Risk-based thinking – You’re already doing it.
The spring months of 2015 have seen many blog articles and LinkedIn forums touch on the topic of risk-based thinking (RBT). Consulting services and registrars alike are offering their advice and guidance on “how to do RBT”: how to train for it, how to implement it, how to audit it, and how to prepare for when the registrar’s auditors arrive.
What made me think carefully about RBT was a statement in one of the TC176 documents endorsing risk-based thinking: “It has always been in ISO 9001.” At first, my reaction was Orwellian – another statement from the Ministry of Truth. I began to ponder the contrasting comments and perspectives in LinkedIn forums, and I started reading what was being offered by registrars in their “guidance documents”.
In a sense, risk-based thinking has always been in ISO 9001. What is it you wish to address as you implement an ISO 9001 QMS? You want to reduce costs, reduce your exposure to unseen problems, produce your product consistently, improve your financial position, and ensure that the customer receives what it ordered. In short, you want to reduce your exposure to risk. I’m not going to touch the simmering debate between positive and negative risk.
How you are doing it already in ISO 9001:2008
Formal risk management has never been an explicit requirement in ISO 9001. Yet most clauses demand, and depend upon, some kind of risk assessment or risk analysis to reduce the exposure to and fallout from mistakes. Some of the most overlooked risk-based processes are the six mandatory documented procedures of ISO 9001:2008:
- Control of documents (4.2.3),
- Control of records (4.2.4),
- Internal audit (8.2.2),
- Corrective action (8.5.2),
- Preventive action (8.5.3), and
- Control of nonconforming product (8.3).
Hiding in plain sight, these six processes form a basic framework for risk-based thinking. You might ask, “How can this be so? The standard never told us that!” Well, I had agreed with this story line, too, all along: we do what the standard tells us to do. But my framework of thinking had to be jolted, even shocked, before I could consider an alternative viewpoint.
Consider the lowly internal audit, clause 8.2.2. What is its purpose? To assess conformity with the QMS, with the standard, with customer requirements, and with statutory and regulatory requirements. Why “assess”? One reason is to reduce the risk of having the certification body (CB) auditor find and issue nonconformances.
It’s that simple. “To reduce the risk…” Isn’t this risk-based thinking? It doesn’t get easier than that.
Let’s look at Control of Documents, clause 4.2.3. The 2008 ISO 9001 standard is clear on requirements to define the controls needed:
a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
Break it down into the risks:
a) Reduce the risk of releasing an inadequate, vague, or inappropriate document,
b) Reduce the risk of a document going stale, or being changed without re-approval, so that obsolete or mistake-laden content stays in circulation,
c) Reduce the risk of using the wrong revision of a document because the change and its revision status were never identified,
d) Reduce the risk of not providing current and relevant documents where they are required or needed,
e) Reduce the risk of damaged or unreadable documents being released and used,
f) Reduce the risk of documents of external origin (customer drawings, industry standards, supplier specifications) being used without being identified and controlled, so that nobody knows which copy, or which edition, is actually in force,
g) Reduce the risk of the wrong or obsolete document being used in production.
This is risk-based thinking. It doesn’t get
easier than this!
A final example, that of Customer Requirements, clauses 7.2.1 and 7.2.2. Under these two clauses the organization must determine the requirements related to the product (those specified by the customer, those not stated but necessary for its intended use, applicable statutory and regulatory requirements, and any additional requirements the organization itself considers necessary) and review them before committing to supply.
Why? Briefly, to reduce the risk of producing the wrong product, to reduce the risk of violating applicable laws and regulations, and to reduce the risk of not being able to produce the product for the customer.
Is this not risk-based thinking?
In closing
The soon-to-be-released 2015 version of ISO 9001 (still slated for release this September) introduces the phrase “risk-based thinking”, which many assume to be a new requirement. Suddenly, training classes are being promoted by registrars and consulting firms alike to address the need for risk management and risk-based thinking. But wait... you’ve been doing it already.
Some summary points to consider about risk-based thinking:
- Risk-based thinking is introduced as a concept, not a requirement.
- Annex A declares that there is no requirement for formal risk management or a documented risk management process.
- The phrase “risk-based thinking” appears under clauses 0.5 and 0.6 of the Introduction, which is normally not auditable.
- Annex A, clauses A.4 and A.8 discuss the “risk-based approach” but not risk-based thinking.
- Objective evidence for “risk-based thinking” could take the form of the output from the already-implemented processes and procedures under ISO 9001:2008.
- If you are already certified to the 2008 standard, you can begin to evolve how you view and perceive your existing processes, toward one of risk-based thinking. If your culture already embraces this, very well! If there is resistance, better to address and mitigate that resistance now, before you are forced to "upgrade" to the 2015 standard.
- CB auditors must rely on objective evidence and not personal opinion as they attempt to audit the client (you!) for compliance to “risk-based thinking” under the 2015 standard.
- Think carefully before signing up for training classes for implementing or for compliance to risk-based thinking or risk management related to the 2015 standard. You may be more experienced than the person offering the training!
Follow My Blog:
www.Lawrence-international-LLC.Blogspot.Com