The Relevance of Risk Based Thinking in ISO 9001:2015 and ISO 14001:2015
March 4, 2016
Our webinar will begin at 1:00 PM

Presenter: Carmine Liuzzi

Manage risk. Facilitate innovation. Now you can do both.
Presenter
Carmine Liuzzi, Industry Leader, Learning & Improvement Solutions
- 23-year veteran with SAI Global
- Master's degree in polymer chemistry from Long Island University and a bachelor's in biochemistry from Manhattan College
- Areas of specialty include ISO 9001, ISO 14001, ISO/TS 16949 and OHSAS 18001, as well as process improvement techniques
- Exemplar Global certified Lead Auditor for Quality and Environmental Management Systems
- Automotive expert, including ISO/TS 16949, APQP, PPAP, FMEA, MSA
- Coaches clients in all aspects of developing, implementing and integrating management systems, and provides services that range from training and consulting support to leading internal assessment teams
Webinar Objectives
- Discuss the concept of risk management
- Understand the requirements for risk identification and control in ISO 9001:2015 and ISO 14001:2015
- Potential methods to evaluate and prioritize risk
ISO Standards and Risk-based Thinking
- The concept of risk has always been a component of ISO 9001 and ISO 14001, which require the organization to plan its processes and manage its business to avoid undesirable results.
- Organizations have typically done this by putting greater emphasis on planning and controlling the processes that have the biggest impact on the quality of the products and services they provide.
ISO Standards and Risk-based Thinking
- The way in which organizations manage risk varies depending on their business context (e.g. the criticality of the products and services being provided, the complexity of the processes, and the potential consequences of failure).
- Use of the phrase "risk-based thinking" is intended to make it clear that while an awareness of risk is important, formal risk management methodologies and risk assessment are not necessarily appropriate for all business situations and organizations.
ISO Standards and Risk-based Thinking
- Risk is the effect of uncertainty on an expected result, and the concept of risk-based thinking has always been implicit in ISO 9001 and ISO 14001.
- The 2015 revisions to ISO 9001 and ISO 14001 make risk-based thinking more explicit and incorporate it in the requirements for the establishment, implementation, maintenance and continual improvement of management systems.
- Risk-based thinking now includes the identification of opportunities.
Risk-based Thinking
- A basis for increasing the effectiveness of the management system, achieving improved results and preventing negative effects
- Risk is the effect of uncertainty, which can have negative or positive effects
- Actions taken to address opportunities can also include consideration of the associated risk
Risk-based Thinking
- Consideration of risk is essential for achieving an effective management system
- The concept of risk-based thinking has always been implicit in ISO standards, in the requirements for preventive action
- Any organization needs to plan and implement actions to address risks and opportunities
Sustainable Business Success & Risk
- Being aware of the organization's environment, effectively managing opportunities and risks, learning from experience, and applying improvement and innovation
- Corporate sustainability is a business approach that creates long-term shareholder value by embracing opportunities and managing risks deriving from economic, environmental and social developments.
Source: ISO 9004:2009
Taking a Risk-based Approach is Not a Risk Management System
- Risk-based thinking ensures risk is considered from the beginning and throughout the entire management system
- Risk-based thinking is supported by the PDCA process approach
- Risk-based thinking makes preventive action part of strategic and operational planning
- Neither ISO 9001 nor ISO 14001 requires fully functional risk management activities to meet the requirements
- A documented procedure is not required
ISO 31000:2009 Risk Management - Principles and Guidelines on Implementation
- The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management.
- The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes.
- ISO 31000 is a useful reference for organizations that want or need a more formal approach to risk.
- Its use is not a requirement.
ISO 31000:2009 Risk Management - Principles and Guidelines on Implementation
ISO 31000 provides a framework for organizations to deal with their identified risks:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Accepting or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision
Risk-based Thinking
- Organizations are required to understand their context (clause 4.1) and determine the risks and opportunities that need to be addressed as a basis for planning (clause 6.1).
- This represents the application of risk-based thinking to the planning and implementation of QMS / EMS processes (clause 4.4).
- There is no requirement for formal methods for risk management or a documented risk management process.
- One of the key purposes of a management system is to act as a preventive tool.
Where is Risk Referenced in ISO 9001:2015?
- Clause 4.4 f) QMS and its processes: determine the risks and opportunities in accordance with the requirements of 6.1.1 (see below) and plan and implement the appropriate actions to address them
- Clause 5.1.1 d) promoting the use of the process approach and risk-based thinking
- Clause 5.1.2 b) Customer focus: ... the risks and opportunities that can affect conformity of products and services ...
- Clauses 6.1.1 & 6.1.2 Actions to address risks and opportunities: ... proportionate to the potential impact ...
- Clause 8.1 Operational planning and control: review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. Isn't this risk?
Where is Risk Referenced in ISO 9001:2015?
- Clause 8.3.3 Design and development inputs: e) the potential consequences of failure due to the nature of the products and services. Isn't this risk?
- Clause 8.5.5 Post-delivery activities: in determining the post-delivery activities that are required, the organization shall consider the potential undesired consequences. Isn't this risk?
- Clause 9.1.3 e) the effectiveness of actions taken to assess risks and opportunities
- Clause 9.3.2 Management review: the management review shall be planned and carried out taking into consideration e) the effectiveness of actions taken to address risks and opportunities
- Clause 10.2.1 e) update risks and opportunities determined during planning, if necessary
Where is Risk Referenced in ISO 14001:2015?
- Clause 6.1.1 Actions to address risks and opportunities: determine the risks and opportunities related to its environmental aspects (6.1.2), compliance obligations (6.1.3) and other issues and requirements identified in 4.1 and 4.2 that need to be addressed, so that the EMS can achieve its intended outcomes and prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization; maintain documented information of its risks and opportunities that need to be addressed, and of the processes needed to have confidence they are carried out as planned.
- Clause 6.1.2 Planning action: the organization shall plan to take actions to address its risks and opportunities, integrate them into the EMS (6.2; 7; 8; 9.1) and evaluate the effectiveness of these actions (9.1).
Where is Risk Referenced in ISO 14001:2015?
- Clause 8.1 Operational planning and control: the organization shall control planned changes and review the consequences of unintended changes. Isn't this risk?
- Clause 8.2 Emergency preparedness and response: establish, implement and maintain the processes needed to prepare for and respond to potential emergency situations identified in 6.1.1. Isn't this risk? Take action to prevent or mitigate the consequences of emergency situations. Isn't this risk?
- Clause 9.3 Management review: the management review shall include consideration of b) changes in risks and opportunities
- Clause 10.2 react to the nonconformity and, as applicable, deal with the consequences, including mitigating adverse environmental impacts. Isn't this risk?
Risk-based Thinking
- There is no separate clause or sub-clause titled "Preventive action"
- The concept of preventive action is expressed through a risk-based approach to formulating QMS / EMS requirements
- The organization is responsible for the application of risk-based thinking and the actions required to address the identified risks
- Determine the level of risk for QMS / EMS processes to meet intended outputs, objectives, etc.
Plan-Do-Check-Act Cycle
The methodology known as the Plan-Do-Check-Act (PDCA) cycle can be applied to all business processes and to quality / environmental management systems as whole entities. The PDCA cycle can be briefly described as follows:
- Plan: establish the objectives of the system and its component processes and resources
- Do: implement what was planned
- Check: monitor and, where applicable, measure processes, products and services against policies, objectives and requirements, and report the results
- Act: take actions to improve process performance, as necessary
0.3 Process Approach (ISO 9001:2015)

[Figure: Process approach. A process is a set of interrelated or interacting activities which transforms inputs into outputs; the diagram shows Input, Controls, Resources (People / Equipment / Material), Process and Output (Product).]
- Process effectiveness: the extent to which planned activities are realized and planned results achieved
- Process efficiency: the relationship between the result achieved and the resources used
- A desired result is achieved more efficiently when activities and related resources are managed as a process

Fig 2 - Representation of a Process based (PDCA)
Why Use Risk-based Thinking?
Successful organizations intuitively apply risk-based thinking because it brings benefits that:
- Improve corporate governance
- Establish a proactive culture of improvement
- Enable compliance activities
- Assure consistency of processes, products and services
- Improve customer confidence and satisfaction
What is Required?
- Identify the risks to your organization's success, both internal and external to the organization
- Use risk-based thinking to prioritize the way you manage your processes
- ISO 9001:2015 and ISO 14001:2015 do not require a formal risk management process
Basic Steps of Risk Assessment
- Balance risks and opportunities
- Analyse and prioritize your risks: what is an acceptable / unacceptable risk?
- Plan actions to address the risk: how can the organization eliminate / mitigate the risks?
- Implement the determined controls
- Check the effectiveness of the controls
- Look for continual improvement opportunities
Creating a Risk Register
- The risk register is a useful tool to record, evaluate and monitor the organization's risks
- Format is your choice: a simple spreadsheet or database are the most common
- All identified risks and the actions taken are compiled into one document
Spreadsheet Example
Risk Register - Example
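The register the slides describe, written out as an added Python example (not SAI Global's spreadsheet and not a tool from the webinar): it records each risk with the source it was found in, scores it, prioritizes the list, lets the organization pick one of the ISO 31000 treatment options from the earlier slide, plans actions, and then re-scores the risk to check the effectiveness of the controls, following the basic steps above. The 1 to 5 likelihood and consequence scales, the product score, the acceptance threshold of 6 and the sample entries are all assumptions made for the illustration; neither ISO 9001:2015 nor ISO 14001:2015 prescribes a method.

```python
"""Risk register: record, evaluate and monitor risks, then check the controls.
Added illustration, not SAI Global's spreadsheet. The 1..5 scales, the product
score and the acceptance threshold are assumptions; the standards prescribe none."""
import csv
import io
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Treatment(Enum):  # ISO 31000:2009 treatment options listed earlier in the deck
    AVOID = "avoid the activity"
    PURSUE = "accept or increase the risk to pursue an opportunity"
    REMOVE_SOURCE = "remove the risk source"
    CHANGE_LIKELIHOOD = "change the likelihood"
    CHANGE_CONSEQUENCES = "change the consequences"
    SHARE = "share with another party"
    RETAIN = "retain by informed decision"


ACCEPTABLE = 6  # assumed threshold: a score above this needs planned action


def _check_scale(value: int, name: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1..5, got {value}")


@dataclass
class Risk:
    ref: str
    description: str
    source: str              # where found: context (4.1), aspect (6.1.2), ...
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    consequence: int         # 1 (negligible) .. 5 (severe), assumed scale
    treatment: Optional[Treatment] = None
    actions: List[str] = field(default_factory=list)
    residual: Optional[int] = None   # score re-evaluated after the controls

    def inherent_score(self) -> int:
        return self.likelihood * self.consequence

    def current_score(self) -> int:
        return self.inherent_score() if self.residual is None else self.residual


class RiskRegister:
    def __init__(self):
        self._risks = {}

    def add(self, risk: Risk) -> None:
        _check_scale(risk.likelihood, "likelihood")
        _check_scale(risk.consequence, "consequence")
        if risk.ref in self._risks:
            raise ValueError(f"duplicate reference {risk.ref}")
        self._risks[risk.ref] = risk

    def prioritized(self) -> List[Risk]:
        """Analyse and prioritize: highest current score first."""
        return sorted(self._risks.values(), key=lambda r: (-r.current_score(), r.ref))

    def needing_action(self) -> List[str]:
        """Unacceptable risks with no treatment planned yet."""
        return [r.ref for r in self.prioritized()
                if r.current_score() > ACCEPTABLE and r.treatment is None]

    def plan_action(self, ref: str, treatment: Treatment, action: str) -> None:
        self._risks[ref].treatment = treatment
        self._risks[ref].actions.append(action)

    def check_effectiveness(self, ref: str, likelihood: int, consequence: int) -> bool:
        """Re-score once the controls are in place; True if now acceptable."""
        risk = self._risks[ref]
        if risk.treatment is None:
            raise ValueError(f"{ref}: no action planned, nothing to check")
        _check_scale(likelihood, "residual likelihood")
        _check_scale(consequence, "residual consequence")
        risk.residual = likelihood * consequence
        return risk.residual <= ACCEPTABLE

    def open_items(self) -> List[str]:
        """Monitoring view: everything still above the threshold, treated or not."""
        return [r.ref for r in self.prioritized() if r.current_score() > ACCEPTABLE]

    def to_csv(self) -> str:  # the one-document spreadsheet form, one row per risk
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["ref", "description", "source", "L", "C", "inherent",
                         "treatment", "actions", "current", "status"])
        for r in self.prioritized():
            writer.writerow([r.ref, r.description, r.source, r.likelihood, r.consequence,
                             r.inherent_score(), r.treatment.name if r.treatment else "",
                             "; ".join(r.actions), r.current_score(),
                             "open" if r.current_score() > ACCEPTABLE else "acceptable"])
        return buf.getvalue()


def build_sample_register() -> RiskRegister:  # constructed sample entries, not real data
    reg = RiskRegister()
    reg.add(Risk("R1", "Single supplier for a critical raw material", "context (4.1)", 3, 5))
    reg.add(Risk("R2", "Solvent spill during tank transfer", "environmental aspect (6.1.2)", 2, 4))
    reg.add(Risk("R3", "Late customer drawing change not reviewed", "change control (8.1)", 4, 3))
    reg.add(Risk("R4", "Office printer toner stock-out", "context (4.1)", 2, 1))
    return reg
```

With the sample entries, `prioritized()` puts R1 (score 15) first and the toner stock-out (score 2) last, and `needing_action()` lists the three risks above the threshold. `check_effectiveness()` refuses to re-score a risk that has no planned treatment, so a risk can only move from "open" to "acceptable" after an action has been recorded against it, and `to_csv()` gives the single spreadsheet document the slide recommends.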
Conclusions
Risk-based thinking:
- Is not a new concept
- Is iterative
- Provides increased knowledge of risks throughout the organization and improves preparedness
- Enhances the likelihood of achieving objectives
- Reduces the probability of undesired results or surprises
Balance risk and encourage innovation. With confidence.
MANAGE COMPLEXITY WITH TRUSTED SOLUTIONS
The business world is experiencing unprecedented change. Global expansion. Emerging markets. Nimble competitors. Digital disruption. Mobile staff. Empowered customers. Every business in every country is facing increased complexity in every operation. Those who are succeeding are using a new approach to risk management.
INTEGRATED RISK MANAGEMENT SOLUTIONS
By partnering with SAI Global you'll have peace of mind knowing your risk management activities are controlled. By using solutions that monitor, measure and inform, we can help you build trust throughout your organisation and with stakeholders.
GLOBAL EXPERIENCE, LOCAL SOLUTIONS
Our experience stretches across 29 countries in Europe, North America, Asia and Australasia. Our expertise extends across many industries, from resources and automotive to healthcare and property. You can draw on our global strength no matter where you are located, your industry challenges, or the size of your business.
SAI Global Risk Management Solutions
DISCOVER AND ASSESS
- Identify legal, regulatory and compliance obligations
- Map obligations to business processes
- Align business values and objectives to risk management strategy
DEVELOP POLICIES, PROCEDURES AND CONTROLS
- Design and document end-to-end processes
- Map and assign accountability
- Develop tools to monitor program effectiveness
TRAIN AND COMMUNICATE
- Engage and train employees to drive behavioural change
- Develop methods to monitor employees' engagement
- Capture and assess training effectiveness
MONITOR AND ACT
- Monitor and report key risk indicators and trends
- Real-time visibility of compliance status and issues
- Validate program effectiveness
EVALUATE AND IMPROVE
- Review program performance
- Realign processes, people and objectives
- Drive continuous improvement and growth
Learning & Improvement Solutions
- Public training (classroom)
- On-site training / in-house training*
- Free webinars
- Interactive webinars
- eLearning courses
- On-site consulting, including*:
  - On-site gap analysis
  - Management system implementation
  - Kaizen event
  - Program review & development
  - Product specification building

*SAI Global's Improvement Solutions Business and Certification Services Business operate independently. Any audit provided by our Certification Services Business is totally independent of any work we may have done through our Improvement Solutions Business and will not provide our clients with any special treatment.
Questions and Answers
Carmine Liuzzi
Industry Leader, SAI Global Assurance Services, Learning & Improvement Solutions
Phone: 203-300-3776
carmine.liuzzi@saiglobal.com
www.saiglobal.com/assurance