Risk Management in ISO 9001 2015

One of the key changes in the ISO 9001 2015 standard with respect to ISO 9001 2008 is the inclusion of a requirement to identify risks and address actions for them. This was somewhat included in the ISO 9001 2008 edition; however, it was not kept as a requirement. ISO 9001 2015 clause 6.1 states the requirement for risk identification and for addressing actions for the identified risks.

Risk assessment is not difficult, and no one should be worried about it. We are already doing it when implementing a quality management system; it has just not been highlighted as risk assessment. This time we need to highlight it as risk and address actions for it. Addressing actions here means addressing preventive actions to prevent the risk from occurring in the first place. If problems are already being faced in the organization, they are not risks but issues as per clause 4.1, context of the organization. For such issues, the organization has to take corrective actions and address them in the system.

Risk identification is a proactive way to prevent problems. In the ISO 9001 2008 version, preventive action was a separate clause, but it was not implemented as per the intention of the clause. Hence the preventive action clause has been removed from the standard, and clause 6.1 – identification of risks and opportunities and addressing actions – has been included as a requirement.

Risk is a potential problem: a problem which may occur. For example, a customer complaint is a risk. Customer dissatisfaction is a risk. Any kind of rework / rejection is a risk. Non-achievement of planning is a risk, and so on. ISO 9001 2015 requires each process of the organization (processes as per clause 4.4) to identify risk. We recommend that each process first determine its expected result. Once the expected result is determined, the risk is non-achievement of this expected result.

For example, the expected result of the marketing / customer care process would be customer satisfaction. The risk is non-achievement of this expected result, so the risk would be customer dissatisfaction. Once the risk is identified, we need to address preventive actions to prevent this risk from occurring in the marketing process. Hence, all the care to be taken in the respective processes to achieve customer satisfaction shall be addressed. All such care is nothing but preventive action for the prevention of risk. The ISO 9001 2015 clause also states that these preventive actions are to be integrated into the business processes. Integration of a preventive action simply means replacing existing work practices with practices modified to include the identified preventive action(s). ISO 9001 2015 further requires verifying / evaluating the effectiveness of these preventive actions. We can select various ways to evaluate whether a preventive action is effective. One of the simplest is maintaining records of the actual risks triggered in the process. If the risk for which the preventive action was taken is not triggered in the process, the preventive action is said to be effective. There may be any number of ways by which effectiveness can be evaluated.

Opportunity is a positive risk. A positive risk can be treated as an improvement risk. For example, marketing takes a target of sales growth. There will be a risk that this sales target is not achieved, so preventive actions may be taken / initiated to ensure that the risk of non-achievement of the sales target does not get triggered in the system. Also, after the sales growth is achieved, there will be a risk in sustaining this growth. Hence all preventive actions shall be taken to sustain the growth.

Risk identification, identification of preventive actions to prevent the risk, integration of risk in the business processes and evaluation of the effectiveness of preventive actions are the key requirements of clause 6.1 of ISO 9001 2015. The clause doesn't specify any particular way of doing this. An organization can choose its own way and take the benefit.

Risk assessment has been an evolutionary step in the ISO 9001 standard. It requires brainstorming from the top to the bottom level of the organization. It requires teamwork, as top management knows the strategy and bottom-level workers know the practical problems. All should sit together and identify a series of preventive actions to prevent the risk under consideration.

Risks shall be identified that prevent the quality management system from achieving its intended results, which are:

  • enhancement of customer satisfaction
  • compliance with legal requirements
  • achievement of improvement.

