Addressing risks in ISO 9001:2015
Q: I’m struggling with the implementation of subclause 6.1 in ISO 9001:2015—actions to address risks and opportunities. I’ve read and re-read the 2015 revision, and plotted different ways to implement this concept, but I can’t see the forest for the trees. Do you have any advice about how to implement this part of the standard?
A: ISO 9001:2015’s clause 6 is particular to quality management system (QMS) planning. For effective QMS planning, there are several essential components and activities, such as identifying risks and opportunities, using risk-based thinking (RBT) and applying the process approach.1
Note that subclause 6.1.1 refers to subclause 4.1, which requires an organization and its context to be understood. Understanding the organization, its context, strategic direction or method used to achieve its goals is not only necessary to identify risks and opportunities, but it’s also required to develop a robust QMS that includes a quality policy and objectives mandated by subclauses 5.2.1 and 6.2.1, respectively. Some organizations might maintain documented mission and value statements to communicate their goals and strategies, but this is not an ISO 9001:2015 requirement.
Subclause 4.1 also requires an organization to identify relevant external and internal issues that affect its ability to achieve its goals or QMS’s intended results. Examples of relevant external and internal issues you should consider are provided in subclause 4.1’s notes two and three. While this subclause requires relevant external and internal issues to be monitored and reviewed, it does not prescribe a frequency at which you should monitor and review them.
This is why it’s important to consider these activities during the QMS planning process. Who, when and how will identified external and internal issues be monitored and reviewed? According to subclause 9.3.2b, reviewing external and internal issues is a required input item for management reviews, but ISO 9001:2015 doesn’t prescribe a frequency for conducting management reviews.
Most organizations’ management reviews occur annually. For monitoring and reviewing external and internal issues, it may be acceptable to establish frequencies that coincide with scheduled management review dates. This timing, however, is probably best developed based on the level of risk associated with the issues identified.
Remember, ISO 9001:2015 does not require a defined frequency for monitoring and reviewing these external and internal issues. These are actions an organization may choose to conduct to improve the effectiveness of its QMS, or monitor and control identified risks.
Subclause 4.2 requires an organization to understand needs and expectations of interested parties, and monitor and review information about these relevant parties. So, who are "interested parties?"
Interested parties could include: customers; suppliers; employees; registrars; the organization’s financial stakeholders; insurance providers; or government agencies such as state, local or federal regulators. ISO 9000:2015’s subclause 3.2.3 defines an interested party as "a person or organization that can impact, be impacted by, or perceive itself to be impacted by a decision or activity."2
Identifying relevant interested parties, including their needs and expectations, is critical to a QMS planning process. By understanding these areas, an organization can effectively use RBT to identify risks and opportunities associated with meeting expectations and requirements. Having a firm understanding of requirements and interested parties’ expectations also is essential for establishing requirements for resources such as materials, external support services, process controls, equipment and personnel competencies.
Top management involvement and leadership is indispensable because it’s responsible for determining an organization’s risk appetite and identifying the level of risk it’s willing to accept. ISO 9001:2015’s subclause 5.1.1, requires top management to be responsible for providing resources and leadership, and maintaining accountability for the QMS’s effectiveness. Unlike ISO 9001:2008, the 2015 revision does not require the organization to appoint a management representative. These duties and responsibilities rightfully remain with top management.
While ISO 9001:2015 doesn’t require an organization to conduct formal risk assessments, it’s the organization’s responsibility to determine which RBT method to use that best matches with operational and product needs. There are many different strategies that can be used to assess risk—such as a turtle diagram; strength, weaknesses, opportunities and threats chart; heat map; barrier chart; or failure mode and effects analysis. The selected risk-assessment strategy should be appropriate to the complexity or criticalness of the product, related processes and the organization’s risk appetite. It’s essential for top management to promote the use of RBT and the process approach during QMS planning.3
While ISO 9001:2015 doesn’t have a defined frequency for monitoring and reviewing information about interested parties, it may be beneficial to do so. This is because it can identify changes that represent an unacceptable level of risk to the organization or QMS.
