The document discusses auditing risk processes in ISO 9001:2015. It introduces the concept of risk and discusses why risk is an important but complex topic. It then covers auditing risk in the ISO standard, including the impact of outcomes, different audit methodologies, and how to apply auditing to risk threads. Finally, it discusses risk management processes and three perspectives on risk: within processes, related to products and services, and technical risks. The document provides information to help auditors understand and evaluate risk processes.
2. Introduction to Risk
• Why Are We Discussing Risk Again ??
– Can Be a Complex Concept
– Difficult to Understand & Distributed Across the Std.
– Difficult to Explain to Customers
– Need to Continue to Expand our Audit Skills and Learn from Each Other
3. Auditing Risk in the ISO 9001:2015
• Short Revisit
– Risk Perspectives
– Risk in the ISO Standard
• Auditing Risk
– Impact of Outcomes
– Audit Methodologies
– Auditing Threads
– Application to Risk
• Case Studies
6. Risk Management Processes
• Risk Planning (Organizational Plan)
– The step of developing and documenting comprehensive and interactive strategies and methods for identifying and tracking risk areas, training, developing risk mitigation plans, performing risk assessments to determine how risks have changed, and planning/obtaining adequate resources.
• Risk Identification (When & Where)
– The step of discovering and defining all risks inherent in your program or project.
• Risk Assessment (Who)
– The process of analyzing and prioritizing program and process risks against cost, schedule and/or performance criteria.
• Risk Handling (Decisions & Actions)
– The step that identifies, evaluates, selects, and implements actions in order to reduce risk likelihood or consequence to an acceptable level.
• Risk Monitoring
– The step that systematically tracks and evaluates the performance of Risk Handling actions against established metrics throughout the acquisition process.
9. Product/Service & Technical Risk
• Complexity of Design
• Criticality of Product/Service for End Use
• New or Unproven Process or Technology
• Organizational Capability to Design or Build Product/Service
– New or Unproven Process to Organization
– New Technology to Company
• Others??
11. Risk Based Thinking, Decisions & Behaviors
• Here is Where “Risk Based Thinking” Strongly Applies
– See a Risk >> Do Something about it.
– Identify and Communicate
• Risk Understanding
– Thinking & Awareness
– Understanding the Risks and How they affect your Function or Process
• Risk Based Decision Making
– Making Choices on Handling Risk
13. Risk Based Decisions & Behaviors
• Identification (including Analysis & Prioritization)
– Discovering and defining risks inherent in your program, project, process, or task.
• Communication
– Communicating Risks to all Relevant Individuals and Processes
• Risk Understanding
– Understanding the Risks and How they affect your Function or Process
• Decision Making (Risk Based)
– Making Choices on application of ‘Individual Options’ and ‘Process Options’
• Risk Behaviors
– Knowledge of Identified Risks
– Knowledge of Process Options
– Application of Identified Risk Topics to ‘Process Options’
14. Requirements & Risk Based Decisions
[Flow diagram: realization stages Proposal > Contract > Design > Manufact. > Product Delivery > Integrate, with Purchasing, RFQ and Suppliers feeding in; for each stage the diagram asks Where Identified, How Communicated, and What Decisions.]
All Requirements are not created equal.
Monitoring and Inspection Activities
Operational Options that Need Risk Oriented Decisions associated with Critical Requirements:
• Design Approach
• V&V Approach
• Monitor & Insp. Approach
• Supplier Oversight
Communication of Supplier Requirements -Key Characteristics-
15. Risk Concept ISO 9001:2015
• Standard Process With Inputs & Outputs
[Diagram: a process step (P) with Input (I), Output (O) and a visually separated Risk input (R); risk is handled In Step (prevention) and Down Stream (prevention), with Risk Decisions and Lessons Learned fed back.]
Risk PDCA in Incremental Process Steps
• Monitoring & Improving
• Risk Input to Process Visually Separated
• Risk Analysis, Plan & Handling
• Handling Risk within Process Step & Down Stream Process Step
16. Risk Identification & Decisions
[Diagram: a chain of four process steps (P), each with Input (I), Output (O) and a Risk input (R).]
INPUTS: • Customer • Regulatory • Known
OUTPUTS: • Product • Service • Good Product • No Escapes • On-Time • On-Budget
Managing Risks to Process EFFECTIVENESS
Multiple Prevention opportunity Options per Step
18. Risk & Risk Like Wording
• Any Risk Impacted Processes Not Apparent or Weak??
