Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Addressing Clause 4.1 and 6.2

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Tiffany Andrade, Feb 7, 2019.

  1. Tiffany Andrade

    Tiffany Andrade New Member

    Joined:
    Feb 1, 2019
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2
    Hi everyone,

    My company recently completed our first certification audit. We were advised to do the STEEPLE Analysis in determining clause 4.1. Here's just a glance at what we did... upload_2019-2-7_8-20-49.png

    Our approach was to have process maps to address 4.4 and 6.1 by highlighting the risks associated with each process and document the data in a Risk Register for monitoring but the STEEPLE is done based on the overall company.

    My question is how do I now link the two in showing that we are addressing both overall and process risk? Considering that the standard hinges on 0.3.3 Risk Based thinking.
     
  2. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    290
    Likes Received:
    172
    Trophy Points:
    42
    Good day @Tiffany Andrade and welcome to the forum.

    First, let us hope that it was not your CB third party auditor that "advised" you to do a STEEPLE analysis. The 3rd party is not ALLOWED to consult, and, the third party has no business telling your organization "how" regarding any approach to your registration. One thing you will likely find as a constant on this site, is that most will advise you to do what is in the best interest of your organization and to never do anything for your auditor. Be selfish. Don't create methods or documentation for the auditor or the standard as you will then need to maintain and (as one gentleman on this site often says) "feed the monster you've created."

    So, back to your question. A STEEPLE approach is fine if that is what your organization needs/wishes. One of the struggles for companies over the years has been the failure of organizations to make the management system integral to the business. It is very common for organizations to keep the management system in one "box" and then conduct business in another "box" . (i.e take a look at 5.1.1 - c), which requires "...integration of the quality management system ...into...the business processes.") So be careful not to do duplicate work or keep the QMS outside of the business proper. I guess I would ask, why are you looking at your process risks and opportunities separate from the "overall company"?

    Food for thought.
     
  3. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    405
    Likes Received:
    48
    Trophy Points:
    27
    Location:
    Mexico
    It can be done separated, use steeple at strategic level and the operational risk by using amef, pxi, or whatever.
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,015
    Likes Received:
    759
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Why do you need to link? Show to whom? Who/what requires you to do this? I don't see any statement in the standard that requires this. RBT can be applied in any level (i.e. strategic, tactical or operational). The standard has a requirement that actions to address risks/opportunities are integrated/implemented into the QMS processes. If you determined actions to address risks/opportunities during any level of planning, you should plan how these actions can be incorporated into the existing or new processes.
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    3,040
    Likes Received:
    1,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This is waaaayyyyyy too complex. Who suggested this?
     
    Ellie likes this.
  6. may@ m.

    may@ m. Member

    Joined:
    Jul 31, 2019
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1

    We have the same dilemma @Tiffany Andrade . In our organization, we do SWOT, then from that SWOT, we identify risks related to WT. One by one,which is tooooo much tasking. I think we are overdoing something. But yet we are confined because we can not figure out other means to evidence 4.2 and 6.1. :|
    Help!
     
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,015
    Likes Received:
    759
    Trophy Points:
    112
    Location:
    Laguna Philippines
    @Tiffany Andrade and @may@ m.

    The requirements of the standard are interrelated. Some serve as inputs to another requirement (e.g. to establish the scope (4.3), you need to consider issues (4.1) and requirements (4.2)). Some serve as outputs (e.g. objectives (6.2) are part of the results of planning (6)). Do not attempt to satisfy 4.1 independently from the other requirements where 4.1 serves as an input. If your organization have gone through a workshop just to produce a SWOT analysis document in the assumption that this will satisfy 4.1, I believe, your organization fell short of understanding the intent of the standard.

    Clause 4.1 is an input to clause 6. When an organization plans (at the strategic level) to established its strategies, including objectives, issues that can affect the approach in developing and achieving the strategies and objectives should be considered. Here is where SWOT analysis plays a value-adding role. Internal (Strengths and Weaknesses) and external (Opportunities and Threats) issues if clearly understood will aid an organization to come up with the appropriate strategies and objectives. So SWOT shouldn't just be a product of a workshop that your organization intends to show to a CB auditor but a tool that your organization used during planning.

    You don't need to identify risks from the SWOT, Threats is already the equivalent of risks. As per section 3.2.11 of ISO 14001, "risks and opportunities" is defined as potential adverse effects (threats) and potential beneficial effects (opportunities). Presenting the SWOT analysis as part of the planning records can demonstrate fulfillment of clauses 4.1 and 6.1.1.

    What about 4.2? Can an organization just go through a workshop and produce a list of relevant interested parties (RIP) with their relevant needs and expectations? Then present this list of RIPs to the CB auditor to demonstrate conformity with 4.2? I don't think so. As established in the first paragraph about interrelated requirements, 4.2 is an input during planning to produce the appropriate quality objectives (6.2). The requirement in 6.2.1 specifies that "quality objectives shall c) take into account applicable requirements". So, in developing quality objectives at relevant functions and levels, clearly understood "needs and expectations" relevant to each function will help the organization to establish suitable quality objectives. Organizations should not establish quality objectives where nobody cares whether they achieve them or not. The objectives should be clearly tied to the requirements of the relevant interested parties.
     
    Andy Nichols likes this.

Share This Page