There are six (6) implementable clauses within ISO 9001:2015 Quality Management System Standard.
Within this series of posts over the next six weeks we will discuss the requirements of all six clauses and the correct interpretation of each.
6.1 Actions to Address Risks and Opportunities
Clause 6.1.1 is a new requirement, so you should allow additional time to prepare for each audit in order to establish a suitable understanding of the new requirements and how they should be implemented. You should seek and record evidence that your organization has planned and implemented a process to effectively identify risks and opportunities with respect to QMS planning. Reference to risk-based thinking is present in the following clauses:
1. Determine and address risks (Clause 4.4.1);
2. Promote risk-based thinking (Clause 5.1.1);
3. Ensure risks determined and addressed (Clause 5.1.2);
4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
6. Control those risks identified (Clause 8.1);
7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
8. Review effectiveness of actions on risks (Clause 9.3.2);
9. Improve the QMS in response to risk (Clause 10.3).
The risks and opportunities should be relevant to the context of the organization (Clause 4.1) as well as to any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively.
You should seek and record evidence of the following types of input that might be used by your organization for risk and opportunity determination:
1. Analysis of external and internal issues;
2. Strategic direction of the organization;
3. Interested parties, related to its QMS, and their requirements;
4. The scope of QMS of the organization;
5. The processes of the organization.
Clause 6.1.2 is a new requirement, so you should allow additional time to prepare for each audit in order to establish a suitable understanding of the new requirement and how it should be implemented.
You should seek and record evidence that your organization has taken a planned approach to addressing risks and pursuing opportunities to the benefit of the QMS and the organization. Check that any actions taken to address the risks and opportunities are recorded, that each action was effective at addressing the issue, and that the action taken was proportionate to the risk or opportunity. Objective evidence could take various forms, including:
1. Meeting minutes;
2. SWOT analysis;
3. Reports on customer feedback;
4. Competitor analysis;
5. Brain-storming activities;
6. Planning, analysis and evaluation activities;
7. Strategic planning documents;
8. Design and development reviews;
9. Marketing and sales data;
10. Production inspections and service reviews;
11. Corrective actions;
12. Non-conformance reports;
13. Management review minutes;
14. Risk determination or evaluation records.
Why is Risk Management Important?
The concept of risk in the context of ISO 9001:2015 relates to the uncertainty in achieving the organization's objectives. Risk influences every aspect of your organization's operations; by understanding the risks you face and managing them appropriately, you enhance your ability to make better decisions and to achieve those objectives.
Your organization should view the management of risks to its people, assets and all aspects of its operations as an important responsibility, and should implement and maintain a risk management process that supports it in meeting those responsibilities.
An effective risk management approach is not only good business practice but provides organizational resilience, confidence and benefits, including:
1. Provides a rigorous decision-making and planning process;
2. Provides the flexibility to respond to unexpected threats;
3. Takes advantage of opportunities and provides competitive advantage;
4. Equips managers with tools to anticipate changes and threats, and to allocate appropriate resources;
5. Provides assurance to top management and stakeholders that critical risks are being managed appropriately;
6. Enables better business resilience and compliance management.
Risk Management Methodology
Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.
By considering risk throughout your organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:
1. Improve customer confidence and satisfaction;
2. Assure consistency in the quality of goods and services;
3. Establish a proactive culture of prevention and improvement;
4. Make a risk-based approach intuitive throughout the organization.
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using this approach:
Risk Management Information
Documented information resulting from risk management activities such as risk management processes, plans and reports, etc. should be maintained or referenced in either a risk management file or other appropriate sources:
1. Design history file;
2. Technical file/documentation;
3. Device master record;
4. Device history record;
5. Process validation files.
Your organization should consider the benefits of integrating the risk management processes, documents and records directly into your quality management system. The advantage of this could be a single document control system, ease of use and review, accessibility, retention, etc.
Document controls, including document change controls, for risk management system documentation should be the same as the controls for quality management system documentation. This documentation can be in any form or type of medium.
Communication of Risks
Within your quality management system, consideration needs to be given to internal and external communication of risk. Internal communication is necessary so that all appropriate personnel are aware of the residual risks that remain even after risk control measures have been implemented.
Your organization might outsource the provision of some processes or the manufacture of components, sub-assemblies or entire units. In order to maintain control over the processes, your organization should incorporate appropriate risk management activities for these processes and products by planning and by ensuring risk control measures are appropriately applied.
Before the approval and implementation of a change to any outsourced process or product, your organization should:
1. Review the change;
2. Assess if new risks have been discovered; and,
3. Determine if current and/or new individual residual risks and/or the overall risk is acceptable according to the predetermined existing acceptability criteria.
If risk control measures are applied to outsourced process or products, the risk control measures and their importance should be documented within the purchasing data or information and clearly communicated to the supplier.
Design & Development
Risk management activities should begin as early as possible in the design and development phase, when it is easier to prevent problems rather than correcting them later.
For each identified hazard, estimate the risk under both normal and fault conditions. In risk evaluation, decide whether risk reduction is needed. The results of this evaluation, such as the need for risk control measures, then become part of the design input.
While not mandated by ISO 9001:2015, risk registers help identify and record the risks and opportunities facing different areas of the business, and identifying a risk is the critical first step in managing it. A risk register allows your organization to assess each risk against the overall context of the organization and to record the controls and treatments applied to it. Risk registers can be developed in tiers:
1. Strategic level;
2. Operational level;
3. Process level.
The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table, which presents a great deal of information in just a few pages. Some of the most widely used components are:
1. Description of the risk;
2. Risk type (business, project, stage);
3. Likelihood of occurrence, which provides an assessment of how likely it is that this risk will occur;
4. Severity of effect, which provides an assessment of the impact that the occurrence of this risk would have on the project;
5. Countermeasures and actions taken to prevent, reduce, or transfer the risk, which may include the production of contingency plans;
6. Risk owner, who is responsible for ensuring that the risk is addressed and the countermeasures carried out;
7. Current status, recording whether the risk is still live or can no longer arise and have an impact;
8. Other columns, such as a quantitative value, can also be added.
As the register is a living document, it is important to record the date on which each risk was identified or last modified. Optional dates to include are the target and completion dates.
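The register described above, as an added example rather than anything from the original post or from ISOQAR: a small Python risk register with the columns listed (description, type, likelihood, severity, countermeasures, owner, status, identification and modification dates, plus the tier from the previous section). The three-point likelihood and severity scales, the score threshold used as the acceptability criterion, and the three sample risks are all assumptions constructed for the example; substitute your organization's own scales and criteria.

```python
"""Tiered risk register with inherent and residual scoring (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed 3-point ordinal scales; an organization would define its own.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Assumed acceptability criterion: likelihood x severity at or below this value.
ACCEPTABLE_SCORE = 3


@dataclass
class Risk:
    risk_id: str
    description: str
    risk_type: str                 # business, project or stage
    tier: str                      # strategic, operational or process
    likelihood: str                # inherent likelihood, a LEVELS key
    severity: str                  # inherent severity, a LEVELS key
    owner: str
    identified: date
    modified: date
    countermeasures: list[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None
    residual_severity: Optional[str] = None
    status: str = "open"           # open or closed
    target: Optional[date] = None
    completed: Optional[date] = None

    def inherent_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.severity]

    def residual_score(self) -> int:
        # Until a countermeasure records a residual rating, residual == inherent.
        lk = self.residual_likelihood or self.likelihood
        sv = self.residual_severity or self.severity
        return LEVELS[lk] * LEVELS[sv]

    def acceptable(self) -> bool:
        return self.residual_score() <= ACCEPTABLE_SCORE


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        for level in (risk.likelihood, risk.severity):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}")
        self._risks[risk.risk_id] = risk

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]

    def treat(self, risk_id: str, countermeasure: str,
              residual_likelihood: str, residual_severity: str, on: date) -> Risk:
        """Record a countermeasure and the residual rating; stamp the modified date."""
        for level in (residual_likelihood, residual_severity):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}")
        r = self._risks[risk_id]
        r.countermeasures.append(countermeasure)
        r.residual_likelihood, r.residual_severity = residual_likelihood, residual_severity
        r.modified = on
        return r

    def close(self, risk_id: str, on: date) -> Risk:
        r = self._risks[risk_id]
        r.status, r.completed, r.modified = "closed", on, on
        return r

    def open_risks(self) -> list[Risk]:
        """Open risks, highest residual score first (ties broken by id)."""
        live = (r for r in self._risks.values() if r.status == "open")
        return sorted(live, key=lambda r: (-r.residual_score(), r.risk_id))

    def needing_treatment(self) -> list[Risk]:
        """Open risks whose residual score still exceeds the acceptability criterion."""
        return [r for r in self.open_risks() if not r.acceptable()]

    def by_tier(self, tier: str) -> list[Risk]:
        return [r for r in self.open_risks() if r.tier == tier]

    def to_table(self) -> str:
        head = f"{'ID':<7}{'Tier':<12}{'Inh':>4}{'Res':>4}  {'OK':<4}{'Modified':<12}{'Owner':<10}Description"
        rows = [head]
        for r in self.open_risks():
            rows.append(f"{r.risk_id:<7}{r.tier:<12}{r.inherent_score():>4}"
                        f"{r.residual_score():>4}  {('yes' if r.acceptable() else 'no'):<4}"
                        f"{r.modified.isoformat():<12}{r.owner:<10}{r.description}")
        return "\n".join(rows)


def build_sample_register() -> RiskRegister:
    """Constructed sample data (not from the original page)."""
    reg = RiskRegister()
    d0 = date(2024, 1, 10)
    reg.add(Risk("R-001", "Unverified firmware from outsourced supplier", "business",
                 "process", "high", "high", "J. Smith", d0, d0))
    reg.add(Risk("R-002", "Single production line outage", "project",
                 "operational", "medium", "high", "A. Jones", d0, d0))
    reg.add(Risk("R-003", "Key customer contract not renewed", "business",
                 "strategic", "low", "medium", "P. Lee", d0, d0))
    reg.treat("R-001", "Require signed firmware; verify hash at goods-in",
              "low", "high", date(2024, 2, 15))
    return reg


if __name__ == "__main__":
    print(build_sample_register().to_table())
```

Inherent and residual ratings are kept side by side so the register shows both the risk as first identified and what remains after each countermeasure, which is what an auditor checking Clause 6.1.2 wants to see; the `treat` method stamps the modification date because the register is a living document.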
Auditing Risk Management
The primary objective of auditing the risk management process is to provide an assurance framework that underpins the risk management process. This should include reviews of processes and controls over high risks as determined through the risk planning process.
The internal audit function provides independent appraisal of the adequacy and effectiveness of internal controls. Recommendations should be provided, where applicable, for improvements to controls, efficiency and effectiveness of processes.