• Cust. Reqts/Cont. Review (8.2)
• Purchasing/Supplier Management (8.4)
• Production Provision (8.5.1)
Wording columns tracked in the matrix: Risk, Complex, Impact, Effect, Likelihood, Consequence, Prevent, Mitigate, Control, Constraint, Contingency, Essential, Reliable
Subject             DIS Ref.         Topic                           Marks
QMS Plan/Change     6.1/6.1.2/6.3    QMS Plan, Control & Changes     X X X X X X
Customer            4.2              Cust, Stat, Reg Requirements
                    5.1.2            Customer Focus
                    8.2              Customer Requirements           X X X
Design              8.3.2 - 8.3.6    Planning, Input & Changes       X X X X X X
External Providers  8.4.1-3          Control of Ext. Suppliers       X X
Ops Plan/Control    8.1              Ops Planning & Control
                    8.5.1-6          Production Provision
                    8.7              NC Control                      X X X X X X X X X X
QMS Processes       4.4/5.5.1        QMS Processes
                    9.1.3            Analysis
                    9.3.2            Management Review
                    10.1-2           Improvement
                    10.2.1           NC & CA                         X X X X X X X X X
QMS Support         7.1              Resources
                    7.2/7.3          Competence/Awareness
                    7.5              Documented Information          X X X X X X X
19. Risk Wording Observances
• Risk is:
• Explicit in Specific & Overarching Sections of Standard
• Implicit Across a Wide Range of the Standard
• Have to Link Overarching Explicit Sections to Some Implicit Sections Where Risk Application is Important
• 4.4.1.f – Risk Process Applicability Across Entire QMS
• 6.1 – Risk & Opportunities Inclusion In QMS Planning
• 8.1 – Risk Emphasis in Operational Planning & Control
20. Variable Risk Application Approach
Varying Applicability to Different Functions (ISO 9001 A.4)
– Not all processes of a QMS represent the same level of Risk in terms of the organization's ability to meet its objectives, and the effects of uncertainty are not the same on all organizations.
Type:     Project    Production    Service
Size:     Large      Medium        Small
Product   X          X             X
Process   X          X             X
People    X          X             X
How Does Risk Approach Vary?
• Organizational Application of Risk Can Vary Based on Situation, Customer, Product Line, etc.
• Audit Approach & Questioning Will Need to Vary Also.
21. ISO 9001 – 6.1.2
Actions to Address Risk & Opportunity
[Slide annotations “Processes”, “Behaviors/Decisions” and “Decision Options” are called out against the quoted clause text below.]
The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
NOTE Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
Key Points – Explicit or Implicit ???
• Establishes a Risk Approach Within the QMS Infrastructure (4.4)
• Establishes Requirement for Risk Based Decisions Associated with Product And Services
• Others ??
22. ISO 9001 – 8.1
Operational Planning & Control
8.1 Operational Planning & Control
The organization shall plan, implement and control the processes (see 4.4) needed to meet requirements for the provision of products and services and to implement the actions determined in 6, by:
a) determining requirements ……….;
b) establishing criteria for the processes and for the acceptance ……….;
c) determining the resources needed to achieve conformity to ………. requirements;
d) implementing control of the processes in accordance with the criteria;
e) retaining documented information to the extent necessary ……….
The output of this planning shall be suitable for the organization's operations.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
[Slide annotations “Identify”, “Decisions”, “Communicate”, “Action” and “Process” are called out against the quoted clause text above.]
Key Points – Explicit or Implicit ???
• Establishes Requirement for Risk Based Actions (6.1)
• Operational Planning With Risk Based Decisions Across ‘Realization Process’ (8.1)
• Others ??
23. ISO 9001 – 8.1
Other Risk Phrases of Interest
8.4.2 Type and Extent of Control of External Provision
The Organization shall ensure that externally provided processes, products & services do not adversely affect…….
The Organization shall:
b) Define controls it intends to apply……..
c) Take into consideration the potential Impacts…… as well as the effectiveness of controls……
d) Determine the verification activities necessary to ensure …….
[Slide annotations “Decisions”, “Understand”, “Decision” and “Understand” are called out against the quoted clause text above.]
Key Points – Explicit or Implicit ???
• Decision on Controls tied to impact of Supplier on Product
• Variable Methods for Verification tied to Ensuring Supplier Does Not Have an Adverse effect on the Organization's Product/Service.
• Others??
24. ISO 9001
Other Risk Phrases of Interest
8.2.1 Customer communication
Communication with the customers shall include:
e) specific requirements for contingency actions, when relevant.
8.3.2 Design and development planning
In determining the stages and controls for design and development, the organization shall consider:
a) the nature, duration and complexity of the design and development activities
f) the need to control interfaces between persons involved in D&D
i) the level of control expected for D&D processes by Customer & Int. Parties
8.3.3 Design and development Inputs
The organization shall determine requirements essential for the specific type of products and services being designed and developed. The Organization shall consider:
a) functional and performance requirements;
e) the potential consequences of failure due to the nature of the products and services;
[Slide annotations “Identify”, “Communicate”, “Identify”, “Identify” and “Decision” are called out against the quoted clause text above.]
