ISO9001 in 2021 Week by Week - Week 11 – 6.1 Actions to address risks and opportunities

Mar 18, 2021

This is a 52-week discussion of ISO9001:2015. Each week, we discuss a specific clause of the ISO9001:2015 standard in detail and look for ways to trim the fat. (As a member of TAG/TC176, the committee responsible for review and revision of ISO9001 (possible revision in 2023), I’ll keep you posted on what I learn all year!)

(It is strongly recommended that you purchase a copy of ISO9001:2015  for reference).  And, be sure to do your homework!

Relying on luck isn’t much of a strategy when creating a robust quality management system.  This is why the standard includes a specific requirement that the organization make an effort to consider and identify their potential risks and take appropriate action to mitigate them.

It would seem that every organization would do this as a natural path to planning (of course risks would be considered!).  Thinking about the “what if’s” is part of any type of planning.  But the standard makes some strong statements in terms of “shalls”, and specifically about the term “risk”, and this was the most significant shift in the quality management industry in 2015, the most recent revision of ISO9001.  Some say the requirements introduce risk management, which is much more in-depth than a simple consideration of “what if’s” and has broad implications for ISO-compliant quality management systems.  Some say this particular section overreaches and actually connects ISO9001 to the requirements of ISO31000, which significantly increases the requirements of the quality management system.

And many are concerned about the auditability of these requirements.  The standard isn’t terribly clear on exactly what type of objective evidence would support each of the requirements.  And the language in the standard does leave open to interpretation whether the science of risk management is the actual requirement.  If so, an auditor’s expectation may be much broader than a general demonstration of consideration of risk.  They may interpret the requirements to be extensive studies in Failure Mode & Effects Analysis (FMEA), risk management plans and matrices, calculation of Composite Risk Index, and formal action plans to mitigate the identified risks (avoidance/reduction/sharing/retention) and whatever other tools and techniques used in the true science of risk management that the auditor may suggest.  This could jeopardize compliance for some organizations, should the auditor try to take things too far.  One may wonder whether the authors and panels of experts considered the risk of misinterpreting the standard as one they should have mitigated when writing this revision, but now I’m just being cheeky (and I’m not even British – I live in Florida).

The first “shall” says we “shall consider” the stuff we identified in 4.1 and 4.2, which were our context and interested parties.  Our processes determine our outcome, so the risks to the processes should definitely be considered and mitigated if our system is to be successful.  In any case, the requirement of this clause 6.1.1 is that the organization must identify the risks and opportunities in order to:

a) give assurance that the QMS can achieve its intended results

b) prevent or reduce undesired effects and

c) achieve continual improvement

In addition to our interested parties, if we also consider risks to each of our identified key processes, we should have a good start to meeting this requirement.  Does your organization do some sort of annual business planning?  Is some form of SWOT (Strengths/Weaknesses/Opportunities/Threats) analysis used?  This would support compliance for “consideration of risk”.  There are many ways to demonstrate compliance to this requirement, but a SWOT is really simple.

Next, let’s move on to 6.1.2 requiring the organization to “plan”:

a) actions to address these risks and opportunities and

b) how to integrate actions into its QMS processes (there they are!) and evaluate the effectiveness of those actions

So, if we did a good job of identifying our processes, we can now analyze those processes for risk and make a plan to deal with those risks.  There is no requirement for documentation at this point, but there is an expectation that an organization should be able to demonstrate that these considerations have been made in a planning activity of some sort.  And finally, the standard gives some unclear “clarification” of how extensive these activities should be by saying that it “shall be proportionate to the potential impact on the conformity of products and services”.

This clause does give us a lot to think about and plenty to debate about.  But also, it inspires me and provides an opportunity to integrate some of my favorite tools together.  How about this very simple path?

  1. Use a simple SWOT analysis to evaluate external and internal risks around your interested parties and their needs.  Prioritize those risks and make a plan to take action. 
  2. Identify the key processes of your QMS – use process flow diagrams – and then identify the risk points within each process.  Again, prioritize those risks and make a plan to take action.

