When risk is detected, should procedures of processes have to be modified?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Qualmx, Jul 19, 2017.

  1. Qualmx

    Qualmx Well-Known Member

    Oct 7, 2015
    Hi everybody

    I have two questions, hopefully you can help me.
    I have 9001:2008 and I am starting the implementation of the 2015.
    I have already identified the risks of each process and have created a list of risks and have defined the mitigation, residual risk and the follow-up.

    I have two questions:
    1 - In the existing procedures, is it necessary to change something? That is, modify it? Or at least refer to the list of risks?

    Example: if in the Sales process I have detected as a risk the loss of an important customer, well, I already measured its impact and the mitigation is a plan to contact other customers and also will do the follow-up, but is it necessary to refer to all this in the sales procedure? I mean to modify the procedure "because of a potential loss of a client, it is necessary......."

    2 - Can only opportunities be detected and managed or should the risk always be detected and on this the opportunities?

    That is to say, must the detection of an opportunity always be accompanied by the detection of the risk?

    Thanks for your inputs
  2. Nick1

    Nick1 Member

    Jan 27, 2016
    Hi Qualmx

    I don't see why you would have to change anything. You can use your risk register to point to the procedure. Don't see a reason why you should do the opposite; of course you can do it. However, if you do something in an existing process to mitigate a certain risk, you should change it. Like adding an additional check to the offer procedure to make sure you offer what the customer asks for. Then you should change the procedure.

    Every opportunity embeds a certain amount of risk. Like hedging against currency fluctuation. This might be an opportunity and a risk at the same time. The same is true for going after some big projects. The big projects are a huge opportunity to the company but they also embed risk like cash-flow issues. In the end it depends how extensive you want your risk register to be.
    Qualmx likes this.
  3. tony s

    tony s Well-Known Member

    Sep 10, 2015
    Laguna Philippines
    No, not necessary. Normally, since you've already documented your procedures (due to certification to ISO 9001:2008), most of the actions to address risks are already included in the existing procedures. You might document risks in a register but IMHO most of these risks are already being taken care of by your controls mentioned in your existing procedures. As a "living document", if your risk register captures/identifies new risks and new actions/controls, this may trigger updating of your existing procedures.

    Yes and No. Yes, you can identify opportunities even without identifying the risks. No, you are not required to identify risk/s on every opportunity.
    Janene and Qualmx like this.