There are twelve posts in this series. To read Part IX, please click here.
In this and the following two posts we shall show examples of the type of documented needed to support the Six Step process for applying RBT; namely, documents for: (1) Statement of Context (External and Internal), (2) Risk & Opportunities (R&O) Register, (3) Semi-Quantitative Risk Assessment Calculator and Graph, and (4) Risk Treatment Plan Summary.
Recommendations for documenting risk-based thinking in Quality processes
The full and proper application of the risk management process should generate a range of information and data that needs to be stored and reviewed.1 This includes statements of context (SoC) and briefing notes. Documented information of this kind may be generated in separate software and stored in various places on hard disks or in the cloud, but preferably it should be contained in a centralised system that permits the analysis of data and the production of reports. It should be controlled and maintained by the organization2, and we strongly recommend that you implement a document management system (DMS) to ensure that documents are current, relevant and approved by the organization.
Documented information can refer to: - the quality management system (3.33), including related processes (3.12); - information (3.50) created in order for the organization (3.01) to operate (documentation); - evidence of results achieved (records). The documented information that we are proposing as part of your quality management system is designed to help determine risks and opportunities in accordance with the requirements of Clause 6.1, and plan and implement the appropriate actions to address them.3 Our method identifies, analyses, evaluates and treats risks that affect the conformity of the organization's products and services and the documented information that we recommend supports these processes.
In this way, the risk management methodology is designed to enhance customer satisfaction by helping the organization to think about relevant risks and opportunities to give assurance that the quality management system can achieve its intended result(s); prevent or reduce undesired effects; and achieve continual improvement, as required by ISO 9001.4
1. Statement of Context
The first example of documented information we would suggest is appropriate when applying risk-based thinking in a QMS is a context review summary or Statement of Context (SoC) - External and Internal.
The design and implementation of an organization's quality management system is influenced by the context of the organisation and the changes in that context.5 Understanding the context of the quality management system and related processes is a requirement of ISO 9001:2015 (Clause 4). The organization's context is its business environment, organizational environment or ecosystem: a combination of internal and external factors and conditions that can have an effect on an organization's (3.01) approach to its products (3.47), services (3.48) and investments and interested parties (3.02).6
This document is a summary review of the organization's external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system, and its specific objectives. Risks and opportunities associated with the organization's context and objectives can be determined by assessing the external and internal issues that are relevant to its purpose and its strategic direction, and that affect its ability to achieve the intended result(s) of its quality management system (QMS).
The context is important with regard to two clauses in ISO 9001:2015; namely, 4.1 Understanding the organization and its context and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can impact on the planning of the quality management system.7 An organization should be able to demonstrate through its QMS processes the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and that it aims to enhance customer satisfaction.8 Therefore, understanding the external and internal context described in clause 4.1 is necessary to determine the risks and opportunities that need to be addressed (6.1).
The template below is used to record the name of the organization (box 1), its purpose (box 2) and objectives derived from senior management strategy (box 3), the external and internal context of the organization (boxes 4a and 4b), the relevant interested parties (box 5a) and the needs and expectations (requirements) of those interested parties (box 5b). The form also records objectives for the risk assessment (box 6) and specific changes to criteria (box 7) identified from monitoring & review (Step 6).
Click on the document icon to download the PDF, or visit the Free Templates page in our Documents Library.
Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local.9 Therefore, you should record the relevant issues identified from the research that you have conducted using documented information maintained by the organization, and brainstorming or other Supporting Methods described in ISO 31010:2009, in the boxes provided.
In this way, you will have established and documented the external context of the quality management system and its associated processes.
To same process applies to:
Understanding the internal context, which can be facilitated by considering issues related to values, culture knowledge and performance of the organization.10
The Statement of Context is the information document in which to record interested parties that are relevant to the quality management system. In addition to establishing the needs and expectations of these third parties, the organization should determine which issues and requirements impact on the planning of the quality management system and related processes.
The context of an organization can include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates.11 Determining what documented information is relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability to consistently provide products and services that (a) meet customer and applicable statutory and regulatory requirements, and (b) enhance customer satisfaction.12
In summarising the important factors and their implications for risk assessment in relation to context, the Statement of Context records the findings of Quality Management in respect of the external and internal context, and the needs and expectations of relevant interested parties, as outlined in Step 1: Establishing the Context, of this RBT process model.
RBT or “Risk-based thinking” means considering risk qualitatively (and, depending on the organization’s context, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities.
Therefore, it follows that determining both the external and internal context, and taking account of customer requirements and aims for the purposes of enhancing satisfaction, is central to the consideration of risk.
Clauses 4.1 and 4.2 provide for alignment with other management system standards. This includes ISO 31000 Risk management — Principles and guidelines, which provides guidelines on formal risk management processes which can be appropriate in certain organizational contexts. ISO 9001:2015 recognises that for some organizations, the consequences of delivering nonconforming products and services can result in minor inconvenience to the customer; for others, the consequences can be far-reaching and fatal. It can be appropriate in some contexts to develop a more extensive risk-based approach than is required by this Standard.
1 Project management guidelines: managing risk with ISO 31000 and IEC 62198; Dale F Cooper, et al, John Wiley & Sons Inc, March 2014, p.124.
2 ISO/DIS 9001:2014, 3.11 Documented Information, p.14.
3 Ibid. 4.4 - Quality management system and its processes, p.26.
4 Ibid. 6.1 Actions to address risks and opportunities, p.28.
5 Ibid., Introduction, 0.1 General, p.6
6 Ibid. 3.24, p.17.
7 Ibid. A.3 Context of the organization, p.45.
9 Ibid. 4.1, p.25.
12 Ibid. A.3. Context of the organization, p.45.
There are twelve posts in this series. To read Part XI, please click here.
This post is written by Michael Shuff.