clear and decisive step from the level of the mere "sensation" that something is going wrong, to the clear understanding of how, when and where to act. The truth of a problem or risk is often obfuscated by wrong or incomplete analyses, fake targets, perceptual illusions, unclear focusing, altered mental states, and lack of good communication and confrontation of risk management solutions with reliable partners. This makes the Human Factor aspect of Risk Management sometimes heavier than its tangible and technological counterpart. 

Risk Based Thinking in ISO 9001: 2015
One of the key changes in the ISO 9001 DIS of 2015 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard. By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based. On the other hand, risk-based thinking is something everyone does automatically and often sub-consciously to get the best result in different sort of situations. The concept of risk has always been implicit in ISO 9001; however, in this revision with the maturity of standard’s core, ISO 9001 makes it more explicit and builds it into the whole management system. Risk-based thinking ensures risk is considered from the beginning and throughout the process approach where risk-based thinking makes preventive action part of strategic planning.  Risk is often thought of only in the negative sense, but risk-based thinking can also help to identify opportunities which can be considered as the positive side of risk.
 
The ISO 9001 standard is based on customer focus and their satisfaction which are some of the most important components in the present business organizations where the objectives of risk based thinking of ISO 9001 are;
To provide confidence in the organization’s ability to consistently provide customers with conforming goods and services;
To enhance customer satisfaction;

The concept of “risk” in the context of ISO 9001 relates to the uncertainty of achieving such objectives and the concept of “opportunity” in the context of ISO 9001 relates to exceeding expectations and going beyond stated objectives. Thus successful companies intuitively take a risk-based approach because it brings benefits to improve customer confidence and satisfaction as well as to assure consistency of quality of goods and services. It also helps to establish a proactive culture of prevention and improvement.

The Risk Based Quality Management in Manufacturing Industry
Adequate use of limited resources in the development, manufacturing, and distribution of products and services requires a triage of tasks. There is not enough time or money or personnel available to validate every process, investigate every procedural deviation, qualify every supplier, and perform diagnostic studies or stability studies on every design change with the same rigor of analysis. Risk-based decisions are necessary to assure that limited resources are focused first of all on marketing practices, manufacturing operations, and product development studies that can have the greatest impact on product safety and performance. A systematic, risk-based approach is necessary to assure that decision making is consistent throughout a product lifecycle, throughout a product family, throughout the company, and throughout the industry. Based on agreed-on definitions of hazards and acceptable risk, this approach also minimizes the bias of case-by-case decision-making.


The baseline risk managed by any risk-based quality management system (QMS), despite the many types of hazards and associated risks in the development, manufacturing, and marketing of foods, pharmaceutical and biotech products, the baseline hazards of concern are common across all product types and all regions of distribution which are potential hazards. A critical hazard is a critical effect that is severe or life-threatening, where “severe” would result in serious injury, permanent impairment, irreversible effects; it requires unplanned medical intervention with hospitalization to prevent or mitigate serious permanent injury or death; presents a high patient safety concern.  Life Threatening is death or serious permanent injury is likely to occur, which presents a catastrophic patient safety concern.

In QMS development, companies can choose to identify, assess, and control additional risks (e.g., product performance, business, and regulatory risks), but every company should be expected to develop a quality management system that effectively manages risks to customer safety. Systematic product development supports risk-based decision making by assuring that information about critical hazards and associated safety-critical product features, and manufacturing processes which identified during product development that are used consistently during product development to eliminate or minimize risk and communicated consistently to commercial manufacturing and marketing for use in risk control programs.

Systematic integration of information from the market into the product development process increases the likelihood that a developed product will meet user needs. Product risk profiles can change over time with information gained through increased use of a product, increased distribution, improvements in intended use, changes in a disease state, and changes in manufacturing technologies or source materials. Monitoring for new risks and the effectiveness of risk control programs should be established in operations, in the distribution and in the market. Periodic and event-based review of this information (risk review) helps assure that product risks remain acceptable, providing better protection of the public and the company from new and/or unexpected risk.



To be continued.

References
http://en.wikipedia.org/wiki/Risk_management
http://www.iso.org/iso/iso9001_revision
http://isc-worldwide.com/iso-9001-2015-update-risk-based-thinking/
http://www.bioprocessintl.com/wp-content/uploads/bpi-content/070305ar02_77249a.pdf
http://www.biopharminternational.com/supplier-quality-management-risk-based-approach?rel=canonical