1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

"Demonstrating" Risk Based Thinking

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by QMSmaster, Feb 8, 2016.

  1. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    IDK. Sounds to me like a real hornets nest. If you need a PhD to figure RBT out I think most users will pass and focus on running their actual business.
     
  2. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
  3. Leonid

    Leonid Well-Known Member

    Joined:
    Jan 4, 2016
    Messages:
    164
    Likes Received:
    31
    Trophy Points:
    27
    Location:
    Moscow
    Sorry for the sad lapse. Please read the above statement as folows: What value will be added by implementing RBT as compared with PREVENTIVE actions toward potential nonconformities?
     
  4. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    The preventative action stems from the recognition of a potential non-conformity.
    The recognition of a potential non-conformity stems from RBT.

    One is a cause (RBT), the other is an effect (PA)...they are different steps of the same concept that already existed in 2008 and 2000.
    It continues to amaze me how much time this wording change is costing people.

    IMO, "implementing RBT" is an oxymoron, like "wetting water".
     
    Jennifer Kirley and Leonid like this.
  5. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Is this akin to saying RBT is common sense? .... Because we all know common sense ain't so common. ;)

    The cynic in me wonders if RBT has been specifically included as a way to nudge organizations to go for more than just the "pretty piece of paper on the wall" certification. Most of us are probably familiar with at least one organization that went through the motions of implemented ISO 9001. Technically, they addressed each and every requirement, yet they failed to capture the spirit or intent. And, let's face it, it's difficult to issue a nonconformance on failure to have the right spirit.

    By including RBT in the standard, auditors are going to start to look for the WHYs and HOWs behind the WHATs of a QMS. ... I'm suddenly having flashbacks to math class and the whole "show your work" approach. :eek:
     
  6. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    Well said.
     
  7. Tony Wardle

    Tony Wardle Member

    Joined:
    Dec 3, 2015
    Messages:
    18
    Likes Received:
    15
    Trophy Points:
    2
    Actually I hope they do. And our auditors usually do anyway.

    The risk of business failure is more important than anything.
    Risk Based Thinking is not new at all - risk and return is the basis of business and a well planned business model is vital.

    Quality IMHO extends beyond the product or service - it extend into systems, people, planning, strategy and so on.

    Just my opinion on this ;)
     
    Jennifer Kirley likes this.
  8. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Our biggest challenge, among clients and ourselves, is recognizing the two (RBT and preventive action) are the same thing.
     
  9. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    Opining further (as if I haven't already opined enough on this thread!)

    The biggest challenge for an auditor will be "verifying the use of RBT" without judging or condemning the risks taken.

    With any two people, (auditor & auditee) there is fertile ground for disagreement in whether the risk taken was warranted.
    There isn't much of a line between "You considered the risk" and "You took an unwarranted risk"...and auditing the QMS only gets to play on one side of the line.

    Verifying RBT without judgement of the risk taken is a tall order.
    At an extreme, Bernie Madoff knew the risk he was taking, and took it anyway.
    While a QMS auditor might have raised the flag on fraud, they shouldn't have flagged against not considering the risk.
    ...and it just gets harder with everyday things in business that are not at such an extreme.

    To the auditors here....good luck!
     
  10. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Because I like playing the Devil's Advocate (I really should have gone into law or politics! *lol*)...

    In a way, I think RBT is applicable to Corrective Action, as well. There have been times when my organization was faced to more than one way to address a situation and decision needed to be made. Terms such as "acceptable loss" or "acceptable risk" or "business decision" come to mind. However, RBT would allow us to demonstrate the evaluation process between the multiple options and support the final decision.

    A real world example could be that you're late for a meeting. You park across the road from the building where the meeting is going to be held. Do you dart across a busy road in an effort to be "less late" or do you walk down to the crosswalk that is a half-block away? Yes, I know, you're already late so this isn't really corrective action, but you're trying to lessen the impact of the tardy arrival. Without thinking about it, you do RBT on a daily basis as ways to correct nonconforming situations and prevent adverse situation.

    Or am I simply getting bogged down in the details?
     
  11. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Ahhh...good point...do we audit the process or the RESULTS of the process? ;-)
     
    Bev D likes this.
  12. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    Oh goody...it goes even deeper...

    The "results of the process" may be considered to be that a risk was taken or not.
    ...or they could be the result of having taken the risk.
    Methinks it's gonna be messy for a while. Right up the alley for your tag line. {BTW, on your tag line, did you consider the risks of the Chances Taken? ;) }
     
    RoxaneB likes this.
  13. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    220
    Likes Received:
    160
    Trophy Points:
    42
    But the results may be bad. Just because you considered the risks doe not mean you can anticipate every risk. Sometimes the process will fail. Does that mean that RBT was considered? Or not considered enough? (I enjoy Devils advocate too...).
    If you cannot cover every risk (because some are improbable), if that risk occurs is it a failure to properly conduct RBT?
     
