Risk management Part 7 – Impact assessment

Once the undesired effects have been determined, and in order to continue with the Risk Analysis, we must assess how much the different clients are impacted. Giving an impact value will help us to understand the type of control that will need to be implemented in the following phases of Risk Analysis.

 

In the FMEA methodology, impact assessment is known as Severity and it assigns a numerical value that gives us an idea of the impact of the Undesired Effect.

 

The severity table used by FMEA defines quantitative end-user impact values and the following process:

End User Severity Following Process
Security / Legal without warning 10 Security without warning
Security / Legal without warning 9 Security with warning
Loss of primary function 8 Waste – 100%
Degradation of primary function 7 Waste –  A portion
Loss of secondary function 6 Reworking – 100%  out of station
Degradation of secondary function 5 Reworking –  A portion outside the station
Appearance – High Discomfort 4 Reworking – 100%  at the station
Appearance – Medium Discomfort 3 Reworking –  A portion at the station
Appearance – Low Discomfort 2 Discomfort
No impact 1 No impact

 

A qualitative impact assessment criterion can be generated, such as the following

Impact Criteria
Critical Security / Legal Violations
Major Failure to comply with customer requirements
Moderate Compliance with customer requirements, but with inefficiency (cost)
Minor Non-compliance with internal requirements
Low Full compliance with requirements

 

Each organization may define the criteria that best suit it, but the requirement is that each Undesired Effect must be assessed at its level of impact (severity).

 

◄Part 6

Risk management Part 6 – Unwanted effects

The ISO 9001:2015 standard requires that once the Issues to be considered in the Quality Management System have been defined, the Desirable Effects should be increased and undesirable Effects should be prevented or reduced; furthermore, the actions taken should be proportionate to the potential impact.

 

When analyzing the Effects of the Issues on the processes in the Quality Management System processes, all clients must be taken into account:

  • Effects on the end user
  • Effects on the following process.
  • Effects on OEMs.
  • Effects on laws and regulations.

 

It is important that the organization bases its Risk Analysis on the appropriate information for each of the effects, such as:

  • FMEA of Design, Critical Features in Design Registrations.
  • Rejects in process, rework, repairs, and waste data.
  • Customer complaints, resident staff information, etc.
  • Names, laws and regulations applicable to the product, process, industry, transport, etc.

 

IATF 16949:2016 requires organizations to consider the Issues that are essential to maintaining production outputs and ensuring that customer requirements are met. When the possible impact on the customer is the interruption of the supply of the product to the customer, Contingency Plans must be defined that:

  • They should include a process of communication with the client and stakeholders.
  • They should be tested regularly to confirm their effectiveness.
  • It should be reviewed and updated.
  • Documented information must be documented and retained.

 

◄Part 5 – Part 7 ►

Risk management Part 5 – Subjects to consider

The ISO 9001:2015 standard requires consideration of Issues regarding the Pertinent requirements of the relevant concerned parties to the Organization’s Context and identification of Risks and Opportunities that need to be addressed in order to:

a) ensure that the Quality Management System can achieve its intended results.
b) increase the desirable effects;
c) prevent or reduce undesirable effects;
d) achieve improvement.

 

When we perform a Risk Analysis, the Issues are those unexpected exits in any of the processes of the Quality Management System, which may be favorable (Opportunities) or unfavorable (Risks) for the performance of the process. In the Failure Mode and Effects Analysis (FMEA) vocabulary, the Issues are known as Failure Modes. Here are some examples related to the production process:

 

Process of SGC: Production

Favorable Issues: Little variation in production processes, available production capacity, pleasant working environment, use of state-of-the-art technology, etc.

Unfavorable Issues: Non-compliance with product specifications, late delivery dates, high production costs, regulatory non-compliance, frequent accidents in work areas, etc.

