NQA works with a number of customers throughout the world covering the aerospace, automotive, telecommunications, food safety and information technology industries. NQA provides accredited certification, training and support services to help clients improve processes, performance, products and services. Having issued more than 43,000 certifications to clients in more than 90 countries, NQA helps organizations perform better in terms of quality, the environment, energy, sustainability and health and safety management.

Manufacturing Today recently was able to connect with NQA and discuss the new ISO 9001:2015 standard and how it can help manufacturers prepare for the future.

Manufacturing Today: Why was risk featured so prominently in the new ISO 9001:2015 standard?

Buddy Cressionnie, NQA Aerospace, Space and Defense Fellow: Risk determination, consideration and control have been effective business practices for years. ISO 9001 was revised in 2015 as one of the first standards published to utilize the Annex SL common management system structure and terminology. Management system standards expect organizations to be proactive in management of their process controls and quality systems. Prior versions of ISO 9001 used the concept of preventive action. This concept is now reflected in risk-based thinking that is peppered throughout the ISO 9001:2015 standard to encourage a risk-based approach for processes and the quality management system.

MT: When should a company consider risk for product and services? When it takes on a new customer, a new product or service? Is there any other area(s) where a company can apply risk?

BC: The expansion of risk in ISO 9001 emphasizes the shift from mere compliance to business effectiveness for achievement of desirable effects and intended results. There are several areas where risk and opportunities should be considered:

  • Contracting – Ensuring that contract risks are understood prior to accepting a tender is critical. The contract should be examined to determine if there are delivery schedule concerns, process complexity issues or past performance issues, along with the maturity of the industry. Examples include performance requirements imposed by the customer that are at the limit of a company’s technical or process capabilities.
  • Business Planning – The business plan and schedule should manage product and service provision in a structured and controlled manner including scheduled events performed in a planned sequence to meet requirements at acceptable risk, within resource and schedule constraints. All of these considerations should be subject to the company’s risk process.
  • Engineering – Technical risk in meeting customer, contractual and regulatory requirements needs to be understood and risk-mitigated to ensure delivery of items. The application of risk can be through engineering controls, tighter tolerance, materials and processes, and production and service controls. Any product or service safety risks should be included in the risk assessment.
  • Purchasing – Risk should be applied throughout the purchasing process. The organization needs to understand supplier risk when qualifying and selecting suppliers. The supplier selection process should be robust and understand risk to include the development of mitigation activities to minimize surprises in the future. In addition to that, suppliers should be confirming material test reports for high-risk products. Risks should also be evaluated when determining supplier flow-down requirements and the amount and type of verification needed for incoming supplier product. Verification activities include inspection or periodic testing when there is high risk of nonconformities, including counterfeit parts. The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular suppliers and externally provided processes, products and services.
  • Production – Readiness for production should be evaluated to determine if the production processes, documentation and tooling are able to produce products that meet customer requirements. These processes should have sufficient risk analysis performed to determine if they can meet production capacity, capability and controls.
  • Post-Delivery – To ensure end-user customer satisfaction, organizations should utilize risk-based thinking to understand the risk associated with product or service usage so appropriate planning can occur to ensure serviceability and provision of spare parts.

MT: Are risks associated with the product or service the only areas where risk should be assessed? How else can risk be applied to any business?

BC: Risks can be applied effectively to any business process including:

  • Organizational context – There are risk uncertainties and opportunities when organizations define organizational context, including economic business factors, social factors, political stability, new technology, competitor analysis, statutory/regulatory impacts to the work environment, organization performance, human aspects, operational factors and organizational governance.
  • Interested parties – There are potential risks and opportunities when identifying relevant interested parties, their relevant requirements and how they impact an organization.
  • Process controls – Processes are monitored and measured with control points throughout the process. Risks and opportunity should be considered within process development and execution so any process adjustments can be implemented to achieve planned results.
  • Financial controls – Risk applied to understand how future income and expenses will be impacted by market conditions, competition, changing needs, new technologies, world events, etc.

MT: Why are risk and opportunity linked? How can a risk be turned into an opportunity?

BC: Risk is defined in ISO 9000 as the risk of uncertainty. When analyzing the business, there is frequently a positive outcome, which may arise from the uncertainty, or a new opportunity based upon evaluating the business. A fundamental ISO 9001 principle is improvement that can be realized from taking advantage of opportunities and preventing undesirable results to ensure business sustainability.

MT: During a third-party ISO audit, what do you say to a company that claims it evaluates risk every day but doesn’t document it?

BC: To conform to ISO 9001:2015 requirements, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.

MT: Does a company have to have a formal risk method or tool?

BC: There is no requirement for formal methods or tools for risk management or a documented risk management process even though ISO 9001:2015 clause 6.1 specifies that the organization shall plan actions to address risks. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by ISO 9001. The ISO 9001:2015 standard introduced risk-based thinking, though it is expected future revisions will require a more rigorous approach.