Let’s say Pete’s company has been in business for over thirty years. Now ISO 9001:2015 comes out requiring risk-based thinking. Does that mean Pete must therefore engage in formal risk management, and that management must use a risk assessment tool to provide evidence of risk-based thinking?
No. Really, such an exercise offers questionable value in and of itself, as the following attempts to illustrate. If an organization is operating successfully (and consistently satisfying customers), it already has a good handle on quality management and risk-based thinking, or else it wouldn’t be successful.
If a successful organization is not currently using any form of risk assessment tools, then ISO 9001:2015 will not require them to start. If such tools are appropriate to manage the system, that conclusion would result from application of RBT (by management), not by application of ISO 9001:2015 (by an auditor).
A QUALITY CONVERSATION?
Tim (QMS Manager) says: “Pete, the new version of ISO 9001:2015 is going to require us to prove risk-based thinking. That means we need to complete a risk register—like a FMEA—to prove to an auditor that we’ve applied risk-based thinking to our system.
Tim: “So, I’ve modified this FMEA form for use as a QMS risk assessment tool. Let’s fill it out and be done with it.
Tim: “First, basically, we consider all the risks we can think of that might challenge our abilities to meet quality objectives—like delivering good product on time. Then we need to estimate the likelihood that an event representing each risk will occur. Then we need to consider the consequences, should the event occur. Then, we need to weigh the likelihood and the consequences to determine if mitigating action is necessary. When mitigating action is necessary, we need to come up with some action. Okay?
Pete: nods affirmatively, eyes rolling.
Tim: “Let’s start. If we promised to supply product to a customer, and we weren’t clear about what the customer’s product requirements are, would that impact our ability to deliver quality product?”
Pete (CEO) replies: “Yep.”
Tim: “Okay, so we must enter this risk to our risk register. Let’s just keep identifying risks for now. We’ll do the analysis stuff later.”
Pete: “Okay.”
Tim: “So, if we promised to supply product to a customer without considering whether or not we could actually produce the requested product, would that affect our ability to deliver quality product?”
Pete: “Yep.”
Tim: “Okay, so we must enter this risk to our risk register. Actually, this can cause two entries, since there are at least two reasons why we might not be able to produce the requested product. The first uncertainty is with our capability to produce the requested product, the second is with our capacity to produce the requested product within the requested timeframe.”
Pete: “Okay.”
Tim: “Next, if we have confirmed our ability to meet requirements (eliminating these uncertainties), if our suppliers provided us with poor or late materials, would that affect our ability to deliver product to our customers on time?”
Pete: “Yep.”
Tim: “So, let’s take a quick break from identifying risks to quality to doing some analysis on the risks already identified. First, the risk of being uncertain about the customer’s product requirements. How likely would failing to deliver quality product on time be if we were unclear about what the customer wanted in the first place?”
Pete: “Very highly likely.”
Tim: “Okay, good. So, what would the consequences be, I guess, for failing to ship quality product on time because we didn’t understand the customer requirement?”
Pete: “That would be catastrophic to customer satisfaction.”
Tim: “Okay, well, according to the math, since this is likely to happen and the results would be catastrophic, we need to take an action! Whatever will we do?!”
Pete: “Well, right now, we make it the responsibility of Sales personnel to verify the customer requirements are clear before we accept their orders—that’s already part of the procedure for taking sales orders.”
Tim: “Oh, wow! Great, we already have a mitigating action that we can record on the FMEA: “procedural provision” or, we could even say “assignment of responsibility.
Tim: “Okay, great. Now how about the uncertainty of our capability to meet customer requirements. How likely is it that we would fail to ship quality product on time if we lacked the capability to produce the requested product?”
Pete: “Almost certain.”
Tim: “Okay, good. So, how devastating would the consequences be?”
Pete: “Very.”
Tim: “Well, according to the math, since this risk to quality is almost certain and the consequences would be devastating, we need to take a mitigating action! Oh goodness, what will we do?”