 

During the Risk Analysis, the Unfavourable Issues to consider can be determined from:

  1. Customer complaints – Non-conforming departures from the past that reached the customer.
  2. Internal process rejections – Non-conforming outputs from the past that could have been contained by the same process.
  3. Similar processes – Non-conforming outputs from the past that have occurred in other processes, products, etc.
  4. Assumptions – Potential outings that have never occurred but are thought to occur.

IATF16949:2016 requires that at least the following Issues be considered:

  • Lessons learned from product recalls.
  • Product audits.
  • Field returns.
  • Field repairs in the market (field repairs).
  • Complaints (complaints).
  • Scrap
  • Reprocessing (rework).

In the same way, favorable Issues can be determined from:

  1. Customer acknowledgements, awards, etc.
  2. Internal best practices, innovation and improvement.
  3. Benchmark, industry best practices.
  4. Assumptions.

 

◄Part 4 – Part 6 ►

Risk management Part 4 – Quality Management System and its processes.

Once the organization has determined the Pertinent requirements of the relevant concerned parties and has understood the Context of the organization in which it must carry out its operations, it needs to establish the necessary processes that will make up the Quality Management System. Risk management is based on the analysis of these processes and their interactions.

 

The quantity and complexity of the processes that make up the Quality Management System in the organization will depend on its organizational structure and its own management model. The following are some of the processes that organizations commonly determine to be necessary:

  • Production / Manufacturing / Product realization.
  • Design and development of new products.
  • Management review.
  • Purchases / Supplies / Materials / Logistics.
  • Calibration and testing laboratory.
  • Training.
  • Document control.
  • Maintenance.
  • Sales / Marketing.
  • Shipping / Transportation / Distribution.
  • Internal Audits.

 

For each of the necessary processes, the following must be determined:

  • Required inputs and expected outputs.
  • Sequence and interaction with other processes.
  • Resource requirements:
    • People.
    • Infrastructure.
    • Environment.
    • Documented information.
  • Responsibilities and authorities.
  • Indicators for monitoring and measuring performance.

 

Once the necessary processes of the Quality Management System have been determined, Risks and Opportunities must be addressed in all of them.

 

◄Part 3 – Part 5 ►

Risk management Part 3 – Context of the Organization

Once the organization has determined who the Pertinent Concerned Parties and what are their Pertinent Requirements, must understand the environment in which it must conduct its operations to meet these Pertinent Requirements, this environment is called the Organizational Context.

 

The Organization context, in accordance with ISO 9000:2015, is the combination of internal and external issues that can have an effect on the organization’s approach to development and achievement of its objectives. This context is also known as Business Environment, Organizational Environment or Ecosystem, and considers internal factors of the organization such as the values, culture, knowledge and performance of the organization, as well as external factors such as legal, technological, market competitiveness, cultural, social and economic environments.

 

The Organization context is currently characterised by rapid change, the globalisation of markets, limited resources and the emergence of knowledge as a major resource. The impact of quality extends beyond customer satisfaction and can also have a direct impact on the reputation of the organization. Understanding the Organizational Context is a process that determines the factors that influence the purpose, objectives and sustainability of the organization.

 

Within Risk Analysis, we must identify the external and internal issues within the organization that are relevant to its purpose and strategic direction and that affect its ability to achieve the expected results of its quality management system.

 

Here are 2 important elements:

  • Expected results in the SGC.

Refers to compliance with the Pertinent requirements of the relevant concerned parties.

  • External and internal issues that are pertinent.

These are the positive and negative, internal and external factors that must be considered by the organization due to their potential impact on compliance with the Pertinent requirements of the relevant concerned parties.

 

Although the ISO9001:2015 standard does not require the use of any specific tool for the analysis of the Organization context, the use of the SWOT Analysis, with its complement CAME, has become popular:

 

Step 1 – Determine Strengths.

They are the positive and internal factors of the organization that impact the fulfillment of the Pertinent requirements of the relevant concerned parties. The organization should take action to MAINTAIN these factors and thus reduce risks.

