#23 – RISK MANAGEMENT IN THE 2015 REVISION OF ISO 9001:2008 – SANDFORD LIEBESMAN

ISO 9001 (Quality Management) and ISO 14001 (Environmental Management) are scheduled for major revisions by the end of 2015. I recently attended a meeting of the US Technical Advisory Groups for these standards. Although there were many changes proposed, this article will focus on risk management and items left out of the Committee Draft (CD). The CD will form the basis of ISO 9001:2015. I will not discuss ISO 14001 since I am not on the technical committee.

The first step in developing the revised standards is to create a Committee Draft (CD) for 9001:2015. The CD contains the following ten clauses:

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operational Planning and Control
  9. Performance Evaluation
  10. Continual Improvement

Clauses 1 to 3 (Scope, Normative References and Terms and Definitions) are similar to the first three clauses in the current standards, although the wording has changed. However, the new clauses 4 to 10, which replace clauses 4 to 8 in the current standards, are very different. The structure of the new clauses is based on the Annex SL document developed by ISO[1], which sets out a high-level structure, identical core text and common terms for ISO management systems standards. The goal is to provide a common structure for companies that comply with multiple standards at the same time.

A DEFINITION OF RISK
A number of definitions are under consideration. The one I favor is “Risk is the potential loss resulting from a given action.” ISO 31000 defines risk as the “effect of uncertainty on an organization’s objectives”, where an effect is a positive or negative deviation from what is expected. So, risk is the chance that there will be a positive or negative deviation from the objective you expect to achieve.[2]

The 2015 revision of 9001 will consider risk-based thinking as part of its goals, but will not include risk management tools. Risk management is covered in the ISO 31000 series standards[3].

RISK AND PREVENTIVE ACTION
The proposed structure for the 2015 revision of ISO 9001 does not include specific requirements for ‘preventive action’. This is because the management system proposed is considered to act as a preventive tool. The final text in the 2015 version will require assessment of issues that relate to the organization’s purpose and that will affect its ability to achieve its goals. The organization will have to address the risks and opportunities to achieve these goals and prevent, or reduce, undesired effects. Is the structure described in Annex SL considered sufficient to cover preventive action? Let’s look at the definition of preventive action from ISO 9001:2008.

ISO 9001:2008, CLAUSE 8.5.3, PREVENTIVE ACTION
The following is the statement in ISO 9001:2008 describing preventive action:

The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems. A documented procedure shall be established to define requirements for a) determining potential nonconformities and their causes, b) evaluating the need for action to prevent occurrence of nonconformities, c) determining and implementing action needed, d) records of results of action taken (see 4.2.4), and e) reviewing the effectiveness of the preventive action taken.

I don’t believe that risk and the management system provide sufficient coverage of preventive action to warrant not defining a process for accomplishing it. This seemed to be a concern of the standards group, and it is a shortcoming of the proposed revision of ISO 9001:2008.

OTHER ITEMS LEFT OUT OF ISO 9001 REVISION
A review of the proposed 2015 revision indicated that the following key provisions were left out of the CD:

  1. Clauses 4.2.3 (Control of Documents), 4.2.4 (Control of Records), 4.2.2 (Quality Manual) and 5.5.2 (Management Representative) of ISO 9001:2008 are important and should not be eliminated from the 2015 standard.
  2. Clause 8.5.3 in ISO 9001:2008, which requires a process to accomplish preventive action, has been eliminated. See the explanation below from Annex SL.
  3. Clause 7.1.4, “monitoring and measuring devices”, is incomplete. The details covered in ISO 9001:2008, Clause 7.6, Control of monitoring and measuring equipment, are not included.
  4. Clause 4.2.3, control of documents, contains less detailed requirements than ISO 9001:2008. Missing are requirements to assure that documents are up to date and to prevent use of obsolete documents. In addition, there are no requirements for control of records.
  5. There is no requirement for a quality manual.

NEXT STEPS IN DEVELOPMENT OF ISO 9001:2015
The US TAG to TC 175 voted not to accept the Committee Draft (CD) and proposed development of another draft by TC 176. Since we are only one vote out of 40 on the TC, the committee draft may be accepted as is. The management of our TAG will have to influence the other countries to vote no on the CD.

[1] ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013, Annex SL.
[2] Executive Summary, ISO 31000:2009.
[3] ISO 31000:2009 provides principles and generic guidelines on risk management.

Bio:

Dr. Sandford Liebesman, Sandford Quality Consulting LLC and retired corporate ISO Manager at Lucent Technology, had over 43 years’ experience in quality at Bell Laboratories, Lucent Technologies, Bellcore (Telcordia) and KEMA Registered Quality. He is an ISO 9000 subject matter expert and auditor and is author of the books: Competitive Advantage: Linked Management Systems; TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications, 1st & 2nd Editions; and Using ISO 9000 to Improve Business Processes. He has presented seminars and published articles on linking management systems and QMS/EMS support of Sarbanes-Oxley, and led the team that developed the 2005 and 2006 ASQ SOX conferences. As part of the linking effort he joined the Institute of Management Systems (IMS) and helped develop the revision of the COSO guidance to SOX compliance. He has conducted over 95 registrar audits of ISO 9001 and TL 9000. He also conducted internal audits as a member of Lucent Technologies. Dr. Liebesman has an engineering degree from the United States Naval Academy and MSEE and Ph.D. (Operations Research) degrees from New York University. He taught statistics, quality control, quality management and operations research at Rutgers University. He is the Past Chair of the ASQ Electronics and Communications Division and a Fellow of ASQ.