Pete: “Well, right now we make Sales personnel responsible for verifying that customer’s requested products fall into our current capabilities. They consult with engineering if there’s any question. That’s already part of the procedure.”
Tim: “Great! We already HAVE a mitigating action to address this risk to quality. I’ll write it down: “procedural provision” or, I guess this one could also be “assigned responsibility.”
Tim: “Okay, now we’re getting somewhere. Whew! So, about the risk to quality presented by uncertain capacity to meet due dates. How likely would it be for that to result in our shipping product late?”
Pete: “Very.”
Tim: “’Very.’ Okay, good. So, about the consequences?”
Pete: “Again, devastating to customer satisfaction.”
Tim: “Okay, good. So, we need an action. What’s it going to be?”
Pete: “Well, right now, we make Sales personnel responsible for verifying appropriate band-with in production to meet customer’s due dates. They do this by consulting with the Production Scheduler or by looking at the electronic production schedule. That’s already in our procedure.”
Tim: “Great! Mitigating action: “procedural provision,” or, again, “assignment of responsibility.”
Tim: “Okay, now how about our suppliers’ abilities?”
Pete: “You know, Tim, I’m busy. I have lots of things to get done. I can already tell you that our suppliers’ performance is also critical to our ability to deliver quality product to our customers on time. I really don’t need to go through every line on your risk form, do I?
Pete: “I’m getting kind of tired of jumping trough unnecessary hoops because somebody told me I had to in order to keep auditors happy. Isn’t this a bit like telling me that I needed 20 procedures back in 1987 all the way to 2000? Remember that, Tim? Remember the 6 procedures after 2000 that were supposed to capture the good planning we’ve done here over the years to keep this company running—plans for running a company I’m damned proud of? Remember that, Tim—that wasn’t so long ago!”
Tim: nods affirmatively and sheepishly.
Pete: “Furthermore, Tim, it seems to me that there is a pattern developing here. Is going through this exercise really going to help me identify or address risks to quality that have NOT already been obviously considered and included in the QMS already? Will this exercise make me think of something that we aren’t already managing?
Pete: “Or, is the objective of this exercise merely to back-fill a risk register to tell me to take mitigating actions that have already been taken and are, in fact, implemented in our system designed to manage the risk to quality?”
Tim: “Uhh.”
Pete: “Does the standard actually require this waste of time? Or is it the auditors who can’t see through the trees of our risk-based thinking forest who need these signs clearly pointing to each piece of evidence proving we applied risk-based thinking in the development of this QMS? If we were to develop the signs these auditors seem to think they need to recognize RBT, we wouldn’t even see the forest through the signs. How about we select auditors who can recognize each tree they see as naturally being part of our RBT forest?”
Pete: “I thought I was paying you to make this stuff easier to understand and implement! If quality professionals want to keep their jobs, they better wake up and start adding value, instead of allowing ISO 9001 to be their gold mine resulting in negative-value added BS in my operations. If you weren’t my brother-in-law . . .”
Bio:
T. D. (“Dan”) Nelson has been closely involved with ISO 9000 since 1994 as a technical writer, quality manager, management representative, consultant, author, and CB auditor. Holding an MA in Business Administration from the University of Iowa, Dan also has 12 years of experience as an IRCA-certified QMS Lead or Principal Auditor, conducting registration audits and surveillance audits, and training Lead Auditor candidates in accredited courses. Using a process approach, Dan has taken several scores of clients of various shapes and sizes through registration to ISO 9001:1994/2000/2008 and related sector schemes (e.g. QS 9000, AS9100, ISO 13485, and ISO 17025). Dan’s numerous articles about the process approach have also been published by Quality Digest, Inside Quality, ASQ’s Quality Management Division, the Society for Manufacturing Engineers (SME), and the South African Quality Institute (SAQI); Dan has been featured as a guest blogger by RABQSA, and has been featured on Quality Digest Live. Dan is available for management consulting, training, and coaching, as well as auditor training and coaching. Contact: dan@tdnelson.com 720 412 7994