"Demonstrating" Risk Based Thinking

It is the organization, not auditor, who shall evaluate the effectiveness of actions taken to address risks and opportunities (9.1.3 e) and retain documented information.
Possibility of incomplete effectiveness is embedded in the standard via 10.2: the detected nonconformity implies that the risk for this particular NC was not either determined or/and addressed.

 

I keep reading this line over and over again...it is 100% true and on point...but inherently flawed all the same. That's why I keep coming back to it trying to find a better way.

The difference between
"it simply verifies that someone is steering." and "it simply verifies that someone competent, with the necessary resources, is steering." is, of course, the red part (which is why it's red).

But the ones steering are also the ones who have the final say on the definition of "Competent" and also the ones who have the final say on what resources are "necessary"....that's the flaw.
Don't know how to get around it...but keep coming back to it all the same...like a nagging toothache.
I just can't picture Top Management saying they themselves aren't competent...and the final decision on competence (in the purview of ISO) lies with Top Management.
There seems a systemic failure here. Please feel free to set me straight.

 

Sorry, but in the case of ship steering, you are incorrect. The crew of vessels sailing around the World are subject to the Standards of Training, Certification & Watchkeeping Convention, and the Flag States will actually endorse the crew's certificates (assuming they are competent). So, differently than what you are suggesting, a shipping company can not simply assign any person to man the bridge on a ship, just like an airline can not assign any person to be in charge of the cockpit and pilot an aircraft. As for the example of resources, if the ship is using paper-based navigation aids as navigation charts, they must have all the relevant charts available at the bridge.

This is an example of personnel competence to operate, regulated by international laws. It is NOT do what you say, say what you do....it has never been that, actually.

 

I guess this spirited conversations proves that it is totally up in the air what you need to do to demonstrate objective evidence in audit. Sounds like it will completely be a judgement call by the auditor. Yes, we are all constantlly weighing the risks if our businesses are succesful. We would have had to do that in order to not fail.

 

If you believe that, remember that auditors change and being at the mercy of the "auditor du jour" is a terrible way to manage a system.

 

So well said Jennifer .....
If I can talk about a plan B that I have I have demonstrated RBT
If I can sure shot say that I have not made a plan B, for reasons that I best know based on experience and past history., I have demonstrated RBT
If I show a blank eye or astonishment for any reasonably foreseeable situation, then I have not demonstrated RBT.

 

Thanks for more answers. They kind of confirm that it will be up to the auditors discretion and our organizations ability to explain our approach to risk based thinking. I am not worried about our companies ability to evaluate the risks. We are a very advanced Hi-Tech company which dominates its industry and competitors. ISO certified for 20 years. Customers are extremely satisfied. Profits and growth most companies prey for. Our leadership team has deep industry, business, and customer knowledge. We could not be as succesful as we are without contunually evaluate risks. We just went through a management review and discussed risk to projects, business, processes, and customers constantly. Was the word risk ever used....no? Did we evaluate a list of "risks"....no. Would anyone on our leadership team except me understand what "Risk Based Thinking" is.....no. I see not reason to change how we do things outside of some potential improvements. I was recently telling another exec about how a major ISO9001 change was the addition of RBT. His response was "What the F^&* does that mean?". After I told him he thought it was the dumbest thing to add to ISO9001. I get RBT, but I think it is going to cause allot of hassles during audits.

 

Organization will always present to auditor various plans of various actions which are taken in the business life continuously. And then will clarify to auditor what any action ether prevents or facilitates. Prevents threat to deviate from expected; facilitates opportunity to achieve improvement. Thereby, risks are identified and explained to auditor. Context issues are readily recognized by the nature of action or risk.

 

Sadly missed.

 

Just go by what is written in the standards. If the auditor say it needs a record or more just ask him to show you in the standards. If it is not there then it can be verbal, written or telepathically transferred., there is no requirement. People are making this to complicated.

 

So I attended a DNV ISO9001:2015 webinar. They explained 2015 from an auditor viewpoint. They stated that if you are doing FMEA's (process or design) you will meet the RBT requirement.

 

There is no requirement in the standard for any formal risk assessment method I.e FMEA unless your customers require it. It may be a requirement in the TS or AS world. There is no requirement for "documented information" but you may wish to capture some instances of where you considered process risk to avoid a lengthy argument with your auditor.

In my role as quality contractor I put a little check box: high/medium/low risk. Anyone who sets up a new inventory item, new customer, new supplier, or makes a document change or CA may choose to assign a risk higher than "low" in any of these cases if they feel the need to consult a higher authority. Hazmat and Safety always get a "medium" just so that it is communicated to somebody.

The risk and opportunity is also probably also considered in the management review.

If I were auditing I would look for any of the items above ref: insurance, disaster planning, backup suppliers, hedging...

 

It's a landscaping reference.