Do I need to have a SINGLE major risk?

Niko90 · Apr 10, 2017

Greetings!

Just last week, we underwent the first stage audit with our CB. To determine the actions to address risks and opportunities, we used a matrix that lists down all the steps of a procedure, its requirement/s, the corresponding risks and opportunities of these requirements and the actions to address them. We also indicated what the planned result should be for these steps. IMHO, doing this would help us make sure that our procedures would be effective. Here's the thing though, one of the auditors from our CB indicated that one of the risks I should have explicitly stated is that our process (which is about providing info to clients through various means) may not be effective. It seems the auditor wants me to identify a single major risk. I can't buy into this idea because when we were indicating the actions in this matrix, the main goal is for our process to be effective by addressing risks/opportunities. Thus addressing risks, effectiveness and achieving intended results are 'peppered' throughout this matrix.
I would like to hear everyone's thoughts on this. Thank you.

Andy Nichols · Apr 10, 2017

Your auditor is WRONG! All you are required to demonstrate is "risk based thinking". If you understand the context of the organization, your organization's interested parties and their needs, through something like a SWOT analysis, then addressing the weaknesses and threats, can be used to demonstrate you recognize risks and you address them in your planning - take for example an aging workforce. If you plan on creating an apprenticeship scheme to bring entry level people up to some level of skill you can't recruit replacements who already posses those skills, THATS demonstrating RBT.

Your auditor is incompetent. Take a look at ISO/TS 9002.

Jennifer Kirley · Apr 10, 2017

I don't understand the single major risk idea, as all processes are expected to have had risk (effect of uncertainty) defined and they could be very different from each other.

Andy Nichols · Apr 10, 2017

Jennifer Kirley said: ↑

as all processes are expected to have had risk
Click to expand...

and it's not just about process risks...

Jennifer Kirley · Apr 10, 2017

Andy Nichols said: ↑

and it's not just about process risks...
Click to expand...

Yes, that's right.

Randy A. Kaczynski · Apr 10, 2017

I disagree with the prior statement --- All you are required to demonstrate is "risk based thinking".
The requirements are in 6.1 (Actions to address risks and opportunities).

determine the risks and opportunities

plan actions to address these risks and opportunities

integrate and implement the actions into its QMS processes

evaluate the effectiveness of these actions

Jennifer Kirley · Apr 10, 2017

Randy, let's not forget that one of the management review inputs is (e) effectiveness of actions to address risks and opportunities. How to demonstrate that?

Andy Nichols · Apr 10, 2017

Randy A. Kaczynski said: ↑

I disagree with the prior statement --- All you are required to demonstrate is "risk based thinking".
The requirements are in 6.1 (Actions to address risks and opportunities).

determine the risks and opportunities

plan actions to address these risks and opportunities

integrate and implement the actions into its QMS processes

evaluate the effectiveness of these actions

Click to expand...

Isn't this "risk based thinking" Randy? Can't the requirements be addressed by leadership discussing this and not having procedures, risk records or a specific tool (FMEA etc) to document it?

tony s · Apr 11, 2017

Auditors should refrain from being presumptuous. If an organization opted to use RBT tools where they are comfortable with, they should not dictate how their preferred tools are to be used.

Niko90's intention in using their tool is clear to him - that's why he said:

Niko90 said: ↑

IMHO, doing this would help us make sure that our procedures would be effective.
Click to expand...

Why should an auditor demand a single major risk, when Niko90 clarified this to the auditor:

Niko90 said: ↑

To determine the actions to address risks and opportunities, we used a matrix that lists down all the steps of a procedure, its requirement/s, the corresponding risks and opportunities of these requirements and the actions to address them.
Click to expand...

Most of the items mentioned by Randy were covered, except the last statement (i.e. evaluation of effectiveness of actions taken to address risks/opportunities).

Randy A. Kaczynski · Apr 13, 2017

If you want to comply with ISO 9001:2015 and demonstrate RBT, just follow the 6.1 requirements. 'Nuff said!

Log in or Sign up

Do I need to have a SINGLE major risk?

Niko90 Member

Andy Nichols Moderator Staff Member

Jennifer Kirley Moderator Staff Member

Andy Nichols Moderator Staff Member

Jennifer Kirley Moderator Staff Member

Randy A. Kaczynski Member

Jennifer Kirley Moderator Staff Member

Andy Nichols Moderator Staff Member

tony s Well-Known Member

Randy A. Kaczynski Member

Log in or Sign up

Do I need to have a SINGLE major risk?

Niko90 Member

Andy Nichols Moderator Staff Member

Jennifer Kirley Moderator Staff Member

Andy Nichols Moderator Staff Member

Jennifer Kirley Moderator Staff Member

Randy A. Kaczynski Member

Jennifer Kirley Moderator Staff Member

Andy Nichols Moderator Staff Member

tony s Well-Known Member

Randy A. Kaczynski Member

Useful Searches