Tell us a little about your self?
I have worked in manufacturing quality for over 40 years in a wide variety of industries, including pulp and paper, chemical, plastic and rubber processing, battery manufacturing, converting, electronics assembly and machine building. I was employed by the Polaroid Corporation for 27 years as a process engineer; manufacturing manager and technical director. My last assignment at Polaroid was Director of Materials for World Wide Instant Film Manufacturing. In this role I was responsible for supplier quality. Additionally, I was Plant Manager for the Custom Coating Plant of the Furon Company (now Saint Gobain) for several years.
What do you think are the biggest challenges to ISO 9001:2015 registration?
ISO 9001:2015 requires the organization to integrate the quality management system (QMS) requirements into the organization’s business processes and understand the context (external and internal issues) of the organization and expectations of interested parties. Additionally, the new standard requires the organization to provide a program plan to achieve its quality objectives; who is responsible, what is the schedule and what techniques or methods will be utilized to manage the program.
A significant change for organizations upgrading to ISO 9001:2015, is the requirement to develop a process to address risks and opportunities. The Organizational Knowledge requirement is also new to ISO 9001:2015. Organizations, depending on its operations, are now required to have some formalized program for succession planning, technology updating and supplier contingencies.
A challenge for organizations upgrading to ISO 9001:2015 is that some of the new clauses contain requirements that are somewhat difficult to interpret. In my opinion, Annex “A”, of the standard: “Clarification of new structure” does not effectively clarify the new requirements, but in fact dilutes the potential positive impact of the ISO 9001:2015 standard.
Clause 6.1 of ISO 9001:2015 “Actions to address risks and opportunities” requires
the organization to determine the risks and opportunities that need to be addressed to give assurance that the quality management system can achieve its intended results and plan actions to address these risks and opportunities. This requirement replaces the preventive action from prior ISO 9001 versions.
Seems logical and a good replacement for the often confused preventive action requirement, and a nice way to link ISO 9001 into the business strategy of the organization- a new requirement of ISO 9001:2015. Unfortunately, Annex “A” eliminates the requirement of a formal risk management process.
A.4 Risk-based thinking:
Although (6.1) specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process.
In my book, “The ISO 9001:2015 Implementation Handbook”, I suggest organizations should document their approach to risk management based on the context of their business model. A small machine shop might utilize a SWOT (strength, weakness, opportunity and threats) approach as part of their risk based management strategy, while a multi-site, international contract manufacturer should employ a more complex risk analysis and mitigation approach. A basic principle in auditing: “If it is not documented, it didn’t happen.” I am concerned that the caveat to risk-based thinking described in A.4 will cause confusion and conflicts for auditors and the audited organizations. I suggest organizations document their approach to risk management as a good business practice. Where confidentiality of business strategy is an issue, organizations should expose only the process of RBT to external auditors.
Annex “A” creates additional confusion related to documentation. While I acknowledge that too many ISO certified organizations are still employing a quality manual and procedures that include inefficient paraphrasing of the ISO 9001 requirements (going back many revisions), I suggests organizations continue to follow the documentation guidelines required of ISO 9001:2008- but streamlined to add value to the organization. My Handbook suggests options on what should be included in a well-structured, useful quality manual and document system. The overarching principle in documentation should be to formalize and control what is needed to ensure users of the documentation have a source for information and instructions that is accurate and timely, providing consistency in managing the business.
How do you define RBT?
I’m not sure I can provide a definition of Risk Based Thinking that will be useful to anyone who actually has to manage a quality system or business. Some of the writings and seminars on RBT recently promoted are quite simplistic and not very helpful in my opinion. Suggesting that “risk is like Swiss cheese” – or “everyone is responsible for RBT”- won’t provide much traction for quality or manufacturing managers seeking to establish a process to protect their companies from unexpected events.
While Risk Based Thinking can be valuable in assisting the organization in managing risks and improving their quality management system, I have concerns that RBT as a cultural change for organizations will not be very successful. In the past 30 years, there have been several quality improvement initiatives that attempted to bring about a change in a company’s culture that have not had a sustainable impact on the company’s quality or business results. Noted examples where quality initiatives attempting to change a company’s culture were often unsuccessful include: Quality Circles (QC) in the 1970s; Total Quality Management (TQM) popular in the 1980s; and Business Process Re-engineering (BPR) in the 1990s.
While each program had successes, a common reason for their lack of sustainability was the failure of the programs to become part of the day to day functioning of the business. Unfortunately, the programs were often considered as management’s latest “fad”. I fear RBT will become another fad, if risk analysis is not properly applied and supported by both executives and managers.
Quality managers planning to establish Risk Based Thinking as a new culture in their company as part of implementing ISO 9001:2015 may want to review the failures of the programs listed above. Before embarking on a RBT program, quality managers should ensure both top management and middle managers are on board and committed to supporting and implementing this new thought process.
Quality initiatives that have been successful the last several years are Six Sigma and Lean Manufacturing. These programs have achieved success because, while they do include some level of culture change for the organization’s employees- or different thought process, they are results driven. Top management support is important; however, the middle managers and work staff can operate quite independently and effectively once they are provided a charter by management for a Six Sigma or Lean initiative
How does a company adopt RBT with its QMS and other good business practices?
