Sunday, April 26, 2015

Risk-based thinking in the DIS 2015 – What are Registrars offering for advice and guidance?
If you are a savvy quality person or top manager, you’re keeping current with the imminence of ISO9001:2015 and the exciting new requirement of “risk-based thinking” (RBT). No doubt you’ve probably read (or received) the latest literature from registrars with perhaps, even offerings of RBT training classes.

Registrar guidance documents do offer the particular perspective of that registrar. There may be pressure to define and implement the framework immediately for the new standard because, um, well, it’s new!

The interpretive guidance documents are…well, interpretive, especially concerning RBT. What did TC176 really have to say about risk-based thinking? After reading this article, you'll see that even the registrars can’t seem to agree on RBT.

Is it a concept, a requirement…or perhaps…neither?

The closer you get…the fuzzier it becomes.
The choice was made to question some of the sources of the available CB guidance documents. In one LinkedIn forum (https://www.linkedin.com/grp/post/8245759-5983907899645186052) – [albeit a private group – just join to gain access to it] one well-known registrar provided a link to its ISO 9001:2015 guidance document. Upon examination, there was only one reference within the document to “risk-based thinking”. The registrar contact was asked to provide an explanation,

“In this guidance document, there is no definition for "risk-based thinking", only one reference to it. In the DIS - there is also no definition. How does [registrar] propose to clients on how to be audited against a requirement with no definition?”

The registrar’s response was surprising,

“…it's true that the DIS does not define "risk-based thinking" (and it also uses the "quotes" when referring to it ..)…So we do have something to work with, albeit not formally defined.” [Bold added for emphasis]

Say that again? “The DIS does not define ‘risk-based thinking’.”

Um, OK...so, where can I go to find how it is defined?

What another registrar told us.
Another large registrar recently promoted its guidance documents within a public LinkedIn group (https://www.linkedin.com/grp/post/1268337-5996585185037082624#commentID_discussion%3A5996585185037082624%3Agroup%3A1268337 ). What captured my eye was the lead-in promotional statement,

“You will need to prepare for change and adapt your quality management system to meet the new requirements…”

Like a hungry shark rising to snag the bait, boat, and fisherman, I asked the registrar to explain a bit more.

“…your lead-in mentions "the new requirements" but nowhere in the article are these requirements spelled out. In fact, it's a topic ignored. Or overlooked by accident?

It is well-documented that DIS is largely a re-shuffle of existing 9001:2008 requirements but with a spoonful of RBT added for flavor.

Can you explain?”

A response was received the very next day.

“Our Gap Analysis download details these differences and highlights new requirements, I can send this to you directly if you would like to PM me.”

I dutifully responded with a private email, and the next day received three PDFs of what appeared to be colorful (undated) brochures. The documents were reviewed, and I observed that the “new requirements” were largely focused on the addition of two “General” clauses along with some expansive wording. Most curious was absolutely no mention of “risk-based thinking” within any of these registrar guidance documents.

Writing back to this registrar, I asked for a resolution of this conundrum regarding risk-based thinking, in light of a competitor claiming it is not formally defined.

“Usually, audits are conducted to determine compliance against requirements but...the DIS makes it clear that RBT is only a concept. See line 300 in the DIS..."and the concept of risk-based thinking ..."”

The opinion of the competitor registrar was included in my question. No response was ever received.

What the infamous TC176 had to say about RBT.
Document N1222, dated July 2014, and issued by ISO/TC 176/SC 2, is a topical paper about “risk” in ISO 9001:2015. Among other things, it specifically addresses two concerns for RBT:

  • To address the concern that risk-based thinking replaces the process approach,
  • To explain in simple terms each element of a risk-based approach.

The conclusions provided by Document N1222 are a little frightening. Italicized comments, below, are mine.

  • Risk-based thinking is something we all do automatically.
  • Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system. (If it was already there, under which clauses did it exist?)
  • Risk-based thinking is already part of the process approach. (Oh? Where was this specified in previous versions?)
  • Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found – this is sometimes seen as the positive side of risk.
  • The concept of risk-based thinking is explained in the introduction of ISO9001:2015.

Within DIS, RBT is described only as a concept, not a requirement, and nowhere in the DIS is it defined. This mirrors the opinion of the first registrar who responded to our query. RBT is not proffered anywhere under any clause as an explicit requirement.

Frankly, it all sounds very Orwellian, as if issued directly from the Ministry of Truth.

But wait! There’s more!
Document N1223, dated July 2014, and issued by ISO/TC 176/SC 2, is titled, “(Draft) Transition Planning Guidance for ISO 9001:2015”. This document was searched for occurrences of “risk-based thinking”, and two hits were obtained; the most applicable is the following statement.

“The main changes in the new version of ISO 9001:2015 are: ...an explicit requirement for risk-based thinking to support and improve the understanding and application of the process approach…”

A search of DIS2015 shows no explicit requirement, unless one considers the statements in clause 0.5 referencing risk-based thinking as a concept.

Document N1224, dated July 2014, and issued by ISO/TC 176/SC 2, is a cross-correlation matrix between DIS2015 and ISO9001:2008. It contains no mention of risk-based thinking anywhere in the matrix. This means…yes…even if DIS2015 has RBT as an embedded requirement, there is no mention of it.

