ISO 9001:2015 Update Series:
Integrated-Standards.com has many tools to help you integrate ISO Standards in their existing
format, which will be simplified with Annex SL.
This is the next part of our continuing series on the ISO 9001-2015 revision. Our previous installments dealt with the general revision process and the new Annex SL underlying template being used for this revision and for other quality standards.
Making Risk Part of the Quality
Management Process
Preventing and correcting unwanted actions and outcomes have long been a part of ISO 9001, but it has been limited to specific elements of the quality management process. ISO 9001:2015 is about to change that.
As an organization, ISO has already addressed the notion of a more global risk management approach to businesses in its ISO 31000 standard, which provides an organizational-level risk management approach. ISO 31000 deals with crucial risk management concepts like:
Avoiding activities associated with a given risk
When to or not to accept risk when taking advantage of a key opportunity
Acceptable ways to remove a risk source entirely
Another example of ISO’s move into risk management is ISO 9004, which addresses many aspects of risk management such as including the needs and expectation of interested parties and risk's impact on strategy and innovation. Is ISO Risk Management Emphasis Really New?
But what about risk management at the individual standard’s level? Here too, ISO has essentially built whole standards around the concept of planning for and responding to risk. Key examples are ISO 14001 which in effect is a blueprint for dealing with environmental problems before, during and after their inception. The same goes for AS9100 which requires identification, assessment and communication of risks throughout product realization, identification, implementation and management of actions to mitigate risks that exceed the defined risk.
A Giant Risk That ISO 9001 2015 Could Have
Mitigated
The Northeast region of Japan has been the major supplier of key auto components, not only for Japanese car companies, but other automakers worldwide. After the 2011 earthquake/tsunami hit the area, Toyota, Nissan and many other producers were forced to halt production with resulting sales
declines of almost 20% for some. Dependence upon a small, but vital set of suppliers would be a major risk that the new ISO 9001 2015 emphasis on risk
mitigation would have required addressing.
And yet ISO 9001, perhaps the most broadly used management process in history, seems to have remained focused on quality management. And for many involved in the quality process from quality managers to consultants to auditors, keeping it that way preserves a unique and important focus within most organizations on keeping quality as high as possible.
ISO 9001:2015: Revolutionary or
Evolutionary?
The draft text of the ISO 9001:2015 revision expands the more limited view of trying
to find the "root cause" of a problem, then fix it and keep it from happening again. Instead, it elevates the idea of risk management into higher priority. It examines system-wide risks that can be concerns of a broader base that the organization may serve. This can include not only customers, but other "stakeholders" as well including employees, vendors, communities in which the company operates, unions, regulators and beyond. It also asks the company to balance the likelihood versus the impact of these potential events.* (So for instance the impact of a meteor strike is enormous, but the likelihood very small.)
But is the notion of charging a quality management system with the
responsibility of anticipating and responding to organizational such a major reach? Perhaps not if you view ISO 9001 previous involvement with risk management in specific areas of the standard, since clauses dealing with subjects ranging from human resources to purchasing seem to address it. (See the table below for some "indirect" examples of risk management included in the current ISO 9001:2008 revision.)
ISO 9001:2008
clauses Comments
5.6. Management review
Review should include an assessment of improvement opportunities and needs for changes in the quality management organization. One of the conditions of this review is to analyze changes that could affect the quality management system
6.2 Human Resources
By meeting the requirements to ensure the necessary competence, you can manage the risks associated with human resources.
6.3 Infrastructure
The provision and maintenance of infrastructure (i.e. buildings, equipment, information environment) needed to achieve conformity to product
requirements, would manage the risks associated with the control of infrastructure
7.2.2 Review of requirements related to the product
The requirement to review contract prior to its signing, including determining the organization's ability to fulfill certain requirements, significantly reduces the risk of default on contractual obligations in the future
7.3.7 Control of design and development changes
It is necessary to evaluate the effect of the changes on constituent parts and product already delivered.
7.4 Purchasing
Definition of criteria for evaluating vendors and their systematic evaluation reduces risks of the
vulnerability of organizations associated with the activity of suppliers and partners
7.5. Production and service provision
Provision of controlled conditions for production (i.e., availability of necessary information, instructions, equipment, measurement and testing, etc.) significantly reduces the risk of release of nonconforming products.
8.2.1 Customer satisfaction
Monitoring information relating to customer
perception as to whether the organization has met their requirements is an important element for the identification of risks associated customer
dissatisfaction, and hence the risk to the reputation / image of the organization and, consequently,
declining market share 8.2.2 Internal
audit Internal audits help to identify operational risks
8.5.3 Preventive action
The organization shall determine actions to eliminate causes of potential non- conformances in order to prevent their occurrence, i.e. to conduct risk assessment.
The new ISO 9001-2015 revision focuses on risk management at the organizational level. While this may seem a departure from a strict quality
management focus, there is ample focus within the existing standard on controlling risk to justify an expanded focus. Above are just some of the clauses that in effect mandate risk management, albeit for specific activities.
The new revision in its current draft form appears to expand these more tactical risk management elements into a more programmatic view.