Key Points – Explicit or Implicit ???
• Risk Associated Wording. Not Strongly Tied to Decisions or Actions.
26. Introduction to Auditing Risk
• Who has Audited to the New Standards?
– How are the Customers Adapting to Risk Based
Thinking?
– Any Unique Applications?
• What Are Your Experiences With Auditing Risk ?
– Explicit Wording Areas (Sections 4.4.1, 6.1, 8.1)
– Implicit Wording Areas
• Any Risk Based NC’s?
• Have You had to Change Anything About Your Audit Approach?
• Let’s Explore Options for Auditing Risk in the New Standard!!
27. Introduction to Auditing Risk
• Needs for an Audit Strategy
• For Compliance to Risk Requirements
• For Effectiveness of Risk Processes
• Implicit Risk Requirements -vs- Explicit Risk Requirements
• Needs for an Audit Approach
• Audit Planning & Sequence
• Audit Technique & Line of Questioning
• May Need to Alter Audit Approach & Focal Areas
– Minimal Solid Requirements
• 9.3.2.e - Risk In Man. Rev.
• 9.3.3 - Retained Doc. Info.
– Wide Application Of Risk
• Process, Capabilities, Controls
• Culture??
– Where in the Standard (4.1 Note 3 Context)
– How to Audit
28. Back To The Basics
• What Are Auditing Basics
• 2 Eyes, 2 Ears, 1 Mouth – Use them in proportion
• Open Ended Questions
• IAF – Expected Outcomes http://www.iaf.nu/upFiles/IAF9001expectedoutcomes0112.pdf
• An organization with a certified quality management system consistently provides products that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.
• What Are Auditor Methods
• Down-stream
• Up-stream
• Cannonball
• What Are Auditor Sampling Approaches
• Random
• Biased
• (e.g., focusing on the results of performance / effectiveness metrics, focusing on specific customers)
• Comparative
• (e.g., comparing the work performed with procedures, verifying consistency between workers)
• Which Are the Best Methods, Approaches and Techniques to Use For Various Risk Auditing Situations??
29. Auditing Risk – Building Blocks
• Audit For Risk in Process Model
• Context of Organization & Interested Party Impacts
• How Risk Can Impact Compliance and Effectiveness
• Occurrence –v– Recurrence Focus in Risk Auditing
• Understanding Requirements Threads
• Individual Requirements Weave Together to Form Cross Cutting Larger Requirements
• Understand Best Strategy for Auditing Risk For Various Scenarios
• What is the Audit Goal – IAF Expected Outcomes
• Which Sampling Technique to Use
• What Audit Paths to Focus on
• How to Combine Techniques and Paths for Maximum Effectiveness
• Where to Start!!
• What is Best Entry Point for Auditing Risk in an Organization's Management System
30. Risk and Down Stream Audit Approach
• What is Downstream Auditing
• Start at the Beginning of a Process and Follow Trails to End of Process(s)
• What Are Strengths & Weaknesses
• Good for Following Planning to Outcome Trail (PDCA)
• Can Be Weak for Auditing Outcomes
• Other
• How To Use For Auditing ‘Risk Based Thinking’
• Follow PDCA Trail
• Look at Leading Indicators for Potential of Risk Impacts to Process
• Look for Risk ID, Communication & Understanding for Prevention of Occurrence
• Use Comparative Sampling to Evaluate Consistency of Risk Based Thinking
• Other?
[Audit Trail bar: Prevent > Control > Mitigate > Emergency]
31. Down-Stream Auditing & the “Turtle” Model
[Turtle model diagram: Manufacturing Process (8.5) at the centre, surrounded by Inputs, Outputs, With What?, With Who?, How? and What Results?, with a Checklist and risk identification (6.1) applied at each element, and an Audit Trail callout.]
Elements shown around the process (clause references):
Plant and machinery (7.1.3); Measuring equipment (7.1.5); Tooling (7.1.3); Maintenance (7.1.3); Packaging/labelling (8.5.4); Cleanliness of premises (7.1.4); Customer property (8.5.3); Transportation (7.1.3); Customer schedule (8.2.1); Raw materials (8.4.1)
Control plans (8.5.1); Work instructions (8.5.1); Preventive maintenance (7.1.3); SPC (9.1.3); Nonconforming product procedure (8.7); Dispatch process (8.6); Contingency plan (8.5.6/6.1); Document control/records (7.5.3); Change control (8.5.6); IT (7.1.3); Human resource (7.1.2); Logistics (7.1.3); Sales (7.4); Preventive maintenance (7.1.3)
Identify risks (6.1); Analysis of data (9.1.3); Customer satisfaction (9.1.2); Other Organisational objectives (6.2); Maintenance objectives (8.5); Cost of poor quality (9.1.3); Process capability (9.1); Management review (9.3); Continual improvement results (10.3); Audit records (9.2); Conforming product delivered to customer schedule (8.6)
Induction/training/competence records (7.2); Agency/Contract labour (7.3/8.4); Job responsibilities/authorities (5.3); Training effectiveness (7.2); SPC awareness (7.2); Personnel safety (7.1.4); Awareness of policy/objectives (5.2.2)
How Do Process Owners Understand Context, Requirements, Capabilities, Regulatory, etc. and Determine Risks and Plan for Prevention Actions for Appropriate Steps of the Process?
