1. Hello and Welcome to The Quality Forum Online...Continuing in the spirit of People Helping People !
    Dismiss Notice
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Question: Documenting A Risk Analysis Evaluation

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Malcolm Morriss, Nov 4, 2015.

  1. Malcolm Morriss

    Malcolm Morriss New Member

    Joined:
    Nov 2, 2015
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2
    I have referenced the requirement of a risk analysis evaluation in all of my applicable procedures. Do I have to document all of these risk analysis evaluation? Would the following statement meet the 9001:2015 requirements? “During this process all applicable risk are evaluated. This risk evaluation may or may not be documented.”
     
  2. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    630
    Likes Received:
    408
    Trophy Points:
    62
    Location:
    Laguna Philippines
    ISO 9001:2015 Annex A.4 specifies:

    Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

    Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.


    I don't believe that writing the above statement is necessary.
     
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,016
    Likes Received:
    1,053
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Before any answers can be meaningful, may I ask if you've considered and fully understood the "Context of the Organization"? This is a foundational requirement which will help you to understand if you should/shouldn't document something...
     
  4. Malcolm Morriss

    Malcolm Morriss New Member

    Joined:
    Nov 2, 2015
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2
    Thank you for the response. Does not the "shall" stated in 6.1 require an action in some state or form. In Annex A.4 it also states “Under the requirements of 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk”. My thinking is that I am now required to reference a risk evaluation statement in any procedure that may incur risk. In referencing a risk evaluation, an auditor is going to ask for evidence that this evaluation has taken place. I included the statement “this risk evaluation may or may not be documented” to avoid any problems. Quite frankly stating in Annex A.4 “Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process” only muddies the water for the end users and auditors alike.
     
  5. Malcolm Morriss

    Malcolm Morriss New Member

    Joined:
    Nov 2, 2015
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2


    I have reviewed section 4 and do understand the requirement. Now in 9001:2015 section 6 Planning it states that these meetings "shall consider" the issues in 4.1. Our company has already been including all the aspects of risk management and the requirements of our interested parties into our decision processes. We do not have a documented risk management system. We do have round table meetings that include all of departmental managers including safety and environmental. We discuss all applicable internal and external risks and also opportunities for improvement during these discussions. I am going to add the statement “During this process all applicable risk and requirements of our interested parties are evaluated” into all relevant procedures and leave off “This risk evaluation may or may not be documented". I will also be looking forward to long discussions with my auditing body concerning this subject.
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,016
    Likes Received:
    1,053
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Good deal, Malcolm. I'm guessing you're a small company, if you don't document your risk considerations (in some cases). One thing that will be potentially audited is the actions which come from the risk assessments - "what did you do about it", kinda thing.
     
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    630
    Likes Received:
    408
    Trophy Points:
    62
    Location:
    Laguna Philippines
    I would assume the statements above are going to be mentioned in a "documented procedure" or the "quality manual". Should you opt to write such statements, you may also consider having statements on "evaluating the opportunities". Since most, if not all, of the clauses in the 2015 that mention the word "risks" it comes also with the word "opportunities".
     
  8. Malcolm Morriss

    Malcolm Morriss New Member

    Joined:
    Nov 2, 2015
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    2
    I will be including this statement in all applicable documented procedures. Good point, I will also include a statement to reference "evaluating the opportunities". Thank You.
     
    tony s likes this.

Share This Page