 

Step 2 – Determine Opportunities.

It is the positive external factors that impact on compliance with the Pertinent requirements of the relevant concerned parties. The organization should take action to EXPLOIT these factors and thus reduce risks.

 

Step 3 – Determine Weaknesses.

These are the negative and internal factors that impact on compliance with the Pertinent requirements of the relevant concerned parties. The organization should take action to CORRECT these factors and thus reduce risks.

 

Step 4 – Determine Threats.

It is the negative external factors that impact on compliance with the Pertinent requirements of the relevant concerned parties. The organization should take action to AFRONT these factors and thus reduce risks.

 

◄Part 2 – Part 4 ►

Risk management Part 2 – Concerned Parties

The risk analysis begins with the identification of the Concerned Parties in the quality management system. The concept of Concerned Parties is a recent addition to the latest revision of ISO 9001 and it is important to review its definition, in accordance with ISO 9000

Concerned Party (stakeholder), is a person or organization that may be affected, affected or perceived to be affected by a decision or activity of our organization. Examples of Concerned Parties are: customers (buyers, interns, end users, etc.), owners, persons in an organisation, suppliers, banks, legislators, trade unions, partners or society in general that may include competitors or lobbyists with opposing interests.

The following is a recommendation on how Concerned Parties could be approached from a risk analysis perspective.

 

Step 1 – Determine the concerned parties in the SGC.

The organization must determine which persons or organizations have an interest in its decisions or activities within the organization itself. This is an activity for Senior Management and may include a List of Stakeholders in the Organization that includes, for example:

Governments (federal, state and local), Direct Customers, OEMs, End Users, Regulatory & Regulatory Bodies, Investors, Suppliers, Employees, Society, etc.

 

Step 2 – Determine the Pertinent Concerned Parties (relevant) to SGC.

The organization must determine which Stakeholders are relevant to it. This is an activity for senior management and it is recommended that the Mendelow Matrix be used for stakeholder ranking. The Pertinent Concerned Parties are the most important to the organization and have the most influence (power) over it.

As Pertinent Concerned Parties you would expect to find, for example, Governments, Principal Clients, Industry Policymaking Bodies, etc.

 

Step 3 – Determine the needs and expectations of the Pertinent Concerned Parties (relevant) to SGC.

The organization should determine the needs and expectations of the Relevant Stakeholders, i.e., what they expect to achieve from the organization or what they want to achieve or happen. Senior management can carry out a List of Needs and Expectations of Pertinent Concerned Parties for each of the Concerned Parties.

The needs and expectations can be at the legal, normative, regulatory, product, process, management system, organization, commercial, ethical, social, etc. levels.

 

Step 4 – Determine the relevant requirements (relevant) of Pertinent Concerned Parties (relevant) to SGC.

When the organization decides that the need or expectation of a Concerned Party is pertinent (relevant) to the organization, it becomes a requisite (requirement) for the QMS and its processes. Senior management can carry out a List of Relevant Requirements of Pertinent Concerned Parties based on the commitments (legal, contractual and even verbal) that have been agreed with the Pertinent Concerned Parties.

 

◄Part 1 Part 3 ►

Risk management Part 1 – Concepts and Definitions

The latest revisions of the ISO 9001, IATF 16949 and ISO 14001 standards have incorporated Risk Management as a requirement to be considered in the processes that make up the management systems of organizations. The intention is to ensure that the objectives of the management systems are achieved, to increase the desired effects, to prevent or reduce undesirable effects and to achieve the improvement.

With this first installment of a series of articles, I propose a simple and logical methodology to meet the new regulatory requirements for risk management in management systems within organizations.

 

It is important to define and understand some concepts before starting the risk analysis:

  • Risk. “Effect of uncertainty” as defined in ISO 9000:2015 Fundamentals and vocabulary.
  • Uncertainty. “State, even partial, of information deficiency related to the understanding or knowledge of an event, its consequence or probability”.
  • Risk is, then, the effect of not understanding or ignoring an event, its consequence or probability.

