
Help identifying risks - ISO 9001:2015

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Rafael J Mateo C, Sep 10, 2015.

  1. Rafael J Mateo C

    Rafael J Mateo C New Member

    Hello,

    I am having a hard time trying to differentiate risks from nonconformity in practice. I understand the concepts in theory, but when I'm trying to identify risks I come up with nonconformities that have happened before and might happen again, so I don't know if I'm on the right track.

    In short, my confusion is if a risk is strictly something that has not happened before or if it can be something that has already happened and can happen again?

    I am using a simpler version of FMEA to implement the Risk Management Approach of ISO 9001:2015, in which I identify the risks, effects, possible causes, probability, impact and action plan.

    Thanks!
     
  2. Somashekar

    Somashekar Well-Known Member

    Risk of an occurred nonconformity exists if the determined corrective action for it was either inadequate or not implemented as planned.
    So evaluate yourself, what has been the effectiveness of the corrective actions taken so far.
    Highly effective CA >> very low risk
     
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Why are YOU trying to do it? Surely, the leadership of your organization should be working on this?
     
  4. MCW8888

    MCW8888 Well-Known Member

    My suggestion is to hold a Management Review this month and introduce the new ISO9001:2015 to Top Management. He/she needs to know how this standard impacts his/her stakeholders. Then you can mention the 2 most important changes: Risk and Change Management. You need to generate an action plan, perhaps to invite one of these experts in QFO (for a modest fee of course!) to give an awareness training of the standard (at your site) to Top Management. Then we hope the transition journey will go smoothly. :)
     
  5. hogheavenfarm

    hogheavenfarm Well-Known Member

    Ha ha - funny Andy. I believe the last time I worked on this my boss said "You are the expert, that's what I pay you for!". My issue with 9001:2015 is precisely this, the emphasis on involving the management will not be successful in smaller companies, as they have no desire to be involved in "your" department. Thus I predict most will retain the MR position and the quality manual and things will simply continue as they have been. It will be up to the poor MR to figure out how to 'involve' management without actually involving them.
    Yes, I know as a quality professional that this is not the way it should be, but it is the way it is for a large number of companies. I have written up the proposed SWOT and filed it with management for approval, (lack of any response indicates approval!) Frustrating but until the economy improves and options open up, this is the way it is for many. Consider yourself highly fortunate if your position is otherwise.
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    I'd suggest "awareness training" doesn't do anything practical. How about do an audit and then use the results to debrief against the standard? Much more meaningful, plus they'll get a read-out on risk based thinking (if the auditor knows what they are doing). "Awareness" doesn't add practically, until you give the management a practical situation to deal with. They will leave, nodding in agreement (who won't agree?) and then do nothing, because they don't know how the standard compares to what their process does.
     
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Hogheaven: I don't subscribe to "doing the same thing and expecting a different result"...
     
  8. hogheavenfarm

    hogheavenfarm Well-Known Member

    I don't either, Andy - I agree.
     
  9. Bev D

    Bev D Moderator Staff Member

    Off topic: A lack of management caring and a less than robust economy - the age-old dilemma for us. Short of management that actually cares, perhaps the better approach is for ISO to focus less on what needs to be done and more on who needs to lead it. Imagine the difference if auditors talked only to senior leadership? Imagine the difference if leadership had to personally demonstrate how their teams complied with the standard? Or had to explain how they planned to improve quality? How about having to explain how they reacted to quality excursions and reports of Customer dissatisfaction since the last audit? And what if the auditors had the actual power and actually utilized it to suspend certifications based on direct leadership response?
     
  10. James

    James Active Member

    I often use that very dilemma to prioritize which battles I undertake when :). Fortunately for me we are a small growing company. Which means some things I'm ready for us to do but people not in quality are not will become apparent and they come on board. I can imagine how much harder this would be in an already established QMS in a large company.
     
  11. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Apparently, it is the Top Management that needs to be Audited on the requirements of Clause 5. Have the Auditors, by and large, paid full justice in auditing these requirements? In my experience, the answer is a big, bold NO.
     
  12. Nick1

    Nick1 Member

    Hi Rafael,

    IMHO it is good to identify every single risk, even if it already happened, even if you already mitigated the risk. This mitigation reduced the likelihood of the risk but it doesn't make it disappear completely.

    I found this article. It might help you.

    http://blog.qooling.com/risk-management/
     
  13. Bev D

    Bev D Moderator Staff Member

    Risk is a horrible, terrible word. First, it's a vector: risk is the magnitude and probability of an undesired event.
    Every non-conformance or functional failure has some risk: there is the magnitude - or severity - of its effect and its occurrence rate.
    If the non-conformance or failure hasn't occurred yet there is still risk: the magnitude or severity of the event and its probability of occurring at some occurrence rate.

    When you are identifying risks, you are first identifying the potential non-conformances and failures (and other undesired events like late shipments, a supplier going out of business or a critical employee quitting or dying), then you determine the risks (magnitude and probability) inherent with those events.

    Does this help?
     
  14. MCW8888

    MCW8888 Well-Known Member

    I have recently used the RISK-BASED thinking in addressing internal issues that were caused by suppliers. I reviewed, with Management, our SWOT analysis and the QMS risk analysis (the template in the RESOURCE of this forum can be used instead of simplified FMEA). There were 2 things we found: (1) Supplier issue is a THREAT to our organization and need to elevate Supplier control at a HIGH RISK. Then we looked at the action plan or improvement, and found out that whatever was written there was not enough to mitigate the HIGH RISK. A Corrective Action Plan was raised to prioritize our supplier because there is no such thing as one-size-fits-all supplier re-evaluation process. Some of them will need to be monitored more often. The responsibility of CP was re-iterated. We will now wait and see if the CAR is effective. I hope so, anyway.