Risk Management in ISO 9001:2015
Risk is defined as “Effect of uncertainty on an expected result”. The effect can be both negative and positive. Uncertainty is defined as the state of deficiency of information related to an event, its consequence or likelihood.
The new ISO 9001:2014 DIS incorporates risk-based thinking into the Quality Management System more extensively and explicitly. Not managing risk properly can result in delivery of non-conforming product to the customer. The level of risk is not the same for all processes in an organization. Delivery of non-conforming product can have different consequences for different customers. For example, a defect in medical devices or medicines can have very serious and critical consequences for the patients, but will have relatively less serious consequences for a furniture manufacturer. The organization has to manage risk effectively in all its processes in order to minimize the likelihood of occurrence of non-conformity.
The standard calls for adopting risk analysis into the Internal and External Context of the organization. This means taking into account external factors such as those in a PESTLE Analysis (Political, Economic, Social, Technological, Legal and Environmental), as well as Competitive and Market conditions. Internal factors such as the Values, Culture, Knowledge and Performance of the organization should also be taken into account. The organization should analyze how these factors affect its ability to achieve and maintain its Quality Management System.
It also calls for determining the interested parties such as internal and external customers that are relevant to the quality systems and determining their needs that are relevant to the quality system.
Top Management must ensure that the risks and opportunities related to product or service conformance or customer satisfaction are determined and addressed in the best possible manner.
After determining the risks, the standard calls for integrating the risks defined above into planning to make sure that the quality management system can achieve its objectives and results, reduce or eliminate unwanted results and achieve Continual Improvement. Then the organization should take steps to eliminate or mitigate risk from its Quality Management System and evaluate the effectiveness of these steps.
The organization should develop and implement a Quality Management System and its processes for converting inputs into outputs, and the interactions between them, taking into account the risk factors.
Finally, the standard calls for evaluating the effectiveness of actions taken to address risks and opportunities in the management review meetings to ensure that the management system is capable of meeting the requirements.
The various clauses of ISO 9001 concerned with risk awareness and their interactions are given in the Risk Mind Map below:
Diagram 1. Risk Mind Map in ISO 9001:2015
Clause 4 – Determine the risks
Clause 5 – Top management commitment to ensure that the risks identified in Clause 4 are taken into account.
Clause 6 – Take action to address the risks in the Quality Management System.
Clause 7 – Remove risk from the support areas such as equipment, infrastructure, human resources.
Clause 8 – Develop the business processes by taking risk into account at each stage and addressing it.
Clause 9 – Monitor, measure, analyze and evaluate risks and opportunities.
Clause 10 – Improve by responding to changes in risk by removing potential negative risks and capitalizing on opportunities.