Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Nikki, Sep 25, 2015.
I mentioned ISO 14971, which mentions FMEA. As I wrote, it's comprehensive.
I'm not really an expert in the ISO9001 risk management like the others here. I just thought I would give some general thoughts.
Imagine you're driving down the road and your car starts acting funny. You'll pull over to the side of the road. What do you do?
Do you call a significant other? Why? Can they fix it? A wrecker? Do you have AAA? Is the car in warranty? Do you have to contact the mfg.?
Basically, you would need to have a gameplan: If this occurs, here is what I will do.
I would engage all the individuals in your Supply Chain, starting from Raw Materials to shipping finished goods to a distribution warehouse. It's asking "What if?" and assessing the associated risk. Then, your organization either has a game plan, or accepts the risk and will deal with it when it comes up.
I'm in Texas; getting hit by a tornado had better be in business Risk Management plans. However, in other states where such natural disasters are rare, there might be less of a plan.
The Resource has a link to a Risk Planner which is based on ISO31000. That might be a start.
We are using Bow Tie for HSSE so all I need to do is add an element of Quality.
Just want to share my thoughts on risk-based thinking. IMHO risk assessment should be factored into the following processes:
when the organization convenes during their strategic or business planning (SWOT and other Risk Management tools can be used);
during design and development of new products, services and processes (FMEA is useful for most companies, for ISO/TS companies they don't have a choice, for the food sector they have HACCP);
in identifying the necessary controls to prevent illnesses and injuries to ensure a "suitable environment" as specified in clause 7.1.4 of ISO 9001:2015 (job hazard analysis or HIRAC is useful);
in ensuring companies are environment friendly (Aspect/Impact ID and Assessment should be carried out);
in identifying controls to ensure Business Continuity (labor problems, equipment failure, alternative site, man-made and natural disasters should be considered);
whenever there are changes in the existing controls (a procedure for Management of Change should be considered);
when we introduce corrections or corrective actions (identification of the "residual risks" or the remaining risk after treatment can be considered);
when auditing the processes (auditors may check if there are controls in place on the risks that may occur in the realization of their processes, if not available then OFIs can be identified)
Just my two cents.
What are you trying to determine the risk of? lack of Business continuity? Not meeting customer specifications? Changing the production process? Introducing a new product? Bringing a process in house?
I would say that you need to assess risk from a certain perspective. I wouldn't worry too much about going back in time to assess risk, but going forward it should be taken into account. Business continuity is one that is easy to look at without a change in process, but it sounds like you feel good about that one.
How about customer specs? Or maybe receiving policy and risks of contaminated product.
Determine that first, then start a list of possible failures.
My understanding is that we needed to examine the risk of EVERYTHING.
Nah, not really. If we keep the focus on product quality and your ability to satisfy the customer, you can draw a narrower focus.
Great! Thanks Andy and everyone
I would agree with that from possibly a quality-requirement standpoint. However, I would caution against having that as the only risk assessment from an organizational perspective. Things can (and will) happen and random variance affects all organizations. The difference though, is having something of a game plan, instead of being caught totally unaware and standing there in shock.
True, Brad. However, you can get into "mission creep". Even with a narrow product quality focus, it can still be quite "all encompassing" to consider risks since what an organization does to satisfy customers is a substantial part of their corporate life. In answering Nikki's comment "everything", it certainly isn't (from an ISO 9001 compliance perspective - the reason for this thread) everything which has risk attached to it. It has to be considered in the context of the organization. I can see the beauty of this requirement, now, in terms of it helping answer a lot of these (seemingly) imponderable questions. Go back and understand the context of the organization and that will help define the risk "boundaries".
In my opinion, the best approach is to study each operational (business) process you have in your organization and analyze how each one of them can impact product conformity to requirements and customer satisfaction. Within such processes, I would then assess what can go wrong (e.g. via a process failure mode analysis, once again, from the perspective of product conformity to requirements and customer satisfaction) and improve the processes, via mistake proofing and appropriate checks and balances, to minimize the chance of nonconforming products being purchased, designed, produced, inspected and shipped. By improving the processes in a way that minimizes "quality/cust. sat." problems, you are fulfilling the RBT aspect of ISO 9001:2015, which, according to the standard's authors, is very similar to the old "preventive action" requirement.