 

In this definition we find 3 basic elements of risk analysis:

  • Event – Something that happens or can happen (potential) that is a deviation from what is expected.
  • Consequence – Effect or impact of the event on the stakeholders of the management system.
  • Probability – Estimated Occurrence or Possibility of Event Occurring.

 

From the understanding of these concepts we conclude that:

  1. The greatest risk is not knowing what events can happen in the management system processes.
  2. The risk is high when we don’t understand the events that can happen in the management system processes.
  3. The risk increases as the severity of the consequences increases if the event occurs.
  4. The risk increases when the probability of the event increasing.

 

 Part 2 ►

New ISO 45001:2018 Occupational Health and Safety Management System (OHSMS)

This past March, it was published the new standard ISO 45001:2018  “Occupational safety and health management systems – Requirements with guidelines for use” which replaces the previous one OSHAS 18001. The new standard specifies the requirements for occupational health and safety management (OH&S) and enables organizations to prevent injuries and illnesses in the workplace.

ISO 45001 is usable for any type of organization, regardless of its size, type and activity.

Its objectives are:

  1. Continuous improvement of OHS performance.
  2. Compliance with legal and other requirements.
  3. Achieve the objectives of OHS.

Some of the most important changes are:

Range

The range has been expanded to include all laboratory activities, including testing, calibration and sampling.

New structure

A high-level structure is adopted to align with the new structure of the ISO family of standards.

Context of the organization

The organization should identify the external and internal issues that impact its purpose, as well as the needs and expectations of the stakeholders in the organization.

Focus on processes

Greater emphasis is placed on the results of the processes and the management of their elements, replacing the detailed description of activities and steps.

Risk-based thinking

Risks and opportunities in the processes need to be identified and addressed through a preventive approach.

Leadership

Senior management must demonstrate leadership and commitment.

Consultation and participation of workers

The organisation shall establish a process of consultation and participation of workers at all levels.

 

New standard ISO/IEC 17025:2017

The new update of the standard ISO/IEC 17025 “General requirements for the competence of calibration and testing laboratories” was published in November 2007. This standard is applicable to all types of laboratories using standard or non-standard methods, and is useful for them to develop a system of quality, resource and technical operations management.

The standard had not been updated since 2005 and the recent additions are relevant because they incorporate some of the latest changes in the standards for management systems of the ISO family. Some of the most important changes are:

 

Range
The range has been expanded to include all laboratory activities, including testing, calibration and sampling.

New structure
A high-level structure is adopted to align with the structure of the ISO/IEC 17000 family of conformity assessment standards. While ISO/IEC 17025:2005 had 5 requirements + 2 attachments, the new version ISO/IEC 17025:2017 contains 8 requirements + 2 attachments.

Focus on processes
Greater emphasis is placed on the results of processes and the management of their elements, replacing the detailed description of activities and steps.

Electronic information systems
It incorporates the use of information and communication technologies, the use of computers, electronic records and reports.

Risk-based thinking
Risks and opportunities in the processes need to be determined and addressed through a preventive approach.

Traceability
Greater emphasis is placed on metrological traceability as a calibration requirement.

Management review entries

Management review is a very important process within the quality management system ISO 9001:2015.

Management review should be planned and carried out including considerations of:

a) The status of previous management review actions;

b) Changes in external and internal issues relevant to the quality management system;

c) Information on the performance and effectiveness of the quality management system, including trends relating to:

  • Customer satisfaction and feedback from relevant stakeholders;
  • The extent to which the quality objectives have been achieved;
  • The performance of the processes and the conformity of the products and services;
  • Non-conformities and corrective actions;
  • Monitoring and measurement results;
  • The results of the audits;
  • The performance of external suppliers;

d) Adequacy of resources;

e) The effectiveness of the actions taken to address the risks and opportunities.

f) Opportunities for improvement.