Wednesday, January 25, 2017

ISO 9001:2015 Risk Assessment - III

Application of Risk Assessment for ISO 9001:2015
Under the new ISO 9001:2015 standard, risk based thinking (RBT) replaces preventive action as the mode of prevention in a quality management system, and organizations are expected to apply RBT to their quality processes. For the risk assessment introduced in the 2015 revision, the organization should apply one or more of the risk assessment tools given in ISO 31010:2010. This is not an easy task: the guideline lists over 30 different tools without singling out any one of them, because the organization's context in the supply chain decides which tools are relevant. However, it is mandatory to have expert knowledge of both the organizational context and the specific tools before selecting and applying the most appropriate ones to identify, analyze and evaluate risk with the available resources. Nonetheless, ISO 9001:2015 has no mandatory requirement for risk management; it does require the organization to give auditors sufficient documented evidence that it has considered all relevant factors, including interested parties such as consumers, buyers and certification bodies, and that risk based thinking has been applied.

The easiest way to start an ISO 9001:2015 risk assessment is to carry on as if ISO 9001:2008 were still the current version of the standard, effectively ignoring the risk based thinking requirements of Clause 6 in the way that preventive actions have (some claim) been ignored in the past, and then work on the risk assessment separately. You still need to treat all the other new amendments to the standard as ordinary changes and update the system accordingly. After updating the relevant sections of the existing system, consider risk when defining the rigour and degree of formality needed to plan and control the quality management system. Once your risk assessment is completed and the system updated, reporting on non-conformances and corrective actions might become unnecessary if the risks have been properly considered, since the plan is to identify all the risks and control them before they harm the organization's products and services.

When it comes to external or internal auditing, auditors will in future regard a failure to show evidence of risk based thinking in an organization's quality processes as a nonconformity (possibly a major one) and will judge the quality system ineffective because it has failed to reduce or eliminate the risks to process outputs. You can use previous external and internal audit reports as a source of information for improving your ISO 9001:2015 system: look for any good practices the auditor observed in applying risk based thinking to the planning of quality processes, their contribution to continual improvement of the system, and how they provide assurance of conformity to customer and applicable statutory and regulatory requirements.

Continual improvement has also become a frequent term in Clause 5: Leadership, Clause 6: Planning, Clause 7: Support, Clause 9: Performance Evaluation, and Clause 10: Continual Improvement, which states that “the organization shall consider the outputs of analysis and evaluation, and the outputs from management review, to confirm if there are areas of underperformance or opportunities that shall be addressed as part of continual improvement”. You therefore need to show that continual improvement is part of your process with regard to the risk assessment, because your quality processes reflect whether or not you have taken account of the risks and opportunities in your context.

Planning and considering risks in quality system processes
As ISO management systems are continually improved towards multiple platform operations, there is already a significant precedent in the ISO family of management system standards that explains the need for the risk based approach. ISO 9001:2015 takes a risk based approach to the planning and implementation of the quality management system, resulting in an appropriate and affordable level of quality. In this way, it ensures that the right people, processes, procedures and technologies are in place to achieve the intended results of the quality management system. It is also worth bearing in mind that the integrated management systems of an organization may apply the same risk assessment methodology across several disciplines.

What actions are required to plan for risks and opportunities?
Clause 6 of ISO 9001:2015 clearly explains the need for planned actions to address risks and opportunities in quality systems:
6.1.2 The organization shall plan:
a) Actions to address these risks and opportunities;
b) How to evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. Not all the processes of the quality management system represent the same level of risk to the organization's ability to meet its objectives, and the consequences of process, product, service or system non-conformities are not the same for all organizations. There will be risks that you need to address through the quality processes, so you need to plan how you go about identifying, considering and planning for risks to quality, and how risk analysis can help you achieve your objectives. To address the requirement, plan processes that address risk and then analyze the relative importance of the risks in the system. The risk factors of a process determine the organization's success or failure, so you need a detailed understanding of each specific risk posed to successful outcomes at the various stages of the quality processes; this understanding determines the appropriate priorities for action. It should result in fewer unpleasant surprises and will enable quality managers to determine where the greatest effort should be focused in treating identified risks for quality assurance purposes.

The alternative to decision making based on risk analysis is a combination of experience and intuition. Experience, no matter how extensive, can be out of date and therefore fail to anticipate the potential risks in a system. Intuition is the ability to acquire knowledge without inference or the use of reason and is of questionable value to organizations when planning and considering processes in order to consistently produce desired outcomes. By developing a better understanding of risk, risk analysis techniques help organizations facilitate structured action planning and resource allocation.

The following methodology is a very simple method proposed by Michael Shuff in his blog post, but it contains important points for developing a risk assessment for ISO 9001:2015. It is one way to combine the quality management system and risk management processes so as to achieve continual process improvement that takes full account of the risks and opportunities in any given context. A key feature of the proposed design for the R&O Register would be the outputs of a simple risk assessment process, following a six step risk assessment and continual process improvement model: (1) establish the context, (2) identify possible risks to quality outputs, (3) carry out a qualitative risk analysis and risk evaluation, (4) extend this analysis to a semi-quantitative analysis used to assign a numerical risk factor (RF value) to each of the risks in order to determine the highest priority risks, (5) determine a risk treatment plan, and (6) monitor and review the quality system processes to determine the effectiveness of the quality controls and identify any new risks and opportunities as early as possible.

Establish the context
Referencing 4.1 Understanding the organization and its context, and 4.2 Understanding the needs and expectations of interested parties: this step determines the issues and requirements that can impact the planning of the quality management system; the employees and their interactions; the competence of persons within or working on behalf of the organization; and its size and organizational structure.

Risk identification
Risk identification involves selecting a suitable process for risk identification and for each quality process, identifying and numbering the risks. The activity is designed to be carried out in a group situation where each risk is described in terms of what could happen and what that could lead to, the causes of the risk both external and internal to the organization and the existing controls that could prevent, transfer or mitigate risks.
This process records the risks in a Risk and Opportunities Register (R&O Register) that would form an integral part of the Quality Management System.

Qualitative Risk Analysis and Risk Evaluation
The systematic use of available information regarding probability, consequence and exposure leads to a better understanding of the risk and of the controls that are needed. For each risk we would then: assess the effectiveness of the existing controls using a suitable effectiveness scale; determine the consequences (impact) of the risk; estimate the likelihood of these consequences occurring; and estimate the potential exposure were the controls we have in place to fail.

For example, a failure to control the quality of production outputs through an adequate inspection process could result in the customer rejecting the goods or services supplied as unfit for purpose, causing the organization to suffer a financial loss that can be measured in penalties under the terms and conditions of the contract, as well as reputational damage.

Semi-Quantitative Risk Assessment for Systems and Processes
Qualitative analysis is used to determine the probability and impact of risks but, by its nature and definition, lacks quantitative precision. In comparison, a semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are used to rate a series of risks against similar criteria so that they can be compared more easily. Scores are applied to each component of risk, assessing both the consequence (impact) and the likelihood of the risk occurring, and an average consequence score and average likelihood score are derived for the risks associated with each process analyzed. These scores are then used to determine the comparative ‘risk factors’ (RFs) of the different processes, which aid decision making when the RFs are plotted on a consequence/likelihood graph overlaid with iso-risk contours (lines of equal risk factor).

Implementation
The costs, advantages and disadvantages of each risk treatment option are taken into account, and where the benefits determined exceed the known or likely costs of action, treatment options are selected for implementation. The brainstorming process is repeated after implementation to determine whether the level of risk remaining after treatment is tolerable; if it is not, further risk treatment actions are sought and considered.

Monitoring and Review
A monitoring process needs to be developed for each risk by the risk owner and for each relevant control by the control owner. Decisions should be made about the time intervals at which the risks and controls are reviewed. At the same time, a monitoring process is put in place for each risk treatment plan under the direction of the relevant risk owner. Progress is monitored against the objectives of the risk treatment plan, and the resulting successes and failures are recorded. Periodically, the team needs to assess whether new risks are affecting or could affect quality processes and systems, as part of the cycle of continuous quality process improvement.
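The register, semi-quantitative scoring, prioritisation and re-scoring after treatment described in the steps above, as an added Python example (this is not code from Shuff's post or from any ISO document). The five-point consequence and likelihood scales, the contour thresholds and the sample risks are assumed values constructed for the illustration.

```python
"""Semi-quantitative R&O register: per-process risk factors (RF) and iso-risk bands."""
from dataclasses import dataclass, replace
from statistics import mean

# Assumed five-point scoring scales (constructed for this example, not taken from ISO 31010).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Iso-risk contours: every (consequence, likelihood) pair with the same product C x L lies
# on one contour. The thresholds are assumed policy values, listed highest first.
CONTOURS = [(16, "intolerable"), (10, "treat"), (5, "monitor"), (0, "tolerable")]


@dataclass(frozen=True)
class Risk:
    ident: str        # register number, e.g. "R1"
    process: str      # quality process the risk is attached to
    event: str        # what could happen
    consequence: str  # key of CONSEQUENCE
    likelihood: str   # key of LIKELIHOOD
    control: str      # existing control that prevents, transfers or mitigates the risk

    def score(self):
        return CONSEQUENCE[self.consequence], LIKELIHOOD[self.likelihood]


def band(rf):
    """Map a risk factor onto the iso-risk contour band it falls within."""
    return next(label for threshold, label in CONTOURS if rf >= threshold)


def process_risk_factors(register):
    """Average consequence and likelihood per process, then RF = avg C x avg L."""
    by_process = {}
    for risk in register:
        by_process.setdefault(risk.process, []).append(risk.score())
    result = {}
    for process, scores in by_process.items():
        avg_c = mean(c for c, _ in scores)
        avg_l = mean(l for _, l in scores)
        rf = round(avg_c * avg_l, 2)
        result[process] = {"avg_c": avg_c, "avg_l": avg_l, "rf": rf, "band": band(rf)}
    return result


def prioritise(register):
    """Processes ordered highest RF first: where treatment effort should go first."""
    rfs = process_risk_factors(register)
    return sorted(rfs, key=lambda p: rfs[p]["rf"], reverse=True)


def treat(register, ident, **changes):
    """Return a new register with one risk re-scored after a treatment action
    (e.g. a stronger control lowering the likelihood); the original register is kept
    so the pre- and post-treatment RFs can both be recorded."""
    return [replace(r, **changes) if r.ident == ident else r for r in register]


# Constructed sample register (illustrative entries only).
REGISTER = [
    Risk("R1", "Final inspection", "Defective batch released to customer",
         "major", "possible", "100% visual inspection"),
    Risk("R2", "Final inspection", "Calibration of test gauge overdue",
         "severe", "unlikely", "Calibration schedule"),
    Risk("R3", "Supplier approval", "Unapproved supplier used under time pressure",
         "moderate", "likely", "Approved supplier list"),
    Risk("R4", "Document control", "Obsolete work instruction in use",
         "minor", "rare", "Controlled master copies"),
]

if __name__ == "__main__":
    for process in prioritise(REGISTER):
        print(process, process_risk_factors(REGISTER)[process])
    # Treatment: purchasing sign-off against the approved list lowers R3's likelihood.
    residual = treat(REGISTER, "R3", likelihood="unlikely",
                     control="Approved supplier list + purchasing sign-off")
    print("R3 residual:", process_risk_factors(residual)["Supplier approval"])
```

Plotting each process at (avg_c, avg_l) and drawing the C x L = threshold curves reproduces the contour graph the text refers to; the band is simply which side of those curves the point lands on.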


Saturday, January 14, 2017

ISO 9001:2015 Risk Assessment - II

Risk Identification in ISO 9001:2015
Risk is defined as the "possibility of an event occurring that will have an impact on the achievement of objectives." Organizations are exposed to a wide variety of risks every day and their impact could affect an organization's finances, operations, legal standing, or reputation. Therefore, to effectively manage these risks, management should have a process to identify, assess, prioritize, and manage them, because risk is inherent in all aspects of a quality management system as well as in all systems, processes and functions. Thus risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system. 

The research that was carried out as part of the review process recognized that several other important changes were required since the last major change in 2000. These were:
Providing a foundation for the integration with other management systems
Introducing risk-based thinking, now prevalent in many organizations
Aligning the QMS policy and objectives with the strategy of an organization
Providing greater flexibility with documentation

On the other hand, risk management and preventive action are sequential, complementary elements that are essential to the QMS. The effectiveness of any preventive action depends on the extent to which the action addresses the root causes identified by the risk assessment. Therefore, the success of the risk assessment process depends on the extent to which it identifies root cause issues. When all root cause issues have been identified, it is possible to examine the proposed preventive actions to determine if all elements of risk have been satisfactorily addressed and mitigated.

When considering the 2015 revision of ISO 9001, the committee responsible decided that change was necessary in order to adapt to a changing world, enhance an organization's ability to satisfy its customers, provide greater focus on the customer, provide a consistent foundation for the future, reflect the increasingly complex environments in which organizations operate, and ensure the new standard reflects the needs of all interested parties.

Risk Identification
Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern. The objective of risk identification is the early and continuous identification of events that, if they occur, will have negative impacts on the processes’ ability to achieve performance or capability outcome goals. They may come from within the management system or from external sources.

There are multiple types of risk assessments, including quality risk assessments, food safety risk assessments, program risk assessments, risk assessments to support an investment decision, analysis of alternatives, and assessments of operational or cost uncertainty. Risk identification needs to match the type of assessment required to support risk-informed decision making. For a production process, the first step is to identify the production goals and objectives, thus fostering a common understanding across the manufacturing and quality team of what is needed for production success. This gives context and bounds the scope by which risks are identified and assessed.

The sooner risks are identified, the sooner plans can be made to mitigate or manage them. Nevertheless, assigning the risk identification process to a contractor or to an individual member of staff is rarely successful and may be seen as a way to achieve the appearance of risk identification without actually doing it. It is therefore important that all relevant management personnel receive specific training in risk management methodology. This training should cover not only risk analysis techniques but also the managerial skills needed to interpret risk assessments.

Preliminary hazard analysis
Preliminary hazard analysis can be defined as “a simple inductive method of analysis whose objective is to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system”. Note that the term ‘hazard’ is always used in the context of physical harm. At first sight it is not a very promising tool for quality, but it does have advantages: it can be used when there is limited information, and it allows risks to be considered very early in the system lifecycle. In some organizational contexts, such as food manufacturing, preliminary hazard analysis could be appropriate as a risk assessment tool for quality when its use helps to prevent critical nonconformities which could, for example, result in hazardous or unsafe conditions for individuals using, maintaining or depending on the product.

Structured Interviews and Brainstorming
Structured interviews and brainstorming sessions are conducted to collect a broad set of ideas, which a team then evaluates and ranks. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques. When planning for the quality management system, ISO 9001:2015 requires organizations to consider the issues referred to in clause 4.1 [Understanding the organization and its context] and the requirements referred to in 4.2 [Understanding the needs and expectations of interested parties] and to determine the risks and opportunities that need to be addressed, in order to:
a) Give assurance that the quality management system can achieve its intended result(s);
b) Prevent, or reduce, undesired effects;
c) Achieve continual improvement.

The quality management team should integrate and implement the actions into the organization's quality management system processes (see clause 4.4) and evaluate their effectiveness. Brainstorming as a technique could be particularly useful when, for example, identifying the risks of a new technology where there is no data, or where novel solutions to problems are needed. To quote ISO 31010, “…it encourages imagination which helps identify new risks and novel solutions”. However, it is not applicable to the risk analysis tasks of estimating consequence, probability or level of risk. It therefore has its limitations: like the ‘Look Up Methods’ of checklists and preliminary hazard analysis, and most of the ‘Supporting Methods’ such as structured interviews, the Delphi technique and SWIFT (Structured “what if”), it does not provide any quantitative output, although quantitative output is not a requirement of ISO 9001.

In the section ‘Supporting Methods’, Human reliability analysis (HRA), which deals with the impact of humans on system performance and can be used to evaluate human error influences on the system, is able to provide quantitative output and is ‘strongly applicable’ to risk analysis and ‘applicable’ to risk evaluation.


As a simple method for considering risks in relation to a quality management system and its associated processes, you can ask yourself the following questions:
What are the risks associated with the organization’s context and objectives, and why does each risk occur? [identifying the risk and the reason for its occurrence].
What would be the likely negative consequences of process, product, service or system nonconformities? [consequences if the risk occurs].
How likely is it that the organization will deliver nonconforming products and services in relation to the risks we have identified? [probability of the risk occurring].
How effective are our existing controls? [identifying factors that reduce the consequences or probability of the risk].
These questions do not cover everything we actually need to know, but they make a good start.

ISO 31000:2009 states that risk assessment attempts to answer the following fundamental questions:
What can happen and why (by risk identification)?
What are the consequences?
What is the probability of their future occurrence?
Are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?
Providing that you adhere to this basic structure, you are following the framework that is set out in the International Standard ISO 31000:2009. Rather than spending several days reading the Standard and having long meetings with colleagues to see how it might be applicable, why not look for methods that would help you to meet the requirements of ISO 9001?

One important point is that you need to document the results of any ‘consideration of risks and opportunities’ exercise as evidence of your management team’s “risk based thinking”. Even if it is clear from the design of your processes that you have taken account of Clause 6.1 and determined the risks and opportunities that need to be addressed, having a record of your risk assessment processes might prove useful, if only as a reminder to keep matters under review! Then evaluate the risk assessment tools (31 in total) in ISO 31010 to see which are applicable to your organizational context.

According to the introduction to ISO 31000:2009, “The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances”. It follows that it is worth interviewing those people (in a structured or unstructured way) or bringing them together for a brainstorming session, if only to find out what qualitative and quantitative risk assessments have already been made that could help you address the requirements of ISO 9001. Whether or not anyone is already carrying out risk assessments, with or without the tools in ISO/IEC 31010:2009, ISO 9001:2015 expects the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1). ISO assumes that one of the key purposes of a quality management system is to act as a preventive tool, taking account of identified risks. Consequently, ISO 9001:2015 does not have a separate clause or sub-clause titled ‘Preventive action’. Rather, the wording states unequivocally: “The concept of preventive action is expressed through a risk based approach to formulating quality management system requirements”.

Although a number of quality professionals undoubtedly feel uncomfortable talking about risk in relation to preventive actions, assessing risk is something that managers in most organizations already do in one form or another. They may not always use the term risk to describe their activities, which could include, for example, conducting a sensitivity analysis of a financial projection or of the product design for a newly invented production line, scenario planning for a project appraisal, assessing the contingency allowance in a cost estimate, negotiating contract conditions, or developing contingency plans. Even so, thinking about risks and opportunities is central to their work. Not everyone agrees with this statement, of course, but understanding the context (see clause 4.1) and determining the risks and opportunities that need to be addressed (clause 6.1) are requirements of ISO 9001:2015. Therefore, before you reject the idea of using risk assessment tools on the grounds that they are too complicated and “not part of your job”, it is worth pondering this quote from the introduction to ISO 31000:2009: “The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context”.