The authors of ISO 9001 recognize that dealing with risk is part of management, including quality management.  The 2015 standard will require risk-based thinking (RBT) as part of systemic quality management, just as the process approach is part of systemic quality management.  Good news: application of RBT, like that of the process approach, comes naturally to successful management personnel.

Systemic application of RBT and a process approach go hand in hand.  Systemic application of RBT, like that of the process approach, is demonstrable by the definition and operation of a management system.

NECESSARY BUT NOT SUFFICIENT RISK CONSIDERATIONS
Management of successful organizations naturally addresses the unique, specific risks relevant to quality within their organizations.  An international standard for assessing management systems cannot specifically address all risks encounterable by organizations of all shapes and sizes operating in a variety of industries and organizational contexts.

Management of any organization needs to take into consideration uncertainties and their impacts upon quality within their own operations, given their organizational contexts, regardless of ISO 9001 requirements.  In considering the risks to quality (e.g., uncertainties resulting in delivering late or bad product), of course organizations must take into consideration known sources of error that are common to any organization (and recognized by ISO 9001).

To be ISO 9001 compliant, the risks addressed by a QMS must include those represented in the basic, generic requirements of ISO 9001 (e.g., the risk of processing unidentified product, the risk of using uncontrolled documents, the risk of employing incompetent personnel to perform work affecting quality, etc.).

Management of successful companies took these risks to quality into consideration long before the first ISO MS standard was released.   Did management of any organization need the generic requirements of ISO 9001 to understand the potential problems associated with using uncontrolled documents, unidentified product, incompetent personnel, etc.?

ISO management system standard requirements are generic. They’re not a comprehensive set of requirements serving as any company’s planned arrangements or management system requirements for processing.  In defining how operations are conducted, management needs to take into consideration the relevant risks to their operations, given the organizational context—its industry, its size, the nature of its product and the processes, etc.

The generic requirements of ISO 9001 pertain to any company whose objectives include satisfying customers by providing timely quality products or services. While considering these common risks is necessary for proper quality management (and for ISO 9001 conformity), it’s not sufficient for proper quality management (or for ISO 9001 conformity).

Risks specific to organizations’ products and processes must be taken into account, and demonstrably so, in defining a management system designed to satisfy customers.  More good news: applying good sense to define and operate a management system isn’t difficult and it makes proving ISO 9001 conformity easy.

RBT AND THE PROCESS APPROACH
Although RBT and the process approach are two distinct concepts, they’re not unrelated. They work together as part of systemic quality management.  Evidence of effective application of RBT and a process approach can be found by looking at the documented information defining a management system.

Like the process approach, RBT has always been implicit in the standard.  While the process approach helps identify what system-level documentation is needed (i.e., documentation describing the system and its processes), RBT helps determine the extent of documentation.  The amount and detail of QMS documentation should be appropriate to the operations at hand, considering the risks to quality.  It should be appropriate to, or commensurate with, the risk involved in this context.

Risks to quality are those affecting an organization’s ability to meet customer requirements (and relevant statutory or regulatory requirements).  As soon as an organization accepts a PO from a customer, for example, a promise has been made to meet customer requirements, or, to deliver a certain quantity of product or service (within some timeframe).

A supplier might fail to meet customer requirements for a variety of reasons, each of which represents a realized risk to quality.  A robust management system takes into account risk from a variety of sources and addresses risk effectively and systemically via a combination of documented information and training.

A system meeting ISO 9001 requirements obviously takes into account the risk of not identifying product during processing, the risk of not applying sensible product preservation methods, the risk of employing incompetent personnel, the risk of not controlling documents, the risk making promises exceeding capacity and capability, etc. The standard requires these common, known sources of quality problems (risks to quality) to be taken into consideration and addressed somehow by a QMS, along with the unique risks to quality known by management (depending on their unique operations).

By reviewing documented information describing a management system, one can understand what risks are involved by understanding what controls are in place to assure proper processing.

Bio:

T. D. (“Dan”) Nelson has been closely involved with ISO 9000 since 1994 as a technical writer, quality manager, management representative, consultant, author, and CB auditor. Holding an MA in Business Administration from the University of Iowa, Dan also has 12 years of experience as an IRCA-certified QMS Lead or Principal Auditor, conducting registration audits and surveillance audits, and training Lead Auditor candidates in accredited courses. Using a process approach, Dan has taken several scores of clients of various shapes and sizes through registration to ISO 9001:1994/2000/2008 and related sector schemes (e.g. QS 9000, AS9100, ISO 13485, and ISO 17025). Dan’s numerous articles about the process approach have also been published by Quality Digest, Inside Quality, ASQ’s Quality Management Division, the Society for Manufacturing Engineers (SME), and the South African Quality Institute (SAQI); Dan has been featured as a guest blogger by RABQSA, and has been featured on Quality Digest Live.  Dan is available for management consulting, training, and coaching, as well as auditor training and coaching. Contact:                   dan@tdnelson.com                  720 412 7994