The words “risk” or “risks” have been sprinkled throughout the 2015 revision of ISO 9001, the quality management system standard from the International Organization for Standardization (ISO).
Although some “requirements” will be easy to satisfy using well-established process monitoring or capability techniques, other references to risk are so vaguely stated they’re open to myriad interpretations and may become meaningless. Having read and reread the current references to risk throughout several paragraphs, I wonder if it would not have been better to address risk in one paragraph at the beginning of the standard. I have copied and pasted most of the current references to risk and included brief comments.
ISO 9001:2015 subclause 4.4.2—Process approach
“The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;”
What is the meaning of “unintended output?” Does it mean nonconforming product? Unintended output from a process can be: reprocessed (e.g., chemical industry), scrapped, or sold at a discount. The risk of producing unintended output should theoretically be set at zero or near zero but is rarely achieved; the analogy would be a process operating at 4.5 sigma vs. 5 or higher. The lower the parts per million, the lower the risk of producing unintended output. However, one must not forget that depending on the industry (e.g., medical vs. pencil manufacturers), these risks have different end-user impact and costs. Fortunately this is recognized in the last line of subclause 6.1—Actions to address risks and opportunities.
5.1.2—Leadership and commitment with respect to the needs and expectations of customers
“Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;”
This can be achieved by establishing process capabilities for each process from manufacturing and assembly to packaging and product delivery and installation. The computation of a simple indicator of process capability (Cp) or the adjustment of the process capability toward a specification (Cpk) would help managers quantify their process risk. The objective would be to achieve the highest economically feasible capability for each process, thus minimizing the risk of producing so-called unintended output.
6.1—Actions to address risks and opportunities
“When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 (4.2 Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed to:
a) assure the quality management system can achieve its intended outcome(s)
b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.”
The context of the word “risks” is difficult to interpret given the requirements stated in a) through d) of subclause 6.1. For example, how does one determine the risks and opportunities to assure the quality management system can achieve its intended outcomes? The intent has always been to ensure that the quality management system is effective, and this is verified via the audit process. The insertion of the word “risk” does not help and confuses things. Nevertheless, these risks can be quantified by simply looking at nonconformance percentages (per process and at final output), but this is already established via the use of process capability measures.
“The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction.”
Good to know and a wise decision, but this could well be seen as an escape clause by many companies.
8.3—Operational planning process
“In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate:
b) actions to identify and address risks related to achieving conformity of goods and services to requirements;”
This is nothing more than a repeat of what has already been stated.
8.5.1—Development processes
“In determining the stages and controls for the development processes, the organization shall take account of:
e) the determined risks and opportunities associated with the development activities with respect to
1) the nature of the goods and services to be developed and potential consequences of failure
2) the level of control expected of the development process by customers and other relevant interested parties, and
3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.”
This is already done in some industries (e.g., automotive and avionics) but is not likely to be documented for all to see. Who will document these risks for future lawyers to see? If a company acknowledges that there is a small risk (let’s say a one-in-one-million chance) that something wrong could happen, lawyers would say that the company knew that there was a risk and is therefore liable. You can’t have zero risk; no one will want to pay the cost of developing a product with zero risk. This idea to either quantify and/or document risk for all to see is unrealistic from a legal point of view. However, lawyers will love it.
8.6.5—Post delivery activities
“The extent of post delivery activities that are required shall take account of:
a) the risks associated with the goods and services”
This sounds like a rephrasing of warranty-cost analysis; major companies have done this for a long time, but I don’t know about small to medium-size companies.
9.1—Monitoring, measurement, analysis and evaluation
“The organization shall take into consideration the determined risks and opportunities and shall:”
This is vague, but there are important issues to address relating to inaccurate measurements or insufficient measurements. Gauge repeatability and reproducibility (Gauge R&R) addresses many if not most of these issues and I don’t see how adding the word “risk” brings any value to this paragraph except that now one must think of the missed “opportunities” for measuring (or rather, not measuring) and the associated risk.
9.2—Internal audit
“The organization shall:
a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;”
Internal auditors would now have to assess the risk of failing to do something or the risk of not following a procedure. This would be challenging to quantify and assess. Potential risks would also have to be assessed, which would be even more challenging.
10.2—Improvement
“The organization shall improve the quality management system, processes and goods and services, as appropriate, through responding to:
c) changes in identified risk (see 6.1);”
One could do failure mode effects and analysis (FMEA) to show that the risk-priority number has decreased as a result of a process change. This would not be difficult to do but full of uncertainties because FMEA is based on subjective assessment. All of this work can give the illusion that all is well or even that things are getting better, until the famous black swan (unforeseen outlier) shows its ugly head, thereby demonstrating that risk analysis is by definition a risky business.
The bottom line
ISO 9001:2015 may truly be a paradigm shift standard.
The referenced italicized subclauses of ISO 9001:2015 are copyright of ISO and are used within the context of fair use for public review of the standard.
This article was first published Aug. 1, 2013, in CERM RISK INSIGHTS.
Comments
A Risk Horror Picture Show?
Reviewing my comments on CERM e-magazine, I cannot but underline my agreement with Mr. Lamprecht's analysis: there is a basic weakness in risk assessment, prediction and prevention, and that is extreme subjectivity. While with quality we all were more or less well off, having to work according to product drawings or specifications, risk is instead an extremely volatile matter. Just writing these few lines, I'm doing my best to stay on the specified topic road, but I still run the risk that somebody reading them will disagree. We are undergoing an abrupt change from strict, monolithical management systems to all too flexible ones: that's a real risk.
Add new comment