In part 1 we looked at the origins of risk and preventive action in the ISO 9000 family. This time we’ll look at its evolution from 1994 to present.
In 1987 the Standard was totally product based, with accountability to the customer (no longer just the government). The 1994 revision was generally viewed as a rewrite, which is essentially the case, but it does establish Preventive Action as its own entity in clause 4.14.3. The effects of risk, nonconformities, issues and concerns are still product focused. Section 4.2.1 states, “The supplier shall establish, document and maintain a quality system as a means of ensuring that product conforms to specified requirements,” but the Standard is starting to shift focus into the processes as well.
Section 4.1.2.1 states, “The responsibility, authority, and the interaction of personnel who manage, perform, and verify work affecting quality shall be defined and documented, particularly for personnel who need the organizational freedom and authority to: a) initiate action to prevent the occurrence of any nonconformities relating to product, process, and quality system…” Regrettably, most auditors either didn’t pick up on this or chose to keep the ‘blinders’ on, only writing product-related findings. Furthermore, the only reference to ‘risk’ has been diluted down to a general comment in 4.14.1, which states, “Any corrective or preventive action taken to eliminate the causes of actual or potential nonconformities shall be to a degree appropriate to the magnitude of problems and commensurate with the risks.”
ISO 9004:1994 is a different animal, explaining, expanding and introducing a whole ‘cast of characters,’ such as Human Factors, which will come back to haunt us in days of ‘Christmas Future.’ Section 0.4, Benefits, Costs, and Risks, repeats the statements pertaining to risk (copied word for word from the 1987 version) but expands them into Health and Safety.
Section 3, Definitions, contains a frightening foreshadowing. It introduces the concept of social consciousness in 3.3, “Requirements of Society: Obligations resulting from laws, regulations, rules, codes, statutes, and other considerations.” This continues in the notes, “‘Other considerations’ include protection of the environment, health, safety, security, and conservation of energy and natural resources” and “All requirements of society should be taken into account when defining the requirements for quality” – and in one brief paragraph, consternation turns to elucidation, but more on this later in Part 3.
Other subjects introduced include:
- Product Life-Cycle
- Configuration Management
- Guidelines on ‘how’ to audit the quality system (which later becomes ISO 19011)
- Continuous Improvement
- Financial Reporting of QMS Effectiveness – (auditable?)
- Supplier Relations Management
- Change Control (both product and process)
Noticeably absent is any further discussion of risk.
Fast forward to the year 2000. Unlike its predecessors, the 2000 revision does not contain any reference to risk in its introduction other than to say, “This International Standard does not include requirements specific to other management systems, such as… Risk Management.” Moreover, with this one exception, the word ‘risk’ is conspicuously missing from the document. Maybe this is the beginning of the myth that risk has never been part of the system. I look at the cross-section of consultants out there and it is no wonder; from their bio pics, few of them have been in business 15 years or more. So, on to ISO 9004:2000. This is where it should get interesting!
And so it goes… starting in the introduction, 0.1 (this time), Benefit, Cost, Risk, just as I expected.
Section 5.1.2, Issues to be considered, states, “Consideration should be given to:… identifying and managing risks and exploiting performance improvement opportunities…” You should notice the Standard said performance, not product.
Section 5.6.3, [Management] Review output, states, “Additional outputs to enhance efficiency include, for example… loss prevention and mitigation plans for identified risks…” Section 6.3, Infrastructure, states, “The plan for the infrastructure should consider the identification and mitigation of associated risks…” Section 7.1.3, Managing Processes, 7.1.3.1, General, states, “An operating plan should be defined to manage the processes, including… identification, assessment and mitigation of risk…”
Essentially, risk has been introduced as a key element to all of the auditable clauses as highlighted in section 8.5.3 Loss Prevention which states, “To be effective and efficient, planning for loss prevention should be systematic. This should be based on data from appropriate methods… Data can be generated by use of risk analysis tools such as fault mode and effects analysis…” Is this good – do we get the point?
This revision also expands on the ‘Ghosts of Christmas Future’ with:
- Interested parties and their needs
- Employee Engagement
- Physical and Human Factors (including ergonomics)
- Innovation (implied)
- Emphasis on environmental concerns
- Health and safety concerns (including PPE)
- More social responsibility
- Knowledge Management
- Information Security
Moving on to ISO 9001:2008, thought of as the ‘clarification’ Standard, with very few changes and a couple of explanations, except that ‘risk’ is back. Section 0.1 of the introduction, in the second sentence, states, “The design and implementation of a quality management system is influenced by a) its organizational environment, changes in that environment, and the risks associated in that environment…”
Although it was careful not to ‘bang the risk drum’ too loudly, the use of words such as ‘factors,’ ‘concerns’ and ‘issues’ communicated (at least) to some of us that risk was going to be a ‘big deal.’ We will look at ISO 9004:2009 and its relationship with ISO 9001:2015 next time in Part 3. Let us move on to ISO 9004:2009.