TOOLS FOR RISKS MANAGEMENT
Summary
Although Risk Based Thinking is something new in the formal ISO 9001:2015, the concept has been the basis of Quality Management Systems since its inception in the US Military, and was then brought into the civilian arena by the International Organization for Standardization (ISO Standard).

The base methodology for handling risks was also developed by the US Military in the 1950s for reducing failures in equipment in the materiel. The core methodology was and is called Failure Mode and Effects Analysis (FMEA). Initially it was used by Reliability Engineers but was readily adopted by industries for improving Quality and Reliability.

In the manufacturing arena, Quality Engineers use the Process Failure Mode and Effects Analysis (PFMEA) version, while Design Engineers use the DFMEA version.

The processes and tools are explained below. A demonstration of the system can be seen by contacting http://www.qisssoftware.com/Contact-Quality-Institute-Software-Solution.aspx
Article Background:
Technically, Risk is defined as the effect of uncertainty on objectives. Risk Management is defined as an organization’s response to a defined risk and management of its consequences. An effect is a deviation from the expected, positive and/or negative. We will concern ourselves with only the negative effects of risk, and build systems to avoid those that need to be avoided, and deal with escapes.
· Risk Management can be seen as consisting of the following components:
  o Risk Assessment. This consists of a systematic method for identification, analysis and evaluation of risk:
    § Identifying a Potential Failure Mode in a component of the Quality Management System, such as a work process or a result of the work process, such as a product at various points of its life-cycle. Some people just name this as the Risk Management.
    § The next step is to identify the effect of the potential failure mode. Some call it the Consequence. The Consequence needs to be given a score.
    § Failure Mode and Effects Analysis (FMEA). It is common to identify potential cause(s) of the Failure Mode. This becomes useful for refining the analysis, since the nature of the cause could affect the ultimate Effect (Consequence).
    § Corresponding to the cause, current preventive controls are identified that should prevent the risk from occurring.
    § A final step in the analysis is to assign a measure of the Consequence of the Risk Management, should it happen under current control mechanisms. This RPN (Risk Priority Number) is usually a product of the Consequence, times the (probability of) Occurrence, times the (difficulty of) Detection. Some companies use the sum of these metrics (S, O, D, commonly remembered as SOD).
  o Risk Management. This consists of Risk Assessment, Risk Prevention, Contingency planning, and disseminating Lessons Learned.
    § Risks with high RPNs need to be addressed.
    § Risk Prevention consists of addressing the potential causes, by planning a Preventive Action, which would change some aspects of the current system process(es), thereby reducing the RPN from the unacceptable level to a level that is acceptable, or tolerable.
    § The potential causes could be removed, the likelihood reduced.
Tools
The following tools can be used for conducting the various components:
· Risk Assessment
· Root Cause Analysis (RCA)
· Local Prevention
· Global Prevention
· Management of Change (MoC)
Conclusion
The avoidance of risk has been the core motivator for the design of Quality Management Systems and Standards to facilitate same. The new ISO 9001:2015 has finally brought this to the forefront, with about seventy-five references to risk, risk management based thinking and “opportunities”, a positive rendition of risk.

The tools described above should assist the user to address risks, all the way from identification to close out on a global basis. Students of Quality Management Systems will notice that the amalgam of the different tools can be considered to be a complete treatment of the erstwhile Corrective and Preventive Actions in previous Quality Management Standards (QMS). In fact, some companies may elect to string the different components together to produce a robust Corrective Action and Preventive Action! The difference is that the concept of “Risk Based Thinking” encourages users to think through what applies to particular circumstances and use the best combination. For example, the chain of techniques could be aborted when appropriate.

Risks could be identified from Nonconformance, in which case the resultant string would be a traditional Corrective Action. Risks that are forecasted (without Nonconformance) would result in the traditional “Preventive Action”.
