Risk-based thinking – What are Registrars offering for advice and guidance?
If you are a savvy quality
person or top manager, you’re keeping current with the imminence of
ISO9001:2015 and the exciting new requirement of “risk-based thinking” (RBT). No
doubt you’ve read (or received) the latest literature from registrars,
perhaps even with offerings of RBT training classes.
Registrar guidance
documents do offer the particular perspective of that registrar. There may be pressure
to define and implement the framework immediately for the new standard because,
um, well, it’s new!
The interpretive
guidance documents are…well, interpretive, especially concerning RBT. What did
TC176 really have to say about risk-based thinking? After reading this article, you'll see that even
the registrars can’t seem to agree on RBT.
Is it a concept, a requirement…or
perhaps…neither?
The closer you
get…the fuzzier it becomes.
The choice was made to
question some of the sources of the available CB guidance documents. In one
Linkedin forum (https://www.linkedin.com/grp/post/8245759-5983907899645186052) – [albeit a private
group – just join to gain access to it] one well-known registrar provided a
link to its ISO 9001:2015 guidance document. Upon examination, there was only one reference within the document to “risk-based thinking”. The registrar contact was asked to provide an explanation,
“In this guidance
document, there is no definition for "risk-based thinking", only one
reference to it. In the DIS - there is also no definition. How does [registrar]
propose to clients on how to be audited against a requirement with no
definition?”
The registrar’s
response was surprising,
“…it's true that the DIS does not define "risk-based
thinking" (and it also uses the
"quotes" when referring to it ..)…So we do have something to work
with, albeit not formally defined.”
[Bold added for emphasis]
Say that again? “The
DIS does not define ‘risk-based thinking’.”
Um, OK...so, where can I go to find how it is defined?
What another
registrar told us.
Another large
registrar recently promoted its guidance documents within a public LinkedIn
group (https://www.linkedin.com/grp/post/1268337-5996585185037082624#commentID_discussion%3A5996585185037082624%3Agroup%3A1268337 ). What captured my
eye was the lead-in promotional statement,
“You will need to prepare
for change and adapt your quality management system to meet the new
requirements…”
Like a hungry shark rising to snag the bait, boat, and fisherman, I asked the registrar to explain a bit more.
“…your lead-in
mentions "the new requirements" but nowhere in the article are these
requirements spelled out. In fact, it's a topic ignored. Or overlooked by
accident?
It is well-documented that DIS is largely a re-shuffle of existing 9001:2008 requirements but with a spoonful of RBT added for flavor.
Can you explain?”
A response was received the very next day.
“Our Gap Analysis
download details these differences and highlights new requirements, I can send
this to you directly if you would like to PM me.”
I dutifully responded
with a private email, and the next day received three PDFs of what appeared
to be colorful (undated) brochures. The documents were reviewed, and I observed that
the “new requirements” were largely focused on the addition of two “General”
clauses along with some expansive wording. Most
curious was absolutely no mention of “risk-based thinking” within any of these registrar
guidance documents.
Writing back to this
registrar, I asked for a resolution of this conundrum regarding risk-based
thinking, in light of a competitor claiming it is not formally defined.
“Usually, audits are
conducted to determine compliance against requirements but...the DIS makes it
clear that RBT is only a concept. See line 300 in the DIS..."and the
concept of risk-based thinking ..."”
The
opinion of the competitor registrar was included in my question. No response was ever received.
What the infamous TC176
had to say about RBT.
Document N1222, dated
July 2014, and issued by ISO/TC 176/SC 2, is a topical paper about
“risk” in ISO 9001:2015. In addition to others, it specifically addresses two
concerns for RBT:
- To address the concern that risk-based thinking replaces the process approach,
- To explain in simple terms each element of a risk-based approach.
The conclusions provided by Document N1222 are a little frightening. Italicized comments,
below, are mine.
- Risk-based thinking is something we all do automatically.
- Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system. (If it was already there, under which clauses did it exist?)
- Risk-based thinking is already part of the process approach. (Oh? Where was this specified in previous versions?)
- Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found – this is sometimes seen as the positive side of risk.
- The concept of risk-based thinking is explained in the introduction of ISO9001:2015.
Within DIS, RBT is
described only as a concept, not a requirement, and nowhere in the DIS is it
defined. This mirrors the opinion of the first registrar who responded to our
query. RBT is not proffered anywhere under any clause as an explicit
requirement.
Frankly, it all
sounds very Orwellian, as if issued directly from the Ministry of Truth.
But wait! There’s more!
Document N1223, dated
July 2014, and issued by ISO/TC 176/SC 2, is titled, “(Draft)
Transition Planning Guidance for ISO 9001:2015”. This document was searched for
occurrences of “risk-based thinking”, and two hits were obtained; the most applicable is
the following statement.
“The main changes in the
new version of ISO 9001:2015 are: ...an explicit requirement for risk-based
thinking to support and improve the understanding and application of the
process approach…”
A search of DIS2015 shows no explicit requirement, unless one considers
the statements in clause 0.5 referencing risk-based thinking as a concept.
Document N1224, dated
July 2014, and issued by ISO/TC 176/SC 2, is a
cross-correlation matrix between DIS2015 and ISO9001:2008. It contains no
mention of risk-based thinking anywhere in the matrix. This means…yes…even if
DIS2015 has RBT as an embedded requirement, there is no mention of it.
