Leaders of Change
A case for risk-based thinking
and organizational transformation
by Bill Aston
ISO 9001:2015 included several changes after last year’s revision, but the mandate for top management to demonstrate leadership and commitment to the quality management system (QMS)—as described in subclauses 5.1.1 and 5.1.2—is an important one.
For example, top management must:
- Take responsibility for the effectiveness of the QMS.
- Incorporate QMS requirements into the organization’s business processes.
- Encourage the use of the process approach and risk-based thinking (RBT).
- Directly engage persons (employees) to contribute to the effectiveness of the QMS and support this.
- Ensure risks and opportunities that may affect the QMS are identified and addressed.
- Ensure the enhancement of customer satisfaction.1
Leadership and commitment
Top management’s responsibility to demonstrate leadership and commitment can’t be delegated to a management representative because ISO 9001:2015 no longer requires the appointment of one such person. Yes, ISO 9001:2015 subclause 5.3 does require top management to assign responsibility and authority to relevant persons to ensure QMS requirements are communicated and understood.2 But it’s important to know the primary responsibilities to champion the effectiveness of the QMS, and encourage the use of the process approach and RBT remain with top management.
The requirement for C-level management to demonstrate its commitment to the QMS’s continual improvement also is identified in subclause 5.2.1D.3
Most people don’t like change. This can be particularly true if the need for change wasn’t explained or communicated from C-level management to the individuals who will be affected by a change or expected to implement it. The establishment, implementation and maintenance of a QMS are not one-person activities. They require the involvement of all management, process owners and employees, as well as top management’s involvement, leadership and commitment.
Retooling your RBT
Using the process approach and RBT are hot topics for organizations implementing ISO 9001 for the first time and others transitioning to its revised requirements. There’s nothing new about RBT. In fact, ISO 19011:2011—Guidelines for auditing management systems highlighted the need for organizations to identify risk as associated with QMSs, environmental management systems, and occupational health and safety management. ISO 19011:2011 also included a reference to using risk-based auditing (RBA).
RBT is ingrained in product and service planning processes for a majority of organizations. Although it may not be recognized as such, RBT is a natural part of the planning process. It includes the identification of resources such as personnel qualifications, equipment, facilities, manufacturing processes, material suppliers and control of outsourced services needed to meet specified requirements.
RBT is integral to the standardization of processes and activities to minimize variation, which lower the risk of nonconformance. In this case, RBT would be evidenced by ensuring the availability of controls—such as procedures or work instructions—to address an identified risk.
When you consider the QMS in its entirety, RBT is evidenced in the identification of the interrelated processes that comprise the QMS and the risks associated with each of its supporting processes. RBT includes identifying a risk that could prevent an expected output from being achieved. Identified risk could affect probability of the unavailability of qualified or skilled personnel, materials, defined manufacturing or product requirements, or specified acceptance criteria.
The higher the level of risk and the lower an organization’s risk appetite, the more controls (procedures) are required to manage the risk. Conversely, the lower the risk and higher the risk appetite, the fewer controls are necessary to address the risk.4
Risk-based inspection and RBT
RBT is much more than a trending buzzword. It’s a useful tool that has existed for years. During the early 1990s, for example, risk-based inspections (RBI) were used in the oil and gas industry to establish testing and inspection (T&I) frequencies for process equipment. Equipment inspection results included remaining life and T-min,5 calculations based on D-meter, corrosometer or pit gauge readings to determine whether process or utility-piping systems, pressure vessels, tanks and other equipment continued to be fit for service.6
RBI and RBT continue to be used to reduce operational downtime by scheduling and focusing T&Is based on identified risks. The higher the risk, the more frequent the T&I intervals.
This same method applies to the implementation and maintenance of a QMS. As opposed to inspections, audits are used to assess the health of a QMS and its processes, and to identify a risk that may adversely affect the effectiveness of a QMS or product quality.7
RBT is integral to RBI and RBA: These strategies have performance histories that have proven their value, and effectively using them depends on a practitioner’s familiarity with risks associated with an industry, relevant industry standards, manufacturing processes and the product or service.
The new requirements introduced by ISO 9001:2015 should encourage many to rethink what we know about quality management. Quality professionals will need to retool their existing knowledge base to include new approaches for maintaining and auditing management systems.
References and notes
- International Organization for Standardization (ISO), ISO 9001:2015—Quality management systems—Requirements, subclause 5.1.1—Leadership and commitment.
- ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 5.3—Organizational roles, responsibilities and authorities.
- ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 5.2.1—Establishing the quality policy.
- For more information about risk-based thinking, read Value Added Auditing (Quality Plus Engineering, 2014) and ISO: Risk Based Thinking (CERM Academy, 2016) by Greg Hutchins.
- A T-min calculation is used to determine the minimum wall thickness, as well as hoop stress, for piping or pressure vessels based on known internal pressure, material strength and outside diameter. This calculation is sometimes used in conjunction with Barlow’s formula. For more details, visit http://tinyurl.com/barlows-formula.
- A D-meter is an ultrasonic device used to measure the wall thickness of steel. These measurements are also referred to as UT wall-thickness readings. Corrosometer probes and instruments determine metal loss from corrosion or erosion. In locations where it is not possible to use a D-meter due to material surface roughness, a pit gauge can be used to measure actual pitting depth. These readings are more subjective and may vary based on the experience of the technician taking the readings.
- You can find additional information about risk-based inspections in the American Petroleum Institute’s (API) RPs 580 and 581, Risk-Based Inspection Methodology (API, April 2016).
Bill Aston is the managing director of Aston Technical Consulting Services LLC in Coldspring, TX. He is an ASQ senior member, ASQ-certified quality auditor, Exemplar Global principal auditor, and a Professional Evaluation and Certification Board-certified lead auditor and trainer. Aston is a member of American Petroleum Institute’s Quality Subcommittee 18 and U.S. Technical Advisory Group to ISO Technical Committee 176. He is a regular contributor QP’s Expert Answers department and ASQ’s Ask the Experts blog.