Risk management

	At the end of 2009, the International Organization for Standardization (ISO) issued a new set of principles and guidelines that should benefit all organizations confronting the always problematic challenges of managing risk:
	Title/Link Date of Issue ISO 31000:2009 Risk management - Principles and guidelines Nov 13, 2009 ISO Guide 73:2009 Risk management - Vocabulary Nov 13, 2009 ISO/IEC 31010:2009 Risk management - Risk assessment techniques Dec 1, 2009
Standard ISO 31000 provides principles and generic guidelines on risk management and is not intended for the purpose of certification. ISO/IEC 31010:2009 describes more than thirty tools to use for risk assessment and explains their application. The ISO Guide 73:2009 contains risk management terminology and definitions. These three standards can be applied to any type of risk, whatever its nature, by organizations of any type or by individuals.
Risk, as defined by the ISO Guide 73:2009, is the impact of uncertainty on objectives. It is very important to emphasize that the impact of uncertainty can be positive as well as negative. "Not pursuing an opportunity" is also a risk.
John Shortreed **, PhD, who served on the ISO technical committees for Guide 73 (Risk Management—Vocabulary, 2002) and its revision (2009) as well as for ISO 31000 (2009), listed the following seven innovations introduced by ISO series 31000:
1. Formal principles for risk management and ERM (Enterprise Risk Management) that can be used for measuring the risk maturity of an organization. 2. Consideration of any risks or uncertainty that affects objectives of the organization, whether they have positive or negative consequences. 3. Organizational ability to tailor risk management to its own internal structure and governance processes.   4. Principle-based rather than performance-based. 5. Requires an organization to formalize and continuously improve a framework for ERM that integrates the management of risk into all processes in the organization. 6. Updates the risk management process used for assisting any decision through the five steps of context, risk assessment, risk treatment, communication, and consultation, followed by formal monitoring and review. 7. Requires accountability for any and all risks through the designation of a “risk owner” whose annual performance partly depends on how well risk is managed.