How ISO 9001:2015 Will Ask You To
Manage Your Risk
Interestingly, the current working draft of ISO 9001:2015 no longer even mentions the specific term preventive action (although this may of course
change as the standard develops into a final form). This may be the first clue on how the revision aims to take risk management to a higher level by
assuming that a management system (and in this case a quality management system or QMS) is designed as a whole to prevent unwanted outcomes - and that this function of isolating potential risks is really also implicitly preventing them. In the draft, clause 4.1 requires your company to identify risks and ways to address them so that the QMS can deliver upon its objectives. Clause 6.1 does require a “traditional” prevention or reduction of unwanted outcomes, but more in a more global sense and at a higher priority level. The clause also asks the organization to consider opportunities, since many risks contain both "opportunities" and "threats." Essentially ISO 9001:2015 will likely ask organizations to do the common sense (but not commonly executed) task of asking and answering key questions such as:
How will the organization identify potential threats?
What are they ways to prevent, or reduce, undesired effects? How will the organization ensure that it can achieve its intended
outcomes?
Who will be responsible for ensuring that this process works correctly? When and how will the risk management actions be triggered?
What are the priorities and cost impacts of each threat?
Where could these threats come from, and who are all of the potential players that could help identify and deal with these risks?
How can such a system for dealing with these risks be evaluated, tested and kept up to date to ensure it will work when needed?
What The 9000 Store Is Doing
We're here To Help You Address Potential ISO 9001:2015 Risk Management Requirements
Since we are in the business of helping companies more quickly and more cost effectively gain and maintain ISO 9001 certification, we are planning
major revisions of our document templates, training, software and registration relationships to accommodate the risk planning features in the
new ISO 9001(2015) revision. We are also planning more education and updates on specific areas of the standard. If you have not done so already,
we encourage you to sign up for our newsletter series to stay abreast of these important changes.
In effect, 9001:2015 risk management asks the organization to establish an end-to-end process for risk management and then to execute that process consistently, carefully and widely. And while the process for creating and applying risk management may never be overly specific because of the need to apply in so many different situations, ISO has already provided a fairly rich reference set in this area including:
ANSI/ASSE Z690.1-2011 Vocabulary for Risk Management (U.S. Adoption of ISO Guide 73:2009),
ANSI/ASSE Z690.2-2011 Risk Management Principles and Guidelines (U.S. Adoption of IEC/ISO 31000:2009)
ANSI/ASSE Z690.3-2011 Risk Assessment Techniques (U.S. Adoption of IEC/ISO 31010:2009
How Risk Management in ISO
9001:2015 May Change Quality
Management
In a sense, quality management has always been about ensuring the output of a group meets a consistent, acceptable level. But this new emphasis on higher level risk impact may put quality management representatives (including organizational quality personnel, consultants and auditors) in the position of managing higher level business risks.
And where other planning is present (as perhaps in the case of larger organizations), that role may also include reconciling or integrating those other management systems around the risks identified through the new ISO 9001:2015 risk management process. (This may be even beyond current responsibilities for integrating multiple standards into areas of strategic business planning.) At whatever level the quality representatives operate, the increased emphasis upon higher level risk management may necessitate a broader perspective, increased organizational knowledge, and expanded skill sets. This may be in opposition to others who see the role of quality
management shrinking and being "subsumed" by other departments or functions such as engineering, human resources or financial management. For example, the growing dependence upon global suppliers and outsourcing of management functions, may shift the responsibility for assessment and accountability in these functions to the quality representative, since the risks associated with these functions could be one of the keys to creating and managing risk under ISO 9001:2015.
Questions That Remain About
Implementing ISO 9001:2015 Risk
Management
The objectives of injecting more risk management into ISO 9001 may be aimed at addressing a variety of management needs such as:
Moving to more of a data-driven decision process that increases objectivity
Being able to more accurately prioritize risks and allocate resources to mitigating them more successfully
Being truly preventative with respect to those risks that have the potential for greatest harm
Capturing, retaining and transferring organizational knowledge regarding risk mitigation as employees and managers change Broadening the knowledge base regarding risk and creating
However, because of the major shift that this approach entails, and because the revision is still very much a work in process, there are major questions and concerns regarding ISO 9001:2015 risk management as proposed including:
Will the inclusion of risk management make ISO 9001 (2015) more confusing and less likely to be applied and audited correctly either by the certification body or the registered organization?
How will ISO 9001:2015 risk concepts be harmonized and prioritized with those expressed in other standards such as ISO 31000 since they are to some extent unique?
Correctly implementing organization-wide risk management will likely require more internal authority and access than many quality
representatives currently hold; will the new standard including
anything to help quality representatives gain this access and resources Risk management may be a more abstract concept than other
elements of ISO 9001; will internal auditors, lead auditors and registrars be able to audit these concepts?
Other more mature risk management systems include processes for Governance, Risk and Compliance (GRC) and Enterprise Risk
Management (ERM) which are considered essential but are not yet included in ISO 9001:2015's risk management approach.
*Some "risk-based thinking" models also consider the potential frequency with which the threat can occur.
