To Risk or Not to Risk: That is the Question – Part 2

In part 1 we looked at the origins of risk and preventive action in the ISO 9000 family. This time we’ll look at its evolution from 1994 to present.

In 1987 the Standard was totally product based, with accountability to the customer (no longer just the government). The 1994 revision was generally viewed as a re-write, which is essentially the case, but it does establish Preventive Action as its own entity in clause 4.14.3. The effects of risk, nonconformities, issues and concerns are still product focused. Section 4.2.1 states, “The supplier shall establish, document and maintain a quality system as a means of ensuring that product conforms to specified requirements,” but the Standard is starting to shift focus into the processes as well.

Section states, “The responsibility, authority, and the interaction of personnel who manage, perform, and verify work affecting quality shall be defined and documented, particularly for personnel who need the organizational freedom and authority to: a) initiate action to prevent the occurrence of any nonconformities relating to product, process, and quality system…” Regrettably, most auditors either didn’t pick up on this or chose to keep the ‘blinders’ on, only writing product-related findings. Furthermore, the only reference to ‘risk’ has been diluted down to a general comment in 4.14.1, which states, “Any corrective or preventive action taken to eliminate the causes of actual or potential nonconformities shall be to a degree appropriate to the magnitude of problems and commensurate with the risks.”

ISO 9004:1994 is a different animal; explaining, expanding and introducing a whole ‘cast of characters,’ such as Human Factors, which will come back to haunt us in days of ‘Christmas Future.’ Section 0.4 Benefits, Costs, and Risks retains the statements pertaining to risk (copied word for word from the 1987 version) but expands them into Health and Safety.

Section 3 Definitions contains a frightening foreshadowing. It introduces the concept of social consciousness in 3.3, “Requirements of Society: Obligations resulting from laws, regulations, rules, codes, statutes, and other considerations.” This continues in the notes, “‘Other considerations’ include protection of the environment, health, safety, security, and conservation of energy and natural resources” and “All requirements of society should be taken into account when defining the requirements for quality” – and in one brief paragraph, consternation turns to elucidation, but more on this later in Part 3.

Other subjects introduced include:

  • Product Life-Cycle
  • Configuration Management
  • Guidelines on ‘how’ to audit the quality system (which later becomes ISO 19011)
  • Continuous Improvement
  • Financial Reporting of QMS Effectiveness – (auditable?)
  • Supplier Relations Management
  • Change Control (both product and process)

Noticeably absent is any further discussion on risk.

Fast forward to the year 2000. Unlike its predecessors, the 2000 revision does not contain any reference to risk in its introduction other than to say, “This International Standard does not include requirements specific to other management systems, such as… Risk Management.” Moreover, with this one exception, the word ‘risk’ is conspicuously missing from the document. Maybe this is the beginning of the myth that risk has never been part of the system. I look at the cross-section of consultants out there and it is no wonder; from their bio pics, few of them have been in business 15 years or more. So, on to ISO 9004:2000. This is where it should get interesting!

And so it goes… starting in the introduction, 0.1 (this time), Benefit, Cost, Risk, just as I expected.

Section 5.1.2 Issues to be considered states, “Consideration should be given to:… identifying and managing risks and exploiting performance improvement opportunities…” You should notice the Standard said performance not product.

Section 5.6.3 [Management] Review output states, “Additional outputs to enhance efficiency include, for example… loss prevention and mitigation plans for identified risks…” Section 6.3 Infrastructure states, “The plan for the infrastructure should consider the identification and mitigation of associated risks…” Section 7.1.3 Managing Processes, General states, “An operating plan should be defined to manage the processes, including… identification, assessment and mitigation of risk…”

Essentially, risk has been introduced as a key element in all of the auditable clauses, as highlighted in section 8.5.3 Loss Prevention, which states, “To be effective and efficient, planning for loss prevention should be systematic. This should be based on data from appropriate methods… Data can be generated by use of risk analysis tools such as fault mode and effects analysis…” Is this good – do we get the point?

