#68 – RISK BASED THINKING – NO PROBLEM – T. DAN NELSON

T. Dan NelsonEvidence of risk-based thinking can be found all over a good quality management system (QMS).  From definition of the system itself, to the processing controls in place, to each action taken to improve the system and its processes. Therefore, no additional documentation should be needed to comply with upcoming ISO 9001 requirements demanding risk-based thinking.  While no additional procedures or forms will be needed, though a mention of risk-based thinking somewhere in QMS documentation seems appropriate.

SYSTEM DEFINITION
How do the common clause-by-clause or 6-procedure-only approaches demonstrate risk-based thinking?  Regardless of organizational context or risks involved with product or processing, systems defined by these approaches respond to requirements uniformly without regard for their impact on the organization and without regard for the risks involved with processes left undefined by these approaches.

The resulting system structure suggests risk-based thinking was directed toward managing certification rather than toward managing quality.   We can tell because QMS documentation is written in response to ISO 9001 requirements instead of being written in response to the risks involved with processing.  In these cases, QMS procedures are uniformly dedicated to ISO 9001 requirements instead of being dedicated to internal, unique QMS processes affecting quality.

QMS documentation should be developed to ensure proper processing, bearing in mind the risk involved, thereby reducing likelihood of improper processing and nonconforming product.  A standard-based approach to quality management misplaces risk-based thinking, focusing it on risks of failing audits instead of properly focusing it upon risks of improper processing and failing to perform to customers’ expectations.

Even if a proper approach has been applied, and QMS procedures describe how real QMS processes are supposed to be carried out, a simple system in a relatively low risk circumstance could still be overkilled with complex processing requirements (“because we thought the standard required us to”).  Or, in a high-risk situation, a system could exist so minimally we would worry about its adequacy to assure quality (given the risks involved).

While the former may sacrifice efficiency by overkilling effectiveness, the latter may sacrifice effectiveness in an effort to be efficient.  Given the context and circumstances, effective risk-based thinking helps balance between the two to produce desired results.

CONTROLS IN PLACE
Work instructions are written to encourage proper processing and reduce the risk of improper processing.  If an instruction states, “Insert nut A onto bolt B and torque to 20 foot pounds,” this instruction increases the likelihood that nut A will be threaded onto bolt B and torqued to 20 lbs.  This promotes effective, efficient processing.  It also reduces the risk of nut A being inserted on bolt C, D, or E.  It also reduces the likelihood that the bolt will be torqued to 30 pounds—too much—or being torqued to 15 pounds—too little.

Or, any mistake-proofing efforts are implemented to reduce the risk of improper processing, thus reducing risk of nonconforming product.  If effective, all of these provide evidence of effective risk-based thinking.

ACTIONS TAKEN
Records of any effective, efficient action taken by management relevant to the QMS should provide evidence of risk-based thinking, whether these actions reactive or proactive.  If an action resolves an issue or improves operations without undue expenditure of resources, it provides evidence that the action was planned taking into consideration context and likely consequences.  Good actions aren’t successful by accident or due to hope-based thinking or wishful thinking.

When actions result in making things worse, or overkilling problems, or not solving issues intended to be solved by taking actions, we have evidence of poor or absent risk-based thinking.

REQUIREMENTS CREEP
One problem this requirement will help to alleviate is “requirements creep.”  When auditors assess large organizations with complex processing and sophisticated process controls, sometimes these auditors will later arrive at a very small company expecting to see the same level of sophistication in process control that they had witnessed earlier.  They get the idea that these practices are actually required regardless of risk to product or process quality or risk to the world.

While sophisticated processing controls in force within the larger organization with complex processes may be appropriate, auditors may view these as “opportunities for improvement” for other companies where the risk isn’t such to require such sophisticated process control.

Worse, they might get the idea that, for example, that a sophisticated Engineering Change Order (ECO) routine must be defined for any organization to satisfy requirements of ISO 9001.  The risk-based thinking requirements afford management of a small organization a good argument for why a sophisticated ECO routine isn’t in place:

“It isn’t needed.  The risk posed by this source of error isn’t of great concern in our context.  Crude though they may be, our controls are effective, given the risk involved.  The standard requires effectiveness.  Do you have evidence that these controls are not effective, or are you raising this issue because you believe the standard requires us to have a sophisticated ECO routine?”

“Oh, we didn’t think of that . . .”

When quality problems happen, somebody didn’t think ahead with risk-based thinking very well, did they?  Management can’t claim, for example, “Oh, we didn’t think of providing training to personnel expected to operate that new multi-million dollar piece of equipment that was trashed immediately due to improper operation.”

Well, they CAN, but they are admitting that they didn’t apply good risk-based thinking.  If management is doing a good job, risk-based thinking underlies all of their business decisions.  A record of any good action taken, a look at existing process controls, and definition of the system itself can all provide evidence of effective or ineffective risk-based thinking.

Bio:

T. D. (“Dan”) Nelson has been closely involved with ISO 9000 since 1994 as a technical writer, quality manager, management representative, consultant, author, and CB auditor. Holding an MA in Business Administration from the University of Iowa, Dan also has 12 years of experience as an IRCA-certified QMS Lead or Principal Auditor, conducting registration audits and surveillance audits, and training Lead Auditor candidates in accredited courses. Using a process approach, Dan has taken several scores of clients of various shapes and sizes through registration to ISO 9001:1994/2000/2008 and related sector schemes (e.g. QS 9000, AS9100, ISO 13485, and ISO 17025). Dan’s numerous articles about the process approach have also been published by Quality Digest, Inside Quality, ASQ’s Quality Management Division, the Society for Manufacturing Engineers (SME), and the South African Quality Institute (SAQI); Dan has been featured as a guest blogger by RABQSA, and has been featured on Quality Digest Live.  Dan is available for management consulting, training, and coaching, as well as auditor training and coaching. Contact:                   dan@tdnelson.com                  720 412 7994

Leave a Reply

Your email address will not be published. Required fields are marked *