
Addressing Clause 4.1 and 6.2

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Tiffany Andrade, Feb 7, 2019.

  1. Tiffany Andrade

    Tiffany Andrade New Member

    Joined:
    Feb 1, 2019
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2
    Hi everyone,

    My company recently completed our first certification audit. We were advised to do the STEEPLE Analysis in determining clause 4.1. Here's just a glance at what we did... [attached image: upload_2019-2-7_8-20-49.png]

    Our approach was to have process maps to address 4.4 and 6.1 by highlighting the risks associated with each process and document the data in a Risk Register for monitoring but the STEEPLE is done based on the overall company.

    My question is how do I now link the two in showing that we are addressing both overall and process risk? Considering that the standard hinges on 0.3.3 Risk Based thinking.
     
  2. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @Tiffany Andrade and welcome to the forum.

    First, let us hope that it was not your CB third party auditor that "advised" you to do a STEEPLE analysis. The 3rd party is not ALLOWED to consult, and, the third party has no business telling your organization "how" regarding any approach to your registration. One thing you will likely find as a constant on this site, is that most will advise you to do what is in the best interest of your organization and to never do anything for your auditor. Be selfish. Don't create methods or documentation for the auditor or the standard as you will then need to maintain and (as one gentleman on this site often says) "feed the monster you've created."

    So, back to your question. A STEEPLE approach is fine if that is what your organization needs/wishes. One of the struggles for companies over the years has been the failure of organizations to make the management system integral to the business. It is very common for organizations to keep the management system in one "box" and then conduct business in another "box" (i.e. take a look at 5.1.1 - c), which requires "...integration of the quality management system ...into...the business processes."). So be careful not to do duplicate work or keep the QMS outside of the business proper. I guess I would ask, why are you looking at your process risks and opportunities separate from the "overall company"?

    Food for thought.
     
    GODWIN OCHAYI and Laura N. like this.
  3. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    It can be done separately; use STEEPLE at the strategic level and address the operational risk by using amef, pxi, or whatever.
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Why do you need to link? Show to whom? Who/what requires you to do this? I don't see any statement in the standard that requires this. RBT can be applied in any level (i.e. strategic, tactical or operational). The standard has a requirement that actions to address risks/opportunities are integrated/implemented into the QMS processes. If you determined actions to address risks/opportunities during any level of planning, you should plan how these actions can be incorporated into the existing or new processes.
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This is waaaayyyyyy too complex. Who suggested this?
     
    Ellie likes this.
  6. may@ m.

    may@ m. Member

    Joined:
    Jul 31, 2019
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1

    We have the same dilemma @Tiffany Andrade. In our organization, we do SWOT, then from that SWOT, we identify risks related to WT. One by one, which is tooooo much tasking. I think we are overdoing something. But yet we are confined because we can not figure out other means to evidence 4.2 and 6.1. :|
    Help!
     
  7. tony s

    tony s Well-Known Member

    @Tiffany Andrade and @may@ m.

    The requirements of the standard are interrelated. Some serve as inputs to another requirement (e.g. to establish the scope (4.3), you need to consider issues (4.1) and requirements (4.2)). Some serve as outputs (e.g. objectives (6.2) are part of the results of planning (6)). Do not attempt to satisfy 4.1 independently from the other requirements where 4.1 serves as an input. If your organization has gone through a workshop just to produce a SWOT analysis document on the assumption that this will satisfy 4.1, I believe your organization fell short of understanding the intent of the standard.

    Clause 4.1 is an input to clause 6. When an organization plans (at the strategic level) to establish its strategies, including objectives, issues that can affect the approach in developing and achieving the strategies and objectives should be considered. Here is where SWOT analysis plays a value-adding role. Internal (Strengths and Weaknesses) and external (Opportunities and Threats) issues, if clearly understood, will aid an organization to come up with the appropriate strategies and objectives. So SWOT shouldn't just be a product of a workshop that your organization intends to show to a CB auditor but a tool that your organization used during planning.

    You don't need to identify risks from the SWOT; Threats are already the equivalent of risks. As per section 3.2.11 of ISO 14001, "risks and opportunities" is defined as potential adverse effects (threats) and potential beneficial effects (opportunities). Presenting the SWOT analysis as part of the planning records can demonstrate fulfillment of clauses 4.1 and 6.1.1.

    What about 4.2? Can an organization just go through a workshop and produce a list of relevant interested parties (RIP) with their relevant needs and expectations? Then present this list of RIPs to the CB auditor to demonstrate conformity with 4.2? I don't think so. As established in the first paragraph about interrelated requirements, 4.2 is an input during planning to produce the appropriate quality objectives (6.2). The requirement in 6.2.1 specifies that "quality objectives shall c) take into account applicable requirements". So, in developing quality objectives at relevant functions and levels, clearly understood "needs and expectations" relevant to each function will help the organization to establish suitable quality objectives. Organizations should not establish quality objectives where nobody cares whether they achieve them or not. The objectives should be clearly tied to the requirements of the relevant interested parties.
     
    Ellie and Andy Nichols like this.
  8. may@ m.

    may@ m. Member


    Thank you for this @tony s. Please extend your patience in explaining. Our CB said risks and opportunities determined must be assessed/ranked, so we'd know how opportunities are prioritized, etc. He even said, if there would be no scoring made, they expect to see action plans to each risk and opportunity identified. Can you share how we will evidence such? TIA.
     