This revision also expands on the ‘Ghosts of Christmas Future’ with:

  • Interested parties and their needs
  • Employee Engagement
  • Physical and Human Factors (including ergonomics)
  • Innovation (implied)
  • Benchmarking
  • Emphasis on environmental concerns
  • Health and safety concerns (including PPE)
  • More social responsibility
  • Knowledge Management
  • Information Security

Moving on to ISO 9001:2008, thought of as the ‘clarification’ Standard with very few changes and a couple of explanations – except ‘risk’ is back. Section 0.1 of the introduction, in the second sentence, states, “The design and implementation of a quality management system is influenced by a) its organizational environment, changes in that environment, and the risks associated in that environment…”

Although it was careful not to ‘bang the risk drum’ too loudly, the use of words such as ‘factors,’ ‘concerns’ and ‘issues’ communicated (at least) to some of us that risk was going to be a ‘big deal.’ We will look at ISO 9004:2009 and its relationship with ISO 9001:2015 next time in Part 3. Let us move on to ISO 9004:2009.

To Risk or Not to Risk: That is the Question – Part 1

Since June 3rd 2013, when the first Committee Draft (CD) of ISO 9001 was released for formal review, there has been much ado about nothing when it comes to what has come to be known as Risk-Based Thinking. This single topic has been central to the objections to the 2015 revision and debated ad nauseam – with Supporters claiming Risk has always been a part of ISO quality management systems and Opponents arguing TC-176 (authors of the Standard) just made it up. Once and for all, we will settle the argument!

In the Introduction to this Committee Draft, section (d) states, “Annex SL, Appendix 2 High Level Structure and core text does not include a clause giving specific requirements for ‘preventive action.’ This is because one of the key purposes of a formal management system is to act as a preventive tool.” It goes on to say, “Consequently, the High Level Structure and Identical text require an assessment of the organization’s external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) and to determine the risks and opportunities that need to be addressed to: assure the quality management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” And so, the concept of Risk-Based Thinking was born. Or was it? The answer is Yes… and No. The introduction also states, “Although risks have to be identified and acted upon there is no requirement for formal risk management.”

It may be the first use of the term Risk-Based Thinking, but TC-176 had been ‘thinking’ about risk for a long time. To find out, we’ll have to go back to the very beginning – all the way back to MIL-Q-9858*. Remember that one? In section 1.3 (Scope) it states, regarding Quality Program Requirements, “This program shall provide for the prevention and ready detection of discrepancies…” This demonstrates the reality that a) Preventive Action is a fundamental part of a quality management system and b) because the nature of preventive action is proactive rather than reactive, it requires that issues and concerns be identified and acted upon. That, my friends, sounds like risk management.

*Note: Interestingly enough, MIL-Q-9858 also introduces the concept of Cost of Poor Quality in section 3.6, which unfortunately never made it into the ISO version (ISO 9001:1987).

Enter the new kid on the block, ISO 9001:1987. In section 4.14 Corrective Action it states, “The organization shall have a procedure for each of the following purposes: …c) Preventing problems consistent with the risk they may present.” There it is, folks, and they even connected the dots for us. The concept of preventive action linked with risk has always been there. But wait, there’s more!

Embedded in ISO 9004:1987 (US equivalent ANSI/ASQC Q94), section Q94.0.4.1, is “Risk, cost, and benefit considerations have great importance for both company and customer,” and section Q94.0.4.5, “A well-structured quality system is a valuable management resource in the optimization and control of quality in relation to risk, cost, and benefit considerations.” It continues with section Q94.4.4.4, “The quality system should function in such a manner as to provide proper confidence that… c) emphasis is placed on problem prevention rather than dependence on detection after occurrence.”

