ISO 9001:2015 Risk Based Thinking

Pierre Servan

Factor Quality, Inc.

October 30, 2015

Agenda

• Definitions and Understanding of Risk Based Thinking

• ISO Requirements • Context of the Organization

• Actions to address Risk and Opportunities

• Other sections

• Tools that may be used

Framing Risk within ISO 9001

• Main objectives of ISO 9001:

• to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services

• to enhance customer satisfaction

The concept of “risk” in the context of ISO 9001 relates to the uncertainty of achieving such objectives.

The concept of “opportunity” in the context of ISO 9001 relates to exceeding expectations and going beyond stated objectives.

What is Risk Based Thinking

• Risk-based thinking is something we all do automatically and often sub-consciously to get the best result

• The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system

• Risk-based thinking ensures risk is considered from the beginning and throughout the process approach

• Risk-based thinking makes preventive action part of strategic planning

• Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk

Justification for RBT

• Successful companies intuitively take a risk-based approach because it brings benefits

• To improve customer confidence and satisfaction

• To assure consistency of quality of goods and services

• To establish a proactive culture of prevention and improvement

Risk based thinking in the QMS

• It is applied across the QMS taking into consideration the “context” of the organization.

• Not limited for an organization to use one tool. It can change from process to process

• Ultimate goals is to:

• Assure that organizations can consistently deliver “goods and services”

• Achieve Customer Satisfaction

• Reduce or eliminate undesirable outcomes

• It is expected that effectiveness of the practices/methods used are measured

Risk Management-traditional

RBT approach- suggested

-3 -2 -1 0 1 2 3

• +3= Breaking Improvement, leader industry/market

• +2= Strong Benefits- company wide

• +1= Minor Improvement-local

• 0= Neutral/No Change

• -1= Minor setback

• -2= Strong Setback

• -3= Devastating Setback, catastrophic

Examples

• Story of child at a pool

• Small engineering firm

Where to apply RBT?

Context of the Organization

OrganizationalObjectives/Strategic

Direction

Marketing Sales Research & Development

$

$ $

Purchasing Manufacturing Quality Assurance Shipping

Apply Risk Based Thinking

4.0 Context of the Organization

• Overall intend of the section is to help frame the QMS.

• 4.1 Understanding the organization and its context:

• Determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve intended results of its QMS.

• The organization must monitor and review information about these external and internal issues

• Issues can be positive or negative factors or conditions for consideration

• External context may be derived from legal, technological, competitive, market, cultural, social and economic environments.

• Consider issues related to values, culture, knowledge and performance of the organization

4.0 Context of the Organization

• Understanding the needs and expectations of interested parties

• Determine the interested parties that are relevant to the QMS

• Determine the requirement of these interested parties that are relevant to the QMS

• As they have an effect or potential effect on the organization’s ability to provide products and services that meet customer requirements and regulatory requirements.

4.0 Context of the Organization

• Scope of the QMS

• Take into account external and internal issues

• Requirements relevant to interested parties

• Products and services of the organization.

• In defining the scope the organization can also claim requirements in the standard that are not applicable to their QMS.

• However conformity to ISO can only be claimed if the section deem not applicable is proven not to affect the organization ability and responsibility to ensure conformity of its products and services and the enhancement of customer satisfaction.

Where to find information

• Quality Manual

• Scope already defined

• Introduction section in some Quality Manuals provide background of an organization

• Company website

• Marketing/Sales Material

• HR

• Employee orientation

• Employee Handbooks

Risk based thinking

• Risk is the effect of uncertainty and any such uncertainty can have a positive or negative effects.

• Risk has been implicit on previous versions of the standard:

• Preventive Actions

• Nonconformity data analysis

• Corrective Actions

• The whole goal of the QMS is to be a preventive tool.

• There is no requirement for formal methods for risk management or a documented risk management process.

6.1 Actions to address Risk and Opportunities

• When planning the QMS the organization shall consider 4.1 and 4.2 then determine the risks and opportunities that need to be addressed to: • Give assurance the QMS can achieve its intended result(s)

• Enhanced desirable effects

• Prevent, or reduce, undesired effects

• Achieve improvement

• The organization must plan • Actions to address these risks and opportunities

• How to: • Integrate and implement the actions into the QMS processes

• Evaluate the effectiveness of these actions.

• Actions taken must be proportionate to the potential impact on the conformity of products and services.

Risk in the clauses - Process Approach, Leadership, Planning

•Introduction- the concept of risk-based thinking is explained

•Clause 4- the organization is required to determine the risks which can affect its ability to meet these objectives

•Clause 5- top management are required to commit to ensuring Clause 4 is followed

•Clause 6- the organization is required to take action to identify risks and opportunities

17

Risk in Clauses – Operation, Evaluation, Improvement

• Clause 8 - the organization is required to implement processes to address risk

• Clause 9- the organization is required to monitor, measure, analyse and evaluate the risks and opportunities

• Clause 10- the organization is required to improve by responding to changes in risk

18

Readily available Tools

SWOT Analysis

Severity vs. Likelihood

Hoshin- X Matrix

Metrics

Leading

• Schedule Adherence

• Number of Complaints per Engineer

• New Product Introductions

Lagging

• On-time Delivery

• Complaint Resolution in X days.

• ROI/Increase of Revenue

Readily available Tools

FMEA Others

• Financial analysis

• Self developed tools • Financial/Performance

Suppliers

• Ease of Implementation of Changes

What should I do?

• Identify what the risks and opportunities are in your organization – it depends on its context:

• ISO 9001:2015 does not require a formal risk assessment or specific single document

• The information must be kept and available and could be electronic, audio, video, written or any other type of media

• Other ISO documents (i.e. ISO 31000, ISO 14791) may be a useful reference for organizations which want a more formal risk process, but is not obligatory

23

What should I do? (continued) • Determine the risks and opportunities in your

organization:

• What is acceptable?

• What is unacceptable?

• Which opportunities should be acted on?- Prioritize

• Plan actions to address the risks and opportunities

• How they can be avoided, eliminated or mitigated?

• How can opportunities be achieved?

• Implement the plan – take action

• Check the effectiveness of the actions/tools – does it work?

• Learn from experience – continual improvement

24

pierreservan@factorquality.com

844-ISO-GURU

www.factorquality.com