Munich - An increasing number of certified companies are starting to address the upcoming changes brought about by the ISO 9001 revision scheduled to be published by late 2015. So far, the standard has regarded preventive actions within the scope of a continuous improvement process as primarily the result of corrective actions. In the revision, risk-based thinking now plays a greater role as a cross-sectional function and characteristic quality-management system element. TÜV SÜD’s experts explain the new requirements to which organisations should now start adjusting.
"The revised ISO 9001 examines all risks and opportunities in very direct connection to the processes established in an organisation. For this reason, the standard also establishes a clear differentiation from an extensive risk management system", explains Helmut Keuerleber, product manager at the TÜV SÜD certification body. "In contrast to an extensive risk management system, quality management need not identify all risks existing in an organisation, establish consistent evaluation and reporting or take financial precautions, for example." The ISO 9001 standard combines the analysis and evaluation of risks – and most recently also opportunities – right from the stage of process definition or revision. Instead of relying on a higher-level risk manager, a quality management system according to ISO 9001 depends on the expertise and experience of process owners. They know best about any potential risks and opportunities – long before non-conforming processes may turn into obvious problems.
The new standard essentially describes two basic PDCA (plan-do-check-act) cycles: a macro cycle that concerns the total system and takes into account all quality-related risks and opportunities, and micro cycles for each individual process. Risk analysis is anchored in both and is one of the key building blocks for reaching the aspired-to degree of process maturity. To understand not only the specific procedures and/or processes of an organisation, but also its environment and its key relations, e.g. with its market and customers, ISO 9001 includes the requirement of defining the context of the organisation. This context and process analysis then produces all relevant organisation-specific risks and opportunities which are important for future success.
From a methodological point of view, the new ISO 9001 is open to all suitable approaches to risk assessment; possibilities include the Turtle model, known from the automotive industry, which covers systematic risk assessment. However, risks can equally well be analysed and mapped by using appropriate process sheets or a matrix with defined assessment criteria. The goal is to support the revised standard's approach of risk-based thinking instead of conventional preventive actions. In practice, addressing risks and opportunities extensively may be at least as effective as, or even better than, preventive actions, as it represents a preventive approach rather than a response to problems that have already occurred.