1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. Hello and Welcome to The Quality Forum Online...Continuing in the spirit of People Helping People !
    Dismiss Notice
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

What is the best way to approach risk management for our company?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Nikki, Sep 25, 2015.

  1. Nikki

    Nikki Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    236
    Likes Received:
    134
    Trophy Points:
    42
    Location:
    Maine
    Hello All -

    Soon we will be purchasing the newest version of the ISO 9001 standard. I've been well informed that Risk Management is going to be a huge focus. I have not had any training in risk management and we are, at this point, playing it by ear - gap analysis, etc.

    I inquired about the risk management approach with a very good resource and I asked, "What is the best / easiest approach to start the risk management process?" I was told to basically make a list of everything that could go wrong and come up with Plan B's in the event that they happen.

    We are medical plastics compounder. Basically, we compound the plastics (every type you can think of) to the customer's specification. They are produced in pellet form and then sold to medical device companies. The pellets are molded into medical devices or extruded into catheters.

    So what could go wrong?

    • An extrusion line could go down / damage / not work
    • We receive a large order that exceeds our capacity
    • Damage to the facility (already covered)
    • We experience a high turn-over rate suddenly
    So is the right approach? Should I be looking at this from a different POV??

    I know it will take time, but I want to make sure I am doing this in the right manner.

    Thanks in advance for any help!

    -Nikki
     
  2. equilibrium

    equilibrium Member

    Joined:
    Aug 10, 2015
    Messages:
    32
    Likes Received:
    26
    Trophy Points:
    17
    As I understand it, identification of risks is really only step one. There also needs to be an assessment, which is to ask how big or small a threat each risk is. This is judging the likelihood of a risk occurring. Finally, each risk is prioritized as to how much impact it may have. This gives an idea of what order these risks need to be addressed in forming a contingency plan, which is a fancy way to say "if this happens, then we will take these steps."

    This may be an oversimplification, but in many cases simple works. If you find you need to expand upon it later, at least the basic structure is already there.
     
    Nikki likes this.
  3. Nikki

    Nikki Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    236
    Likes Received:
    134
    Trophy Points:
    42
    Location:
    Maine
    Thank you very much Equilibrium :)
     
  4. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    169
    Likes Received:
    117
    Trophy Points:
    42
    A fishbone diagram is helpful for this as it covers the outside factors as well - the 6M's, Manpower, Machines, Mother Nature, Methods, Materials, Measurements -
     
    equilibrium and Nikki like this.
  5. Nikki

    Nikki Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    236
    Likes Received:
    134
    Trophy Points:
    42
    Location:
    Maine
    Thank you :)
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,638
    Likes Received:
    837
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Risk management isn't, but "risk based thinking" is! I use my photo to demonstrate "RBT". Unlike some folks, I don't care to put my welfare in the hands of people I don't know... So:
    • I wear a full face helmet
    • My clothes are all EU padded, even the jeans which also have Kevlar sewn into them. I wear this or something similar every time "ATGATT"
    • I attended an MSF foundation course and will sign up for the advanced course next year.
    • I've got 40 years of driving experience in many countries, different vehicles and terrains. I've studied the British Police motorcyclist's "bible".
    • I've added louder horns
    • I've studied and can tell you the typical reasons for motorcycle accidents and where to position myself in the road, look for escape routes in the event.

    None of this is written anywhere by me - I can show someone what I researched etc. I understand the risks and, importantly, the opportunities presented. I LOVE riding my bikes...
     
    Nikki, Alpine and Ganesh Sundaresan like this.
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    479
    Likes Received:
    275
    Trophy Points:
    62
    Location:
    Laguna Philippines
    However, most of us would expect CB auditors to look for documentation on "risks and opportunities".:(
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,638
    Likes Received:
    837
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Why? Surely, it's going to be based on the "context of the organization"? I didn't write it down because my risk and opportunities are personal. In a small organization, it might not be needed to commit risks to paper. However, as the size of the organization grows, products become complex etc, then yes, writing it down may well be necessary for risk treatment purposes etc. But to flat out accept that auditors will expect it to be documented is capitulation to the old school world of doing things to please auditors...
     
    Nikki, Somashekar and tony s like this.
  9. Ronen E

    Ronen E Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    133
    Likes Received:
    70
    Trophy Points:
    27
    Nikki,

    Since you're in the medical devices industry, you could make good use of ISO 14971. It provides a very comprehensive and detailed risk management process, with lots of examples and built-in guidance (there's also 24971 which is a guidance for the implementation of 14971, but in my opinion you could do without it).

    ISO 14971 would not normally / directly apply to your type of org, so you don't have to document aything, or even follow everything, but it will give you a very structured approach which covers all the critical factors.

    Cheers,
    Ronen.
     
    rob73@work and Nikki like this.
  10. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    Let us not overreact to risk based thinking (not in capitals) and certainly not overdo things. How about just pulling out the existing procedures or practices (where there is no documented information) and examine the checks and balances already available in it. Be there a loophole that can breakdown the system and therefore achieving our Objectives is at stake, let's plug it. Honestly I guess a mere brainstorming will do.
     