As for the breadth of risks you should be concerned with, Andy is correct. From an ISO 9001:2015 perspective, the risks we need to concern ourselves with are product conformity to requirements and customer satisfaction risks and, depending on your interested parties, something along this line.
However, as any business has to concern itself with MANY other types of risks, such as occupational safety risks, financial risks, information security risks, environmental risks, etc., FROM a business perspective the "quality" risks are an important, but just a fraction of the whole enterprise risk scenario.
It is going to be important to understand risk and opportunity, and the effect that the risk of an event happening has on other aspects of the business.
To Sidney's point, a poor quality product escape will have an effect on finances and, potentially, your reputation. If the org. looks at reputation first, it's going to be tougher to deal with than the other way around.
I think if you frame the requirements for Risk assessment solely in terms of "compliance perspective", you can end up with a very myopic, "do just what we need to do to get by" approach.
If the reality of the situation is that "Bob" gets put in charge of Risk and has to do everything on his own, certainly a minimalist approach is needed. So Bob focuses on "the main things".
However (as an example), no one ever thought about the shipping lady, the only one who can drive the forklift. She left. Now, no one can figure out how to even start the thing, let alone have the proper certifications and operate it correctly.
No one ever gave any thought (a second example) to their B vendor. After all, they've been using B for years. But for some reason which no one knows, they up and close their doors one day. Now... you're at least three months researching, qualifying, and negotiating for a new vendor.
Hopefully the organization has a good understanding of their processes, including having them mapped. If this is the case, the organization can run what-if/simulation exercises around those processes to first 1) determine those critical elements that do contribute to their core competencies (context of the organization), and then 2) assess criticality/impact, etc.
I belabor this point not to muck up the water regarding the ISO element. Y'all are way more knowledgeable than I on that. What I'm saying is that we must try to walk a tightrope by doing just what is needed for compliance satisfaction, while also trying to install a more open Culture in the organization to ask "what if". That way key personnel throughout the organization are encouraged to identify some potentially critical areas. If this culture is not created and cultivated, no one will care about Risk, and it becomes "quality's responsibility; something they do".
I've received some pretty enlightening responses simply by asking "what would happen if 'this' broke?"
Excellent stuff Brad - so let's try this. Let's look at the "context of the organization" for the answers to the point you raised. Are some organizations just doing this to comply? Because that's where they are in life? Haven't reached a point of maturity? Just doing the best they can to meet what the customer wants. Not rocket scientists, kinda thing? Wouldn't they have a simple compliance based focus on risk? Let's not overlook the point that there are plenty of organizations still doing 1994 ISO 9001 stuff, but got a certificate. What are THEY going to do? It's the old story of the poor kid in the band carrying the euphonium slowing everyone down!
Great points, Andy. Something certainly for me to think about. This is why I think you folks hung the moon. You challenge the status quo, and challenge me to think and view things from a different perspective. There is something new to learn every day, and today is no different.
The approach to risk management is hidden within the standard. The clue is Risk Based Thinking.
But just this RBT is a non starter.
So first, go to your organization context.
Understand it? How?
Pick your interested parties. Customers / Suppliers / organization people / others as relevant to the organization.
List out each parties needs and expectations.
Is the organization now meeting all the needs and expectations ?
You will find aspects, like Being met OR Partially being met OR Not met.
Evaluate risks to the organization in cases of Partially being met OR Not met, which are the impacts of your aspects.
Plan actions and Prioritize actions.
Focus on product quality / service quality and customer requirements / expectations, with emphasis on relationship management
You are almost there. Now follow the PDCA
Excellent description, Soma! This is the kind of analysis which is missing from those posts in another group (not here) where people are nay-saying risk based thinking! They are singling it out for criticism as being "unauditable" etc., when it is auditable if it's approached in the manner you've described, or something very similar.
A stakeholders analysis perhaps.
The real world business risk based thinking ...
This is awesome! I shared it with my team.