Risk-Based Thinking and ISO 9001:2015
Understanding the effects of uncertainty and applying them in your QMS
Chad Kymal and R. Dan Reid
Published: Friday, August 21, 2015 - 12:26
Sponsored Content

Risk is not a straightforward concept. Definitions of risk vary, even within documents published by the International Organization for Standardization (ISO). One ISO definition indicates that risk is the “effect of uncertainty on an expected result.” Risk is now addressed by ISO 9001:2015—“Quality management systems—Requirements,” the international standard for quality management systems (QMS), scheduled for publication next month. In it, organizations are asked to “address risks and opportunities.” New language in the final draft international standard (FDIS) of ISO 9001 focuses on “risk-based thinking,” although it stops short of actual “risk management.” As a result, the international community is wrestling with how best to audit risk. What are the concerns of auditors? What does ISO 9001:2015 ask for?

Understanding risk

In ISO 9000:2015—“Quality management systems—Fundamentals and vocabulary,” risk is defined as the “effect of uncertainty.” Notes in the definition further describe risk as a “deviation from the expected,” either positive or negative. The term “uncertainty” is clarified as a lack of information or knowledge about an event that can be expressed in terms of consequences and the likelihood of occurrence. Lastly, ISO 9000 states that risk is related to potential events, and that it is typically expressed as a result of the likelihood and consequence of such an event.

Let’s consider risk as it is defined in ISO/FDIS 14001:2015—“Environmental management systems,” and in ISO 31000—“Risk management—Principles and guidelines.” The definition of risk in ISO 14001 is identical to that in ISO 9000, even though it includes only four of the six notes from ISO 9000. However, the definition in ISO 31000 is a little more specific than the one in ISO 9001 and ISO 14001: risk is defined as an “effect of uncertainty on objectives.” This is a good time to emphasize a few notions about risk.

Risk in ISO 9001:2015 and ISO 14001:2015 is general, that is, it is a concept that can be applied anywhere in an organization, including planning (Clause 6.0), i.e., the setting of objectives as it is defined in ISO 31000. Risk can be described as a potential event that can be expressed in terms of consequence, impact, or severity of the impact and its related likelihood of occurrence.

Use of risk in ISO 9001:2015

Risk appears in the normative parts of ISO 9001 eight times, and risk-based thinking appears once. Risk and risk-based thinking appear many times more when we study the informative portions of the standard, e.g., the introductory sections and the appendix.

| Clause number | Title | Explanation |
|---|---|---|
| 4.4.1 | No title | QMS process risk and opportunities |
| 5.1.2 | Customer focus | Risk and opportunities that can affect conformity of products and services; this, then, is quite broad |
| 6.1 | Actions to address risks and opportunities | Appears in title |
| 6.1.1 | No title | Consider risk and opportunities as they relate to the context of the organization and interested-party expectations so that the QMS achieves its “intended results,” i.e., its objectives, including improvement. This is the definition that now appears in ISO 31000. |
| 6.1.2 | No title | Appears twice: Plan actions to address risk and opportunities, including their effectiveness; and actions taken shall be proportionate to the potential impact. |
| 9.1.3 | Analysis and evaluation | Effectiveness of actions taken to address risk and opportunities |
| 9.3.2 | Management review inputs | Effectiveness of actions taken to address risk and opportunities as it relates to Planning (6.1) |

Table 1: ISO/FDIS 9001:2015 requirements for risk

Table 1 explains the requirements of ISO/FDIS 9001:2015 for risk and opportunity analysis within the organization. The concept of risks and opportunities, which emphasizes identifying potential problems as well as opportunities for improvement, needs to be applied to QMS processes, the conformity of products and services, and planning QMS objectives, including setting out actions for improvement plans and evaluating their effectiveness.

Under 4.4—QMS and its processes

When the requirements of ISO/FDIS 9001:2015 are studied, these are the relationships indicated as they relate to QMS processes and planning:

[Figure: Process risk and planning risk—Ref. Clauses 4.1 and 6.1]

Risk as it relates to product and process conformance can be quite broad. The following are some areas where risk is usually addressed by organizations:

[Figure: Product and process risks and opportunities—Ref. Clause 5.1.1]

ISO/FDIS 9001:2015 requires companies to address risk and opportunities as they relate to QMS processes (Clause 4.4.1), planning (Clause 6.1), and product risks (Clause 5.1.2). The effectiveness of risk management and opportunities for analysis must be evaluated (Clause 9.1.3). Also, the effectiveness of the actions associated with objectives or planning must be included in the management review (Clause 9.3.2).