  9. tony s

    tony s Well-Known Member

    Is he auditing you against ISO 9001? If so, I haven't read any categorical statement in the 132 "shalls" of ISO 9001 that requires assessment/ranking/scoring/prioritization of risks/opportunities and actions. The requirements of the standard are plain and simple:
    • 4.4.1f - determine the processes... and shall... address risks and opportunities...
    • 6.1.1 - when planning for the QMS... determine risks and opportunities
    • 6.1.2a - plan actions to address risks and opportunities
    • 6.1.2b.1 - plan how to integrate and implement the actions to address risks and opportunities
    • 6.1.2b.2 - plan how to evaluate the effectiveness of these actions
    • 8.1 - implement the actions determined in clause 6
    • 9.1.3e - results of analysis shall be used to evaluate the effectiveness of actions taken to address risks and opportunities
    • 9.3.2e - management review to take into consideration the effectiveness of actions to address risks and opportunities
    • 10.2.1e - when an NC occurs... update risks and opportunities determined during planning
    Satisfy the above requirements with the approach that you can easily and effectively implement. Your QMS should be implemented to benefit your organization and not to satisfy the whimsical interpretations of your CB auditors.
     
  10. may@ m.

    may@ m. Member

    Thank you very much! :)
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    That's rubbish - tell them "goodbye"...
     
  12. may@ m.

    may@ m. Member

    May I have an input so we can push back?

    Our auditor is looking for the application of risk based planning to EACH business unit - asking for the identification of risks and opportunities and assessment at the business unit level/branch.
    We have presented our compliance to the clauses for context, and planning on an enterprise level, e.g. that at the top management level, strategic planning is conducted, with even SWOT etc. etc., and that the targets are farmed out to each business unit concerned so all together can reach the overall objectives of the organization.
    However, during the audit at the business unit level, the auditors are asking again for the context and planning for that level, i.e. in a branch, how are risks and opportunities identified, and assessed, and acted upon to reach its cascaded target.

    Oh please. This is exhausting.
     
  13. tony s

    tony s Well-Known Member

    Although I would agree that issues, risks and opportunities can be determined at the strategic and operational levels - similar with objectives (see clause 6.2.1). There is no categorical statement in ISO 9001 that requires identification of risks/opportunities at "relevant functions, levels and processes". Here are the statements that your auditor might have used to establish an interpretation that risks/opportunities are to be identified at various levels:
    • clause 4.4.1f - "address the risks and opportunities as determined in accordance with the requirements of 6.1";
    • clause 8.1 - "to implement the actions determined in Clause 6".
    However, both statements make reference to clause 6, where your organization approaches this planning requirement strategically.

    As long as you can demonstrate that the actions that you have identified to address risks and opportunities at the strategic level are integrated and implemented into the operational level, processes or the business units (see clause 6.1.2b.1), you're not violating the clauses relevant to context and RBT when planning and implementing the QMS.

    Auditors can only raise audit findings against requirements and never against interpretations.
     
    may@ m. and Andy Nichols like this.
  14. BufferMess

    BufferMess Member

    Joined:
    Aug 27, 2018
    Messages:
    43
    Likes Received:
    10
    Trophy Points:
    7
    You might not need to assess or rank your risks and opportunities but you still need to assess potential impact of the determined risks and opportunities to the conformity of products and services because you need to take actions proportional to the impact of a risk or opportunity. See clause 6.1.2 (untitled).
     
  15. Andy Nichols

    Andy Nichols Moderator Staff Member

    Are you saying this needs documentation? When doing a SWOT with a client, there's not much "assessment" needs doing when the biggest issue/risk is finding skilled workforce replacements...
     
  16. may@ m.

    may@ m. Member

    Any suggestion on how to approach and evidence such?
     
  17. may@ m.

    may@ m. Member


    Thanks for this @tony s. To give you a clearer picture, we are a big organization, with over a hundred branches. We have lots of regulators, one of which also requires numerous intensive risk assessments (so even without ISO, we still do lots of risk assessment). Now, what we are presenting to the auditor is that the overall results of these various risk assessment methodologies we have are one of the inputs to our enterprise business planning. And that during the enterprise business planning, SWOT and interested parties are also part of the inputs, alongside the results of our risk assessment methodology.

    Results of the enterprise business planning are strategic objectives, plans and measures. So after determination of such, these are farmed out to concerned business units. So naturally for them, they have to come up with their own strategies likewise.

    By the way, the action plans for the identified high risks, together with the SWOT, are provided to the concerned business unit such that they become part of or inputs to its plans.

    Are we lacking something? Can you point out what is wrong? TIA for your valuable inputs.
     
  18. tony s

    tony s Well-Known Member

    The standard is just asking us to take actions commensurate with the potential consequences of the risks/opportunities to product/service conformity. Don't catch a lion using a mouse trap - don't catch a mouse using a lion's trap.

    The same is true when clause 10.2.1 mentioned "Corrective actions shall be appropriate to the effects of the nonconformities encountered".
     
    John C. Abnet likes this.
  19. tony s

    tony s Well-Known Member

    There is nothing wrong in your approach if the auditor will just use the statements in the standard as his/her audit criteria. Everything will be wrong if the auditor assesses your approach against his/her approach.

    ISO 9001 specifies WHAT organizations must do but does not say HOW they must do it. This results in organizations satisfying the requirements with different systems and approaches. Therefore the auditor must:
    • understand the auditee’s systems and approach;
    • adapt to the auditee’s situation;
    • evaluate the auditee’s own interpretation against the intentions of the standard - NOT against his/her own interpretation.
     
  20. Andy Nichols

    Andy Nichols Moderator Staff Member

    Looks just fine to me, too! Evidence? Likely recorded in management review(s)