
No risk rating - NC!?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by tony s, Jun 5, 2019.

  1. tony s

    tony s Well-Known Member

    Early this week, a consultant friend told me that a nonconformity was raised against her client because their method for determining risks/opportunities doesn't have criteria for determining the level of risk (i.e. high, medium, low). The CB auditor was looking for factors such as how the severity of the impact and likelihood of the occurrence of risks are measured.

    I've actually observed such prescriptive calls of CB auditors; fortunately, we know how to push back. Others, like my friend's client, who don't want to tussle with CB auditors, will just go along with the prescriptive call and accept the nonconformity finding.

    Just want to vent my exasperation and, at the same time, get some two cents (agreeable or dissenting) from the members of this forum.
     
  2. Bev D

    Bev D Moderator Staff Member

    This is definitely overstepping (and underthinking) on the part of the auditor.
     
    John C. Abnet and tony s like this.
  3. Qualmx

    Qualmx Well-Known Member

    I don't agree; the standard doesn't require evaluating the level of risk, nor using some special methodology for addressing the risks.
     
    tony s likes this.
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Yes! Another auditor who doesn't understand.
     
    tony s likes this.
  5. tony s

    tony s Well-Known Member

    Yeah. It's really disappointing. CB auditors should at least read the standards. Below are the statements where both ISO 9001 and ISO/TS 9002 clarified the concept on determining risks:

    Annex A.4 of ISO 9001:2015:
    Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

    Section 6.1.1 of ISO/TS 9002:2016:
    There is no requirement in ISO 9001 to use formal risk management (in accordance with ISO 31000 [19]) in determining and addressing risks and opportunities. An organization can choose the methods that suit its needs. IEC 31010 [23] provides a list of risk assessment tools and techniques that can be considered, depending on the organization’s context.
     
    Suraiya Ramkissoon likes this.
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Sadly, there's little/no incentive to ensure auditor competency. Registrars don't want to spend money on ensuring their auditors have a clue. We see examples here and at the Cove all the time.
     
  7. Golfman25

    Golfman25 Well-Known Member

    Auditors fall back on what they consider "best practices" instead of using the standard. Auditees frequently don't know the extent of the standard and take auditors' commentary as gospel. It takes several cycles before the Auditee will learn to push back.
     
    tony s likes this.
  8. Qualmx

    Qualmx Well-Known Member

    Regarding auditors, I once heard someone say: we see them as gods, and some of them seem to feel like that, but really... they are human.
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    With the most recent changes to ISO 9001, they don't even have that, because no-one knew what was a "best practice" and, for the most part, contract auditors rarely have an opportunity to do consulting (some train, but talking about it instead of practicing isn't the same thing), so they avoid much of what is new, and when they do venture into those areas - risk and opportunity - they don't read the guidance. A self-proclaimed "expert" auditor who posted here frequently confused the various requirements...
     
    tony s likes this.
  10. yodon

    yodon Well-Known Member

    Not disagreeing with any of the above but I wonder if the auditor asked how they addressed this clause (from 6.1.2):

    Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

    (emphasis added).
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Experience shows that, if a SWOT analysis is used, by the leadership team, there's rarely any debate about 1) what the risks and opportunities are and 2) the priority for dealing with them. One universal truth, here in the state of Michigan, is the need to grow some skilled people - fast! Management don't need no stinkin' criteria (H-M-L) to start working on THAT!
     
    yodon likes this.
  12. tony s

    tony s Well-Known Member

    There's nothing here that implies determining the level of risk. The same intention is also employed in clause 10.2.1 where it says "Corrective actions shall be appropriate to the effects of the nonconformities encountered".
     
    yodon likes this.
  13. Golfman25

    Golfman25 Well-Known Member

    To me that's what a "judgement call" is. We make them every day.