Application of Risk Assessment for ISO 9001:2015
Under the new ISO 9001:2015 standard, risk based thinking (RBT) is the new mode of preventive action for quality management systems, and organizations are required to apply it to their quality processes. For the ISO 9001 risk assessment introduced in the 2015 revision, one or more of the risk assessment tools given in ISO 31010:2010 should be applied. This is not an easy task: over 30 different tools are given as guidelines, with no single tool prescribed, because the organizational context in the supply chain decides which tools are relevant for the assessment. Expert knowledge of both the organizational context and the specific tools is therefore essential before selecting and applying the most appropriate tools to identify, analyze and evaluate risk in the organizational context with the available resources. ISO 9001:2015 has no mandatory requirement for risk management as such, but it does require the organization to provide the auditors with sufficient documented evidence of risk based thinking so that they can assess whether the organization has taken all relevant considerations into account, including interested parties such as consumers, buyers and the various certification bodies.
The easiest way to start an ISO 9001:2015 risk assessment is to carry on as if ISO 9001:2008 were still the current version of the standard, effectively ignoring the risk based thinking requirements of Clause 6 in the same way that preventive actions have (some claim) been ignored in the past, and then work on the risk assessment separately. You still need to treat all the other new amendments to the standard as ordinary changes and update the system accordingly. After updating the relevant sections of the existing system, consider risk when defining the rigour and degree of formality needed to plan and control the quality management system. Once your risk assessment is completed and the system updated, reporting on non-conformances and corrective actions may become unnecessary if the risks have been properly considered, since the plan is to consider all the risks and control them without harming the organization's products and services.
When it comes to external or internal auditing, auditors will in future regard a failure to show evidence of risk based thinking in an organization's quality processes as a nonconformity (possibly a major nonconformity) and will judge the quality system to be ineffective because it has failed to reduce or eliminate the risks to process outputs. You can, however, use previous external and internal audit reports as a source of information for improving your ISO 9001:2015 system: consider any good practices the auditor observed in the application of risk based thinking to the planning and consideration of quality processes, its impact on achieving continual improvement of the system, and how it provides assurance of conformity to customer and applicable statutory and regulatory requirements.
Continual improvement, on the other hand, has become a frequent term in Clause 5: Leadership, Clause 6: Planning, Clause 7: Support, Clause 9: Performance Evaluation, and Clause 10: Continual Improvement, which states that "the organization shall consider the outputs of analysis and evaluation, and the outputs from management review, to confirm if there are areas of underperformance or opportunities that shall be addressed as part of continual improvement". You therefore need to show that continual improvement is part of your process with regard to the risk assessment, because your quality processes reflect whether or not you have taken account of the risks and opportunities in your context.
Planning and considering risks in quality system processes
As ISO management
systems are continually improved towards multiple platform operations, there is
already a significant precedent in the ISO family of management system standards
that explains the need for the risk based approach. ISO 9001:2015 takes a risk based
approach to the planning and implementation of the quality management system,
resulting in an appropriate and affordable level of quality. In this way, it
ensures that the right people, processes, procedures and technologies are in place
to achieve the intended results of the quality management system. It is also
worth bearing in mind that the integrated management systems of an organization
may apply the same risk assessment methodology across several disciplines.
What actions are required to plan for risks and opportunities?
Clause 6 of ISO 9001:2015 clearly explains the need for planned actions to address risks and opportunities in quality systems:
6.1.2 The organization shall plan:
a) Actions to address these risks and opportunities;
b) How to evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. Not all the processes of the quality management system represent the same level of risk in terms of the organization's ability to meet its objectives, and the consequences of process, product, service or system non-conformities are not the same for all organizations; nonetheless, there will be risks that you need to address through the quality processes. You therefore need to plan how you will go about identifying, considering and planning for risks to quality, and how risk analysis can help you achieve your objectives. To address the requirement, it is necessary to plan processes that address risk and then analyze the relative importance of the risks in the system. The risk factors of a process determine the organization's success or failure, so you need a detailed understanding of each of the specific risks posed to successful outcomes at the various stages of the quality processes; that understanding determines the appropriate priorities for action. It should result in fewer unpleasant surprises and will enable quality managers to determine where the greatest effort should be focused in treating the identified risks for quality assurance purposes.
The alternative to
decision making based on risk analysis is a combination of experience and
intuition. Experience, no matter how extensive, can be out of date and therefore
fail to anticipate the potential risks in a system. Intuition is the ability to
acquire knowledge without inference or the use of reason and is of questionable
value to organizations when planning and considering processes in order to
consistently produce desired outcomes. By developing a better understanding of
risk, risk analysis techniques help organizations facilitate structured action
planning and resource allocation.
The following methodology is a very simple method developed by Michael Shuff as an idea in his blog post, but it makes very important points for developing a risk assessment for ISO 9001:2015. It is one way to combine quality management systems and risk management processes so as to achieve continual process improvement that takes full account of the risks and opportunities in any given context. A key feature of the proposed design for the R&O Register is that its contents are the outputs of a simple risk assessment process following a six step risk assessment and continual process improvement model, which is used to (1) establish the context, (2) identify possible risks to quality outputs, (3) carry out a qualitative risk analysis and risk evaluation, (4) extend this analysis to a semi-quantitative analysis that assigns a numerical risk factor (RF value) to each of the risks in order to determine the highest priority risks, (5) determine a risk treatment plan, and (6) monitor and review the quality system processes to determine the effectiveness of the quality controls and identify any new risks and opportunities as early as possible.
Establish the context
Referencing 4.1 Understanding the organization and its context, and 4.2 Understanding the needs and expectations of interested parties: this step determines the issues and requirements that can impact the planning of the quality management system, namely employees and their interactions; the competence of persons within or working on behalf of the organization; and the organization's size and structure.
Risk identification
Risk identification involves selecting a suitable process for risk identification and, for each quality process, identifying and numbering the risks. The activity is designed to be carried out in a group setting where each risk is described in terms of what could happen and what that could lead to, the causes of the risk (both external and internal to the organization) and the existing controls that could prevent, transfer or mitigate the risk.
This process records the risks in a Risk and Opportunities Register (R&O Register) that forms an integral part of the Quality Management System.
Qualitative Risk Analysis and Risk Evaluation
The systematic use of available information regarding probability, consequence and exposure leads to a better understanding of the risk and of the controls that are needed. For each risk we then assess the effectiveness of the existing controls using a suitable effectiveness scale, determine the consequences (impact) of the risk, the likelihood of those consequences occurring, and the potential exposure should the controls we have in place fail.
For example, a failure to control the quality of production outputs through an adequate inspection process could result in the customer rejecting the goods or services supplied as unfit for purpose, causing the organization to suffer a financial loss, measurable in penalties under the terms and conditions of the contract, and reputational damage.
Semi-Quantitative Risk Assessment for Systems and Processes
Qualitative analysis is used to determine the probability and impact of risks but, by its nature and definition, lacks quantitative precision. In comparison, a semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are used to rate a series of risks against similar criteria so that they can be compared more easily. Scores are applied to each component of risk, to assess both the consequence (impact) and the likelihood of the risk occurring, and to derive an average consequence score and an average likelihood score for the risks associated with each process analyzed. These scores are then used to determine the comparative 'risk factors' (RFs) of the different processes, which aid decision making when the RFs are plotted on a graph overlaid with iso-risk contours.
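As an added illustration of the scoring approach described above (example code written for this page, not code from the article or from Michael Shuff's model), the following Python register scores consequence, likelihood and control effectiveness for each risk, averages them per process, derives a process RF and places it between iso-risk contours. The 1..5 scales, the multiplicative RF, the way control effectiveness reduces likelihood and the contour values are all assumptions, and the register entries are constructed.

```python
from dataclasses import dataclass
from statistics import mean
@dataclass
class Risk:
    """One R&O Register entry. Scales are assumed (the article leaves them open):
    consequence and likelihood 1..5, control_effect 0.0 (none)..1.0 (fully effective)."""
    rid: str
    process: str
    consequence: int
    likelihood: int
    control_effect: float
# Constructed sample register entries, not taken from the article.
REGISTER = [
    Risk("R1", "Inspection", 4, 3, 0.5),  # partly controlled, costly if it occurs
    Risk("R2", "Inspection", 5, 2, 0.2),  # weak control, severe consequence
    Risk("R3", "Purchasing", 3, 4, 0.8),  # likely but well controlled
    Risk("R4", "Purchasing", 2, 2, 0.9),
    Risk("R5", "Training", 3, 3, 0.0),    # no control in place at all
]

def residual_likelihood(r: Risk) -> float:
    """Assumed model: a control scales likelihood down by its effectiveness, floor 1."""
    return max(1.0, r.likelihood * (1.0 - r.control_effect))

def process_risk_factors(register):
    """Average consequence and residual likelihood per process; the process RF
    is their product (assumed multiplicative risk index)."""
    by_process = {}
    for r in register:
        by_process.setdefault(r.process, []).append(r)
    result = {}
    for proc, risks in by_process.items():
        c = mean(r.consequence for r in risks)
        lk = mean(residual_likelihood(r) for r in risks)
        result[proc] = {"avg_consequence": c, "avg_likelihood": lk, "rf": c * lk}
    return result

def iso_band(rf: float) -> str:
    """Place an RF between iso-risk contours (lines of constant consequence x
    likelihood); contour values 4, 8 and 15 are assumed for the 5x5 grid."""
    for bound, band in ((4, "low"), (8, "medium"), (15, "high")):
        if rf < bound:
            return band
    return "extreme"

def prioritise(register):
    """Processes ordered from highest RF to lowest: the treatment priority list."""
    rfs = process_risk_factors(register)
    return sorted(rfs, key=lambda p: rfs[p]["rf"], reverse=True)
```

With the constructed entries, Training ranks first because its only risk has no control at all, even though Inspection holds the single most severe risk.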
Implementation
The costs, advantages and disadvantages of each risk treatment option are taken into account, and where the benefits determined exceed the known or likely costs of action, treatment options are selected for implementation. The brainstorming process is repeated after implementation to determine whether the level of risk remaining after treatment is tolerable; if it is not, further risk treatment actions are sought and considered.
Monitoring and Review
A monitoring process needs to be developed for each risk by the risk owners and for each relevant control by the control owners. Decisions should be made about the intervals at which the risks and controls are reviewed. At the same time, a monitoring process is put in place for each risk treatment plan under the direction of the relevant risk owners. Progress is monitored against the objectives of the risk treatment plan, and the resulting successes and failures are recorded. Periodically, the team needs to assess whether new risks are affecting or could affect quality processes and systems, as part of the cycle of continuous quality process improvement.