Context of organization less complex

o

The auditor pointed out that while internal issues assessment may be done enterprise level, the external issues can not because of peculiar issues that may be found at the locality where the branch is located. Thats why they are looking for issues and r/o assessment at the branch level.
While it is true that at the branch level, they have their own strategy planning on how their targets will be met, our system did not require them to conduct a separate assessment at their level.
Im afraid were doing wrong and bringing in unuseful documentations and activities.

 

This could be the reason why your auditor is asking about context and risks/opportunities at the branch level. Risk-based thinking concept was adopted by ISO 9001:2015 to help organizations PLAN for their system and their processes. Context, risks and opportunities are not limited at the enterprise level. There are issues, risks and opportunities that can emanate at the branch level, even in the processes. Section 0.1 General of the standard specified this:

"Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise (see Clause A.4)".

Annex A.4 Risk-based thinking mentioned this: "The concept of risk-based thinking has been implicit in previous editions of this International Standard, e.g. through requirements for planning, review and improvement. This International Standard specifies requirements for the organization to understand its context (see 4.1) and determine risks as a basis for planning (see 6.1). This represents the application of risk-based thinking to planning and implementing quality management system processes (see 4.4) and will assist in determining the extent of documented information".

Section 6.1.1 of the ISO/TS 9002:2016 (Guidelines for the application of ISO 9001:2015) gave further clarification on the use of RBT during planning from this statement:

"There are various situations where risks and opportunities should be considered, for example strategy meetings, management reviews, internal audits, different kinds of meetings on quality, meetings to set quality objectives, the planning stages for the design and development of new products and services, and the planning stages for production processes".

So, when planning, at any level, the RBT concept is always applicable.

 

Thanks @tony s Sir.
I would like to believe our Branches do that as may be evidenced by their positive performances. However, they can only present their action plans which contains what clients to pursue, etc., which I would think are products of their "market/envi scanning/business review". I think we have to strengthen our documentation now.

Additionally, while the branches do SWOT, is it ideal to come up with criteria which r/o would they take?

As a background, branches are mainly focused in increasing business. With regard to our processes, everything is risk based as part of many compliance reqts. We have lots of risk assessment methodologies in placed as we operate in a highly regulated environment.

Thank you for any advice.

 

The "positive performances" could be an offshoot of planning, but might not be perceived as evidence of planning. "Market and environmental scanning" are RBT approaches. These, including the "action plans" form part of the evidences of planning.

SWOT already covers the risks and opportunities that need to be addressed. The requirements of the standard is to determine r/o and plan actions to address them. There's no requirement to establish criteria on which r/o an organizations would address. It's your organization's prerogative on which r/o to address - not the CB auditors. Hence, the standard always specify "The ORGANIZATION shall..."

 

Thank you always.
What would be the best way to evidence risk/opportunity assessment if we do not have a formal template/criteria to do this? Because in our process, it is purely based on appetite which to pursue.

 

Since you mentioned in your previous posts that your organization has "lots of risk assessment methodologies", then it's up to your organization which of them are to be employed by the branch level.

Assessment of r/o is, actually, not a requirement by ISO 9001:2015. But, of course, the standard does not prohibit organizations to use the RBT techniques they find sensible for their operations.