I prefer to describe the ISO 9001 requirement for RBT and response as risk analysis, which is more practical in my opinion than requiring the company to establish a new way of thinking. Inherent in several clause of ISO 9001:2015 are various levels of risk and threats to the organization in satisfying their customers’ needs and preventing the organization from meeting their improvement objectives. “The ISO 9001:2015 Implementation Handbook” includes examples where risk analysis can be applied. How organizations manage changes can be valuable in reducing risks and ensuring customer requirements are met and improvements maintained. I would suggest quality managers seeking to initiate risk based thinking in their organization consider employing risk analysis specific to changes in the organization’s processes. While most well-run companies understand the risks related to change control, the implementation of ISO 9001:2015 related to RBT, may be a good opportunity to ensure change controls are maintained as planned. I would expect that many readers of this article have experienced expensive failures in changes implemented the last few years related to at least one of the following processes.
Process or equipment changes: When production equipment or processes are changed, the implementation plan should include the potential risk for product quality. Testing prior to release of “new” product to customers is a common technique employed, along with the application of FMEA (Failure Mode and Effects Analysis).
Raw material specification control: Any change in materials used in production should be tested before release to customers. The organization should ensure their suppliers are aware of the need to maintain control and communication of any changes in their specifications or processes.
Document control and review: The organization should ensure documents used by employees are maintained and controlled to avoid mistakes. Employee instructions should be reviewed at some frequency to ensure employees are not by-passing operating instructions.
Design: During the design process, a robust verification and validation plan should be employed to eliminate risks related to new designs. The new design process should also include the risk analysis related to the impact the new design process may have on employee safety and the organization’s environmental impact, including end of life disposal issues.
Regulatory updates: The organization should maintain a process to be aware of changes to statutory and regulatory obligations related to its products to eliminate risks related to non-compliance.
Outsourced processes: Processes performed by external parties can create a risk for the organization in meeting its commitment. External supplier selection should include controls related to the impact the supplier can have on producing acceptable product or services. Inspection of externally supplied products should be based on inspection cost vs. risk related to supplier errors.
Effectiveness of corrective actions: An important part of the corrective action process is how effective the correction was to reduce the risk of a recurrence of the same issue. Time and resources allocated to measuring the effectiveness of the correction should be commensurate with the risk of recurrence.
Internal Audits: The internal audit plan should be based on the impact a process may have on quality performance as well as the history the particular process has in generating nonconformances. By focusing on the history and impact of each process, the organization can allocate auditing resources to reduce risk of errors.
How would you see a company implementing RBT and other risk requirements?
After many years’ experience in manufacturing, I have come to appreciate how difficult it is to initiate a cultural change, such as risk based thinking, into the core of a company’s values. A paradigm shift I would encourage all organizations to embrace is a strong program for change control as part of their risk based thinking.
An example where change control and risk management can compete with other company business needs is the tragic ignition switch failure at GM several years ago. The automotive sector has a requirement for new part approval: PPAP (production part approval process), a generic part qualification process used to determine if all customer requirements are understood by a supplier and if the process has the potential to produce product meeting requirements. PPAP is a very powerful tool, particularly as it relates to change control and reducing risks in new product introduction.
Did GM and its supplier Delphi apply PPAP properly before and during the ignition switch failure in 2004? The evidence suggests PPAP was not employed when the ignition switch was changed; a drawing revision change was used when a new part number should have been instituted as the redesign impacted the functionally of the component. (Portions from CNN Money Magazine, February 28, 2014).
Why was PPAP not used in the ignition switch redesign? Certainly, GM and Delphi have a culture of change control imbedded in their many years of successful quality performance. I would suggest that PPAP was by-passed because a drawing revision change requires fewer approval signatures than a PPAP, and can be implemented quickly. The desire to reduce time- to-market trumped change controls.
Companies of all sizes can use the PPAP process as part of their risk management and change control. I would suggest the process be streamlined to fit their operation and reduce non-value added bureaucracy of some PPAPs.
A change control process used by many organizations is the ECN (engineering change notice) that manages how functions or processes interact when changes are made in product, materials or processes. An almost military-like administration of the ECN process needs to be maintained if an organization is committed to RBT.
How do companies become knowledgeable on risk and RBT?
I think the often abused concept that “one size fits all” is a manifestation of why new quality initiatives or business improvement programs don’t take hold in many companies. Risk Based Thinking and its linkage to ISO 9001:2015 is a prime example. Companies wishing to expand their knowledge and application of RBT should first understand who they are and what they want to become in the next few years. The extent an organization needs to learn about RBT should relate to the context of their business. As previously mentioned, a small machine shop might utilize a SWOT approach as part of their annual risk management strategy, while a multi-site, international contract manufacturer might employ a more complex risk analysis and mitigation approach.
There are many professional consultants and organizations available that can assist companies with RBT training. As always, before employing a consultant, it is highly recommended references from clients who used the consultant should be carefully reviewed. Beware of the “risk is like Swiss cheese” philosophy peddlers!
Thank you for your time. Great interview:
BTW: You can order Milt’s books by clicking:
ISO 9001:2015 Implementation Handbook
ISO 14001:2015 Implementation Handbook