32. Risk and Up-Stream Audit Approach
[Audit Trail bar: Prevent > Control > Mitigate > Emergency]
• What is Up-stream Auditing
• Start at the End of a Process and Follow Trails to Earlier Stage of Process(s)
• What Are Strengths & Weaknesses
• Good for Following Trails on Adverse Process Outcomes (CAPD)
• Supportive of IAF Expectations on ‘Expected Outcomes’
• Potential for Not Understanding Full Process Before Starting the Audit Trail.
• How To Use For Auditing ‘Risk Based Thinking’
• Use Biased Sampling and Start with a ‘Known’ Negative Issue or Lagging Indicators Showing ‘Unintended Outcomes’
• Follow Trail Back to Planning and Decisions
• How/Where Potential Risks were Identified, Communicated & Understood
• Were Appropriate Risk Decisions Applied Based On Understanding of Risk
• Look for How Risk ID, Communication & Understanding will be used for Prevention of Recurrence
• Note - Comparative Sampling can then be used to determine if other personnel are applying similar ‘Risk Based Thinking’
• Other?
33. Upstream Auditing & the “Turtle” Model
[Turtle model diagram repeated from slide 31: Manufacturing Process (8.5) with Inputs, Outputs, With What?, With Who?, How?, What Results? and risk identification (6.1) at each element, with an Audit Trail callout.]
If defect sent to Cust, Where did risk thinking fail??
Same Scenario if Internal Data shows an adverse issue.
34. Risk Case Studies
• What Have We Covered?
– General Discussion on Risk Theories
– Risk Wording in ISO 9001:2015 Standard
– Audit Strategies, Methods and Techniques
Associated with Risk Based Thinking
• Time to put your Auditor Hats Back On
– Case Studies
35. Downstream Auditing & the “Turtle” Model
[Turtle model diagram repeated from slide 31: Manufacturing Process (8.5) with Inputs, Outputs, With What?, With Who?, How?, What Results?, Checklist and risk identification (6.1) at each element, with an Audit Trail callout.]
Case study: You are auditing a Company that designs and manufactures valves and other pressure related piping components for commercial industries. From the Management Interview, you find that the organization is branching out into the Chemical Processing industry, which is new to the organization. You have selected a contract that is for supplying valves to a customer involved in chemical processing. During your audit of this contract you are told that the customer is looking to use these valves for a chemical process that they have not been used for in the past.
36. Downstream Auditing & the “Turtle” Model
[Turtle model diagram repeated from slide 31: Manufacturing Process (8.5) with Inputs, Outputs, With What?, With Who?, How?, What Results?, Checklist and risk identification (6.1) at each element, with an Audit Trail callout.]
Case study (continued): During the audit you find that the customer rejected a lot of 50 valves due to lack of material certifications that were required by chemical industry codes referenced in the customer’s contract. You also find that the organization's Purchasing Department was not aware that they needed to specifically request material certifications from the supplier, but had referenced the Chemical industry codes to their supplier.
37. Downstream Auditing & the “Turtle” Model
[Turtle model diagram repeated from slide 31: Manufacturing Process (8.5) with Inputs, Outputs, With What?, With Who?, How?, What Results?, Checklist and risk identification (6.1) at each element, with an Audit Trail callout.]
Case study: In review of Inspection data from the weekly Manufacturing Department report, you see an increasing trend of workmanship nonconformances and scrap dispositions. In follow-up questions, you find that no apparent changes are being made to the manufacturing process.
38. What’s Next
• Understanding the Varied Potential Applications of Risk in a QMS, Process, or Product lifecycle
• Educate Yourself on the Broadness of Risk Applicability in a QMS
• Develop Sensible But Meaningful Approaches to Auditing Risk
• Auditing Homework
• Get Comfortable with the Risk Wording in the Standards
• Develop Concepts On Audit Strategy & Planning
• Determine Approaches for Auditor/Auditee Engagements
• Down Stream & Up stream Audit Paths
• Comparative & Biased Sampling
• Ask Questions: We Are Always Learning