With this discovery, we see that in both the Standard we all read, ISO 9001, and the one we never looked at, ISO 9004, TC-176 has presented the concepts of prevention and risk as ‘joined at the hip.’ How did so many miss this? Es macht nichts (no matter) – we’ll bring it full circle and beyond in Part 2.

Which Way Did They Go?

Organizational Roles, Responsibilities and Authorities

We’re almost done with Clause 5 Leadership, and as a final reiteration of the importance top management plays in this new revision we’ll hit them one last time, reminding them of their roles and responsibilities and what they can ‘get away with’ delegating.

Unlike the 2008 revision, ISO 9001:2015 requires that top management be accountable for the effectiveness of the QMS. ISO 9001:2008 required top management to establish, implement and maintain a quality management system. ISO 9001:2015 further requires that top management ensure the processes interact with each other.

This is a direct result of the additional emphasis on the process approach. As such, the organization will have to prove that inputs and outputs of processes are defined, that products and services are produced in sequence and delivered to the next appropriate process according to the process flow, and that the process is effective.

ISO 9001:2008 required top management to assign a (management) representative who, among other things, was responsible for the quality management system. ISO 9001:2015 no longer requires a management representative; however, the specific duties remain. So, as part of top management’s responsibility, they must appoint an authority (or authorities) tasked with bringing the quality policy and expectations of top management to the organization, and with receiving feedback regarding the status and performance of the QMS, which will be reported back to top management.

The requirement to demonstrate leadership and commitment in clause 5.1.1 can be partially achieved by assuming roles of responsibility and authority in clause 5.3.

The Standard states in 5.3 Organizational roles, responsibilities and authorities:

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.

Top management shall assign the responsibility and authority for:

  1. ensuring that the quality management system conforms to the requirements of this International Standard;
  2. ensuring that the processes are delivering their intended outputs;
  3. reporting on the performance of the quality management system and on opportunities for improvement, in particular to top management;
  4. ensuring the promotion of customer focus throughout the organization;
  5. ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

For those who maintain the traditional approach of continuing with a single management representative, clause 5.3 is the smallest of changes because the standard clearly allows the organization to assign these responsibilities and authorities any way it sees fit.

With the 2015 revision, however, delegation opportunities in clause 5.3 make it possible for several members of top management to maintain key organizational roles within the QMS. Imagine the positive impact on QMS effectiveness if you delegated oversight to more than one member of the management team?

Summary of changes in clause 5.3:

  • This clause replaces old clause 5.5.1 on responsibility and authority.
  • Adds that responsibilities must be assigned and understood.
  • Identifies some specific responsibilities to be assigned.
  • No longer requires a management representative for these assignments.
  • Old duties can be spread among top management.
  • Introduces use of the term “innovation” to the standard.

Innovation is defined in ISO 9000:2015 (3.6.15) as the process resulting in a new or substantially changed object (and the activities resulting in innovation are generally managed). And, yes folks, ISO is working on a standard for that too (ISO/AWI 50501 Draft).

What will the auditors look for?

  • Auditors know that there is no longer a requirement for a Management Representative (MR), although the duties currently assigned to the MR under ISO 9001:2008 must still be fulfilled and can be assigned to different personnel.
  • Auditors will seek evidence that the organization’s personnel have not only been advised of their QMS responsibilities & authorities, but also that they understand these in the context of the overall purpose of the quality management system.
  • Auditors will also seek evidence that top management has assigned responsibility and authority for preserving the integrity of the organization’s QMS during revisions or updates.
  • Auditors will be looking for documented information (other than an organizational chart, which only shows the chain of command) defining and delineating roles, responsibilities and authorities.

We’ll be moving on to Clause 6 in our next post.

How to Meet the Leadership Requirements in ISO 9001:2015 – Part 4

Part 4 will conclude this series on the role of top management.

