Risk Based Thinking – And ISO 9001:2015
Tuesday, 15 September 2015
ISO 9001:2015 moves risk based thinking from a "should" or a good idea to enhance a QMS to a "shall" requirement. Both ISO 13485:2003 and AS9100 require users to address risk in Section 7 of their respective standards.
A good way to look at risk and to address risk is by utilizing the PDCA cycle - Plan, Do, Check and Act.
PLAN ( Section Numbers from ISO/FDIS 9001)0.3.3 Risk based thinking (Informational note)
Annex A - A.3 Risk Based Thinking (Informational note)
4.2 requires an organization to define the interested parties that have risks and/or opportunities.
4.4.1 QMS and Processes ( f ) address risk and opportunities in accordance to 6.1 (shall requirement)
5.1 Leadership and Commitment (d) promoting the use of risk base thinking
5.1.2 Customer Focus ( b ) risk and opportunity that effect conformity of products that can impact customer satisfaction are determined and addressed
6.1 During planning cycle, actions to address risk and opportunities must be determined.
6.1.2 The organization shall plan (a) actions to address these risks and opportunities
Summary – risk is always followed by opportunities in ISO 9001:2015. At the conclusion of planning, areas of potential risk and opportunities shall be defined and method for maintaining the status of current risk and opportunities.
Understanding needs and expectations (4.2) of interested parties is also part of the plan. This group could include customers, external providers (suppliers and outsourced processors) along with regulatory bodies, automotive, aerospace, and medical devices, if applicable.
DoSection 7 - Support
Section 8 - Operations
Summary - both sections generate records which can be used to evaluate risk and opportunities, but the word risk is not used in these two sections.
Check9.1.3 Analysis and evaluation ( e ) - the effectiveness of actions taken to address risk and opportunities.
9.2 Internal audits conforms to the organization's QMS, requirements of the standard, and is effectively implemented and maintained
9.3.2 Management review ( e ) the effectiveness of actions taken to address risk and opportunities.
Summary - this section reviews the actions that have been determined in the planning portion of ISO 9001:2015 and addresses effective planning and implementation of controls for interested parties such as customers, suppliers, and regulatory bodies.
Act10.1 Improvement - organization shall determine and select opportunities for improvement and implement actions to meet customer requirements.
These shall include (b) correcting and reducing undesired effects (risk)
10.2.1 Nonconformity and corrective action ( e ) update risks and opportunities determined during planning , if necessary.
Summary – Section 10 describes mandatory improvement A general statement (10.1.1) discusses reducing undesired effects. 10.2 addresses non-conformity and corrective action and the importance of updating any planned activities following corrective action.
ISO 9001:2015 is calling for risk and opportunities to be integrated throughout the QMS system. Risk addresses the product, but also can be applied to management opportunities for more business.
Example - a Michigan-based company purchased an electronic system from another major auto supplier for $700 million dollars. This is both a financial risk and an opportunity. If the company is successful, then it was a good decision to purchase the system and the opportunity was successfully implemented.
If the company was not successful, the decision to purchase could result in a risk to the company's financial future resulting in a limited return on investment.
Another example might be a two piece shell or container that has 10 holes used by the customer and 4 holes used by the organization to build the shell. The customer is complaining that some of the holes are not there or plugged with flash.
Error proofing is the discipline most companies will use to solve this type of problem. A fixture is used to check for the 14 holes important to both the customer and the manufacturer.
If the organization places this error proofing device in the machine used for assembly and connects it electronically so that the parts are probed prior to assembly, this solution will allow for the customer to receive 100% of the parts with all holes open.
This enhances customer satisfaction and the electronic probe prevents the organization from creating scrap. Some rework might be generated, but none of it will reach the customer. This is a good example of risk reduction and improving customer satisfaction. It is also an example of risk based thinking.
This example of "error proofing" has in the past been considered a preventive action and addressed in ISO 9001:2008 Section 8.5.3. Preventive action is not going away with the 2015 revision of ISO 9001. It is now renamed risk management or risk based thinking and pushed to the forefront of an organization's quality management system.
As organizations bring their existing QMS up to speed, they will want to capture internal and external risk issues and apply risk based thinking to ensure risks are addressed, and reduced or eliminated. This would apply to risks to the customers as well as risks from suppliers. An organization's existing metrics might demonstrate an effectively implemented risk thinking process.