1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Effect of article "the"

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Leonid, Dec 12, 2019.

  1. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    According to 6.1.1 “… the organization shall … determine the risks and opportunities that need to be addressed to…” Does it mean that all risks and opportunities that were determined need to be addressed? I think not all but only THOSE (the meaning of article “the”) that NEED to be addressed. The organization will have to analyze and assess the risks and opportunities prior to making decision which ones to address. There is no need to address minor risks and opportunities.
     
  2. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    FWIW, in the wordplay of life...

    It seems to direct that the company ONLY needs to determine the risks and opportunities that the organization judges as "needs addressing".
    I don't see a requirement to determine, or even identify, risks or opportunities that you don't need to address, though as you suggest...it is fairly unavoidable.

    Worded pretty well, all in all, IMO.
     
  3. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @Leonid ;
    If you are looking for affirmation, then consider yourself affirmed. You are indeed correct in regards to the fact that it is left to the organization to determine which risks an opportunities "need" to be addressed.

    My only word of caution would be in regards to your comment..."There is no need to address minor risks and opportunities."

    The use of subjective terms (i.e. "minor") is not sustainable as many instances of my experiences have proven, since if individual members of staff and leadership in an organization are asked, rarely will they agree on which are "minor" and which are "major" risks.

    Hope this helps.
    Be well.
     
    Katrijn likes this.
  4. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
     
  5. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    Thanks John. Anyway some risks are always left without addressing. And there are risks which are
    unanimously assessed by sight as minor.
     
  6. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Let's say I have "determined" the risks and listed them all in a table. Should I need further "determination" to demonstrate I really "determined" the risks that need to be addressed? Or I can just say "all those that are listed are the ones that need to be addressed"?
     
  7. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    Of course you can say it and then the auditor may ask you to provide evidence that the risks are addressed by the planned actions. By the way information about addressing risks needs to be documented as a part of processes according to 4.4.1(f), 4.4.2 and 8.1(e).
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    No, because it doesn't use the word "all".
     
  9. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    Without "all" the meaning of the statement in the standard is the same. Organization determines risks that need to be addressed. What was determined should be addressed.
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Is it?
     
  11. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Not sure about this when Annex A.4 specifies:
    • Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process.
    • Under the requirements of 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.
     
    Andy Nichols likes this.
  12. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    Tony, let's consider the situation (sort of happened in my life). I am an 3rd party auditor. You are the auditee. I am asking you to provide documented information about actions planned (6.1.2) and implemented (8.1 e.1) to address risks and opportunities. You give me the above answer. I agree with you because 6.1 does not actually require to document information. The requirements to document information about the processes are stated in 4.1.2 and 8.1. Actions to address risks and opportunities are carried out in processes as per 4.4.1 f. Eventually I issue a NC report.
     
  13. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    If the issue here is about documented information about addressing risks/opportunities (based on your post #7), auditors should understand that not all evidences rely on documented information. The International Accreditation Forum's Auditing Practices Group Guidance on Evidence Collection clarified this, as specified below:

    "Auditors should be aware that objective evidence does not necessarily depend on the existence of documented information, except where specifically mentioned in ISO 9001".

    Clause 8.1e.1 mentioned "to the extent necessary". If my organization has actions in place to address risks/opportunities and an auditor will slap us an NC report because we failed to document the plan, I will definitely challenge his/her finding.
     
  14. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    I addressed the actions which were both planned and implemented. If you say there is a documented evidence that actions were implemented then evidence of decisions about how to address the risks will be available and shown to the auditor.
     
  15. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Why would an auditor look for the documented evidence of decision if I'm already showing him/her the actual action that addresses the risk/opportunity?
     
  16. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    How to show the actual action?
     
  17. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Actual actions can include:
    • physical controls installed by the organization (e.g. stand by generator in case of power outages);
    • newly introduced tools, policy, procedures, checklist;
    • acquisition of alternate production site;
    • additional supplier for a specific material; etc.
    The above examples are actual actions that an organization may have established to address risks and opportunities. Planned actions may be in a form of documents but it's up to the organization. There's no requirement in the standard that plans to address risks/opportunities are to be reflected in a document. The IAF APG on Evidence Collection further says:

    "It is the organization’s responsibility to provide objective evidence of conformity. Organizations may be able to demonstrate conformity without the need for extensive documented information".