1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. Hello and Welcome to The Quality Forum Online...Continuing in the spirit of People Helping People !
    Dismiss Notice
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Register of Risks, live document?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Qualmx, Sep 9, 2017.

  1. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    140
    Likes Received:
    15
    Trophy Points:
    17
    Location:
    Mexico
    Hi all
    I wonder hoe to manage the Register of Risks, regarding as to how to have evidences of risks analized.
    It could be the Register of risks a "live" excel file, where is mentioned the risk, responsible, risk value, action plans, severity,etc.?

    But at managing the risks, it may be moved/modified data of risks, and could not be well traceable.

    Would not be better in practice to have general data in the "live" excel, only the number of risk, the the description of the risk, and general values, and have an additional data sheet of every analized risk?

    In this sheet, it could be an Amef, Decision tree,fishbone analysis, describing the detail of the risk, the values, the severity, the responsibles, the calculation of the risk Impact =PxI,etc.
    This data sheet it could be stored as a PDF file in the network.

    In practice What documents/format are recommended to have the risk documented?
    and which of them could be "live" documents and why?

    Please share your comments, thanks
     
  2. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    431
    Likes Received:
    252
    Trophy Points:
    62
    Location:
    Laguna Philippines
    Your approach in addressing risks and opportunities may not be the same as the other QFO members' approaches. I'm afraid they cannot specifically provide you the answers you are requesting. Anyways. My approach in RBT primarily happens during our planning processes. When we had the strategic planning, we made use of the SWOT Analysis to establish our strategic directions. For our operational planning, we used a tool similar to FMEA but without the rating and computation of the priority number.
     
    Qualmx likes this.
  3. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    140
    Likes Received:
    15
    Trophy Points:
    17
    Location:
    Mexico
    Thanks Tonys
    But, how do you rate your operational risks? Including those where you use fmea?
    Dont you do an analysis for each risk detected?
    Could you explain a little bit more?
    How do you evidence risk thinking?
    Thanks
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    431
    Likes Received:
    252
    Trophy Points:
    62
    Location:
    Laguna Philippines
    For each process, we determine risks and opportunities and the actions to address them. The actions are then integrated into the controls for the process being analyzed. Some actions will be reflected into the documented procedure. We don't need to analyze the level of risks in terms of severity, occurrence and detection like in FMEA in manufacturing. There's no requirement to analyze the level of risk, ISO 9001 only requires to determine. Below is a sample of the tool we use to determine risks/opportunities and actions.
    upload_2017-9-12_21-16-41.png
     
    MCW8888 likes this.
  5. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    140
    Likes Received:
    15
    Trophy Points:
    17
    Location:
    Mexico
    Thanks Tony,
    1- Im implenting a criteria PxI, probability x impact, additonally a fishbone to detect causes, then apply action plans.
    Muy business Is small, 60 people, not risky, do you think it Is worth the time/effort for this method?
    Do you have a procedure for the risks addressing?
    Pelease, feed me back
    Thanks
     
  6. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    140
    Likes Received:
    15
    Trophy Points:
    17
    Location:
    Mexico
    Other point, if dont rank risks, what criteria do you follow to prioritize them?
    Which to discard and take?
    Thanks
     
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    431
    Likes Received:
    252
    Trophy Points:
    62
    Location:
    Laguna Philippines
    No need for prioritization for us. We only need to determine and ensure actions are taken to address them.
     
  8. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    140
    Likes Received:
    15
    Trophy Points:
    17
    Location:
    Mexico
    Tony, thanks again

    Dont you think your approach it may result short in benefits compared to implement an approach where probability and impact is measured?

    Please give your comments regarding my approach, do you see that really will it help an organization?

    As I told you , is a small organization, and products are plastic bags and boxes.

    Im afraid that could be to add some task to people additionally to what they have.
    and considering that the standard, only asks RBT.

    Have you have any experiences in other companies?

    Thanks
     
  9. Nick1

    Nick1 Member

    Joined:
    Jan 27, 2016
    Messages:
    46
    Likes Received:
    17
    Trophy Points:
    7
    Hi Qualmx,

    We have seen this issue with some of our customers as well. You can always link your actions of the actionlist to parts of particular risks and track it like this. We wrote a small on article on what to do when the initial risk assessment is performed.
    http://blog.qooling.com/risk-assessment-done-now-what/
     
    Qualmx likes this.
  10. Qualmx

    Qualmx Well-Known Member

    Joined:
    Oct 7, 2015
    Messages:
    140
    Likes Received:
    15
    Trophy Points:
    17
    Location:
    Mexico
    Thanks Nick1

    Very interesting article,
    I wonder if the Risk treatment plan yo mention could be the same I have, Im thinking in a(Register of risks).
    Into it, Im registering the risk, the source, the value of risk, the mitigation plans with due dates, and responsibles, so when I want to see whats new on risks, I check out this excel file.
    Additionally I have a like a technical sheet, (excel file, where I do the analysis PxI, also use a fishbone to find root causes, this is done for every risk detected, this way when we wanted to know which criteria was followed, well I have this evidence.
    Maybe it is somewhat demanding for the people in my business, lets say regarding to risk assessment from 1 to 10, Im in a value of 3.
    1 is zero analysis, no value calculated, 3 like me, and 8 or 9, using FMEA ,decision tree and so on.
    Thanks for your input.
     
  11. Nick1

    Nick1 Member

    Joined:
    Jan 27, 2016
    Messages:
    46
    Likes Received:
    17
    Trophy Points:
    7
    The plan could be the same or you can just distribute tasks to people. Cause you mitigation plan is probably a list of actions right? If that is the case you can manage the tasks lists and when they asks of a certain risks are all done you can adjust the risk level appropriately.

    Regarding resetting the action risk value P*I you can just talk with them why they think the risk changed and talk it over with them. Yes you can use a root cause for this but is there always a root cause to a risk? I don't know to be honest. Is there a root cause to the risk of fire. If it has happened there is a root cause but is there a root cause to the risk itself?
     
  12. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    431
    Likes Received:
    252
    Trophy Points:
    62
    Location:
    Laguna Philippines
    Since we don't bother ourselves to assess the level of risks like what your organization has opted to do, all risks/opportunities that we identify are acted upon - regardless of level. When we create or revise procedures, each procedure is required to have this ROA (risks/opportunities and actions) analysis. It has the same concept like preparing an FMEA before a Control Plan. All the controls that are or will be incorporated into the procedure are captured in our ROA Analysis form. The form is a "living" document and can be updated anytime new risks/opportunities are identified by the process owners. Occurrence of nonconformities can also trigger the update of the ROA Analysis form. The updated ROA form can be used as one of the basis for initiating change in the procedure/process.
     

Share This Page