In both cases, the action plans should be reviewed regularly – perhaps as an input to management review?  And just like that, you have “considered the risks” to your quality management system.  As you take action to mitigate your risks, don’t forget to update your SWOT and process maps when risks have been reduced or removed.

To take things further, here are some additional suggestions that can pair your foundational quality management system with lean and Six Sigma to really seek out more consistent products and better value. 

  1. Use the process flow diagrams and construct FMEAs (Failure Mode & Effects Analyses) from them – no, FMEAs are not the only tool to use, but they are darn useful!  The use of an FMEA provides the identification, analysis and action plan for each risk identified and will help you continue to improve the effectiveness and efficiency of your processes, which leads us to
  2. Use the process flow diagrams and the improvements gained from using FMEAs to create VSMs (value stream maps) – these tools working together can create a powerful system and feedback loops to ensure you’re always improving – incorporating some lean and Six Sigma tools while you’re at it!

THIS WEEK’S HOMEWORK

Work through 6.1.1 and 6.1.2 using some of the suggestions above.  Does your planning process do enough to address these requirements?  If not, take action and make a plan.  And don’t forget to make a plan on how you’ll track your progress. 

THIS WEEK’S FREE STUFF!

Use the form below and download a FREE step-by-step guide on how to integrate SWOT (with enhanced risk ranking), process maps and submaps and report and track risk in management review.  This quick visual aid will help you unlock a quick and robust method for “risk-based thinking”.

This weekly series is a DIY guide including lots of FREE STUFF.  So, SUBSCRIBE today and we’ll keep it coming to your inbox weekly.

But, if you’re ready for more - if you’re ready to TRANSFORM your organization, we can team up LIVE for 100% VIRTUAL IMPLEMENTATION of ISO9001 Clauses 1-6 (there are only 10 clauses total!).  We’ll lead your team and build a fully compliant foundation for your quality system so you and your team can understand the requirements and have the confidence to continue forward on your ISO9001 journey toward BETTER QUALITY.   World Class Quality, ISO9001 certification, lower costs and higher yields are just the beginning of the benefits of a robust quality system.  Connect with us today and LET'S GET STARTED!

Here are some other VIRTUAL LIVE options.  Connect with us today and we'll create an exciting and engaging experience for your team on:

  • VIRTUAL LIVE SWOT Analysis - We'll facilitate and help your team capture your Strengths, Weaknesses, Opportunities and Threats as the foundation of your quality strategy
  • VIRTUAL LIVE Process Maps - We'll help your team learn to create an Interactive Process Map and Subprocess maps to create a roadmap to navigate your entire business

Or perhaps your organization is more advanced and is ready for some training that will transform your organization and start solving problems and diving deep into identifying and reducing your risks:

  • VIRTUAL LIVE Problem Solving Training - We'll teach your team 3 powerful problem solving techniques ("5 Why", "Fishbone" and "Pareto") with a workshop to solve one of your organization's REAL LIFE problems
  • VIRTUAL LIVE FMEA (Failure Mode & Effects Analysis) - We'll lead a dynamic, hands-on workshop to teach your team how to perform an FMEA and how that tool can be leveraged to launch powerful lean, Six Sigma and Continuous Improvement

And the options don't stop there.  

Watch this 3-minute video about another great resource to accompany this series.  Get the self-directed, on-demand, online learning series ISO9001 in Plain English today and you'll get:

  • A clear understanding of the requirements of ISO9001:2015
  • Proven tips to build a robust quality system that's easy to use
  • Ways to reduce documentation and paperwork (yes, really!!)

Each video is about 15 minutes and targets a specific element of ISO9001 (with over 6 hours of total content!).  We translate all the gobbledegoop into Plain English you can understand and leverage the requirements to get maximum VALUE from your quality efforts.

For a deeper dive into the process side of your quality system, get Tribal Knowledge - The Practical Use of ISO, Lean and Six Sigma Together, a simple guide to UNITE ISO9001, lean and Six Sigma to create a robust quality system with better results.  Read what ASQ (American Society for Quality) Quality Progress Magazine had to say about it.

We look forward to taking this YEAR LONG journey with you.  SUBSCRIBE today and the series will come to you weekly to get you off to a great start and your quality system reinvigorated. 

And join me on my journey to always keep improving!
