Monday, June 6, 2016

Risk definition in ISO 9001:2015 and ISO 31000

What is the difference in the definition of risk between ISO 9001:2015 and ISO 31000?


The key difference of ISO 31000:2009 is that the standard defines the requirements for risk management as a system. A risk management system (as per ISO 31000) and a quality management system (as per ISO 9001:2015) can be seen as parts of an integrated enterprise management system, together with ISO 14001, ISO 45001, ISO 27001, ISO 11462, SA 8000 and others.


The P-D-C-A cycle in a risk management system per ISO 31000:2009 is defined as follows:
Plan - planning actions to address risks and opportunities; design of the risk management framework.
Do - integration and implementation of actions to address risks and opportunities into the QMS processes.
Control - evaluation of the effectiveness of actions to address risks and opportunities; monitoring and analysis of the risk management framework.
Act - achieving improvement.

The key idea of ISO 9001:2015 is that risk management is provided for in each QMS process, as per clause 4.4.1 f). Clause 6.1 of ISO 9001:2015 provides some details on how to do it. That is, the requirements of ISO 9001:2015 regarding risk management are limited to the stage 'Do - integration and implementation of actions to address risks and opportunities into the QMS processes' of ISO 31000:2009.
Therefore, it is possible to implement ISO 31000:2009 within a quality management system per ISO 9001:2015 as either a full-scale or a small-scale program.
For the full-scale program, it is necessary to develop and implement an ISO 31000:2009 risk management system as a part of the QMS. These systems are easy to integrate, for example:
         create an organizational structure for risk management, led by the Risk Owner;
         distribute responsibility and authority (by including them in job descriptions) and identify the interactions;
         conduct risk management training at all levels of the company;
         develop guidance on the risk management system - it is good practice to do it in the format of QSP 6.1-01 'Actions to address risks and opportunities';
         integrate the risk management principles into the Quality Policy, for example: "Risk management is a part of decision-making. The efficiency of risk management is based on the commitment of the leadership at all levels of the organization. Risk management is systematic, structured, coordinated in time, based on the best available information, and corresponds to the level of corporate culture";
         include risk treatment tasks in the Quality objectives;
         include the requirements of QSP 6.1 'Actions to address risks and opportunities' in the QMS internal audit criteria.
This will be quite sufficient.
For the small-scale program, the implementation can be limited to the ISO 31000:2009 requirements of the stage 'Do - integration and implementation of actions to address risks and opportunities into the QMS processes' for each QMS process. For example, develop a risk management methodology for the QMS processes that includes:
         risk identification,
         risk analysis,
         risk evaluation,
         risk treatment.
