This is huge. More than 1,100,000 companies worldwide will be impacted. But a lot of questions exist.
The working draft of the ISO 9001 (2015) has been circulating. It is a paradigm shift and will be a challenge for many registered companies.
As a result of several CERM Risk Insights articles, we’ve been asked to address the risk challenges and opportunities in the transition with articles and videos (Vlogs) on YouTube. We’ll be addressing our hard lessons learned as we moved from a 100% quality consultancy to a 100% risk consultancy.
CERM RISK INSIGHTS QUALIFICATIONS
As you read the questions below, you may ask: “Who is Greg Hutchins?” and “Is he a subject matter expert/authority?” Hopefully the following helps answer that:
- Risk engineering for global and national companies at the enterprise, programmatic, project, process, product, and operational levels, including critical infrastructure protection.
- Developer of the Future of Quality: Risk™ slide deck that went viral on the web.
- Author of global best selling ISO 9001 and quality books and products (translated into more than 8 languages).
- Author of Value Added Auditing® – one of the first risk based auditing and assurance books.
- Author of multiple risk based auditing books, which have been approved by national authorities.
- Author of hundreds of quality articles for ASQ, PMI, IEEE, IIE, QD, and many other journals.
- Involved with the first TC 176 (1987) and first hand observer of the evolution of ISO 9001, ISO 14001, ISO 27001, and most management systems.
- Lead instructor and consultant for first North American registrar.
- Developer of Certified Enterprise Risk Manager® and other risk certificates such as CERM® – Electric Reliability™.
- Founder of CERM Risk Insights™.
CERM Risk Insights intends to be the global go-to source for trustworthy information on your journey to operational ISO 9000 (2015) and supply ERM.
FUNDAMENTAL QUESTIONS
We were asked to develop a Frequently Asked Questions (FAQ) Guide for quality risk management especially in light of the new ISO 9001 (2015).
Here is a preliminary list of FAQs that we’ll address in CERM Risk Insights:
- What are the risk requirements in each phase of the ISO 9001 standard: Committee Draft (CD), Draft International Standard (DIS), Final Draft International Standard (FDIS), and Standard?
- Is the new ISO 9001 (2015) a paradigm shift in quality? And if yes, what should a company do and in what order?
- How does the ISO 9001 fit into a Governance, Risk and Compliance (GRC) system or an Enterprise Risk Management (ERM) system?
- Should an ISO registered company focus on compliance, integration of management systems, ERM, GRC or all the previous?
- What do ERM, GRC and other acronyms really mean, and how do they fit into the ISO world?
- Does ISO 9001 (2015) in its latest draft require or recommend an ERM system?
- Should a company develop an ISO 31000 or an ERM system and processes?
- What are the relevant risk frameworks, taxonomies, syntax, and deployment models?
- How does a company benchmark its risk management system against ISO 9001 (2015) requirements?
- How does a company benchmark its risk management system against ERM systems?
- How does ISO 9001 deal with governance and the Board of Directors Audit Committee?
- Does the ISO 9001 risk management system comply with listing requirements, SEC requirements, or Standard & Poor’s ERM ratings?
- What are the risks, challenges and solutions for implementing risk into the quality management system or any other ISO management system?
ISO 31000 QUESTIONS
- How can ISO 31000 be used to meet the ISO 9001 risk requirements?
- Is ISO 31000 an Enterprise Risk Management (ERM) system? If not, why not?
- Why implement ISO 31000 into ISO 9001?
- Is ISO 31000 a standard, guideline, or what?
- What are other risk standards that can be used?
- How does the scope and risk processes of ISO 31000 compare with other risk standards?
- How do COSO and ISO 31000 integrate?
- What is the value proposition of implementing ISO 31000?
- How do you build a business case for risk implementation?
- How do ISO 9001 and ISO 31000 meet the COSO ERM Integrated Framework?
ROLES AND RESPONSIBILITIES QUESTIONS
- Who are the critical stakeholders in the ISO 9001 (2015) risk initiative and how do you get them engaged?
- Who should or can be the executive sponsor for the integration of risk into the QMS?
- Who owns ISO risks?
- How do you integrate a risk management system into a quality management system?
- What are the key steps in implementing a risk management system and processes?
- What is the role of Internal Audit (IA) in ISO 9001 implementation?
- How will quality auditing adapt to conduct risk based audits?
- What levels of assurance will the new ISO 9001 (2015) require?
- Are there other risk management systems that can be implemented into ISO 9001?
- Is there an official risk taxonomy and language? And if so, what is it?
- Who should participate in the ISO 9001 risk management process and how?
- How do you develop a business case and project plan for implementing the new ISO 9001 requirements?
- Should you discuss the risk integration of ISO 9001 with the Board and other risk stakeholders? If so, what is the optimal method for this?
- How do you develop a business case and ROI for quality and for the integration of risk into ISO 9001 (2015)?
CONDUCTING RISK ASSESSMENT QUESTIONS
- What is the organization’s risk appetite at the organizational, business unit, program, project, process, product and transactional levels?
- What is the relationship between risk management and risk assessment?
- Is the risk appetite described in dollars, euros, etc.?
- Should you take an enterprise, program/project, process, tools, transactions, or product risk approach?
- How does one complete a risk map?
- Are there different kinds of risk maps, and what are the differences?
- Can you design a risk map that addresses your industry and risks?
- What are the differences between an event, threat, and risk?
- What are common risk assessment approaches and how are they different?
- What quality tools assist in the risk assessment?
- What are common errors and lessons learned from conducting risk assessments?
- What is the difference between a heat map and a FMEA, PFMEA, turtle diagram, and other quality tools?
- Which is better, a quantitative or a qualitative risk assessment?
- How do you conduct a risk based Capability & Maturity assessment (CMM)?
GETTING STARTED QUESTIONS
- What does the Board of Directors require or expect from the ISO 9001 risk implementation?
- Who should be your executive sponsor if you don’t have a Chief Risk Officer?
- Are ISO risk goals, objectives, and plans defined?
- What types of skills are required for implementing risk based systems into a QMS system?
- What are your risk training options?
- What are the ‘best’ steps to take in the ISO 9001 (2015) risk implementation?
- How do you conduct internal and external (registrar) risk audits?
- Do the registrars know how to conduct risk based audits?
- How can ISO risk systems be integrated into other organizational risk management systems?
- What is the cost of implementing a risk management system?
- What are the steps (WBS) to get started?
- What does a large ISO registered company do differently than a smaller company to implement a risk management system?
- How long does it take to implement a risk management process into a quality management system?
SEND US YOUR QUESTIONS
While ISO 9001 (2015) is almost 2 years away, start planning the transition NOW. Send us your questions and we’ll answer them in CERM Risk Insights or in a Vlog.
If you want to talk with us on risk management or quality, give us a call. We’ve implemented a number of risk based systems in a number of sectors.
Greg Hutchins PE CERM
GregH@CERMAcademy.com
503.233.1012
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books, available on all platforms, are shown below: