ISO/DIS 9001:2015 Risk-Based Thinking

Transcription

1 ISO/DIS 9001:2015 Risk-Based Thinking Whittington & Associates, LLC 6175 Hickory Flat Highway, Suite , Canton, GA Version 1.0: 01/10/ Whittington & Associates, LLC Slide 1 What is Risk? Risk is the effect of uncertainty on an expected result Effect is a deviation from the expected positive or negative. Uncertainty is the lack of information related to understanding or knowledge of an event, its consequence, or likelihood. Risk often refers to potential events and consequences Risk is often expressed as the consequences of an event and the associated likelihood or probability Version 1.0: 01/10/ Whittington & Associates, LLC Slide 2 Requirements V Whittington & Associates, LLC Page 1

2 What is Risk-Based Thinking? The concept of risk has been implicit in ISO 9001:2008 (however, risk is not mentioned in clauses 4 to 8) The ISO 9001:2015 revision makes it more explicit ( risk is mentioned 14 times within clauses 4 to 10) Risk-based thinking ensures that risk is considered from beginning and throughout the process approach Risk-based thinking makes preventive action part of your strategic planning and direction Risk is often thought of in the negative sense, however, risk-based thinking can also help identify opportunities Version 1.0: 01/10/ Whittington & Associates, LLC Slide 3 ISO/DIS 9001:2015 Risk-Based Approach (6.1, A.4) Determine and address risks and opportunities Use planning events to identify and analyze risks Don t want to say we should ve seen that coming Replaces the Preventive Action requirements Version 1.0: 01/10/ Whittington & Associates, LLC Slide 4 Requirements V Whittington & Associates, LLC Page 2

3 Risk-Based Approach Risk now considered throughout the standard: 4.1.f - Determine risks; take actions to address b - Ensure risks determined and addressed Plan to determine risks that need to be addressed to achieve intended results Plan actions to address risks; integrate into processes; evaluate effectiveness of actions a - Consider risks in post-delivery activities e - Review effectiveness of actions on risks. Version 1.0: 01/10/ Whittington & Associates, LLC Slide 5 Consequences and Constraints Risk relates to consequences and constraints : 6.3.a - Consequences of planned system changes a - Constraints on existing internal resources Consequences of unintended process changes e - Consequences of product or service failure a.2 - Consequences of nonconformities Version 1.0: 01/10/ Whittington & Associates, LLC Slide 6 Requirements V Whittington & Associates, LLC Page 3

4 Risk Assessment Consider scenarios that may impact your business: product failures late deliveries service issues supply chain disruption technology shifts competitive pressures currency changes raw material shortages oil price increases work stoppage economic downturn increased regulations Version 5: 8/05/ Whittington & Associates, LLC Slide 7 Risk Assessment Worksheet Identify and Rate Risks for Business Events (strategic, operational, financial, compliance) Rating Risk Probability (1 to 5) Rating Risk Consequence (1 to 5) Risk Index P x C = I (1 to 25) Risk Assessment Low - Med - High (1-8) (9-16) (17-25) Action Type Action Reference Version 1.0: 01/10/ Whittington & Associates, LLC Slide 8 Requirements V Whittington & Associates, LLC Page 4

5 Rating of Risk Probability Rating Probability Criteria (Likelihood of Risk Occurrence) 1 Rare Unlikely to occur, but possible 2 Unlikely Unlikely, but can be reasonably expected to occur 3 Possible Will occur several times 4 Likely Will occur frequently 5 Almost Certain Continually experienced Version 1.0: 01/10/ Whittington & Associates, LLC Slide 9 Rating of Risk Consequences Rating Consequence Criteria (Impact of Risk to Business) 1 Incidental Negligible business impact. Local media attention quickly remedied. Nothing reportable to regulator. No injuries to employees or third parties. Isolated staff dissatisfaction. Loss up to $x. 2 Minor 3 Moderate 4 Major 5 Extreme Slight business impact. Local damage to reputation. Reportable incident to regulator with no follow-up. No or minor injuries to employees or third parties. Some morale problems and turnover increase. Financial loss of $x to $x. Limited business impact. Short-term negative media coverage. Report of breach to regulator with immediate correction. Out-patient medical treatment for employees or third parties. Widespread staff morale problems and high turnover. Financial loss of $x to $x. Serious business impact. Negative media coverage. Significant loss of market share. Report to regulator requiring major corrective action. Limited in-patient care for employees or third parties. High turnover of experienced staff. Financial loss of $x to $x. Disastrous business impact. Long-term negative media coverage. Dramatic loss of market share. Significant litigation, prosecution, or fines. Significant injuries or fatalities to employees or third parties. Multiple leaders leave. Potential closure of business. Financial loss of $x or more. Version 1.0: 01/10/ Whittington & Associates, LLC Slide 10 Requirements V Whittington & Associates, LLC Page 5

6 Probability Range Risk Index Table P x C = Index Low: 1-8 Medium: 9-16 High: Consequence Range Version 1.0: 01/10/ Whittington & Associates, LLC Slide 11 Mitigation Actions Type Option Description 1 Avoid Risk Withdraw from the activity 2 Eliminate Risk Eliminate the risk source 3 Change Risk Change probability or consequence 4 Share Risk Outsource risk or insure against it 5 Retain Risk Accept risk by informed management decision Version 1.0: 01/10/ Whittington & Associates, LLC Slide 12 Requirements V Whittington & Associates, LLC Page 6

7 Mitigation Action Worksheet Reference Number 1 Risk Level Action Type Description of Action Person Assigned Due mm/dd/yy Actual mm/dd/yy Version 1.0: 01/10/ Whittington & Associates, LLC Slide 13 Optimal Risk-Taking Insufficient Risk-Taking Optimal Risk-Taking Excessive Risk-Taking Expected Value Risk Level Version 1.0: 01/10/ Whittington & Associates, LLC Slide 14 Requirements V Whittington & Associates, LLC Page 7

8 Risk Assessment Process 1. Identify relevant business objectives. 2. Identify events that could affect achievement of objectives. 3. Determine risk tolerance. 4. Assess inherent likelihood and impact of risks. 5. Evaluate the portfolio of risks and determine risk responses. 6. Assess residual likelihood and impact of risks. Inherent risk is the current level of risk assuming existing responses operate according to design. Residual risk is the estimated risk after responses under consideration are put into place. Version 1.0: 01/10/ Whittington & Associates, LLC Slide 15 Why Adopt Risk-Based Thinking? Successful companies usually take a risk-based approach because it brings benefits: improves customer satisfaction assures consistency of products and services establishes culture of prevention and improvement ISO/DIS 9001:2015 does not require a formal risk assessment, but requires documented information ISO 31000, Risk Management, provides guidance and may be a useful reference, but is not required Version 1.0: 01/10/ Whittington & Associates, LLC Slide 16 Requirements V Whittington & Associates, LLC Page 8

9 What Should I Do? Analyze and prioritize your risks and opportunities what is acceptable? what is unacceptable? which opportunities should be acted on? Plan actions to address the risks and opportunities how can I avoid, eliminate, or mitigate the risk? how can I realize opportunities? Implement the plan take action Check the effectiveness of the actions did it work? Learn from experience continual improvement Version 1.0: 01/10/ Whittington & Associates, LLC Slide 17 Questions If you have questions about ISO/DIS 9001:2015, please contact me at , or send an to Larry@WhittingtonAssociates.com. Version 1.0: 01/10/ Whittington & Associates, LLC Slide 18 Requirements V Whittington & Associates, LLC Page 9