  14. Sidney Vianna

    Sidney Vianna Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    127
    Likes Received:
    172
    Trophy Points:
    42
    If you realize that the old preventive action requirement necessitated a documented procedure, records of the actions taken, verification of effectiveness, etc. , and none of that is required with risk based thinking, I would not consider the two as the same thing.
     
    Candi1024 and Jennifer Kirley like this.
  15. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Define 'bad'...again, it may be a business decision to accept a certain level of risk. RBT is the process by which we want to see the logic behind such a decision.

    Donald Rumsfeld said "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know."

    Our perception and/or knowledge of reality changes over time. Technology changes. Information changes. RBT is a 'current state' exercise - that is it is based on what we know at this time, including constraints or limitations of our knowledge, technology, etc. At one time, we knew the world was flat. RBT for ocean-faring excursions would have included the risks associated with sailing too far. We now know the world is not flat and the RBT for exploring our planet has changed.
     
    tony s, Candi1024 and Leonid like this.
  16. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    220
    Likes Received:
    160
    Trophy Points:
    42
    Even with logic behind it (the decision), if RBT was done and recorded, we are in the position of questioning its 'effectiveness'. For example - the World Trade Center was designed to withstand a direct hit from an aircraft. It was also designed to contain any resulting fire withing pre-estblished firewall zones. Yet both failed. RBT was certainly in evidence as this was a design risk that was addressed. Was the RBT not effective enough? According to ISO, RBT only needs to be addressed 'because we have always done it'. OK, now do we deem it effective? Effective 90% of the time? When is it ineffective, when the building collapses?
    The risk was known, it was planned for, mitigated, and failed. Is this bad (ineffective) RBT?
     
  17. Eric Twiname

    Eric Twiname Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    329
    Likes Received:
    232
    Trophy Points:
    42
    Location:
    Northeast USA
    Good summary.

    My answer to your question is: The RBT worked fine. The remediation/solution implementation was ineffective or out of date.
    My question is: Was it compliant to ISO9001:2015 ?

    Effectiveness is my issue in my business and I'm not likely to appreciate a QMS auditor voicing their opinion on the risks I took with my eyes open.
    I would expect them to voice their finding if I had my eyes closed.
    If every less-than-perfect outcome is a non-conformance, there's gonna be a whole lot of pain.

    ISO has historically set high level boundaries and provided high level guidance for business operations. I doubt that this rev is meant as a free ticket to critique daily business activities.

    I tend to explain ISO to my folks this way:
    ISO does not tell you how to steer the ship...it simply verifies that someone is steering.
    I don't see that description changing with the latest rev.
     
    Leonid likes this.
  18. Sidney Vianna

    Sidney Vianna Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    127
    Likes Received:
    172
    Trophy Points:
    42
    ISO does not tell you how to steer the ship...it simply verifies that someone competent, with the necessary resources, is steering.

    It is possible (almost likely?) that some misguided external auditor will attempt to misuse risk assessment and mitigation as a way to [micro]manage an organization's system, doing monday morning quarterbacking and criticizing risk assessment decisions when and if the results were negative. Organizations should be very aware of this possibility and push back.

    Poor risk assessment should result in organizational knowledge lessons learned and potential changes on how to treat similar risks in the future. From that perspective, RBT does not provide external auditors with an open invitation to critique and criticize the registrants system and their appetite to deal with risks. If organizations were misled to believe that RBT mandatorily leads to risk aversion and a demise of innovation and disruption (as these have an inherent risk component), the business community would gradually distance itself from ISO 9001.
     
    Last edited: Feb 23, 2016
  19. Tony Wardle

    Tony Wardle Member

    Joined:
    Dec 3, 2015
    Messages:
    18
    Likes Received:
    15
    Trophy Points:
    2
    RBT isn't new .... as point out before.

    FMEA in a way, is identifying potential risks
    Measuring scrap or rework is an answer to the risks involved in producing a particular product in a particular way.

    The corrective action is the opportunity -

    When one solicits business - again there is a risk / cost consideration one does - how much should I spend to get the business and at what point is my BE point and what is my ROI.

    I think the standard is simply asking us to keep the decision making process formal and offer an explanation of how we came to the decision we ultimately followed.
     
  20. Paul Simpson

    Paul Simpson Member

    Joined:
    Aug 6, 2015
    Messages:
    41
    Likes Received:
    61
    Trophy Points:
    17
    I delivered a presentation to IIRSM members recently on the topic of 'Risky Business' and the slides and my notes are available for download here: http://www.iirsm.org/past-iirsm-events. I used a few current examples of decisions that failed to manage risk effectively and put forward a process based on a rail industry risk assessment and evaluation methodology that looks at risk and how you will look at how you manage the risk if it is realised.

    Let me know if you have any questions / comments.
     
    Andy Nichols and Eric Twiname like this.