(6 Planning for the QMS) 6.1 Actions to address risks and opportunities
Relying on luck isn’t much of a strategy when creating a robust quality management system. This is why the standard has been revised to include a specific requirement that the organization make an effort to consider and identify its potential risks and take appropriate action to mitigate them.
It would seem that every organization would do this as a natural path to planning – of course risks would be considered. Thinking about the “what ifs” is part and parcel of any type of planning. But the standard makes some strong statements in terms of “shalls” and specifically the term “risk”, and this is what has the quality management industry up in arms. Some say the new requirements introduce risk management, which is much more in-depth than a simple consideration of “what ifs” and has broad implications in terms of how it could impact ISO-compliant quality management systems. Some say this particular section overreaches and actually connects ISO 9001 to the requirements of ISO 31000, which significantly increases the requirements of the quality management system.
And many are concerned about the auditability of these requirements. The standard isn’t terribly clear on exactly what type of objective evidence would support each of the requirements. And the language in the standard does leave open to interpretation whether the science of risk management is the actual requirement. If so, an auditor’s expectation may be much broader than a general demonstration of consideration of risk. They may interpret the requirements to be extensive studies in Failure Mode & Effects Analysis (FMEA), risk management plans and matrices, calculation of Composite Risk Index, formal action plans to mitigate the identified risks (avoidance/reduction/sharing/retention), and whatever other tools and techniques from the true science of risk management the auditor may suggest. This could jeopardize compliance for some organizations, and there is a lot of concern and discussion out there about how these changes will actually impact the industry. One may wonder whether the authors and panels of experts considered the risk of misinterpreting the standard as one they should have mitigated when writing this revision, but now I’m just being cheeky (and I’m not even British – I live in Florida).
So while we cannot predict how this bees’ nest will turn out, we can address the requirements as they currently stand.
The first “shall” says we “shall consider” the stuff we identified in 4.1 and 4.2, which were our context and interested parties. I would argue that they should have also included 4.4, our processes, as well. Our processes determine our outcome, so the risks to the processes should definitely be considered and mitigated if our system is to be successful. In any case, the requirement of this clause 6.1.1 is that the organization must identify the risks and opportunities in order to:
a) give assurance that the QMS can achieve its intended results
b) prevent or reduce undesired effects and
c) achieve continual improvement
In addition to our interested parties, if we also consider risks to each of our identified key processes, we should have a good start to meeting this requirement. Does your organization do some sort of annual business planning? Is some form of SWOT (Strengths/Weaknesses/Opportunities/Threats) analysis used? This would support compliance for “consideration of risk”. There are many ways to demonstrate compliance with this requirement.
Next, let’s move on to 6.1.2 requiring the organization to “plan”:
a) actions to address these risks and opportunities and
b) how to integrate actions into its QMS processes (there they are!) and evaluate the effectiveness of those actions
So, if we did a good job of identifying our processes, we can now analyze those processes for risk and make a plan to deal with those risks. There is no requirement for documentation at this point, but there is an expectation that an organization should be able to demonstrate that these considerations have been made in a planning activity of some sort. And finally, the standard gives some unclear “clarification” of how extensive these activities should be by saying that it “shall be proportionate to the potential impact on the conformity of products and services”.
This clause does give us a lot to think about and plenty to debate. But it also inspires me and provides an opportunity to integrate some of my favorite tools together. How about this?
1. Identify the key processes of your QMS – use process flow diagrams
2. Use the process flow diagrams and construct FMEAs from them – no, FMEAs are not the only tool to use, but they are darn useful! The use of an FMEA provides the identification, analysis and action plan for each risk identified and will help you continue to improve the effectiveness and efficiency of your processes, which leads us to
3. Use the process flow diagrams and the improvements gained from using FMEAs to create value stream maps – these tools working together can create a powerful system and feedback loops to ensure you’re always improving – while incorporating some lean and Six Sigma tools while you’re at it!
THIS WEEK’S HOMEWORK
Work through 6.1.1 and 6.1.2 using some of the suggestions above. Does your planning process do enough to address these requirements? If not, take action and make a plan.
For more information on integrating these tools, check out my book,
TRIBAL KNOWLEDGE – The Practical Use of ISO, Lean & Six-Sigma Together
Or let me work with you one-on-one. My 8 Week Boot Camp is a powerful workshop to do a full review of each of your processes and build a robust quality management system in as little as 8 weeks!