In recent months, there has been a lot of speculation into the addition of risk management into the 2015 version of ISO9001. This article will attempt to put this initiative into perspective and eliminate most of the fears and concerns that many have voiced on the subject.
Let’s start with the basics.
WHAT IS RISK?
Paraphrasing ISO 31000 risk is the effect of uncertainty on objectives; another definition is a threat to the achievement of goals or success. This article defines risk simply as the possibility of loss.
WHAT IS POSITIVE RISK?
The term “Positive Risk” is actually risk associated with an opportunity. What if a project required 10,000 units to be produced per month and the product took off and now the demand is for 20,000 units per month? What risks do we face when doubling the initial monthly production? Still, we view the negative effects of opportunity.
WHAT IS RISK MANAGEMENT?
There are many definitions used to describe risk management. ISO 31000 defines risk management as “the coordinated activities to direct and control an organization with regard to risk”. A broad definition for sure so for the purpose of this article I will use this definition; risk management planning to minimize or eliminate the impact of negative risk.
Rule number 1 of risk management is that you cannot manage what you cannot see or choose to ignore. Risks need to be identified, gauged for their potential impact and probability, and then analyzed for possible mitigation (reduction or elimination) leading to acceptance or rejection.
INTEGRATING RISK MANAGEMENT INTO A QMS
So now we look at integrating risk management into an ISO based QMS. How do we do this? As most businesses manage risk every day so incorporating risk management into a QMS should not be the daunting task that many fear.
Modern day Quality Management Systems are based on well defined interrelated processes. Rather than making risk management a separate entity or process, integrating the management of risk in each process is surely the way to go.
Processes are portrayed in both written and visual form. In order to integrate risk management into a QMS, it is best to use the visual form, process maps. As the saying goes, a picture is worth a thousand words.
When generating a process map, part of that map should be a flowchart showing not just the expected process flow, but also the decision gates for that process. The ‘what ifs’.’ Decision gates should be based on potential risks and the decisions that need to be made in order to mitigate, accept or reject those risks.
As an example let’s use a sales process, specifically an RFQ review for a new electronic widget. Using the basics of a proposal effort for a design and development process, there are the technical challenges, possible new manufacturing techniques, supplier challenges, regulatory issues, correct pricing and delivery schedules. Each one of these basic processes presents risk. By embedding risk management into the processes, risks can be identified, analyzed, prioritized, accepted or rejected. Day to day management of these risks can be accomplished through regular program management/development status meeting.
Adding risk management to a QMS should not be difficult and should already be inherent to existing QMS processes.
Bio:
Richard Murdock has worked in the aerospace industry for most of his 35 year career. He started writing embedded software for satellite earth station and quickly moved into the aerospace arena. Richard spent almost 10 years in Program Management and over 10 years in Quality Assurance.
In 2006, Richard started North Fork Support Services offering ISO9001 and AS9100 consulting services to small and medium size businesses giving them the edge to compete in a global market.
In the past year, North Fork Support Services has expanded its services to include Quality on Demand services for those companies that previously did not have the resources to support a full time Quality Assurance organization.