Generally, subclause 6.1.1 requires an organization to determine risks associated with subclauses 4.1 and 4.2. These identified risks and opportunities must be addressed to improve the QMS and ensure that it can achieve intended results, enhance desired effects and minimize undesired effects.
Similarly, opportunities associated with subclauses 4.1 and 4.2 must be addressed. These identified opportunities may include increased market share via greater customer satisfaction, the development of new products or services, improved resource and supply chain management that might lead to decreased costs of materials or services, and opportunities to develop personnel competencies and training.
Subclause 6.1.1 (subparts A through D) requires an organization to determine process inputs and outputs, and the sequence of QMS processes, process controls and criteria. It also must determine how it will identify resource requirements, assign responsibilities, implement changes as needed to ensure requirements are met, and improve the effectiveness of the QMS and its processes.
These data can be used to ensure requirements are met for subclause 6.1.1—such as enhancing desired effects; preventing or reducing undesired effects; and improving a product, quality system and its processes. This is classic plan-do-check-act cycle.
These areas are further supported by ISO 9001:2015 requirements, such as developing:
- The QMS scope.
- A quality policy.
- Quality objectives and product-quality objectives.
- Product-acceptance criteria.
- Internal audits and control of nonconformances.
- Corrective action and management reviews to be included in the QMS planning process.
Subclause 6.1.2 is important because of its requirement for an organization to plan actions to address risks and opportunities, and determine how to integrate and implement these planned activities into the QMS. The organization also must evaluate the effectiveness of actions taken. Subclause 6.1.2 (the organization shall plan) also references subclause 4.4 and is the foundation for several important events that must be considered during QMS planning.
Subpart A of subclause 4.4.2 establishes requirements for documented information (procedures) to be maintained that support the processes, and subpart B identifies requirements for an organization to retain documented information (records) to provide confidence that processes were performed as planned.4
Subclause 6.1.2 requires an organization to plan its actions to address risks and opportunities, and to integrate and implement them into the QMS. Although not specifically stated in this subclause, planning actions to be taken ensures:
Actions are evaluated prior to implementation to determine whether there will be adverse effects on a QMS, its processes, products or interested parties.
Implementation of planned actions are communicated to appropriate parties and responsibilities are assigned.
Criteria are established to evaluate the effectiveness of actions taken.
Actions to be taken are appropriate to a risk or opportunity that’s being addressed.
For organizations transitioning from ISO 9001:2008 to ISO 9001:2015 or those planning to obtain their first ISO 9001:2015 certification, I recommend taking online or classroom transition training. Additional guidance about risk assessments is available in ISO 31000:2009.
You should consider reading ISO: Risk Based Thinking (CERM Academy, 2016) by Greg Hutchins. The Juran Quality Handbook (McGraw-Hill Education, 2010) also contains a wealth of information about quality management and should be a standard reference for every quality professional.
Aston Technical Consulting Services LLC
Reference and notes
- For more information about risk-based thinking and the process approach, read annex A.4, "Risk-based thinking in ISO 9001:2015," in ISO 9001:2015—Quality management systems—Requirements.
- International Organization for Standardization (ISO), ISO 9000:2015—Quality management systems—Fundamentals and vocabulary, subclause 3.2.3—interested part.
- Read Bill Aston’s "Standards Outlook: Leaders of Change" (July 2016, pp. 54-55) for additional information about what responsibilities top management should provide with regard to leadership and the promotion of risk-based thinking.
- Additional information about documented information that should be maintained versus retained is provided in ISO 9001:2015’s annex A.6. For more information on annex A.6, read QP’s "Keep Calm and Prepare for ISO 9001:2015," (September 2015, pp. 18-28).
ISO, ISO 31000:2009—Risk management—Principles and Guidelines.
ISO, ISO 9000:2015—Quality management systems—Fundamentals and vocabulary.
ISO, ISO 9001:2008—Quality management systems—Requirements.
ISO, ISO 9001:2015—Quality management systems—Requirements.