This is a continuation from Part 1: ISO 9001:2015 – IMPLEMENTING RISK BASED THINKING
- Conducting a Qualitative Process-Level Risk Assessment – Without a Flowchart
In many cases, the risk assessment team may choose not to list risks on the flowchart itself, but brainstorm a list of process risks instead. In order to do that, a simple table can be used to guide the thought process. The sheet could look like the example in Figure 2 below. Enter the name of the process, the internal and external customers for the process, the stakeholders or “interested parties” in the header.
Then the table can prompt for the name of the process step (which can be derived from the flowchart for that process), and allow space for risks to be collected from the group. The risk table can be broken up into the same 5M categories as suggested by the fishbone in Figure 1 above. Note that the risk categories can also be anything that the team desires; . For example, in a production process, the risk categories might be “parts inspection” “paperwork/reporting”, “raw materials”, “packaging/labelling”, etc.
| Process Name
Hiring and Orientation Process |
||||
| Customers – External and Internal
Internal Departments who have a need for a new employee |
||||
| Needs of Other Interested Parties (owners, employees, community etc)
Owners have a need for the best talent at a reasonable wage, the community has a need for satisfying employment for its citizens. The new-hire has a need for fair, challenging work |
||||
| Organizational Objectives related to the process
Hire the best employee at the best wage, achieve a low turnover, achieve a high degree of “fit” of the employee and a high level of job satisfaction |
||||
| Process Risks | Current Controls | Additional Controls Required? | ||
| Step 1 | Man | Job Requirements may be vague | Requisition Form | No |
| Hiring Manager fills in a Job Requisition | Material | No | ||
| Methods | The Requisition form may not address the type of job being filled | Requisition Form | No | |
| Machine | No | |||
| Measure-ment | Timing may be too short to find a suitable candidate | None | No | |
| Step 2 | Man | Skills may be in high demand | None | No |
| Requisition is reviewed and approved by HR Manager | Material | No | ||
| Methods | There may not be a sufficient budget or forecast for the position | Annual Strategic Plan and Budget | No | |
| Machine | No | |||
| Measure-ment | There is not a disciplined way to determine the veracity of the need | Manager provides a justification | No | |
Figure 2: A Risk Table for Capturing Outputs of the Team
In the chart above, the analysis is qualitative rather than quantitative. The quality of the risk analysis is dependent on the composition and rigour of the team performing the analysis. One will note that there is no scoring associated with this method as there would be with a Failure Modes and Effects Analysis (FMEA) or a Risk Matrix. In both an FMEA and Risk Matrix, the criticality/severity of the failure and the probability of occurrence are ranked on a scale between 1 and 10. Then these two scores can be added together or multiplied together to derive a combined risk index or Risk Priority Number. If the group determines that a quantitative ranking of severity and probability is useful, then it would be very easy to add these thin columns to the Risk Table in Figure 3 above. However, since these numbers are derived largely as a result of educated guesses by group, it can be just as valid to skip this step and simply decide whether or not the risk warrants additional process controls.
- Next Steps – Evaluation of Actions Taken During Management Review
As required by Clause 9.3.1 of ISO 9001:2015 (see Section 1.0 above), the effectiveness of actions taken as a result of the risk analyses will be brought forward for review by senior management.
Therefore, after the assessments are completed, one of two next steps can take place. The first course of action could be to take a list of proposed process improvement actions to Management Review for discussion and endorsement, after which the actions would be taken. The second half of this course would then be to submit results of the actions to Management Review. The second course of action could be for the group to autonomously perform their actions to improve the processes (if they have sufficient empowerment and authority to do so) and then simply report results to Management Review. The minutes of Management Review will then show evidence of the review of those improvement actions and any follow-up actions that are required subsequent to those actions. This provision of the standard is a very effective way of making sure that the risk assessments of each process owner were performed in an honest way.
- Conclusions
The long-awaited promise of including Risk Based Thinking in the ISO 9001 Quality Management Standard has finally been realized in the new 2015 version of the standard. Risk, using the definitions from both ISO 9000 and ISO 31000, is a very straightforward concept. Organizations can assemble a cross functional team to assess risks at the company level and at the process level. The goal of the risk assessment is to compare process risks to current process controls in order to determine if the level of control is sufficient, or if additional controls and contingency plans may be required. Practitioners can start with a flow chart whenever possible and list the risks and controls (enablers) and each step of the process. If a flowchart is not available or not desired, a simple Risk Table using risk categories based on the Fishbone Diagram to assist in brainstorming can be used. For this type of qualitative risk assessment, it is not necessary to use the numerical rankings and scores as would be required by an FMEA or Risk Matrix. Once improvement activities are taken, the results of those improvements will be reviewed during an appropriate Management Review.
BIO:
Denis Devos is a Fellow of the ASQ and a recognized expert in the application and auditing of Management System Standards. For 15 years, Denis has been servicing clients (primarily in the automotive industry) with customized training and support.
Denis began his work with the ISO 9001:1987 standard in 1992 and led the first ISO 9001 implementation of any General Motors plant in North America. Denis’ unique Risk-Is-The-Compass model for risk-based QMS auditing was devised in 2001 and has been proven effective over years of implementation and is published in the procedings of several ASQ conferences.
A variety of sectors benefit from Denis’ expertise including the automotive industry, financial services, wood working and printing, and healthcare.
denisdevos@sympatico.ca