How to evaluate the effectiveness of actions to address these risks and opportunities

Hello all,

Anyone can help to explain more on 6.1.2 (b)(2) and the example of evaluation method?

6.1.2 The organization shall plan

b) how to:

2) evaluate the effectiveness of these actions.

 

This section deals with planning, risk identification, and the steps which are taken to mitigate risks which are identified.

As an example, the team identifies a risk of not being able to run the production line due to a compressor breakdown (low air pressure).
The preventive action is to partner with a supplier to have a portable compressor available for rental if required. In addition, the preventive/predictive maintenance schedule for this piece of equipment is enhanced to be more frequent/in depth.

To evaluate this, you would first look to see if there WERE any occasions where the compressor broke down, and if so, what was the cause?
Without a breakdown, you can still review the existence of a contract with the supplier (and confirm that the supplier still actually is in business (had that happen to us once). Also review the maintenance PM/PM records, and confirm that the planned schedule and actions are being adhered to.

You don't need to make it complicated - it is up to YOU to determine how you will evaluate the actions taken.

 

Hi
I work in a company that manufactures bicycles.

Can you share an example of risk analysis regarding the risks that may occur in the processes of bicycle production?

 

While ISAac has his third law which is "for every action, there's an equal and opposite reaction", ISO has it's own law which is "for every action, evaluate its effectiveness". This requirement is mentioned in:

• 6.1.2 - if there's action to address risk/opportunity, evaluate its effectiveness;
• 7.2 - if there's action to acquire the necessary competence, evaluate its effectiveness; and
• 10.2.1 - if there's action to address a nonconformity, evaluate its effectiveness.

The word effectiveness is defined by ISO 9000:2015 as "extent to which planned activities are realized and planned results are achieved". So, when evaluating effectiveness, gather information on whether the "planned activities" are realized and whether the "planned results" are achieved.

For the "planned activities": Check whether the planned actions to address risks/opportunities are implemented as planned. Were they completed in accordance with the target dates? Do the concerned functions that were tasked to implement the actions carry them out accordingly and properly?

For the "planned results": Since risk is better defined by ISO 31000:2018 (Risk management - guidelines) as "effect of uncertainty on objectives" and objective is defined (by ISO 9000:2015) as "result to be achieved" - check whether the objectives or expected outputs of the process or the organization that are supposed to be affected by the risks/opportunities are being achieved. See example below:

 

Can you point the requirements in the standard that says "quantify" the effectiveness? The standard only mentioned evaluate the effectiveness. Where does quantification come in?

Can you help us understand how? So, we can help people in this forum to "avoid unnecessary complexity in this subject".

 

Yes, I agree.

I agree also.

If quantifying effectiveness adds value to it. I guess I've read this somewhere: "(when it is appropriate and possible - sometimes purely Preventive actions are difficult to quantify as there is no quantifiable baseline, but a subjective assessment can be made)".

 

No worries @Jennifer Kirley. I really learn a lot from the exchanges in this forum. Thanks also for sharing your knowledge and experience.

IMHO qualitative or quantitative indicators are more suitable for review/evaluation of performance (9.1.3c and 9.3.2c). For review/evaluation of effectiveness, I usually stick to its definition (3.7.11 of ISO 9000) and would prefer to obtain data/information on whether "planned results are achieved" and whether "planned activities are realized".

 

Hi, you can quantify and measure the effectiveness of actions to address risks and oppos, if the actions taken are completed, then they are closed off and to verify if the actions is effective, common practice is to monitor the actions for say 90 days, and if the problem/ issue does not happen again, we can say it is effective otherwise it is not.
Effectiveness can also be measured using the kpis of the process, which tells you how effective you are running your process.

 

Although organizations may adopt this approach, the standard requires "evaluation of effectiveness" - not "quantify and measure effectiveness". According to the ISO 9000 Glossary, the word "evaluate", which is a verb, means "judge".


IMHO when we judge, there are at least 2 results. For example: either guilty or not guilty, pass or fail, accept or reject, etc. In management systems audit, the "result of the evaluation of the collected evidence against the criteria" can indicate either conformity or nonconformity (see 3.10 of ISO 19011).

When evaluating effectiveness I will need to gather information to determine whether the planned results are achieved or not achieved and whether the planned activities are realized or not realized. In gathering these information, I may need to obtain and analyze data from monitoring/measurement. The result of my analysis (meaning "detailed determination" as per the Glossary) will now be used for evaluation (see clause 9.1.3).

 

I take your advice on board, thanks