Look Fors – Part 3: Planning for Risk and Change

Would you like to know what 3^rd party auditors are looking for when auditing how your company complies with quality system standards like ISO 9001:2015?

What are 3^rd party auditors looking for?  This is the third of a three part series by Jim Lee, President of simpleQuE

Clause 6 of ISO 9001:2015 – Planning for Risk and Change
In parts one and two of this series of articles, Context of the Organization and Leadership were covered. Next is the topic of Planning for Risk, which brings risk-based thinking to the forefront. Once the organization has identified the risks and opportunities in Clause 4, it needs to stipulate how to address these.  The planning phase examines who, what, how and when risks must be addressed.  It’s a proactive approach that replaces preventative action and hopefully reduces the need for corrective actions later on.

Particular focus is also placed on the objectives of the management system.  These should be consistent with the quality policy and be measurable, monitored, communicated and updated when needed.  Changes to the QMS should also be planned and consequences understood to assess risk and minimize potential negative impact.

Third party auditors may use the following for evidence of risk based thinking and integration into the quality management system:

• Design reviews
• Competitive analysis, benchmarking, recall analysis, competitive testing
• Process control plan, internally tighter tolerances and controls than customer specs
• Management reviews
• Process and design FMEA (Failure Mode and Effects Analysis)
• Corrective Actions, and replicating actions across similar products and processes
• Metrics related to objective in management review
• Customer scorecards, dissatisfaction, trends and performance
• Operational meeting minutes with action items for higher risks
• Change in leadership or new programs
• Processes to deal with new technology, new materials, new processes, new products, new suppliers, new packaging, moving production, changing equipment
• Program plan describing and monitoring change
• Equipment maintenance plans and programs
• Calibration frequencies
• Internal audit frequencies, and the need to audit some areas more than others
• Contingency plans
• Strategic or business planning, SWOT (Strength, Weaknesses, Opportunity, Threats) analysis, PEST (Political, Economic, Social and Technological) analysis, etc.
• Approval for capital, along with the justification and risks to invest now or delay to later
• Supply chain risk management with supplier performance, financial stability, sole sourcing, geography with lead times and inventory in transit, leverage, long term agreements, etc.

Not that all of the elements listed above will be needed, but organizations may experience potential issues if:

• Risks and opportunities are not identified when there is clear evidence of problems or need for action
• Risk-based thinking is not driven by leadership
• Actions to address risks and opportunities are not taken or not effective
• Risk evaluation is not applied throughout the QMS (supplier selection and evaluation, new product or service, short lead time, capacity constraints, etc.)
• Measurable objectives are not established
• Objectives are not monitored or changed as the context of the organization changes
• Action is not taken when objectives are not met, or trends are going the wrong direction
• The impact of change is not identified or magnitude of change not understood
• Costs/schedule are not included in defining change

Also, read more about Context of the Organization in Part 1 and Leadership in Part 2.

Source:  NQA’s Teaming Conference – August 2017