1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Register of Risks, live document?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Qualmx, Sep 9, 2017.

  1. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Hi all
    I wonder hoe to manage the Register of Risks, regarding as to how to have evidences of risks analized.
    It could be the Register of risks a "live" excel file, where is mentioned the risk, responsible, risk value, action plans, severity,etc.?

    But at managing the risks, it may be moved/modified data of risks, and could not be well traceable.

    Would not be better in practice to have general data in the "live" excel, only the number of risk, the the description of the risk, and general values, and have an additional data sheet of every analized risk?

    In this sheet, it could be an Amef, Decision tree,fishbone analysis, describing the detail of the risk, the values, the severity, the responsibles, the calculation of the risk Impact =PxI,etc.
    This data sheet it could be stored as a PDF file in the network.

    In practice What documents/format are recommended to have the risk documented?
    and which of them could be "live" documents and why?

    Please share your comments, thanks
     
  2. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Your approach in addressing risks and opportunities may not be the same as the other QFO members' approaches. I'm afraid they cannot specifically provide you the answers you are requesting. Anyways. My approach in RBT primarily happens during our planning processes. When we had the strategic planning, we made use of the SWOT Analysis to establish our strategic directions. For our operational planning, we used a tool similar to FMEA but without the rating and computation of the priority number.
     
    Qualmx likes this.
  3. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Thanks Tonys
    But, how do you rate your operational risks? Including those where you use fmea?
    Dont you do an analysis for each risk detected?
    Could you explain a little bit more?
    How do you evidence risk thinking?
    Thanks
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    For each process, we determine risks and opportunities and the actions to address them. The actions are then integrated into the controls for the process being analyzed. Some actions will be reflected into the documented procedure. We don't need to analyze the level of risks in terms of severity, occurrence and detection like in FMEA in manufacturing. There's no requirement to analyze the level of risk, ISO 9001 only requires to determine. Below is a sample of the tool we use to determine risks/opportunities and actions.
    upload_2017-9-12_21-16-41.png
     
    The PPAP Assassin and MCW8888 like this.
  5. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Thanks Tony,
    1- Im implenting a criteria PxI, probability x impact, additonally a fishbone to detect causes, then apply action plans.
    Muy business Is small, 60 people, not risky, do you think it Is worth the time/effort for this method?
    Do you have a procedure for the risks addressing?
    Pelease, feed me back
    Thanks
     
  6. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Other point, if dont rank risks, what criteria do you follow to prioritize them?
    Which to discard and take?
    Thanks
     
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    No need for prioritization for us. We only need to determine and ensure actions are taken to address them.
     
  8. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Tony, thanks again

    Dont you think your approach it may result short in benefits compared to implement an approach where probability and impact is measured?

    Please give your comments regarding my approach, do you see that really will it help an organization?

    As I told you , is a small organization, and products are plastic bags and boxes.

    Im afraid that could be to add some task to people additionally to what they have.
    and considering that the standard, only asks RBT.

    Have you have any experiences in other companies?

    Thanks
     
  9. Nick1

    Nick1 Member

    Joined:
    Jan 27, 2016
    Messages:
    49
    Likes Received:
    20
    Trophy Points:
    7
    Hi Qualmx,

    We have seen this issue with some of our customers as well. You can always link your actions of the actionlist to parts of particular risks and track it like this. We wrote a small on article on what to do when the initial risk assessment is performed.
    http://blog.qooling.com/risk-assessment-done-now-what/
     
    Qualmx likes this.
  10. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Thanks Nick1

    Very interesting article,
    I wonder if the Risk treatment plan yo mention could be the same I have, Im thinking in a(Register of risks).
    Into it, Im registering the risk, the source, the value of risk, the mitigation plans with due dates, and responsibles, so when I want to see whats new on risks, I check out this excel file.
    Additionally I have a like a technical sheet, (excel file, where I do the analysis PxI, also use a fishbone to find root causes, this is done for every risk detected, this way when we wanted to know which criteria was followed, well I have this evidence.
    Maybe it is somewhat demanding for the people in my business, lets say regarding to risk assessment from 1 to 10, Im in a value of 3.
    1 is zero analysis, no value calculated, 3 like me, and 8 or 9, using FMEA ,decision tree and so on.
    Thanks for your input.
     
  11. Nick1

    Nick1 Member

    Joined:
    Jan 27, 2016
    Messages:
    49
    Likes Received:
    20
    Trophy Points:
    7
    The plan could be the same or you can just distribute tasks to people. Cause you mitigation plan is probably a list of actions right? If that is the case you can manage the tasks lists and when they asks of a certain risks are all done you can adjust the risk level appropriately.

    Regarding resetting the action risk value P*I you can just talk with them why they think the risk changed and talk it over with them. Yes you can use a root cause for this but is there always a root cause to a risk? I don't know to be honest. Is there a root cause to the risk of fire. If it has happened there is a root cause but is there a root cause to the risk itself?
     
  12. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Since we don't bother ourselves to assess the level of risks like what your organization has opted to do, all risks/opportunities that we identify are acted upon - regardless of level. When we create or revise procedures, each procedure is required to have this ROA (risks/opportunities and actions) analysis. It has the same concept like preparing an FMEA before a Control Plan. All the controls that are or will be incorporated into the procedure are captured in our ROA Analysis form. The form is a "living" document and can be updated anytime new risks/opportunities are identified by the process owners. Occurrence of nonconformities can also trigger the update of the ROA Analysis form. The updated ROA form can be used as one of the basis for initiating change in the procedure/process.
     
  13. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Tony I got, this from you (other site)


    RBT can be factored into the following processes:

    • when we introduce corrections or corrective actions (identification of the "residual risks" or the remaining risk after treatment can be considered);
    • when auditing the processes (auditors may check if there are controls in place on the risks that may occur in the realization of their processes, if not available then OFIs can be identified.
    Could you clarify this:
    in bold you say "after treatment can be considered", I wonder taken in account or carried out, I mean after have defined the actions and before actions are carried out? or after have been carried out action plans?

    Thanks
     
  14. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Did you mean, whether I consider RBT "after treatment"? My answer would be YES.
    If we look at the requirements in clause 10.2.1:
    10.2.1e requires us to "update risks and opportunities determined during planning, if necessary";
    and it comes after 10.2.1a to 10.2.1d - where actions are already taken and evaluated for effectiveness.​
     
  15. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Thanks
    I refer to residual risk, if this is evaluated after all action were carried out?
    in this point, and according to the residual risk, I decide if I close the risk or apply another action?

    Or it is calculating residual risk before decide to take any actions.

    For example: I may face a risk, then do a first evaluation and is high, ok, but immediately I can make a like simulation supposing a special action and run again the evaluation (which is residual risk) and after this second run, I may have an acceptable value and then, Is good for me this special action, and then I will carry out this action.

    I mean calculate the Residual risk before doing something.

    I hope is clear my explanation.
     
  16. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    My approach is just simple. If I identify any risk (before, during or after implementation of any action), I will have to determine appropriate action/control to address the risk. I don't need to calculate any prioritization number to initiate my actions.
     
    Qualmx likes this.
  17. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Thanks tony s
     
  18. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Hi Tonys, I m planning to implement R Y O in the easiest way, I like your approach.
    although it seems easy and simple, but to understand it clearly I ´d like to have an additional guide.

    Could you provide some other examples, additional to Purchase process you shared?
    in order to catch better your approach?

    Thanks you so much