Is it hiding from us, in plain sight? If so…where?

Some Other Registrars and their Interpretations
BM Trada, a registrar in the UK ( www.bmtradagroup.com ), published a technical bulletin titled, “ISO 9001:2015 – Introducing the Changes”. The publication was searched for the phrase “risk-based thinking” and found…no hits. Searching on “risk-based” yielded only one hit, that for “Control of externally provided products and services”.

“Organisations will be required to take a risk-based approach to determine the type and extent of controls appropriate to each external provider and all external provision of products and services.”

This statement resides at lines 1691 and 1692 in Annex A of the DIS. However, under Clause 8.4 to which this applies…there is absolutely no mention of a requirement to use risk management or to use risk-based thinking to achieve compliance to Clause 8.4. Is a risk-based approach the same thing as risk-based thinking? Remember - this is supposed to be a standard! Curiouser and curiouser…

BSI published a fact sheet titled, “ISO 9001:2015, Frequently Asked Questions, Approaching Change”. This publication was searched for “risk-based thinking” and found…no hits. I next searched for all occurrences of “risk”, and found four hits, and three of them are associated with using ISO 31000 as a risk-management standard.

Interestingly, the BSI FAQ discusses risk in the context of an organization being certified to ISO 31000. However, the ISO website confirms that ISO 31000 cannot be used for certification (http://www.iso.org/iso/home/standards/iso31000.htm). The proofreaders at BSI had better check on this one.

UL-DQS offers its publication with the title, “ISO 9001:2015 FAQ”. Numerous occurrences of “risk based thinking” were found (the hyphen between “risk” and “based” was dropped in the UL-DQS document). At Note C8 (page 7 of 8) is an example of what the objective evidence would look like for compliance to a “risk based approach” within the organization.

“Evidence will need to demonstrate that risks and opportunities have been identified, actions have been planned and implemented to minimize the most significant risks and that the effectiveness of these actions has been checked.”

But as with the other registrars’ materials, there is no clear definition of “risk based thinking” or of how it will be audited for compliance.

Summary
We can conclude four things from the research of certain TC176 documents and a sampling of available registrar brochures and guidance documents about “risk-based thinking”.

  1. The registrars’ understanding of risk-based thinking doesn’t jibe with what TC176 has promoted and promulgated.
  2. Registrars’ material and guidance documents don’t harmonize with each other’s perceptions and interpretations. Each has its own approach (or no approach!) toward the phrase “risk-based thinking”.
  3. Because of this lack of harmony amongst registrars, a client's QMS will be assessed (and certificated!) differently as influenced by that registrar's army of auditors.
  4. “Explicit requirements” within DIS2015 which mandate “risk-based thinking” do not seem to exist. Search yourself in the DIS!

So, where can one go for help? TC176 is not accessible to the general public, and registrars are discovering that they and their clients will be looking at each other, one side with more questions than the other can answer. Registrars may be making the best of educated interpretations but frankly, clients want facts because they are paying for facts.

Not for colorful interpretive brochures.

Still undecided about DIS versus 2008 version?
If you are still sitting on the fence over going with the 2008 or 2015 version of ISO 9001, it might be wise to go with the devil you know – the 2008 standard. It is well-known, and CB auditors know how to audit for compliance (more or less) to the 2008 standard. If you are already certificated to the 2008 standard, well, you need to prepare to bite the pretty apple and risk finding half a worm.

Have you asked your registrar for guidance documents and a gap assessment of DIS against the 2008 standard? What did you receive? Is “risk-based thinking” a concept, a requirement, or neither?

In closing
Be very careful with assessing and integrating registrar information, especially from only one source. Check the competitors, check within your professional peer networks, and talk to consultants. Yes, consultants are human and are available to help you navigate those TC176-infested waters of the new standard.

2 comments:

  1. "we’re here to help you navigate those TC176-infested waters of the new standard"

    Great! you need to copyright that phrase.

    Regards
    Miguel Piedras

  2. It is becoming clear that a lot of the misconceptions about the significance of the changes inherent in the 2015 revision originated with rumors and speculation that arose when the Committee Draft was first issued. The idea that there was something new... That Preventive Action was being phased out and replaced with “risk-based thinking”. This was interpreted as the most significant aspect of the change by many – but what did it mean? Given the most substantial change was in a lack of prescriptive policy – ISO actually realized that it was over-stepping the bounds between the Standard and how one does business by requiring documentation where only a procedure is required - it is not surprising that there is no prescriptive methodology in how to approach risk. Indicators, that it is “a concept” or is an inherent part of the process approach should be enough to discern how it applies. It all starts with the customer - With the requirements of the customer as quoted, flowed on the contract, reviewed, understood, disseminated to all interested parties and verified as having been met. At each step the risk associated with dropping the ball should be considered and avoided or, as applicable, mitigated. Objective evidence of a successful implementation of a risk-based approach would take the manifest form of an absence of complaints, rejects, etc. that indicate requirements were not met due to avoidable circumstances. Use common sense and the overall intent of the standard as a guide – save money on a consultant – we’re all too busy anyway…
