So, How Will You Audit a Risk Assessment in ISO 9001:2015?
Bob Deysher, Senior Consultant, Quality Support Group, Inc.
2017 QSG, Inc.

Questions?
- Does ISO 9001:2015 Risk Based Thinking require Risk Registers? No!
- If there isn't a Risk Register, how do you audit an organization against ISO 9001:2015? With great difficulty!

So What Does ISO 9001:2015 Require?

ISO 9001:2015 Risk & Opportunities
Quality management system and its processes
The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine:
f) the risks and opportunities in accordance with the requirements of , and plan and implement the appropriate actions to address them.
ISO 9001:2015 Risk & Opportunities
6 Planning for the quality management system
Actions to address risks and opportunities
When planning for the quality management system, the organization shall consider the issues referred to in and the requirements referred to in and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

ISO 9001:2015 Risk & Opportunities
The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
   1) integrate and implement the actions into its quality management system processes (see );
   2) evaluate the effectiveness of these actions. (*)
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
(*) Sounds like ISO 9001:2008 Clause
What is Risk Based Thinking?

What is Risk-Based Thinking?
- Risk-based thinking is something we all do automatically and often sub-consciously.
- The concept of risk has always been implicit in ISO 9001; the 2015 revision makes it more explicit and builds it into the whole management system.
- Risk-based thinking is already part of the process approach.
- Risk-based thinking makes preventive action part of the routine.
- Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk.

Why Should I Adopt Risk-Based Thinking?
- To improve customer confidence and satisfaction
- To assure consistency of quality of goods and services
- To establish a proactive culture of prevention and improvement
- Successful companies intuitively take a risk-based approach

What Should I Do? (continued)
- Analyse and prioritize the risks and opportunities in your organization: what is acceptable? What is unacceptable?
- Plan actions to address the risks: how can I avoid or eliminate the risk? How can I mitigate the risk?
- Implement the plan: take action.
- Check the effectiveness of the actions: does it work?
- Learn from experience: continual improvement.

So Where to Start? How About Management Review?

Management Review Input
Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
The management review shall be planned and carried out taking into consideration:
e) the effectiveness of actions taken to address risks and opportunities (see clause );

What is Risk?
Risk is the possibility of events or activities impeding the achievement of an organization's strategic and operational objectives.

Risk: A Simple Definition
The volatility of potential outcomes.
Or: how surprised do you really want to be?

Food for Thought
Why is Risk like Swiss Cheese?
The author acknowledges that this idea was shown at the NQA Meeting, Boston Session, August 2014.

What if the Organization Does Not Use Risk Registers? What Evidence to Look For?

What is an Auditor to Do?
You need to test how they have used the information relating to their internal and external issues and interested parties to determine risks and opportunities, as well as the decision-making process they have gone through to decide what actions they are going to take.

ISO 9001:2015 Risk Based Thinking Examples
(Columns: Item, Clause, Risk Based Thinking Demonstration)
- Quality Management System: Evidence is how issues taken from either the external or internal environment are evaluated and appropriate actions taken in the implementation and maintenance of an organization's QMS.
- Changes to the Quality Management System: Evidence is how risk and opportunities are used in the decision to change the quality management system.
- Business Opportunities: Evidence is how risk and opportunities are used in the decision to pursue new business initiatives.
- Design & Development Planning: Evidence is how risk based thinking is used in the planning and then translated into verification and validation activities.
- Design & Development Change Control: Evidence is using risk to determine the necessary evidence to be obtained and required to evaluate the effectiveness of the change.
- Control of Externally Provided Processes, Products and Services: Evidence is using risk to determine the type and level of control implemented to assure that processes, products and services provided by suppliers do not impact quality.
- Product & Service Provisions Planning: Evidence is how risk based thinking is used in the planning and then the implementation of the provisions.
- Production & Service Provisions Change Control: Evidence is using risk to determine the necessary evidence to be obtained and required to evaluate the effectiveness of the change.
- Internal Audit: Evidence of risk based thinking is using risk arising from previous audits, changes in technology, materials changes and current issues to adjust planned intervals.
- Management Review: Evidence of risk based thinking is the decisions made in a review of actions taken for identified risks and opportunities.

What if the Organization Does Use Risk Registers? What Evidence to Look For?

Risk Definitions
Risk can be defined by two (2) parameters:
- Severity: the seriousness of the harm
- Probability: the probability that the harm will occur
Risk Assessment - Quantitative
Severity of Harm:
- S-5 Catastrophic
- S-4 Critical
- S-3 Marginal
- S-2 Negligible
- S-1 Minor
Probability of Occurrence:
- O-5 Frequent
- O-4 Probable
- O-3 Occasional
- O-2 Remote
- O-1 Improbable

Risk Acceptable Regions
- Generally Unacceptable
- As Low As Reasonably Practical (ALARP)
- Generally Acceptable

Risk Assessment - Qualitative

Risk Registers

The Importance of a Risk Register
The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages.

Proposed Risk Model
Let's look at Risk Definitions.

Risk Definitions
A risk is a specific event that could happen at some point in the future.
- "Insufficient test resources" is not a risk. "Project is delayed because of insufficient test resources" is a risk.
- "Aging work force" is not a risk. "Loss of organizational knowledge due to retirements of our aging work force" is a risk.
Proposed Risk Model
Let's look at Risk Scoring.

Scoring Clarity
Severity of Harm: S-5 Catastrophic, S-4 Critical, S-3 Marginal, S-2 Negligible, S-1 Minor
Probability of Occurrence: O-5 Frequent, O-4 Probable, O-3 Occasional, O-2 Remote, O-1 Improbable
Categories like the ones above can be interpreted differently by different individuals. Agreement prior to scoring is critical and will mitigate later discussions about which issues to address.

Probability Scoring Example
Likelihood/Probability of Occurrence (Annual Frequency)
Rating | Description         | Definition (Example)
1      | Rare, very unlikely | <10% chance of occurrence over life
2      | Unlikely, seldom    | 10% - 35% chance of occurrence
3      | Possible            | 35% - 65% chance of occurrence
4      | Likely              | 65% - 90% chance of occurrence
5      | Almost Certain      | 90% or greater chance of occurrence

Severity
(Columns: Rating, Description, Financial Consequence, Reputation Impact, Disruption to Day-to-Day Operations/Productivity, Impact to Employees, Impact on Customers)

Rating 1 - Insignificant
- Financial Consequence: Below $xxxx
- Reputation Impact: Not reported in major media outlets
- Disruption to Day-to-Day Operations/Productivity: Little to no tangible disruption
- Impact to Employees: No noticeable impact
- Impact on Customers: Very low number of dissatisfied customers

Rating 2 - Minor/Small
- Financial Consequence: $xxxx - $yyyy
- Reputation Impact: Reported in local media but can be managed
- Disruption to Day-to-Day Operations/Productivity: Minor disruption that is limited to only a few departments or employees
- Impact to Employees: Inconvenience or upsets a modest number of employees but no lasting impact
- Impact on Customers: Few customers in multiple business areas dissatisfied

Rating 3 - Moderate/Medium
- Financial Consequence: $yyyy to $zzzz
- Reputation Impact: Reported in national media and creates immediate need for response. Damage expected to last < 3-6 months
- Disruption to Day-to-Day Operations/Productivity: Major disruption to a limited number of employees or departments, or minor disruption affecting a large number of employees
- Impact to Employees: Causes notable concern and/or causes rumors to circulate. Adversely affects the ability of employees in multiple departments to perform job duties
- Impact on Customers: Many customers dissatisfied and you must take action to address directly

Rating 4 - Major/Critical
- Financial Consequence: $zzzz to $aaaa
- Reputation Impact: Reported globally and results in PR crisis, requiring coordination with and direction from OT to address. Damage expected to last < 1 year
- Disruption to Day-to-Day Operations/Productivity: Major disruption that affects a large number of employees but is of limited duration
- Impact to Employees: Negative impact requires coordinated management response to assuage fears. Persistent rumors have short to mid-term impact on corporate culture
- Impact on Customers: Many customers dissatisfied. Dissatisfaction leads to business losses

Rating 5 - Severe/Catastrophic
- Financial Consequence: Financial consequence exceeds $aaaa
- Reputation Impact: Reported globally, for a prolonged period, and results in major PR crisis. Requires sustained and ongoing efforts to manage. Significant long-term damage to the brand
- Disruption to Day-to-Day Operations/Productivity: Major disruption that affects a large number of employees and is expected to last for a prolonged period of time
- Impact to Employees: Creates widespread panic and/or confusion. Reduces morale across the company and negatively changes employee perception of the company on a permanent basis
- Impact on Customers: Many customers cancel business/stop purchasing. Dissatisfaction leads to direct/immediate loss of very crucial business

Proposed Risk Model - Populated
Deysher Manufacturing LLC - Risk Register (Date: -)
Key Process Step Name | Risk Item     | Initial Sev | Prob | Risk | Action Plan                               | Update Date | New Sev | New Prob | New Risk
Step 1                | Risk Item 1-1 | 3           | 3    | 9    | ALARP                                     |             |         |          | 0
Step 1                | Risk Item 1-2 | 2           | 2    | 4    | No Plan Required                          |             |         |          | 0
Step 1                | Risk Item 1-3 | 4           | 5    | 20   | Action Plan Required                      |             |         |          | 0
Step 1                | Risk Item 1-4 | 1           | 5    | 5    | Verify Probability; if OK then ALARP      |             |         |          | 0
Step 2                | Risk Item 2-1 | 5           | 3    | 15   | Action Plan Required                      |             |         |          | 0
Step 2                | Risk Item 2-2 | 3           | 2    | 6    | ALARP                                     |             |         |          | 0
Step 2                | Risk Item 2-3 | 1           | 4    | 4    | Verify Probability, then No Plan Required |             |         |          | 0
Step 3                | Risk Item 3-1 | 4           | 4    | 16   | Action Plan Required                      |             |         |          | 0
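As an added example (not QSG's or the author's own tool) of the scoring behind the populated register, the following Python computes Risk = Sev x Prob for register rows, maps the score to the Action Plan column, and lists action-plan rows whose re-scoring on the update date has not yet brought the risk down. The decision bands are an assumption inferred from the rows shown on the slide, and the re-scored values for Risk Item 1-3 are constructed.

```python
"""Scorer for the slides' Proposed Risk Model (Risk = Severity x Probability).
Added example, not QSG's own tool. Decision bands are an ASSUMPTION inferred
from the populated register: risk <= 4 -> No Plan Required, 5-9 -> ALARP,
>= 10 -> Action Plan Required (no row scores 10-14, so that edge is assumed).
The 'Verify Probability' rule for severity-1 rows mirrors rows 1-4 and 2-3."""
from typing import Optional

NO_PLAN, ALARP, ACTION = "No Plan Required", "ALARP", "Action Plan Required"


def risk_score(severity: int, probability: int) -> int:
    """Severity and probability use the 1-5 scales from the slides."""
    if not (1 <= severity <= 5 and 1 <= probability <= 5):
        raise ValueError("severity and probability must be 1..5")
    return severity * probability


def decision(severity: int, probability: int) -> str:
    """Action Plan column for one register row (bands assumed, see top)."""
    score = risk_score(severity, probability)
    band = ACTION if score >= 10 else ALARP if score >= 5 else NO_PLAN
    # Low severity but high probability: the register asks for the
    # probability to be verified before the band is accepted.
    if severity == 1 and probability >= 4:
        return f"Verify Probability, then {band}"
    return band


def residual(row: dict) -> Optional[int]:
    """New Risk after the update date, or None if the row was not re-scored."""
    if row.get("new_sev") is None or row.get("new_prob") is None:
        return None
    return risk_score(row["new_sev"], row["new_prob"])


def open_action_plans(register: list) -> list:
    """Rows that need an action plan and whose re-scoring has not left the band."""
    return [row["item"] for row in register
            if decision(row["sev"], row["prob"]) == ACTION
            and (residual(row) is None or residual(row) >= 10)]


# Constructed register: the slide's Step 1 and Step 2 rows; 1-3 re-scored after
# its action plan (the new values are made up for this example).
REGISTER = [
    {"step": "Step 1", "item": "Risk Item 1-1", "sev": 3, "prob": 3},
    {"step": "Step 1", "item": "Risk Item 1-2", "sev": 2, "prob": 2},
    {"step": "Step 1", "item": "Risk Item 1-3", "sev": 4, "prob": 5, "new_sev": 4, "new_prob": 2},
    {"step": "Step 1", "item": "Risk Item 1-4", "sev": 1, "prob": 5},
    {"step": "Step 2", "item": "Risk Item 2-1", "sev": 5, "prob": 3},
    {"step": "Step 2", "item": "Risk Item 2-3", "sev": 1, "prob": 4},
]
```

Running `open_action_plans(REGISTER)` returns only Risk Item 2-1, because Risk Item 1-3 has been re-scored to 8 and dropped into the ALARP band.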