Rightly so, the standard does not prescribe a methodology or require a documented process for risk-based thinking. Ultimately, it is up to an organization to choose a suitable process or specific methodology to address this.

[Figure: ISO 9001:2015 mandates / What the standard doesn’t require]

Omnex methodology for risk

Omnex suggests that organizations integrate risks and opportunities into their organizational processes (i.e., QMS processes). Risks and opportunities must be integrated into the planning process (Clause 6.1), as shown below for business planning, or for setting organizational goals and objectives. Omnex calls this process the “business operating system” (BOS). It identifies key processes and conducts risk analysis on them because they affect the organization’s overall objectives.

For managing risk in products and services, we suggest the following methodologies. First, it is important that a project is evaluated for overall risk, particularly how risk relates to new products, suppliers, and technology. Second, it is also important to use tools such as failure mode and effects analysis (FMEA), and product and process design risk, to evaluate risk within the context of the new-product development process. FMEA, along with control plans, identifying critical and significant characteristics, process capability, and measurement system analysis, are proven techniques that can help organizations reduce risks. Results have shown that customer nonconformances drop significantly, into the range of 10 to 60 parts per million (PPM).

Auditing risk

Auditors must be flexible when auditing a QMS for conformity to ISO 9001:2015’s risk-based thinking. There are no requirements in the standard for a risk management process or methodology, so auditors have been concerned that auditing a QMS will be difficult. Let’s examine the standard’s planning process for organizations. Following are some of the questions auditors can ask when auditing a QMS:

1. Does the organization identify internal and external issues as they relate to the context of the business? (Clause 4.1)
2. Has the organization identified relevant interested parties as they relate to the context of the business? Has the organization understood the interested-party expectations? (Clause 4.2)
3. Has the organization used the issues developed in the context and in the needs and expectations of the interested parties when planning for the organization? (Clause 4.3)
4. Has the organization identified the risks and opportunities as they relate to the organization achieving its intended results, i.e., goals and objectives? (Clause 6)
5. Has the organization identified the actions to address the risks and opportunities?
6. Is the organization meeting its goals and objectives, i.e., is it improving?

For more on risk-based thinking, join Chad Kymal and Dirk Dusharme on Tues., Aug. 25, 2015, at 11 a.m. Pacific for the webinar, “Risk-Based Thinking: Actions to Address and Audit Risk and Opportunities.” Kymal will also be releasing a new book on ISO 9001:2015 auditing, published by ASQ, at the end of 2015.

About the authors

Chad Kymal is the CTO and founder of Omnex Inc., an international consulting and training organization headquartered in the United States. He is also president of Omnex Systems, a software provider of ISO 9001, ISO 14001, and ISO 27001 management systems. He developed and teaches auditor training for ISO 9001, IATF 16949, ISO 14001, and ISO 45001, as well as an Integrated Management Systems Lead Auditor training course where all three standards are combined in a single audit. Kymal is also on the ISO/TC 176, ISO/TC 207, and PC283 committees for ISO 9001:2015 (quality), ISO 14001:2015 (environmental), and ISO 45001 (health and safety) management system development.

R. Dan Reid is Omnex Inc.’s director of standards and consulting. Reid, an ASQ Fellow and ASQ-Certified Quality Engineer, is first delegation leader of the International Automotive Task Force; a member of U.S. Technical Advisory Groups for quality, environmental, and OH&S management systems; a trainer for ISO 9000, ISO 14000, OHSAS 18000, AS9100, ISO 13485, ISO 17025, and VDA 6.3; and serves on the American Association for Laboratory Accreditation (A2LA) board of directors. Reid led the supplier development administration at GM, and served on the Chrysler, Ford, and GM Supplier Quality Requirements Task Force, which was responsible for QS-9000 and ISO/TS 16949.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest” is a trademark owned by Quality Circle Institute, Inc.