Wednesday, September 13, 2017

RISK-BASED THINKING - ISO 9001:2015 - NIK ZAFRI





Risk Based Thinking ISO 9001:2015
(The answers provided are not to be deemed solutions but basic guidelines; please contact me for further details of consultancy and training.)
Q: Do I issue an NCR for Risk Identification/Assessment (i.e. HIRARC)?
A: Risk Identification/Assessment, and even HIRARC itself, is an assessment, NOT an audit/inspection. Please do not confuse the two. When we talk about risk, the word "proactive" must always come into the picture. Risk Based Thinking in the new ISO 9001:2015 was previously known as "Preventive Action", but is now spoken of in a wider sense.
If you are using HIRARC, then there are "marks" to denote the severity and likelihood of the risk being identified. You can note suggestions or instructions for improvement based on your findings and discuss them in your Management Review.
Q: I am a newbie in Risk Management. Where do I start on Risk Based Thinking when upgrading from the old version?
A: ISO 9001:2015 does not make it "a must" to have full risk management. If it is already part of your core business process (especially planning), e.g. using HIRARC, then that's different. Look at your core business processes and identify/brainstorm the possible risks associated with every process, where applicable. Using a Risk Register would be a good idea.

"Risk Based Thinking" was introduced into ISO 9001:2015 to reduce non-conformance and customer complaints, and to justify clearly (substantiated with evidence) the Department/Unit Objectives, KPI/KRA, Balanced Scorecard etc. (not simply pick a figure from 'the sky').