The next stages in the evolution of ISO 9001

The latest version of ISO 9001 was released two years ago (2008) with very minor changes to the requirements. This is in contrast to the he previous version of the standard (released in 2000) which resulted in significant changes including the introduction of an entirely new concept of a process approach. At QPRC we wanted to know what to expect from the next stages in the evolution of the requirements of ISO 9001, and invited Dr. Gary Cort who currently chairs ISO Technical Committee 176 to answer our questions:
QPRC: When ISO 9001 will be updated again?
	Dr. Cort: If the past is any guide, then we should expect a six to eight year update cycle, which would have the next revision coming on line around 2015. While many of us in ISO Technical Committee 176 believe that we could reduce this time by half (at least), to do so will require fundamentally restructuring the standards writing process, which is completely serial today. Imagine separating the standards writing process into design (i.e. deciding what the content of a revision will be) and development (the iterative process implementing the design, i.e. creating the standards documents, circulating for comments, balloting, etc.). This would allow one team to complete the development of the current revision while another team simultaneously works on the design of the next revision.
QPRC: What are the major trends in the development of ISO 9001 quality management systems?
Dr. Cort: To date there have only been two substantive versions of ISO 9001 – the original 1994 standard and the year 2000 revision – so it is not really reasonable to talk about trends. But there are many proposals, each of which enjoys its own constituency within the Technical Committee and throughout the international community.
There are strong arguments for keeping ISO 9001 essentially unchanged as a minimal entry-level quality management system. Others believe it should be continually updated to reflect state of the art quality thinking. There are champions for specific additions, such as addressing risk management or resource management. Many think the architecture of the standard needs a fundamental overhaul, perhaps incorporating a maturity model or providing mechanisms for leveraging other standards from the ISO family or beyond.
We have also begun a campaign to create an ISO 9000 ecosystem—a dynamic, user-focused environment to sustain and invigorate the ISO 9000 family of standards, make our products more robust and easy to use, and propel them into new application domains, adapting as they go. We are populating the ecosystem with downloadable tools, templates, examples, case studies, decision trees, metrics, and reference material—practical information to help users apply our standards successfully in the real world.
If you would like more information on potential directions for ISO 9001, check out any of the following webinars that I have given over the past year or so:
https://csa.webex.com/csa/lsr.php?AT=pb&SP=EC&rID=620022&rKey=7B7CFF8DA57DDCDD
https://csa.webex.com/csa/lsr.php?AT=pb&SP=EC&rID=41372&rKey=733a4f1e04381d72
https://csa.webex.com/csa/lsr.php?AT=pb&SP=EC&rID=41837&rKey=5d9746a5acc8cbc3
QPRC: Can we anticipate that the sustainability notion reflected by ISO 9004:2009 guidelines will affect the next revision(s) of ISO 9001?
Dr. Cort: Sustainability is a bedrock concept across ISO today. Our mantra is “International Standards for a Sustainable World.” So we will certainly see the notions of sustainability included more explicitly in ISO 9001 and the other 16 standards that comprise the ISO 9000 family. It is my opinion, however, that the ISO 9000 family of standards is already innately compatible with the ideas of sustainability and sustained success. Using them as is can provide a powerful framework for sustainable operations.
QPRC: Do you envision possible connections between “to be released” ISO 26000 and the next revision(s) of ISO 9001?
Dr. Cort: While I don’t anticipate any direct references between the two standards, I firmly believe that the greatest opportunities for the ISO 9000 family of standards lie at the intersection of quality and society. I am immensely proud to report that ISO 9001 has already had some very important (and highly successful) forays into the world of social responsibility. Through International Workshop Agreements (IWAs), ISO 9001 has been used as the basis for international standards for Reliable Local Governments (IWA-4) and Secondary Education (IWA-2). It is also the basis for the landmark legislation in Colombia that requires registered quality management systems for public institutions. Furthermore, the Republic of Panama has become the first nation in the world to register its national Electoral Tribunal against ISO 9001, and there is a growing movement to develop an ISO-9001-based international standard for electoral bodies.
QPRC: Are there any specific actions that you would recommend for the users of ISO 9001 to take to be better prepared for the evolution of ISO 9001?
Dr. Cort: The best way to prepare for the evolution of the ISO 9000 family is to become part of it. More than ever we need to understand your concerns and needs. But even more than that we need your contributions to build a dynamic ISO 9000 ecosystem that delivers on the value proposition of our standards. If you have a useful tool or implementation system, we would love to make it available through our ecosystem. If you can share case studies, lessons learned, hints and tricks, example implementations, or anything else that can help unlock the potential of the ISO 9000 family – there is a world of users and potential users who hunger for this information. Get involved, showcase your knowledge and results, and help make the world a better place.
QPRC: .Can the user of ISO 9001 as an individual or as a company provide feedback and/or recommend some changes to the standard?
Dr. Cort: ISO standards are drafted (principally) by technical committees comprised of representatives of the international community of nations. ISO Technical Committee 176 is one such committee and is responsible for the 17 international standards that comprise the ISO 9000 family. The national standards bodies of the participating countries – more than 80 in our case – provide our membership. These are the people who actually write the standards.
In order to do this job effectively, however, we need lots of input from the public. We are able to gather some of this input through formal instruments like surveys, but these just scratch the surface. We desperately need comments, criticisms and suggestions from business and society in general.
In today’s fast-moving business world, communication is more important than ever for establishing expectations and setting priorities. Help us create a high bandwidth channel for collecting your crucial input.
QPRC: Thank you very much, Dr. Cort.

Business Process Documentation with ISO 10244:2010

The new international standard ISO 10244:2010 “Document management - Business process baselining and analysis” was issued on July 16, 2010 by the International Organization for Standardization (ISO) headquartered in Geneva, Switzerland.

This standard reflects two major trends in document management. One trend is represented by the rapidly increasing amount of information that needs to be managed, both internal and external to the organization.

Another trend is represented by the increasing popularity and growing capabilities of electronic document management systems (EDMSs). A number of old issues related to paper based document management are gradually being taken off the agenda with the help of EDMSs, for example:

Providing unique identifiers for documents   Providing appropriate version control and archival   Recording time stamps for changes and revisions   Ensuring document retention over agreed time   Identifying individuals issuing and modifying documents   Providing easy location and tracking of documents

Most current EDMS systems are capable of supporting the functions listed above and prevent document management issues related to malfunctioning in these areas from happening.

As is mentioned by the ISO 10244:2010, some of the issues that many organizations need to handle with respect to document control and process management today are the following:

How much and what information needs to be gathered   The level of required details for each piece of information

The ISO 10244:2010 standard provides practical advice on the following aspects of process baselining and analysis:

defining the level of information required to be gathered,   selecting methods of documenting the processes,   establishing procedures for analysis of business processes.

The guidelines of ISO 10244:2010 standard include a number of examples and flowcharts. The guidelines are contained on 8 pages, not including bibliography. See more ISO documents on document and record management @ QPRC Blog