ISO 9001 And Risk Management
Under the ISO 9001:2008 standard, risk management falls under strategic, operational, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include strategic planning and marketing planning.
Risk management is basically simple; its level of complexity is set by the nature of the situation it applies to (usually a process) and by the parties involved. Basically speaking, risk management involves:
1. Identifying risk – Looking for anything that threatens the successful operation of the process measured against the original requirement. Risks can be environmental, organizational, technical, legal, economic or commercial.
2. Neutralizing risk – Taking action to remove the risk or to reduce the probability of it coming to fruition. The response depends on the nature and seriousness of the risk.
3. Acting when the risk incident occurs – Putting in place whatever contingency measures were planned for the risk that has occurred.
Risk management can be greatly simplified by using tools such as quality management software and ISO 9001 templates that are designed to classify and identify significant risks so that plans can be put in place to neutralize them.
In aviation, with the mandating of Safety Management Systems (SMS), of which risk management is a big portion, safety audits are also mandated, which makes it very close to quality. Actually SMS and QMS are so intertwined that the UK CAA devotes a section in their guidance material to how both work together.
Being a small organisation, roles overlap, and since in terms of quality every non-conformance is potentially a risk, I modified the NCR to add a "Risk Assessment required" item similar to "Root Cause Analysis required".
The auditee has to assess the risk and propose mitigating actions that make it acceptable and manageable.