5.3 Organizational Roles, Responsibilities, and Authorities

Top management must ensure that the responsibilities and authorities for relevant roles are assigned, communicated, and understood within the organization. Top management must assign the responsibility and authority to ensure that the system conforms to the requirements of ISO 9001 and that the processes are delivering their intended outputs. Top management must assign the responsibility and authority for reporting on the performance of the system, on opportunities for improvement, and on the need for change or innovation. Top management must assign the responsibility and authority to ensure the promotion of customer focus throughout the organization and to ensure that the integrity of the system is maintained when changes to the system are planned and implemented.


Top management must establish the organization necessary to implement a QMS. It must define the structure, hierarchy and lines of reporting. Additionally, it must ensure that the duties, responsibilities and authority of all personnel are defined and communicated. All personnel must be clear on their duties, responsibilities and authority in meeting customer and regulatory requirements. Organization charts, job descriptions, standard operating procedures, work instructions, etc. are some of the many ways top management may define and document this. These must be communicated and available, as applicable, throughout the organization. Orientation training, appointment postings, training on procedures and work instructions, etc. are some of the many ways of accomplishing this. The organization structure and lines of reporting, and the responsibility and authority of managerial functions and departments, may be established by top management, while the responsibilities and authorities for the rest of the organization may be established by the HR function working with the various process owners. Again, this would depend on the size, complexity and culture of the organization. The effective planning, operation and control of internal communication processes may be demonstrated through performance indicators.

The following is a Top 10 list of some of the roles (including responsibilities and authorities) which Top Management needs to identify:

  1. Understanding the company mission, vision, policies, and objectives carefully, and communicating the same in simple language down the line. The role should ensure that people have understood the same and will be able to demonstrate it in their routine activities.
  2. Helping Process Owners in determining departmental objectives, policies and goals, considering the company’s objectives and policies. The concerned Process Owner is responsible for writing the policy and goals for his/her department and sections.
  3. Explaining the concepts of ISO 9000 throughout the organization. The help of expert professionals can be obtained in giving training.
  4. Communicating the importance of meeting customer as well as regulatory requirements during the training program or on any other occasion found suitable for this purpose.
  5. Identifying the processes required for implementing quality management systems that can help achieve company goals.
  6. Getting the documents (SOPs, work instructions, job descriptions, process parameters, specifications, etc.) prepared by the concerned personnel and bringing them under control.
  7. Identifying the need for a team of internal quality auditors to periodically audit the systems throughout the organization. Identifying the potential internal quality auditors and arranging their training programs.
  8. Maintaining records for internal quality audits, management review, corrective and preventive actions, follow-up on the actions decided in the management review, and the correspondence relating to the implementation of quality management systems.
  9. Reporting progress on trends in performance to top management from time to time.
  10. Ensuring the integrity of the management system is maintained when changes are planned and implemented.

Some of the above tasks may be delegated, but it is management’s responsibility to ensure they are planned, implemented and achieved. The implementation of and adherence to the system is the responsibility of top management. Unless top management drives and follows up, the system cannot be implemented effectively. The above tasks may be given to one person or to a group of persons, depending on the size of the organization.

How to Meet the Leadership Requirements in ISO 9001:2015 – Part 3

Well, here we are; part 3 of a 4-part post. So far we have looked at the roles of top management, the ISO expectations and some of the things that might demonstrate management commitment. In this part we will explore customer focus and the direction in which top management should be leading.

5.1.2 Customer focus

Top management needs to demonstrate leadership and commitment to customer focus. This can be done by ensuring that all applicable statutory, regulatory and customer requirements are determined, understood and consistently met. Top management should determine all the threats and opportunities that can affect the conformity of products and services or have the ability to affect the satisfaction of customer requirements. The associated risks and opportunities must be adequately addressed, and at all times the focus on enhancing customer satisfaction should be maintained.


Your organization depends on your customers, so it is important that customer relationships be effectively managed. Accordingly, you must understand current and future needs of customers; you must meet their requirements and strive to exceed their expectations because without them there is no point in you getting up in the morning.

A simple adage – No Customer, No Work!