Is it hiding from us,
in plain sight? If so…where?
Some Other Registrars
and their Interpretations
BM Trada, a registrar
in the UK ( www.bmtradagroup.com ), published a technical bulletin titled,
“ISO 9001:2015 – Introducing the Changes”. The publication was searched for the phrase
“risk-based thinking” and found…no hits. Searching on “risk-based” yielded
only one hit, that for “Control of externally provided products and services”.
“Organisations will
be required to take a risk-based approach to determine the type and extent of
controls appropriate to each external provider and all external provision of
products and services.”
This statement
resides at lines 1691 and 1692 in Annex A of the DIS. However, under Clause 8.4
to which this applies…there is absolutely no mention of a requirement to use risk
management or to use risk-based thinking to achieve compliance to Clause 8.4. Is a risk-based approach the same thing as risk-based thinking? Remember - this is supposed to be a standard! Curiouser
and curiouser…
BSI published a fact
sheet titled, “ISO 9001:2015, Frequently Asked Questions, Approaching Change”. This publication was searched for “risk-based thinking” and found…no hits. I next searched for all occurrences of “risk”, and found four hits, and three of
them are associated with using ISO 31000 as a risk-management standard.
Interestingly, the
BSI FAQ discusses risk in the context of an organization being certified to ISO
31000. However, the ISO website confirms that ISO 31000 cannot be used for
certification (http://www.iso.org/iso/home/standards/iso31000.htm ). The proofreaders
at BSI had better check on this one.
UL-DQS offers its
publication with the title, “ISO 9001:2015 FAQ”. Numerous occurrences of “risk
based thinking” were found (the hyphen between “risk” and “based” was dropped
in the UL-DQS document). At Note C8 (page 7 of 8) is an example of what the
objective evidence would look like for compliance to a “risk based approach”
within the organization.
“Evidence will need
to demonstrate that risks and opportunities have been identified, actions have
been planned and implemented to minimize the most significant risks and that
the effectiveness of these actions has been checked.”
But as with the other
registrars’ materials, no clear definition for “risk based thinking” or how it
will be audited for compliance.
Summary
We can conclude four things from the research of certain TC176 documents and a sampling of available
registrar brochures and guidance documents about “risk-based thinking”.
- The registrars’ understanding of risk-based thinking doesn’t jibe with what TC176 has promoted and promulgated.
- Registrars’ material and guidance documents don’t harmonize with each other’s perceptions and interpretations. Each has its own approach (or no approach!) toward the phrase “risk-based thinking”.
- Because of this lack of harmony amongst registrars, a client's QMS will be assessed (and certificated!) differently as influenced by that registrar's army of auditors.
- “Explicit requirements” within DIS2015 which mandate “risk-based thinking” do not seem to exist. Search yourself in the DIS!
So, where can one go
for help? TC176 is not accessible by the general public, and registrars are
discovering that they and their clients will be looking at each other, one side
with more questions than the other can provide answers to. Registrars may be making
the best of educated interpretations but frankly, clients want facts because
they are paying for facts.
Not for colorful
interpretive brochures.
Still undecided about
DIS versus 2008 version?
If you are still
sitting on the fence over going with the 2008 or 2015 version of ISO 9001, it
might be wise to go with the devil you know – the 2008 standard. It is
well-known, and CB auditors know how to audit for compliance (more or less) to the
2008 standard. If you are already certificated to the 2008 standard, well, you
need to prepare to bite the pretty apple and risk finding half a worm.
Have you asked your
registrar for guidance documents and a gap assessment of DIS against the 2008
standard? What did you receive? Is “risk-based thinking” a concept, a
requirement, or neither?
In closing
Be very careful with
assessing and integrating registrar information, especially from only one
source. Check the competitors, check within your professional peer networks, and
talk to consultants. Yes, consultants are human and are available to help you navigate those
TC176-infested waters of the new standard.
Follow My Blog:
www.Lawrence-international-LLC.Blogspot.Com
"we’re here to help you navigate those TC176-infested waters of the new standard"
Great! You need to copyright that phrase.
Regards
Miguel Piedras
It is becoming clear that a lot of the misconceptions about the significance of the changes inherent in the 2015 revision originated with rumors and speculation that arose when the Committee Draft was first issued. The idea that there was something new... That Preventive Action was being phased out and replaced with “risk-based thinking”. This was interpreted as the most significant aspect of the change by many – but what did it mean? Given the most substantial change was in a lack of prescriptive policy – ISO actually realized that it was over-stepping the bounds between the Standard and how one does business by requiring documentation where only a procedure is required - it is not surprising that there is no prescriptive methodology in how to approach risk. Indicators, that it is “a concept” or is an inherent part of the process approach should be enough to discern how it applies. It all starts with the customer - With the requirements of the customer as quoted, flowed on the contract, reviewed, understood, disseminated to all interested parties and verified as having been met. At each step the risk associated with dropping the ball should be considered and avoided or, as applicable, mitigated. Objective evidence of a successful implementation of a risk-based approach would take the manifest form of an absence of complaints, rejects, etc. that indicate requirements were not met due to avoidable circumstances. Use common sense and the overall intent of the standard as a guide – save money on a consultant – we’re all too busy anyway…