According to the new standard, “risk-based thinking has always been implicit in ISO 9001”. Quality management systems have always been concerned with preventing problems. That is why they have always said that we must ensure people understand their responsibilities. That is why we train them, validate designs, monitor and measure processes, and audit, to name a few. We perform these activities because we’re trying to manage risk. So, if we think of risk-based thinking in this way, it’s always been an inherent part of ISO 9001. Before it was implicit. Now it is explicit.
ISO 9001:2015 expects that your organisation will identify and address the risks that could:
- Affect your ability to provide compliant products and services.
- Affect your ability to satisfy customers.
- Influence the performance of your quality management system.
- Disrupt your operations.
When we think about risk we often only think of negative things, however, the new standard considers that risk-based thinking can, and should, help to identify opportunities. These opportunities could enhance your ability to provide compliant products and services and to satisfy customers.
Of course all of the above should be done in the context in which your organisation operates, the views of interested parties, and your scope.
Once identified, you are expected to determine the actions required to address these risks and opportunities, make these actions part of your quality management system, then implement, control, evaluate, and review the effectiveness of these processes.
Interestingly, although risk management is now a fundamental part of the new standard (the word risk appears 43 times), it does not state that you must have a risk management process in line with other risk management standards (namely ISO 31000:2009 Risk management – principles and guidelines). In fact it does not ask you to document your risk management approach at all. It does say that you should plan the actions to be taken to address the risks and opportunities you have identified though so a risk management plan sounds like a good idea. Don’t forget that you will have identified risks (issues) by complying with clause 4 Context of the Organisation.
There are two side effects, if you like, of this risk based approach. It means:
Less prescriptive requirements and more performance-based requirements.
There is no need for the term preventive action. In the 2008 version, preventive action was associated with the corrective action clause, which was not an appropriate place for an effective planning function. It caused confusion and was often inconsistently applied. In the 2015 version of ISO 9001 the term preventive action is no longer required because of the risk based approach applied through the standard.
Objectives & Measurement
Clause 6.2 Quality objectives and planning to achieve them, raises their importance to a new level. These objectives can be technical, operational or strategic and Clause 5 Leadership should help to ensure that we see more strategic objectives in quality management systems than ever before, thus making them business management systems.
Not only must objectives be consistent with the quality policy and measurable, but they must also be monitored, communicated and updated when appropriate, such as when the strategic direction of the organisation changes. In addition, objectives must include plans on how to achieve them, the resources required, and what will be done by whom and when.