What is the best way to approach risk management for our company?

Risk management isn't, but "risk based thinking" is! I use my photo to demonstrate "RBT". Unlike some folks, I don't care to put my welfare in the hands of people I don't know... So:

• I wear a full face helmet
• My clothes are all EU padded, even the jeans which also have Kevlar sewn into them. I wear this or something similar every time "ATGATT"
• I attended an MSF foundation course and will sign up for the advanced course next year.
• I've got 40 years of driving experience in many countries, different vehicles and terrains. I've studied the British Police motorcyclist's "bible".
• I've added louder horns
• I've studied and can tell you the typical reasons for motorcycle accidents and where to position myself in the road, look for escape routes in the event.

None of this is written anywhere by me - I can show someone what I researched etc. I understand the risks and, importantly, the opportunities presented. I LOVE riding my bikes...

 

Why? Surely, it's going to be based on the "context of the organization"? I didn't write it down because my risk and opportunities are personal. In a small organization, it might not be needed to commit risks to paper. However, as the size of the organization grows, products become complex etc, then yes, writing it down may well be necessary for risk treatment purposes etc. But to flat out accept that auditors will expect it to be documented is capitulation to the old school world of doing things to please auditors...

 

Do you mean your process owners will do this? Please don't overlook the fact that ISO 9001:2015 doesn't HAVE a management representative to (in part) stop one person doing all the work...

 

I agree with Andy that the clause "context of the organization" applies, and I would add "relevant" which is determined via the organization's self definition of its context.

Where the standard requires documented information, CB auditors can be expected to ask for it. Otherwise, the expectation is to "demonstrate" which can be accomplished with (one or more of) documentation, observation and interviews. If your auditor is insisting for documentation that is not required, you have the right to dispute if a resulting nonconformity is issued. Like kids and puppies, auditors who get it wrong should be corrected as soon as possible. For that reason (and I expect some auditors to misinterpret the requirements) I hope to see clients exercising their right to dispute.

There is an idea out there that everything will need to be written down. But if you have identified risks to success through faulty raw materials, mis-processing, incapable operators and poor handling during shipping process, you can establish controls to manage outcomes in these things and a means to know it's working. Do that and it's pretty obvious you have addressed risks... we don't need to be hit over the head to absorb facts, but it would be helpful for client organizations to develop a comfort level necessary to walk us through how you've determined and addressed risks.

Opportunities can be harder to identify. They are considered the positive side to risk. Machine maintenance can help ensure ship dates are met, but can also avoid time consuming repairs and replacing costly parts. A consultative approach to communicating with employees can help the flow of improvement ideas from the "trenches" to levels where resources are allocated, but they may provide the added benefit of reducing turnover and recruitment costs among demographics in which employees like to have some say in how their work areas are managed. Projections for both of these types of prevention can't be pinpointed specifically but should still be recognized as what we could call collateral benefits.

 

It can't be too difficult for an auditor to (begin to) ask: "What's the process?" then expand on things like what are the objectives, how do you measure it and control it, and did you identify any risks which can impact achievement of those objectives. It's NOT rocket science...

 

Jennifer has given an excellent example. What about "key equipment" in the manufacturing process? I walked the line with a client and found that a simple assisted lift was an item of key equipment which could shut the production down if it wasn't maintained (simple enough to do) and no-one had thought about it. There was no work around available, either.

 

Excellent point HHF. So, in that case, we can tie back to the "context of the organization" once again and show why it was decided to write this down as "documented information"...

 

Nikki,

Did you come up with the list on your own? Did you come up with these Plan Bs on your own? Do you feel competent, qualified and comfortable with the outcome? Is "Nikki made a list" the risk management process? ;-) Don't get me wrong. I think you've captured a good solid few points in your list, but they are very internal to your organization.

What about risk management from a Customer's perspective? As you said, you compound the plastic to the Customer's specification. Yet, what if quality checks don't catch a flaw and there's a need for recall? Or what if the Customer's spec is wrong for the application?

I'm surprised no one has mentioned FMEA, yet. In my opinion, it gives you a solid starting point for determining where you want to start auctioning possible risks. Granted, the scope creep on it can be extreme if you don't clearly define the borders. What about FMEA sessions with the process owners for each process?