One of the many wonderful aspects of the new revision of the ISO 9001 standard is that an attempt has been made to enable more interpretation of the requirements of a thoughtful quality management system. It clearly implies that we, as the owners of such a system, get to determine what we need to include in order to meet our own commercial needs.
However, they then go on to draw the inference that, in order to do so, we must make such decisions based on a process approach and risk-based thinking. A nice enough throwaway line to finally bring such best practices to the fore. At this point a footnote to explain where you can find further info would have been helpful, but to go on with 16 separate uses of the word risk or risks, eight of them in 6.1.2 alone, was perhaps a little overkill. This is especially so when the standard then does not require any documented information around such aspects. Unfortunately the auditing fraternity has grabbed these aspects and is seeking evidence in the field by making quality management systems have ‘formal’ risk assessments and records. But I will deal with this much later in another post.
What we need to know now is how you can implement a simple risk process to keep everyone happy. Links to templates can be found here and here and here. A very simple risk protocol follows in the next paragraph.
1. Decide you want to have a risk protocol in your business decision making.
2. Decide when to trigger a risk review. We do this during the corrective action process, internal audit process, management review process and/or during strategic planning. It is simple really. If, during any of the above processes, the business needs to evaluate a risk, a problem, an opportunity, a concern, a system change or whatever, raise a ‘review’ and apply the risk score.
3. Don’t go too crazy with the risk scale. We normally have a scale of 1~2 [do nothing], 3~4 [consider doing something], over 5 [escalate].
4. The proof of the pudding is the escalation. Raise a secondary review to manage the expanded assessment. Or add the escalation into a simple risk register so that you can apply mitigation controls and re-assess. Or add to the quality management system goals and objectives. And with the most important stuff, add to your strategic business plans. Simples.