© 2017 QSG, Inc.

“So, How Will You Audit a Risk Assessment in ISO 9001:2015?”

Bob Deysher, Senior Consultant

Quality Support Group, Inc. [email protected]

Questions?

•  Does ISO 9001:2015 “Risk Based Thinking” require Risk Registers? No!

•  If there isn’t a “Risk Register”, how do you audit an organization against ISO 9001:2015? With Great Difficulty!

So What Does ISO 9001:2015 Require?

ISO 9001:2015 Risk & Opportunities

4.4 Quality management system and its processes

The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine: f) the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them;

ISO 9001:2015 Risk & Opportunities

6 Planning for the quality management system

6.1 Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

ISO 9001:2015 Risk & Opportunities

6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.(*)

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

(*) Sounds like ISO 9001:2008 Clause 8.5.3

What is Risk Based Thinking?

What is “Risk-Based Thinking”?

•  Risk-based thinking is something we all do automatically and often sub-consciously

•  The concept of risk has always been implicit in ISO 9001 – the 2015 revision makes it more explicit and builds it into the whole management system

•  Risk-based thinking is already part of the process approach

•  Risk-based thinking makes preventive action part of the routine

•  Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk

Why Should I Adopt “Risk-Based Thinking”?

•  To improve customer confidence and satisfaction

•  To assure consistency of quality of goods and services

•  To establish a proactive culture of prevention and improvement

•  Successful companies intuitively take a risk-based approach

What Should I Do? (continued)

•  Analyse and prioritize the risks and opportunities in your organization
–  what is acceptable?
–  what is unacceptable?

•  Plan actions to address the risks
–  how can I avoid or eliminate the risk?
–  how can I mitigate the risk?

•  Implement the plan – take action

•  Check the effectiveness of the actions – does it work?

•  Learn from experience – continual improvement

So Where to Start?

How About Management Review?

Management Review Input

Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization. The management review shall be planned and carried out taking into consideration:
e) the effectiveness of actions taken to address risks and opportunities (see clause 6.1);

What is Risk?

Risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives.

Risk – A Simple Definition

The volatility of potential outcomes.

or

How surprised do you really want to be?

Food for Thought

•  Why is Risk like Swiss Cheese?

Author needs to acknowledge that this idea was shown at the NQA Meeting, Boston Session, August 2014

What if the Organization Does not use Risk Registers?

What “Evidence” to look for?

What is an Auditor to Do?

You need to test how they have used the information relating to their internal and external issues and interested parties to determine risks and opportunities, as well as the decision-making process they have gone through to decide what actions they are going to take.

ISO 9001:2015 Risk Based Thinking Examples

Item – Clause – Risk Based Thinking Demonstration

Quality Management System – 4.4 – Evidence is how issues taken from either the external or internal environment are evaluated and appropriate actions taken in the implementation and maintenance of an organization's QMS

Changes to the Quality Management System – 6.3 – Evidence is how risk and opportunities are used in the decision to change the quality management system

Business Opportunities – 8.2 – Evidence is how risk and opportunities are used in the decision to pursue new business initiatives

Design & Development Planning – 8.3.1 – Evidence is how risk based thinking is used in the planning and then translated into verification and validation activities

Design & Development Change Control – 8.3.6 – Evidence is using risk to determine the necessary evidence to be obtained and required to evaluate the effectiveness of the change

Control of Externally Provided Processes, Products, and Services – 8.4.2 – Evidence is using risk to determine the type and level of control implemented to assure that processes, products and services provided by suppliers do not impact quality

Product & Service Provisions Planning – 8.5.1 – Evidence is how risk based thinking is used in the planning and then the implementation of the provisions

Production & Service Provisions Change Control – 8.5.6 – Evidence is using risk to determine the necessary evidence to be obtained and required to evaluate the effectiveness of the change

Internal Audit – 9.2 – Evidence of risk based thinking is using risk arising from previous audits, changes in technology, materials changes and current issues to adjust planned intervals

Management Review – 9.3 – Evidence of risk based thinking are decisions made in a review of actions taken for identified risks and opportunities

What if the Organization Does use Risk Registers?

What “Evidence” to look for?

Risk Definitions

Risk can be defined by two (2) parameters:

–  Severity: the seriousness of the harm

–  Probability: the probability that the harm will occur

Risk Assessment - Quantitative

Severity of Harm      Probability of Occurrence
S-5 Catastrophic      O-5 Frequent
S-4 Critical          O-4 Probable
S-3 Marginal          O-3 Occasional
S-2 Negligible        O-2 Remote
S-1 Minor             O-1 Improbable

Risk Acceptable Regions

Generally Acceptable

As Low As “Reasonably” Practical (ALARP)

Generally Un-Acceptable

Risk Assessment - Qualitative

Risk Registers

The Importance of a Risk Register

•  The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken.

•  It can be a simple document, spreadsheet, or a database system, but the most effective format is a table.

•  A table presents a great deal of information in just a few pages.

Proposed Risk Model

Let’s look at Risk Definitions

Risk Definitions

A risk is a specific event that could happen at some point in the future

•  “Insufficient test resources” is not a risk

•  “Project is delayed because of insufficient test resources” is a risk

•  “Aging work force” is not a risk

•  “Loss of Organizational Knowledge due to retirements of our aging work force” is a risk

Proposed Risk Model

Let’s look at Risk Scoring

Scoring Clarity

Severity of Harm      Probability of Occurrence
S-5 Catastrophic      O-5 Frequent
S-4 Critical          O-4 Probable
S-3 Marginal          O-3 Occasional
S-2 Negligible        O-2 Remote
S-1 Minor             O-1 Improbable

Categories, like the ones above, can be interpreted differently by different individuals. Agreement before scoring is critical and will mitigate later discussions about which issues to address.

Probability Scoring Example

Rating   Description            Definition (Example)
1        Rare, very unlikely    <10% chance of occurrence over life
2        Unlikely, seldom       10% - 35% chance of occurrence
3        Possible               35% - 65% chance of occurrence
4        Likely                 65% - 90% chance of occurrence
5        Almost Certain         90% or greater chance of occurrence

(Chart: Annual Frequency Probability – Likelihood/Probability of Occurrence)

Severity

Rating 1 – Insignificant
  Financial Consequence: Below $xxxx
  Reputation Impact: Not reported in major media outlets
  Disruption to Day-to-Day Operations/Productivity: Little to no tangible disruption
  Impact to Employees: No noticeable impact
  Impact on Customers: Very low number of dissatisfied customers

Rating 2 – Minor/Small
  Financial Consequence: $xxxx - $yyyy
  Reputation Impact: Reported in local media but can be managed
  Disruption to Day-to-Day Operations/Productivity: Minor disruption that is limited to only a few departments or employees
  Impact to Employees: Inconvenience or upsets a modest number of employees but no lasting impact
  Impact on Customers: Few customers in multiple business areas dissatisfied

Rating 3 – Moderate/Medium
  Financial Consequence: $yyyy to $zzzz
  Reputation Impact: Reported in national media and creates immediate need for response. Damage expected to last < 3-6 months
  Disruption to Day-to-Day Operations/Productivity: Major disruption to a limited number of employees or departments, or minor disruption affecting large number of employees
  Impact to Employees: Causes notable concern and/or causes rumors to circulate. Adversely affecting ability of employees in multiple departments to perform job duties
  Impact on Customers: Many customers dissatisfied and you must take action to address directly

Rating 4 – Major/Critical
  Financial Consequence: $zzzz to $aaaa
  Reputation Impact: Reported globally and results in PR crisis, requiring coordination with and direction from OT to address. Damage expected to last < 1 year
  Disruption to Day-to-Day Operations/Productivity: Major disruption that affects large number of employees but is of limited duration
  Impact to Employees: Negative impact requires coordinated management response to assuage fears. Persistent rumors have short mid-term impact on corporate culture
  Impact on Customers: Many customers dissatisfied. Dissatisfaction leads to business losses

Rating 5 – Severe/Catastrophic
  Financial Consequence: exceeds $aaaa
  Reputation Impact: Reported globally, for prolonged period, and results in major PR crisis. Requires sustained and ongoing efforts to manage. Significant long-term damage to the brand
  Disruption to Day-to-Day Operations/Productivity: Major disruption that affects large number of employees and is expected to last for a prolonged period of time
  Impact to Employees: Create widespread panic and/or confusion. Reduces morale across the company and negatively changes employee perception of the company on a permanent basis
  Impact on Customers: Many customers cancel business/stop purchasing. Dissatisfaction leads to direct/immediate loss of very crucial business

Proposed Risk Model - Populated

Let’s look at Action Planning

Deysher Manufacturing LLC – Risk Register

Key Process Step   Risk Item       Sev  Prob  Risk  Action Plan                                   New Sev  New Prob  New Risk
Step 1             Risk Item 1-1     3     3     9  ALARP                                                                0
                   Risk Item 1-2     2     2     4  No Plan Required                                                     0
                   Risk Item 1-3     4     5    20  Action Plan Required                                                 0
                   Risk Item 1-4     1     5     5  Verify Probability; if OK then ALARP                                 0
Step 2             Risk Item 2-1     5     3    15  Action Plan Required                                                 0
                   Risk Item 2-2     3     2     6  ALARP                                                                0
                   Risk Item 2-3     1     4     4  Verify Probability, then No Plan Required                            0
Step 3             Risk Item 3-1     4     4    16  Action Plan Required                                                 0
                   Risk Item 3-2     3     3     9  ALARP                                                                0
                   Risk Item 3-3     2     5    10  Verify Probability, then No Plan Required                            0
                   Risk Item 3-4     2     2     4  No Plan Required                                                     0
                   Risk Item 3-5     3     1     3  No Plan Required                                                     0

(The Date, Initial Date and Update Date columns are blank in the populated example; Risk = Sev × Prob, and New Risk is 0 until the item is rescored.)

Can ISO 9001:2015 Provide Guidance?

•  NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

•  NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

Proposed Risk Model - Populated

New Risk Value Post Action Plans

Let’s look at Effectiveness

Effectiveness

•  Rescore Severity & Probability looking for improvement

•  Add the improvement into the continual planning and implementation of the process

•  Roll up all effectiveness of actions taken to Management Review
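The Proposed Risk Model (Severity × Probability on the 1–5 scales, the three acceptability regions, and the rescoring step above) as an added Python example. This is not QSG's or the presenter's tool. The slides give no numeric cut-offs, so the region thresholds (≤4 No Plan Required, 5–12 ALARP, ≥15 Action Plan Required) and the "Verify Probability" rule for Sev ≤ 2 with Prob ≥ 4 are assumptions chosen to reproduce the action-plan column of the populated register; the register's 2×5 row presumes the verification lowers the probability, whereas this code classifies the rating as scored. The Sev/Prob pairs are the deck's populated register; the post-action ratings in demo() are constructed.

```python
# Added example (not QSG's or the presenter's tool): a toy risk register that
# scores items as Severity x Probability on the deck's 1-5 scales, assigns an
# action class, and rescores after action plans for the effectiveness roll-up.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Region thresholds on the Sev x Prob product. ASSUMED: the slides give no
# numeric cut-offs; these reproduce the action-plan column of the populated
# register (possible products are 1-6, 8-10, 12, 15, 16, 20, 25).
NO_PLAN_MAX = 4        # "Generally Acceptable"
ACTION_PLAN_MIN = 15   # "Generally Un-Acceptable"; 5..12 is the ALARP band
REGIONS = ("No Plan Required", "ALARP", "Action Plan Required")


def risk_score(severity: int, probability: int) -> int:
    """Risk = Severity x Probability, both on the 1..5 scales."""
    for v in (severity, probability):
        if not 1 <= v <= 5:
            raise ValueError(f"rating {v} is outside 1..5")
    return severity * probability


def region(score: int) -> str:
    """Map a score onto the three acceptability regions."""
    if score <= NO_PLAN_MAX:
        return "No Plan Required"
    if score >= ACTION_PLAN_MIN:
        return "Action Plan Required"
    return "ALARP"


def recommended_action(severity: int, probability: int) -> str:
    """Region label; low-severity / high-probability items are flagged to have
    the probability verified first (ASSUMED rule mirroring the register)."""
    label = region(risk_score(severity, probability))
    if severity <= 2 and probability >= 4:
        return f"Verify Probability, then {label}"
    return label


@dataclass
class RiskItem:
    step: str
    name: str
    severity: int
    probability: int
    new_severity: Optional[int] = None      # filled in when rescored
    new_probability: Optional[int] = None

    @property
    def risk(self) -> int:
        return risk_score(self.severity, self.probability)

    @property
    def action_plan(self) -> str:
        return recommended_action(self.severity, self.probability)

    @property
    def new_risk(self) -> int:
        """Residual risk after action; 0 until rescored, as in the register."""
        if self.new_severity is None or self.new_probability is None:
            return 0
        return risk_score(self.new_severity, self.new_probability)

    def rescore(self, new_severity: int, new_probability: int) -> None:
        risk_score(new_severity, new_probability)   # validate the new ratings
        self.new_severity, self.new_probability = new_severity, new_probability


def action_effective(item: RiskItem) -> bool:
    """Effective = rescored, residual risk lower, and out of the action-plan region."""
    return (item.new_severity is not None
            and item.new_risk < item.risk
            and region(item.new_risk) != "Action Plan Required")


def management_review_rollup(items: List[RiskItem]) -> Dict[str, object]:
    """Counts per region before/after action, plus the items whose action plan
    has not demonstrably worked: the input clause 9.3 e) asks for."""
    inherent = {r: 0 for r in REGIONS}
    residual = {r: 0 for r in REGIONS}
    ineffective: List[str] = []
    for it in items:
        inherent[region(it.risk)] += 1
        if it.new_severity is not None:
            residual[region(it.new_risk)] += 1
            if not action_effective(it):
                ineffective.append(it.name)
    return {"inherent": inherent, "residual": residual, "ineffective": ineffective}


def build_register() -> List[RiskItem]:
    """The Sev/Prob pairs of the deck's populated Deysher Manufacturing register."""
    rows = [("Step 1", "1-1", 3, 3), ("Step 1", "1-2", 2, 2), ("Step 1", "1-3", 4, 5),
            ("Step 1", "1-4", 1, 5), ("Step 2", "2-1", 5, 3), ("Step 2", "2-2", 3, 2),
            ("Step 2", "2-3", 1, 4), ("Step 3", "3-1", 4, 4), ("Step 3", "3-2", 3, 3),
            ("Step 3", "3-3", 2, 5), ("Step 3", "3-4", 2, 2), ("Step 3", "3-5", 3, 1)]
    return [RiskItem(step, f"Risk Item {n}", s, p) for step, n, s, p in rows]


def demo() -> Dict[str, object]:
    """Rescore the three action-plan items with CONSTRUCTED post-action ratings."""
    items = build_register()
    by_name = {it.name: it for it in items}
    by_name["Risk Item 1-3"].rescore(4, 2)   # control cut the probability: 20 -> 8
    by_name["Risk Item 2-1"].rescore(5, 3)   # action changed nothing: still 15
    by_name["Risk Item 3-1"].rescore(3, 2)   # 16 -> 6
    return management_review_rollup(items)


if __name__ == "__main__":
    for it in build_register():
        print(f"{it.step:7} {it.name:14} Sev {it.severity} Prob {it.probability} "
              f"Risk {it.risk:2}  {it.action_plan}")
    print(demo())
```

The roll-up deliberately reports an action as ineffective when the rescored product has not dropped out of the action-plan region, so the unchanged item surfaces in the Management Review input rather than disappearing behind a filled-in "New Risk" column.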

But What About FMEA’s?

•  Review the requirements in ISO 9001:2015, Clause 6

•  Do your FMEA’s integrate Context of the Organization as well as Needs and Expectations of Interested Parties information (as well as Risks of the Processes)?

•  If YES, use them but remember you are to assess risk across your entire Quality Management System.

•  ISO 9001:2015 is a process/system standard, not a product or service standard

Addressing Risk

Integrating Risk Based Thinking with the Process Approach and PDCA

Plan-Do-Check-Act

The Plan-Do-Check-Act (PDCA) methodology can be a useful tool to define, implement and control corrective actions and improvements. Extensive literature exists about the PDCA cycle in numerous languages.

Plan – What to do? How to do it?

Do – Do what was planned

Check – Did things happen according to plan?

Act – How to improve next time?

Process + Risk + PDCA Model

Plan the process (Extent of planning depends on RISK)

Do – Carry out the process

Check – Monitor/measure process performance

Act – Incorporate improvements as necessary

(Figure: INPUTS flow into the process and OUTPUTS flow out of it, with interaction with other processes on both sides)

Conclusions

•  Risk Based Thinking is an element in the Process Approach

•  Risk Based Thinking is an input to Management Review

•  Risk Based Thinking is an element in the continual improvement process that is focused on prevention.

•  Risk Based Thinking has to be demonstrated during audits; a risk register is documented information that validates an organization has done Risk Based Thinking.

•  I use Risk Registers with all my clients; it is a living document

Final Thoughts

How about “Opportunity Based Thinking”? How about replacing “Severity” with “Benefits”?

Questions???
