The requirement:
When planning for the management system, the organisation is required to consider
article 4.1 (internal and external context in which the organisation operates) and article
4.2 (the requirements of interested parties) and establish the risks and opportunities that
need to be addressed in order to:
1) Assure that the management system can achieve its intended results,
In addition, the organisation must plan appropriate actions to address these risks and
opportunities and also to integrate and implement the actions into the management
system processes (see article 4.4) and evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities must also be proportionate to the
potential impact on the conformity of products and services.
Comment:
Section 6.0 of ISO 9001:2015 is primarily concerned with the “Plan” part of the Plan, Do,
Check, Act cycle.
The concept of risk has always been implied in the 9001:2008 standard, i.e. the now
deleted reference to “Preventive Action.” The 2015 update, however, makes it much
more explicit and builds it into the whole management system. From the Introduction,
where the concept of risk-based thinking is first explained, to Clauses 4, 5, (6) 9, and 10,
risks and opportunities are required to be considered and acted upon. (Risk-based
thinking is also implied in clauses 7 & 8, as risk can be considered implicit whenever
“suitable” or “appropriate” is referred to.)
The intent is that by addressing risk throughout the business processes, the output
quality is more consistent and customers more likely to receive the required products or
services. The emphasis on organisations assessing their own unique risks and
opportunities has also enabled a reduction in prescriptive requirements in the standard.
(Critics would term this as being more “woolly.”)
IE: What is the probability and severity? (What is acceptable or unacceptable and hence
requiring mitigation?)
Methods might include:
Research,
Analysis of data,
Formal risk assessment / prioritisation tools such as: Brainstorming, FMEA, Risk
Registers, Pareto Analysis, Pugh Matrix,
Meetings output.
For Risk:
Actions to avoid the risk, deciding to take an identified acceptable risk in order to pursue
an opportunity, eliminating the risk at source, changing the probability or consequences,
sharing the risk, or retaining risk by informed decision.
(Remember, planned actions must be proportionate.)
Improvement projects,
Action plans,
Design Reviews,
Capital Investment plans,
The revision of old, or the setting of new, objectives,
Training,
Procedures / work instructions review,
Note:
For complex systems, an alternative, highly structured process may be required (i.e. Six
Sigma).
ISO 31000 Risk management – Principles and guidelines may also be a useful
reference for organisations that require a more formal approach to risk. It can be used
by any business regardless of its size, activity or sector, but its use is not a mandatory
requirement of ISO 9001:2015.
(See also article 9.1.3 Analysis and Evaluation)
Audit Check:
These guidelines and lists are by no means exhaustive and every organisation will have
its unique risks and opportunities. However, businesses need to be prepared to
demonstrate to auditors that a systematic, planned methodology is in place that allows
them to determine the risks and opportunities relevant to the planning and
implementation of the management system.
As risk-based thinking is now embedded throughout the standard, auditors are being
advised to assess compliance when conducting audits across the entire breadth of the
management system, including when interviewing top management (risk can of course
impact on the business strategy) and ensuring that the effectiveness of planned actions
(Act) has been followed up, as this is the most common point of failure in the Plan, Do,
Check, Act process.
Dave Barker is a Chartered Independent Quality Practitioner, who through his company
Relevant Business Solutions, delivers flexible, quality management support to
organisations across the Midlands.