Customer satisfaction should be the aim for everyone in the organization. They should strive to achieve the same, but in a number of cases may fail because of unforeseen problems. There are risks associated with achieving customer satisfaction. Top management needs to educate staff in identifying these risks in advance and help them to develop alternate solutions to meet the customer expectations.

To ensure satisfaction, you must understand your customer’s specific needs and requirements in terms of products, price, delivery, communication, service and support. You must have an effective communication process for discussion, review, timing, action and responsibility on the above issues. You must have an effective process for review of the above requirements by relevant personnel or departments within your own organization. It is top management’s responsibility to provide the leadership and commitment of time and resources to ensure this happens. Auditors will look for evidence of this. Clause 8.2.1 provides the details of customer communication and Clause 8.2.2 the details of understanding and processing customer requirements. Clause 9.1.2 sets forth the requirements for monitoring and measuring customer satisfaction. Clause 5.1.2 provides top management’s overall responsibility for customer relationship management, while clauses 8.2.1 & 8.2.2 provide the ‘alpha’ of the sales process and clause 9.1.2 provides the ‘omega’ of the underlying and detailed activities of customer relationship management. The requirements of clause 5.1.2 – customer focus – can be included in the following processes: business planning; communications; sales and marketing; customer satisfaction feedback; etc. You must also identify what specific documents may be needed for effective planning, operation and control of these processes. Examples of such documents may include a business plan, a statement of customer related policies and objectives, etc.

If you take care of them, they’ll take care of you!

The success of a business organization lies in effectively meeting the customer requirements. Hence, it is the responsibility of top management to ensure that customer requirements are understood clearly by all who are involved in providing the products and services to the customer.

Another adage – Everyone is in Sales. If you are not in Sales, You’d better be supporting Sales.

5.2 Policy
5.2.1 Establishing the Quality Policy

Top management is required to establish, implement and maintain a Quality Policy that is in line with the purpose and context of the organization while at the same time supporting its strategic direction. It should provide a framework for the organization’s quality objectives, must include a commitment to satisfy applicable requirements, and must be the basis on which continual improvement of the quality management system can be achieved.

5.2.2 Communicating the Quality Policy

The Quality Policy should be applied within the organization by ensuring that it is communicated and understood within the organization. The Quality Policy must be maintained as documented information and, as appropriate, should be made available to relevant interested parties.

Developing a QMS is a strategic business decision, and therefore top management must provide the necessary direction and leadership, starting with establishing the Quality Policy and objectives. The Quality Policy must be consistent with the scope of the QMS and the other business, management and organizational strategies within the organization. Clause 5.2.2 (a) requires that you document your quality policy, clause 5.2.1(c) requires that you specify your commitment to ‘satisfy applicable requirements’ and clause 5.2.1(d) to ‘continually improve the effectiveness of your QMS.’ What you state in your Quality Policy must lead to establishing quality objectives (e.g. if you state in your quality policy that you will “meet customer requirements,” then you might develop customer focused objectives for product defects; customer complaints and returns; on time delivery, etc.). Similarly, for the phrase “meet ISO 9001 requirements,” you might develop process objectives for effectively using ISO 9001 requirements to manage, control and improve your QMS processes. Stating that you will continually improve the effectiveness of your QMS in your Quality Policy can lead to a number of objectives, as your QMS is composed of many processes and you could have one or more objectives for each process. Each statement in your Quality Policy may result in one or more quality objectives. These quality objectives do not need to be stated in your Quality Policy, but top management must clearly be involved in providing direction and in establishing and reviewing these objectives. Leadership needs to establish, review and maintain a policy, but also needs to ensure that it is applied within the organization.

The establishment of the Quality Policy should be part of the business planning or QMS planning processes. A review of the Quality Policy for continuing suitability should be part of your management review process. As a quality document, the Quality Policy is also controlled under 7.5.3 Control of documented information.

In part 4, we will conclude this series with a look at the organizational roles, responsibilities and authorities.