To Risk or Not to Risk – Part 3

Last time we looked at the evolution (or DEVO) of Risk in ISO 9001 up through the 2008 revision. This time we will start with ISO 9004:2009, which is still the current revision.

…But first, a little story. ISO 9004 is a companion to ISO 9001. It is not auditable; it is a guidance document specifically drafted to give additional guidance, explanation and advice to Top Management. It is not what you might call ‘spellbinding,’ but it is ‘chock-full’ of ideas that will improve the ROI on registration.

Analogy – Think of Cadillac or Lincoln passing down their innovations to subsequent year models of Chevy or Ford and you can better understand ISO 9004. What is in there today will be in your auditable Standard tomorrow.

I had my Eureka moment back in 2000. I was auditing and consulting for a major CB (Certification Body) that provided the 2000 revision suite (ISO 9000, 9001 and 9004). I actually read it! I could not understand why all ‘this extra stuff’ was in there, but (being still fairly new) I thought that if it was there, it must be there for a reason. I looked back at my copy of ISO 9004:1994 (which I had never paid attention to) and said to myself, “Ah ha!” I was hooked! I tracked down copies of the ISO 9001 and 9004:1987 Standards and finally MIL-Q-9858, so this post is a long time coming.

Guess what? ISO 9004:2009 now brings home the ‘risk’ idea in Section 4.3, The organization’s environment: “An organization’s environment will be undergoing change continually, regardless of its size (large or small), its activities and products, or its type (for profit or not-for-profit); consequently this should be monitored constantly by the organization. Such monitoring should enable the organization to identify, assess, and manage the risks related to interested parties, and their changing needs and expectations. Top management should make decisions for organizational change and innovation in a timely manner in order to maintain and improve the organization’s performance. NOTE: For more information on risk management, see ISO 31000.” Up until now there has been no clear guidance on how to satisfy the requirements; now a non-auditable guidance document is given as a nominal reference. Risk is here to stay!

Thank (your own designated) God the auditors missed all this, because CB auditors are not experts at Risk Management. In fact, CB auditors are not experts at many things coming down the pike!

Not needing to repeat the pattern, I will just jump forward to tomorrow (with qualification). I believe I know where this is all going, but I do not know when. Face it: ISO (International Organization for Standardization) is not a compliance organization; it is a publisher. It only makes money if we buy its publications. Therefore, since they write the Standards… how many do you think they want us to buy? All of them!

Moving forward, I believe the next revision, ISO 9001:202x, will add additional aspects of Financial Resources (Lean), Work Environment (Human Factors), Knowledge Management, Self-Assessment and Innovation. Guess what? Standards for these either exist or are in development. I will say more about these in a future blog series.

In addition, I believe a future revision may have auditable requirements for Environmental Management (ISO 14001) and Occupational Health & Safety (ISO 45001), but this is not a bad thing, because an Integrated Management System might just satisfy the new requirements. At the very least, it positions you for SHARP or VPP recognition (depending on company size), and that is a really good thing. Every State has a local OSHA office that offers ‘voluntary status consultation.’ Do the prep work (the Kilpatrick Group has assisted 25% of all RI-recognized SHARP participants) and go for the ‘brass ring.’

Although ISO 31000:2009, the Risk management guidance document (and ISO/IEC 31010, which lists the multiple and popular assessment tools), are non-auditable guidance documents, some CBs are lobbying to give them full-blown, auditable quality management system status. I saw this coming and began building full-blown Enterprise Risk Management Frameworks back in 2011 in anticipation of the 2015 revision.

Based upon the ISO 9004 revision history (the Cadillac analogy), my thought is that the following revision of ISO 9001 will roll in full-blown Risk Management, Corporate Social Responsibility (ISO 26000), Information Security (ISO 27001 and 27002) and Energy Management (ISO 50001) sometime around 2030. God help us, because the auditors will not be qualified to audit these new competencies. I guess you will just have to follow my postings to keep up to date!

Note: These are only the opinions of this author. What happens in the future remains to be seen.
