ISO 9001:2015 Risk Management
Recent rapid growth of industry has
resulted in the need for more efficient management tools and less complex
processes to control their activities. This would ensure compliance with best
practice at all levels, whilst promoting business continuity. As a result, the
concept of “risk management” has become increasingly popular in all areas of
business including food manufacturing industries in line with the
implementation of robust and sustainable quality systems.
In general, risk is defined as any situation
that may cause a negative impact on the food safety, quality and continuity of
a company. Risk is measured based on the likelihood of occurrence and severity
of the impact. It is therefore expected that risk assessments should be molded
to the characteristics of each entity, company or industry – as risk levels can
be perceived in different ways in different forums. In food manufacturing
industries, perhaps more than in any other area, the risk management process
takes center stage. It is a tool to monitor and control manufacturing processes
of foods, and ultimately, safeguards the integrity and safety of consumers.
Quoting from the ISO 9001:2015 draft: “Top Management shall demonstrate leadership and commitment to customer focus by ensuring:
b) risk and opportunities that can affect conformity of products and services and the ability of enhancing customer satisfaction are determined and addressed.”
So how has the risk management system evolved in quality management systems?
The structure of quality systems (QMS) in the industry is well known. The QMS begins with quality control processes, feeding through to quality assurance, resulting in total quality as the culmination of effective QMS implementation. However, it is now practically mandatory to incorporate risk management within the total quality concept. Generally, the current systems, including inspection and audit processes, are solely focused on compliance and processes: how we manage these processes and how we measure compliance.
But rarely included is the question: what
would happen if…?
Certainly, every company has an emergency
and business continuity plan to mitigate the impact of these “what if…”
situations, but how effectively can they ensure that all risks are covered and
have a mitigation plan?
Here, a dynamic and interdisciplinary
committee comes into play to review, evaluate and effectively manage risk
following a few basic steps:
Defining a Risk Management Process
Representatives from different areas of your organization to comprise the risk analysis forum;
Communication channels to escalate or cascade down information (to managers and from managers to teams);
Definition of responsibilities;
And importantly, create a written procedure to capture the requirements and records.
It is necessary to follow up on training
provided for all areas to ensure that the importance of risk management is
clear and appreciated.
Establishment of a Continuous Process of Risk Identification
Once the training process and awareness of risk management is finished, the organization should now be able to properly identify and communicate potential risks that may affect the flow and continuity of the production processes. In addition, it is vital to define regular meetings in which these risks are raised. Management team participation is necessary for an adequate analysis of the risk(s), definition of mitigation plans, allocation of resources, identification of responsibilities and setting of deadlines.
Risk Analysis
A risk must be analyzed from different angles in order to ensure that the final action plan is suitable, be it risk elimination or mitigation. The following questions should be asked:
What could go wrong?
What is the likelihood of something going wrong?
What is the expected impact if something goes wrong?
What is, most likely, the cause (root cause) for the occurrence of this situation?
The guidance can be applied to any kind of
risk by any kind of organization. Essentially, the steps are as follows:
Establish the context – what activities are we talking about?
e.g., a piece of machinery, a process, a natural disaster, exporting goods, staff, data
Identify risks – what could go wrong?
e.g., entanglement, pinch injury, collision, dust, noise, chemical exposure, flood, theft, fraud
Analyze them – what could happen if it did go wrong? How likely is it?
e.g., a minor injury, permanent impairment, loss of life, loss of reputation, economic setback, business closure…
Evaluate – can we live with this risk?
e.g., minor inconvenience? major problem?
Control/treat – what are we going to do about it?
e.g., use the hierarchy of controls to decide, and consider the cost/benefit balance.
Monitor/review – is the control working? Can it be better?
Some organizations have developed specific
forms for the different kinds of hazards they deal with, to make it easier to
remember to ask all the relevant questions. Looking at past incidents will also
help you become aware of the different kinds of hazards to look for.
Risk Mitigation Plans
The actions identified and defined will directly attack the initial stages of a risk developing. In this step it is important to emphasize two aspects:
There is not always one single root cause – in most situations a combination of several possible cause elements is observed. Improper handling of these can lead to a consecutive chain of events, allowing the risk to occur. The identification and monitoring of these elements is one of the critical aspects of risk management.
