Risk-Based Thinking: Is This Something New?
Not really, but it does require a new way of planning
Inderjit Arora
Published: Monday, March 27, 2017 - 11:02
Risk-based thinking can be considered the fundamental change in ISO 9001:2015. Compared to ISO 9001:2008, where preventive action (PA) held a spot in the “act” phase of the plan, do, check, act (PDCA) cycle, risk now appears in the “plan” phase and at each stage thereafter. This change formalizes an idea that has been around since at least 1546, when John Heywood coined the proverb, “Look before you leap.”
Per clauses 4.1 and 4.2 of ISO 9001:2015, it is therefore reasonable that the context of an organization should be considered during the planning phase, as well as before it, together with the needs of interested parties. Based on these inputs, risk also should be considered, per clause 4.4.1 f: “address the risks and opportunities as determined in accordance with the requirements of 6.1.”
This makes me wonder: Has the standard previously not addressed risks posed to quality management systems (QMS)? Risk was always considered, but inferred and inadequately interpreted by organizations. Only now has it been systematized as a requirement. Throughout ISO 9001:2015, in clauses related to each stage of the PDCA cycle, there is a requirement to address the risk.
Can you imagine a general planning a war strategy without appreciating the risks involved, per clause 9.1.3, which requires analysis and evaluation? Perhaps this is an opportunity for the rest of the world! In real life do we not consider various risks as we send children to school, select toys, and plan expeditions? The details we go into are based on the context of what we are doing and the parties involved. Therefore, if an organization manages a simple production line to manufacture toilet rolls, the context and risk would be different than those involved in operating a nuclear plant.
But why call it “risk-based thinking” and not risk management? ISO 9001:2015 has to be applicable across industries and to organizations of various sizes. It remains a process-based standard. Should an organization need a formal risk-management system, the standard refers to ISO 31000:2009—“Risk management.”
Risk-based thinking asks that everyone in the organization think about the risk of doing, or not doing, their assigned tasks. This concept was implicit in earlier versions of ISO 9001, too, but now organizations are systematically required to understand the context (clause 4.1) and then determine risks before planning (clause 6.1).
Although the revised standard does not mention preventive action, a QMS is a preventive tool. With risk replacing preventive action, the QMS has become more effective as a philosophy. Moreover, risk no longer has a strictly negative connotation. It simply must be addressed, and where applicable, it should be taken as an opportunity for improvement. Risk input may lead to a positive and innovative idea.
As organizations transition to ISO 9001:2015, or seek to become newly certified, they must not go into “panic mode.” It’s helpful to remember that risk has always been considered in the standard, but companies are now required to be proactive rather than reactive in their considerations. With its high-level structure (HLS), ISO 9001:2015 is actually more logical, simple, user friendly, customer-focused, and aligned with modern technologies. And it’s applicable to both manufacturing and service industries.
At a very basic level, all that an organization has to do is consider these six steps:
1. Make a list of the organization’s hazards. These should be identified in various processes by process owners. Where an organization is departmentally organized, the department heads should consider these.
2. Having listed the risks, the impacts or potential harm should be listed against each risk.
3. The departmental lists can be consolidated into an organizational list under the direction of top management or a designated quality manager.
4. Evaluate each risk and its associated impact or potential hazard to assign a priority or significance number.
5. With top management’s involvement, decide how to isolate, minimize, accept, transfer, or eliminate the risk.
6. These risk-minimizing decisions then require a specific plan. Come up with proposed actions for each risk, including assigning responsibility and a completion date for them. Process owners must also agree with top management on the frequency of monitoring the progress.
7. This can be further expanded, if necessary and within the context of the organization, by considering the likelihood of detection.
The standard asks organizations to plan to address risks but does not specify the need for a documented plan. However, a well-documented plan to address risks can only benefit an organization and add value.
Inderjit Arora is the President and CEO of Quality Management International Inc. (QMII). He serves as a team leader for consulting, advising, auditing, and training in management systems. He specializes in several ISO and industry-specific standards. He is an Exemplar Global certified Lead Auditor and is on the US TAG-176 committee, and a member of the US Submarine League. IJ is a popular speaker at several universities and forums on management systems, conflict management, crisis communication and leadership. Dr. Arora is a Master Mariner with an MBA from the College of William and Mary and additionally MSC in defense studies and graduation in nuclear sciences. He has a 32-year record of achievement in the military, mercantile marine, and civilian industries. He writes a blog and contributes to several professional magazines, including Quality Digest. His articles have been published in the USCG Proceedings.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest” is a trademark owned by Quality Circle Institute, Inc.
Comments
ISO 9001 is not a business excellence model
Hi,
Nice article Dr Arora, thanks, I agree with you..but..there's always one of those!
Corrective Action and Preventive action "in accordance with the risks encountered" was in the standard when I did my Lead Assessor course in 1984, long before BS 5750:1979 became ISO 900x in 1987 and it's been there with different words up to the 2008 version.
Even back then, and nothing has changed in my opinion, "preventive action" (= RBT) required two approaches, reality and crystal ball gazing.
The reality approach came from the investigation into the causes of the nonconformity that happened, where the idea was to avoid REcurrence. The "preventive" questions were, "How else, and where else could a similar nonconformity OCcur?". The point here was that one was dealing with a real event and the answers were tangible.
The second approach was the proverbial crystal ball gazing that in my view was seriously less effective when it came to identifying real issues to deal with. The reason for that was general ignorance of the tools necessary to do it properly, such as those described in ISO 31010 and those in the Memory Jogger II from GoalQPC.
Ok, that's all well and good, except that I'm seeing two alarming trends since ISO 9001:2015 destabilised a previously stable model.
The first is that ISO 9001 is about business excellence, it isn't and never has been, check the scope at clause 1. It's still only a litany of check points to assess if a supplier is OK to do business with. It doesn't even get into professional quality assurance (eg SPC, TGM, LSS), ensuring the business is commercially viable or that staff are being looked after properly (as per Sir Richard Branson's philosophy, perhaps).
The second alarming trend is "management by internal audit". Back in 1984 there was no internal audit requirement, it first appeared as ISO 9001:1987/4.17. Beforehand system implementation was down to management plain and simple and quality management systems were much more effective because of it.
So, to contain RBT within the defined scope of ISO 9001 all that is necessary is to consider the risks associated with being unable to deliver against the supply agreement, which is where the whole thing came from when the standard was known as the Allied Quality Assurance Procedures (AQAPs) released by NATO Committee AC-250 in 1969.
Cheers
Ian