Risk-Based Thinking: Is This Something New?

Not really, but it does require a new way of planning

Traditionally, risk was considered but inferred and inadequately interpreted by organizations.
Mon, 03/27/2017 - 12:02

Risk-based thinking can be considered the fundamental change in ISO 9001:2015. Compared to ISO 9001:2008, where preventive action (PA) held a spot in the “act” phase of the plan, do, check, act (PDCA) cycle, risk now appears in the “plan” phase and at each stage thereafter. This change formalizes an idea that has been around since at least 1546, when John Heywood coined the proverb, “Look before you leap.”

ADVERTISEMENT

Per clauses 4.1 and 4.2 of ISO 9001:2015, it is therefore reasonable that the context of an organization should be considered during the planning phase, as well as before it, together with the needs of interested parties. Based on these inputs, risk also should be considered, per clause 4.4.1 f: “address the risks and opportunities as detrmined in accordance with the requirements of 6.1.”

This makes me wonder: Has the standard previously not addressed risks posed to quality management systems (QMS)? Risk was always considered, but inferred and inadequately interpreted by organizations. Only now has it been systematized as a requirement. Throughout ISO 9001:2015, in clauses related to each stage of the PDCA cycle, there is a requirement to address the risk.

 …

Want to continue?
Log in or create a FREE account.
By logging in you agree to receive communication from Quality Digest. Privacy Policy.

Comments

Submitted by Ian Hendra on Mon, 03/27/2017 - 13:07

Hi,

Nice article Dr Arora, thanks, I agree with you..but..there's always one of those!  

Corrective Action and Preventive action "in accordance with the risks encountered" was in the standard when I did my Lead Assessor course in 1984, long before BS 5750:1979 became ISO 900x in 1987 and it's been there with different words up to the 2008 version.

Even back then, and nothing has changed in my opinion, "preventive action" (= RBT) required two approaches, reality and crystal ball gazing.    

The reality approach came from the the investigation into the causes of the nonconformity that happened, where the idea was  to avoid REcurrence.  The "preventive" questions were, "How else, and where else could a similar nonconformity OCcur?".  The point here was that one was dealing with a real event and the answers were tangible.

The second approach was the proverbial crystal ball gazing that in my view was seriously less effective when it came to identifying real issues to deal with.  The reason for that was general ignorance of the tools necessary to do it properly, such as those described in ISO 31010 and those in the Memory Jogger II from GoalQPC.

Ok, that's all well and good, except that I'm seeing two alarming trends since ISO 9001:2015 destabilised a previously stable model.

The first is that ISO 9001 is about business excellence, it isn't and never has been, check the scope at clause 1.  It's still only a litany of check points to assess if a supplier is OK to do business with.  It doesn't even get into professional quality assurance (eg SPC, TGM, LSS), ensuring the business is commercially viable or that staff are being looked after properly (as per Sir Richard Branson's philosophy, perhaps).  

The second alarming trend is "management by internal audit".  Back in 1984 there was no internal audit requirement, it first appeared as ISO 9001:1987/4.17.  Beforehand system implementation was down to management plain and simple and quality management systems were much more effective because of it. 

So, to contain RBT within the defined scope of ISO 9001 all that is necessary is to consider the risks associated with being unable to deliver against the supply agreement, which is where the whole thing came from when the standard was known as the Allied Quality Assurance Procedures (AQAPs) released by NATO Committee AC-250 n 1969.

Cheers

Ian

 

Add new comment