
Question: Documenting A Risk Analysis Evaluation

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Malcolm Morriss, Nov 4, 2015.

  1. Malcolm Morriss

    Malcolm Morriss New Member

    I have referenced the requirement of a risk analysis evaluation in all of my applicable procedures. Do I have to document all of these risk analysis evaluations? Would the following statement meet the 9001:2015 requirements? “During this process all applicable risks are evaluated. This risk evaluation may or may not be documented.”
     
  2. tony s

    tony s Well-Known Member

    ISO 9001:2015 Annex A.4 specifies:

    Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

    Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.


    I don't believe that writing the above statement is necessary.
     
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Before any answers can be meaningful, may I ask if you've considered and fully understood the "Context of the Organization"? This is a foundational requirement which will help you to understand if you should/shouldn't document something...
     
  4. Malcolm Morriss

    Malcolm Morriss New Member

    Thank you for the response. Does not the "shall" stated in 6.1 require an action in some state or form? In Annex A.4 it also states “Under the requirements of 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk”. My thinking is that I am now required to reference a risk evaluation statement in any procedure that may incur risk. In referencing a risk evaluation, an auditor is going to ask for evidence that this evaluation has taken place. I included the statement “this risk evaluation may or may not be documented” to avoid any problems. Quite frankly, stating in Annex A.4 “Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process” only muddies the water for the end users and auditors alike.
     
  5. Malcolm Morriss

    Malcolm Morriss New Member



    I have reviewed section 4 and do understand the requirement. Now in 9001:2015 section 6 Planning it states that these meetings "shall consider" the issues in 4.1. Our company has already been including all the aspects of risk management and the requirements of our interested parties into our decision processes. We do not have a documented risk management system. We do have round table meetings that include all of the departmental managers, including safety and environmental. We discuss all applicable internal and external risks and also opportunities for improvement during these discussions. I am going to add the statement “During this process all applicable risk and requirements of our interested parties are evaluated” into all relevant procedures and leave off “This risk evaluation may or may not be documented”. I will also be looking forward to long discussions with my auditing body concerning this subject.
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Good deal, Malcolm. I'm guessing you're a small company, if you don't document your risk considerations (in some cases). One thing that will be potentially audited is the actions which come from the risk assessments - "what did you do about it", kinda thing.
     
  7. tony s

    tony s Well-Known Member

    I would assume the statements above are going to be mentioned in a "documented procedure" or the "quality manual". Should you opt to write such statements, you may also consider having statements on "evaluating the opportunities", since most, if not all, of the clauses in the 2015 version that mention the word "risks" also come with the word "opportunities".
     
  8. Malcolm Morriss

    Malcolm Morriss New Member

    I will be including this statement in all applicable documented procedures. Good point, I will also include a statement to reference "evaluating the opportunities". Thank you.
     