Clause 6 has a number of new requirements, but you’re already doing some of them. For example, if you have an estimating department, they are already practicing ‘risk management’. If you have project managers, they are following the path of a project and trying to anticipate what could go wrong. Letting Top Management in on this fact will help them meet their requirements for ‘…promoting the use of risk-based thinking and the process approach…’ (5.1.1 d). More importantly, your organization will be demonstrating that it is proactive in its approach to preventing non-conformances. You probably already know that the clause on preventive action (8.5.3 in ISO 9001:2008) has been removed. Your entire management system is your preventive action tool!
Other examples of managing risk could be your environmental aspect matrix, your OHS hazard identification, WHMIS training, supplier evaluations (supply chain management) and any other activities you engage in to prevent problems.
By identifying your internal issues, external issues and interested parties (4.1 and 4.2) you are demonstrating risk-based thinking, too. Even doing root cause analysis after a non-conformance (NC) demonstrates that you are considering various risks. In fact, if it’s not possible to completely eliminate the cause of the NC, you’ll probably make a statement something along the lines of ‘…lowering the risk to an acceptable level…’ or words to that effect.
The flip side of risk is ‘opportunity’. When most of us spot an opportunity, we almost immediately calculate the risk. This happens constantly in our organizations when we assess the creditworthiness of a potential new client – will we have to add staff? New competencies? Larger work spaces? Normal production has risks associated with it, and we manage those every day. We’re doing a lot of risk-based thinking; we just may not always recognize it!
If you use Deming’s Plan-Do-Check-Act cycle as part of your processes, you’re demonstrating risk-based thinking. Pretty much any method you use to manage the process flows in your organization will fit the bill. Tie them into your interested parties and you’re good to go!
The other ‘new’ section of this clause is the beefing up of the action plan to hit targets. There isn’t a requirement to document the plan, but it sure makes it easier to monitor the results and review them at Management Review time (9.3). We’ll be talking about the new review requirements in clause 9, but this risk-based thinking idea has further implications. If you use the model in 6.2.2, you’ll be demonstrating the use of a solid framework for managing risk while trying to hit quality objectives – a fine bonus, indeed.
For the ‘Managing changes’ clause, you’re probably doing most of it already. Just be aware that change can happen anywhere, but it occurs in 5 major areas, often connected. Clause 6.3 talks about changes to the management system itself, at a very high level. Working our way down into the system, we may find that customers request a change in their order (8.2.4). This may result in a change to the design (8.3.6), which could lead to new requirements for suppliers (8.4.3) and even a new way of providing the process, product or service to our clients (8.5.6). Finally, some of these changes will mean updates to documented information (7.5).
Managing all these changes (rather than crossing our fingers and hoping for the best) is likely happening in your organization right now and you may not have to add anything. Or, this is a chance to tighten up this part of your organization for better results, and lower risk.
To find out if your ISO life can be simpler…
Here’s the link to our YouTube channel: https://www.youtube.com/watch?v=V7I1MLs8oH0&t=19s