    Raffy, Nikki and Andy Nichols like this.
  11. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    637
    Likes Received:
    190
    Trophy Points:
    42
    We already have a documented HSSE Risk assessment. I will just add the process Risk to it.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,638
    Likes Received:
    837
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Do you mean your process owners will do this? Please don't overlook the fact that ISO 9001:2015 doesn't HAVE a management representative to (in part) stop one person doing all the work...
     
    Nikki and Jennifer Kirley like this.
  13. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    584
    Likes Received:
    425
    Trophy Points:
    62
    Location:
    USA
    I agree with Andy that the clause "context of the organization" applies, and I would add "relevant" which is determined via the organization's self definition of its context.

    Where the standard requires documented information, CB auditors can be expected to ask for it. Otherwise, the expectation is to "demonstrate" which can be accomplished with (one or more of) documentation, observation and interviews. If your auditor is insisting for documentation that is not required, you have the right to dispute if a resulting nonconformity is issued. Like kids and puppies, auditors who get it wrong should be corrected as soon as possible. For that reason (and I expect some auditors to misinterpret the requirements) I hope to see clients exercising their right to dispute.

    There is an idea out there that everything will need to be written down. But if you have identified risks to success through faulty raw materials, mis-processing, incapable operators and poor handling during shipping process, you can establish controls to manage outcomes in these things and a means to know it's working. Do that and it's pretty obvious you have addressed risks... we don't need to be hit over the head to absorb facts, but it would be helpful for client organizations to develop a comfort level necessary to walk us through how you've determined and addressed risks.

    Opportunities can be harder to identify. They are considered the positive side to risk. Machine maintenance can help ensure ship dates are met, but can also avoid time consuming repairs and replacing costly parts. A consultative approach to communicating with employees can help the flow of improvement ideas from the "trenches" to levels where resources are allocated, but they may provide the added benefit of reducing turnover and recruitment costs among demographics in which employees like to have some say in how their work areas are managed. Projections for both of these types of prevention can't be pinpointed specifically but should still be recognized as what we could call collateral benefits.
     
    Last edited: Sep 27, 2015
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,638
    Likes Received:
    837
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It can't be too difficult for an auditor to (begin to) ask: "What's the process?" then expand on things like what are the objectives, how do you measure it and control it, and did you identify any risks which can impact achievement of those objectives. It's NOT rocket science...
     
    Jennifer Kirley and MCW8888 like this.
  15. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    637
    Likes Received:
    190
    Trophy Points:
    42
    Thank you Andy. Since everyone is familiar with the HSSE risk assessment, we are using the same format and each process owner will have to conduct a risk assessment of the activities that they do. Do you have some suggestions in mind? I know there is no management rep, but someone has to be the administrative assistant to senior management (aka top management).
     
  16. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    637
    Likes Received:
    190
    Trophy Points:
    42
    Thanks for your suggestion. Sometimes we overlook these things.
     
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,638
    Likes Received:
    837
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Jennifer has given an excellent example. What about "key equipment" in the manufacturing process? I walked the line with a client and found that a simple assisted lift was an item of key equipment which could shut the production down if it wasn't maintained (simple enough to do) and no-one had thought about it. There was no work around available, either.
     
  18. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    169
    Likes Received:
    117
    Trophy Points:
    42
    "None of this is written anywhere by me - I can show someone what I researched etc. I understand the risks and, importantly, the opportunities presented."

    I agree with you Andy, but it has been my experience that while CB auditors are being referenced here, most of our audits are from our customers, and their auditors are generally less skilled and more checklist oriented. I fully expect to have to document all risks in triplicate, and there is not much arguing you can do with your customer, unless you really no longer need them as a customer.
     
  19. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,638
    Likes Received:
    837
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Excellent point HHF. So, in that case, we can tie back to the "context of the organization" once again and show why it was decided to write this down as "documented information"...
     
  20. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    488
    Likes Received:
    560
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Nikki,

    Did you come up with the list on your own? Did you come up with these Plan Bs on your own? Do you feel competent, qualified and comfortable with the outcome? Is "Nikki made a list" the risk management process? ;-) Don't get me wrong. I think you've captured a good solid few points in your list, but they are very internal to your organization.

    What about risk management from a Customer's perspective? As you said, you compound the plastic to the Customer's specification. Yet, what if quality checks don't catch a flaw and there's a need for recall? Or what if the Customer's spec is wrong for the application?

    I'm surprised no one has mentioned FMEA, yet. In my opinion, it gives you a solid starting point for determining where you want to start auctioning possible risks. Granted, the scope creep on it can be extreme if you don't clearly define the borders. What about FMEA sessions with the process owners for each process?
     
    Raffy, Emmyd, rob73@work and 2 others like this.

Share This Page