The words “risk” or “risks” have been sprinkled throughout the 2015 revision of the ISO 9000 standard. Although some “requirements” will be easy to satisfy using well-established process monitoring or capability techniques, other references to risk are so vaguely stated as to be open to a myriad of interpretations and thus become meaningless. Having read and re-read the current references to risk spread over several paragraphs, I wonder if it would not have been better to address risk in one paragraph at the beginning of the standard. I have “cut and pasted” most of the current references to risk and included brief comments.
4.4.2 Process approach
The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;
What is the meaning of “unintended output”? Nonconforming product? Unintended output from a process can be either reprocessed (chemical industry), scrapped or sold at a discount. The risk of producing unintended output should theoretically be set at zero or near zero, but this is rarely achieved (the analogy would be a process operating at 4.5 sigma vs. 5 or higher). The lower the ppm, the lower the risk of producing “unintended output,” but one must not forget that, depending on the industry (airline, nuclear, medical vs. pencil manufacturers or other similar industries), these risks have different end-user impact and/or costs. Fortunately this is recognized in the last line of 6.1.
5.1.2 Leadership and commitment with respect to the needs and expectations of customers
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;
This can be achieved by establishing process capabilities for each process from manufacturing and/or assembly to packaging and product delivery and/or installation. The computation of a simple Cp or Cpk index would help management quantify their process risk. The objective would be to achieve the highest economically feasible capability for each process thus minimizing the risk of producing so-called “unintended output.”
6.1 Actions to address risks and opportunities
When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 (4.2 Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed to
a) assure the quality management system can achieve its intended outcome(s),
b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction,
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.
The word “risks” in the above context is at best difficult to interpret given the requirements stated in a) – d). For example, how does one determine the risks and opportunities to assure the quality management system can achieve its intended outcomes? The intent has always been to ensure that the quality management system is effective, and this is verified via the audit process; the insertion of the word “risk” does not help any and confuses things. Nevertheless, these risks can be quantified by simply looking at nonconformance percentages (per process and at final output), but this is already established via the use of process capability measures!
The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction.
Good to know and a wise decision but this could well be seen as an escape clause by many companies.
8.3 Operational planning process
In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate,
b) actions to identify and address risks related to achieving conformity of goods and services to requirements;
This is nothing more than a repeat of what has already been stated!
8.5.1 Development processes
In determining the stages and controls for the development processes, the organization shall take account of:
e) the determined risks and opportunities associated with the development activities with respect to
1) the nature of the goods and services to be developed and potential consequences of failure,
2) the level of control expected of the development process by customers and other relevant interested parties, and
3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.
This is already done in some industries (automotive and avionics) but is not likely to be documented for all to see. Who will document these risks for future lawyers to see? If a company acknowledges that there is a small risk (let’s say one in a million chance) that something wrong COULD happen, lawyers would say that the company knew that there was a risk and is therefore liable. You can’t have zero risk and no one will want to pay the cost of developing a product with zero risk. This idea to either quantify and/or document risk for all to see is unrealistic from a legal point of view; of course lawyers will love it.
8.6.5 Post delivery activities
The extent of post delivery activities that are required shall take account of
a) the risks associated with the goods and services,
This sounds like a rephrasing of warranty cost analysis; major companies have done this for a long time but I don’t know about small to medium size companies.
9.1 Monitoring, measurement, analysis and evaluation
The organization shall take into consideration the determined risks and opportunities and shall:
This is vague but there are important issues to address relating to inaccurate measurements or insufficient measurements. Gage R&R addresses many if not most of these issues and I don’t see how adding the word risk brings any value to this paragraph except that now one must think of the missed “opportunities” for measuring (or rather, not measuring) and the associated risk.
9.2 Internal Audit
The organization shall:
a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;
Internal auditors would now have to assess the risk of failing to do something or the risk of not following a procedure; this would be challenging to quantify and assess. Potential risks would also have to be assessed! Even more challenging.
10.2 Improvement
The organization shall improve the quality management system, processes and goods and services, as appropriate, through responding to:
c) changes in identified risk (see 6.1);
One could do FMEAs to show that the RPN (Risk Priority Number) has decreased as a result of a process change. This is not difficult to do but is full of uncertainties, since FMEAs are based on subjective assessment. All of this work can give the illusion that all is well or that things are getting better until the famous Black Swan (unforeseen outlier) shows its ugly head, thereby demonstrating that risk analysis is by definition a risky business!
Bottom Line: ISO 9001 (2015) may truly be a paradigm shift standard.
Note: Reference italicized clauses of ISO 9001 (2015) are (C) ISO and are used within the context of “Fair Use” for public review of the standard.
Bio:
James Lamprecht is a management consultant and Six Sigma Master Black Belt. In his career spanning over three decades, Dr. Lamprecht has worked as a consultant, teacher, and statistician. He has audited over one hundred companies here and abroad and has conducted hundreds of seminars and classes in applied industrial statistics, ISO 9001 and Six Sigma. He has authored 11 books including Interpreting ISO 9001:2000 with Statistical Methodology (ASQ Quality Press, 2001), Applied Data Analysis for Process Improvement: A Practical Guide to Six Sigma Black Belt Statistics (ASQ Quality Press, 2005) and Dare To Be Different: Reflections on Certain Business Practices with Renato Ricci (ASQ Quality Press, 2009). Dr. Lamprecht, who has consulted in Europe, Canada and Latin America, received his doctorate from UCLA.