by Lance Coleman:
ISO 9001:2015 is replacing preventive action with risk-based thinking, placing a great deal more emphasis on risk. There is no need to fear! Many companies that are ISO 9001 registered are already meeting many of the new requirements pertaining to risk management. Organizations need to translate those existing procedures and practices into the new risk management framework of ISO 9001:2015. A gap analysis can then show what remains to be done to develop a system-wide risk management program.
Because an effective risk management program must operate across departments and functions, it’s essential that upper management be behind the effort, in order to provide the access and resources the program will need to succeed.
What is risk?
- ISO 31000:2009 defines risk as the effect of uncertainty on objectives.
- ISO 14971:2007 defines risk as the combination of the probability of occurrence of harm and the severity of that harm.
12 steps to prepare for ISO 9001:2015
- Establish a baseline knowledge of risk management for the management team.
- Read ISO 31000:2009—Risk management; it’s a very readable document. Also read ISO 14971:2007 if you operate within the medical devices field.
- Establish internal consultants on risk management that can assist the quality manager and the rest of the management team in making needed modifications to the existing quality management system (QMS).
- ISO 13485:2003 (the quality management standard for medical devices) says this about risk management in clause 7.1: "The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained." I wouldn’t expect that ISO 9001:2015 would be any more specific in its requirements than the above statement, regardless of how often risk management may be referred to throughout the document.
- Make it about your organization. Remember risk is defined from the perspective of the organization for the organization.
- Keep it simple. Your risk management program doesn’t have to be complex, just appropriate for your organization.
- Identify and chart or map core organizational processes. This is the first step in determining where risk may lie in your organization.
- Treat it as a process. A robust risk management program should be integrated (receiving input from multiple other organizational processes), monitored, provide actionable feedback to management, and be periodically reassessed.
- Develop training for risk. Training in risk management, pitched at the appropriate depth for each audience, must take place at all levels of the organization.
- Develop a requirements matrix between organizational documents and the clauses of ISO 9001:2008, then one between the clauses of ISO 9001:2008 and ISO 9001:2015; this will help identify existing gaps.
- Understand that there will be a grace period for companies to attain compliance to ISO 9001:2015.
- Take this opportunity to implement risk-based quality auditing.
About the author
Lance Coleman is a quality engineer and lean program leader at The Tech Group in Tempe, Arizona, where he also serves as site CAPA and customer complaint coordinator, in addition to managing the internal quality audit program. He is principal consultant of Full Moon Consulting LLC. Coleman has a degree in electrical engineering technology from the Southern Polytechnical University in Marietta, Georgia. He is a Senior Member of the American Society for Quality (ASQ) as well as an ASQ Certified Quality Engineer, Six Sigma Green Belt, Quality Auditor, and Biomedical Auditor. Coleman is an Exemplar Global Provisional QMS Auditor. His book The Customer Driven Organization: Using the Kano Model was released in November 2014 by Productivity Press. He is an instructor for the ASQ CQA Exam refresher course and presently serves as newsletter editor for both the ASQ Lean Enterprise and Audit divisions.