
Risk based thinking

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by bkirch, Jun 19, 2019.

  1. bkirch

    bkirch Active Member

    Joined:
    Jun 24, 2016
    Messages:
    73
    Likes Received:
    13
    Trophy Points:
    7
    Would anyone share some methods that they use to approach risk-based thinking as required per ISO 9001:2015? I have listened to many webinars and read articles on the subject, and there seem to be many different opinions on how it should be approached. I think most companies consider risk and opportunities every day, but to explain and show evidence of this activity is a little tricky unless it is documented.
     
  2. KyleG

    KyleG Active Member

    Joined:
    Nov 7, 2018
    Messages:
    96
    Likes Received:
    68
    Trophy Points:
    17
    Location:
    Reno Nevada
    I do a biannual SWOT analysis.
     
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Maybe, but that's not what the ISO 9001 requirements are directing you towards. It's the strategic aspects of risk and opportunity. ISO/TS 9002 is good guidance in this respect.
     
  4. Daniel Padilla T

    Daniel Padilla T Member

    Joined:
    Jun 14, 2018
    Messages:
    44
    Likes Received:
    17
    Trophy Points:
    7
    As Andy said, 6.1 of ISO 9001:2015 is related to the strategic level. So you could use a SWOT analysis (most commonly used) AND the requirements of interested parties to determine the risks and opportunities of the QMS. Then you will plan the actions to address the risks and opportunities (incorporating them in the QMS or in the processes). You can establish all this during Management Review, and remember you need a follow-up to evaluate the effectiveness of actions taken.
     
    KyleG and Qualmx like this.
  5. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    464
    Likes Received:
    59
    Trophy Points:
    27
    Location:
    Mexico
    Not only strategically, but operationally.
    Most processes have R&O.
    Regards
     
  6. Andy Nichols

    ISO 9001 doesn't mention anything about operational risk...nor process risk/opportunity.
     
    Daniel Padilla T likes this.
  7. Qualmx

    Take a look at this below:

    According to ISO/TC 176/SC 2/N 1283.
    [IMG]
     
  8. Andy Nichols

    Exactly! However, this is purely guidance and buried - without reference to risk - in the back of ISO 9001:2015 in the bibliography, so how would anyone know?

    If we are dealing with requirements - which is where most people start - the references are to strategic direction. Since operational risk isn't actually part of any requirement of ISO 9001, per se, and may not be applicable, it is unwise to suggest that operational risk is REQUIRED. As pointed out, earlier on, companies think of such things daily. But not ALL. Hence, it cannot be a requirement.
     
  9. Qualmx

    Andy,
    Why not consider risks and ops at the operational level? You could find important risks. What would be the reasons for not considering them?
    Thanks
     
  10. Andy Nichols

    It's going to be a case-by-case basis. It's impractical to force fit R & O to all processes. Businesses don't always need to do this. You can't say the same for those at a strategic level.
     
    Qualmx likes this.
  11. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    It is worthwhile to ask "What can go wrong in our process?" (risk) and "What is available to us to help improve this process?" (opportunity). The important thing to remember is that we are not confined to one way to ask or address these questions for all processes, because they can be so different.
     
  12. Andy Nichols

    But risk isn't necessarily a negative, which is what most people do to approach it. It's flawed thinking. Risk is simply the effect of uncertainty. It isn't thinking what could go wrong...
     
    John C. Abnet likes this.
  13. Jennifer Kirley

    You are absolutely correct. The 3M Post It Note provides a good example of design risk to fail to recognize and properly market a good product. It took 3M a couple of tries, but now we have the ubiquitous yellow sticky note.
     
  14. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    According to ISO/TS 9002:2016 clause 6.1.1:

    The intent of this subclause is to ensure that when planning the quality management system
    processes, the organization determines its risks and opportunities and plans actions to address them. Its
    purpose is to prevent nonconformities, including nonconforming outputs, and to determine opportunities
    that might enhance customer satisfaction or achieve an organization’s quality objectives.

    Hence, risks can be determined at the strategic and operational levels. Another statement under this clause mentioned various techniques that can be employed to determine risks at strategic and operational levels:

    In determining risks and opportunities, the organization can consider using the outputs of techniques
    such as SWOT or PESTLE. Other approaches can include techniques such as Failure Mode and Effects
    Analysis (FMEA); Failure Mode, Effects and Criticality Analysis (FMECA); or Hazard Analysis and
    Critical Control Points (HACCP). It is for the organization to decide which methods or tools it should use.
    Simpler approaches include techniques such as brainstorming, Structured What If Technique (SWIFT)
    and consequences/probability matrices.
     
    Mazzel Lou Bael likes this.
  15. Andy Nichols

    I've taken this to mean that it's the planning for the process(es) to take care of the risk, not that planning takes care of risks of/for processes. Subtle, but different. If a company makes washers all day long, then there's little in the way of process risk at a process level, but there will be strategic risk.
     
  16. tony s

    Could be. But for people where English is not their native language, "planning the processes" could have a different meaning from "planning for the processes". Since ISO/TS 9002 mentioned techniques that are more appropriate to be employed at the operational level (e.g. FMEA, HACCP), I believe risks at the operational level must also be determined and must be addressed as intended by Clause 4.4.1f.
     
  17. Daniel Padilla T

    Tony, do you apply this planning for all your processes or only those you consider with more significant risk?
     
  18. tony s

    All QMS processes. I believe clause 4.4 is applicable to all QMS processes and one of the requirements says "address the risks and opportunities as determined in accordance with the requirements of 6.1" (see 4.4.1f).
     
    Daniel Padilla T likes this.
  19. tony s

    HACCP and HARPC are preferred tools for the food industry, but would be difficult to apply for other industries, particularly the service sector (e.g. schools, banks, logistics, government agencies, etc.).
     
  20. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    ISO 9001 doesn't mention anything about either operational or strategic risk. Nonetheless, it implicitly addresses both:
    (1) The organization shall determine issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended results of its QMS (4.1). Thus, the issues concern both the strategy and operations.
    (2) The organization shall consider the issues… and determine the risks and opportunities that need to be addressed (6.1.1). Given (1), risks and opportunities can be both strategic and operational.
    (3) A similar mixed picture is drawn by the requirements for the quality policy and quality objectives: 5.1.1a) Top management shall ensure that quality policy and quality objectives are compatible with the context and strategic direction of the organization; 5.2.1 Top management shall establish, implement and maintain a quality policy that: a) is appropriate to the purpose and context of the organization and supports its strategic direction; b) provides a framework for setting quality objectives.
    (4) Under 8.1 the organization operates processes needed to meet the requirements for the provision of products and services (the non-strategic domain) and to implement the actions to address risks and opportunities (the mixed domain).