Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Addressing Clause 4.1 and 6.2

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Tiffany Andrade, Feb 7, 2019.

  1. Tiffany Andrade

    Tiffany Andrade New Member

    Joined:
    Feb 1, 2019
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2
    Hi everyone,

    My company recently completed our first certification audit. We were advised to do the STEEPLE Analysis in determining clause 4.1. Here's just a glance at what we did... upload_2019-2-7_8-20-49.png

    Our approach was to have process maps to address 4.4 and 6.1 by highlighting the risks associated with each process and document the data in a Risk Register for monitoring but the STEEPLE is done based on the overall company.

    My question is how do I now link the two in showing that we are addressing both overall and process risk? Considering that the standard hinges on 0.3.3 Risk Based thinking.
     
  2. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    193
    Likes Received:
    105
    Trophy Points:
    42
    Good day @Tiffany Andrade and welcome to the forum.

    First, let us hope that it was not your CB third party auditor that "advised" you to do a STEEPLE analysis. The 3rd party is not ALLOWED to consult, and, the third party has no business telling your organization "how" regarding any approach to your registration. One thing you will likely find as a constant on this site, is that most will advise you to do what is in the best interest of your organization and to never do anything for your auditor. Be selfish. Don't create methods or documentation for the auditor or the standard as you will then need to maintain and (as one gentleman on this site often says) "feed the monster you've created."

    So, back to your question. A STEEPLE approach is fine if that is what your organization needs/wishes. One of the struggles for companies over the years has been the failure of organizations to make the management system integral to the business. It is very common for organizations to keep the management system in one "box" and then conduct business in another "box" . (i.e take a look at 5.1.1 - c), which requires "...integration of the quality management system ...into...the business processes.") So be careful not to do duplicate work or keep the QMS outside of the business proper. I guess I would ask, why are you looking at your process risks and opportunities separate from the "overall company"?

    Food for thought.
     
  3. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    330
    Likes Received:
    47
    Trophy Points:
    27
    Location:
    Mexico
    It can be done separated, use steeple at strategic level and the operational risk by using amef, pxi, or whatever.
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    721
    Likes Received:
    480
    Trophy Points:
    62
    Location:
    Laguna Philippines
    Why do you need to link? Show to whom? Who/what requires you to do this? I don't see any statement in the standard that requires this. RBT can be applied in any level (i.e. strategic, tactical or operational). The standard has a requirement that actions to address risks/opportunities are integrated/implemented into the QMS processes. If you determined actions to address risks/opportunities during any level of planning, you should plan how these actions can be incorporated into the existing or new processes.
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,227
    Likes Received:
    1,157
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This is waaaayyyyyy too complex. Who suggested this?
     
    Ellie likes this.

Share This Page