The root cause may not always be obvious to the naked eye – hence the importance of analysis tools involving multidisciplinary teams to implement dynamics such as the Ishikawa model or the 5 whys. The “5 whys” model establishes that with at least 5 “why” questions we may be able to determine the most probable root cause. Of course, as in many techniques, there are drawbacks, but this provides a useful framework to start with.
A risk mitigation plan alone does not suffice. Periodic review and monitoring is required to ensure that actions are still valid through time, including reassessments during management meetings that may provide answers to questions like:
Is this risk at an acceptable level?
What further actions can I take to reduce or eliminate this risk?
What is the appropriate balance of risk, benefit and resources that should exist?
Are new risks created as a result of actions taken to control a particular risk?
The performance of audits and certain
performance indicators are important parts of the control and monitoring
process. These tools also help provide a picture of the evolution of processes
within a company.
Audits
An audit should not be restricted to ensuring the proper enforcement of standards and that processes are in place. Audits should further verify the existence of a risk management plan that can predict and anticipate the occurrence of future risks. Existing processes or activities should be challenged during questioning using hypothetical situations based on “what would happen if…?”
Performance Indicators
Elements such as trends in deviations, complaints, incidents, change controls and other statistics can clearly illustrate whether the organization is at an important turning point. An increase in any of these indicators should alert the management team, as it may be the first sign of a risk developing.
Risks have always existed and no company is exempt from them. Historically, risk has been handled in different ways, either through observation or reactive actions. More recently, the concept of risk has been incorporated into quality systems to be studied in a more proactive way. A risk management program should aim to act as a tool for continuous improvement, building knowledge and experience for food industries. When it is used correctly as part of the daily function of any organization, success is achieved despite the threats that arise with the accelerated growth of the world economies. Anticipating, identifying, and eliminating or controlling a risk effectively can transform the risk into an opportunity.
Additional Examples
Standard writers have defined risk (3.09
Definitions as listed in the ISO 9001:2015
Draft) as the “effect of uncertainty” on an
expected result. Consequently, organizations will now be required to define
upfront the scope of risk for their organization as it relates to product
conformity and customer satisfaction. It is important to remember in defining
risk that it is a part of the QMS and its boundaries must include internal,
external, and interested parties (4.2 and 4.3 of ISO 9001:2015 draft).
Some examples of “uncertainty” from the expected results might be scrap, rework, or lack of first time quality. Customer satisfaction “uncertainty” might result from the lack of on time delivery or timely quotations. Presently, some organizations are addressing “uncertainty” as separate events. ISO 9001:2015, as drafted, will require most of these separate events to fall under the risk management segment (6.1) of the QMS. For example, some organizations look at customer satisfaction as a collection of customer complaints, customer returns, and on time delivery. ISO 9001:2015 requires organizations to address the “uncertainties” or “risk” to the organization of not meeting an acceptable level of internal performance. Another example is product quality impacting risk to the organization. In many cases product quality can be viewed as scrap, rework, and productivity. Managing an organization’s risk extends to “interested” parties, e.g., the FDA. These risks are associated with manufacturing the product exactly as initially approved and will need to be included in an organization’s risk management system. Organizations generally have Quality Objectives or Key Process Indicators (KPIs) for internal as well as external issues. By reviewing these indicators in a formal method with records of the reviews and action plans, an organization can create a risk management system and improve its continual improvement (opportunities) system.
Another risk management tool is the corrective action form with a section to define containment. Good containment reduces risk, and good corrective action with effective root cause analysis leads to reduced risk of the product to your customer. So start using the word risk in your QMS and address risk issues on a regular basis, e.g., at weekly team meetings address risks such as risks to on time delivery. Risk issues can be discussed and documented whether they are supplier or internal issues. A copy of the team meeting minutes can be provided to Top Management for their action, if necessary. There is no reason to “delete” any activity that your organization is currently conducting using ISO 9001:2008. Management Review usually contains records of the effectiveness of all Quality Objective action plans and customer issues, and can certainly be labeled as an important method to evaluate risk and risk reduction activities.