Risk in the quality process

Tim Akerman
Categories: iso9001:2015, Quality Management System, Risk Based Thinking

Under the revised ISO quality systems standard ISO9001:2015 there is a requirement for risk assessment, but what does that really mean?

It is relatively easy to understand risk in the context of safety or environmental contamination, but how does risk apply to quality? The best way to start looking at this is to think about what a complaint is; complaints happen when the business has failed to deliver the customer’s expectations against an order. A specification was agreed, the customer had a clear vision of the benefit they would experience from purchasing your product, but it failed to deliver.

Sometimes the product attracts complaints even though it meets the specification. Why?

Part of the revised standard requires businesses to understand the context of their business. In other words, do you understand your business strategy and the market segments you are targeting? Who will buy from you, and who are your competitors?

From start to finish of delivering a product or service there are risks. Did we understand what the customer asked for? Does the customer understand what they need? Did we produce what we expected to produce? Was it delivered on time? There is a tendency to assume that the customer knows what they want, understands how my product will achieve their aims and knows how to use my product. Sometimes this is true, but often there are assumptions and misunderstandings in the buying process that make this a false view.

There are several points at which the risk of providing the wrong product or service can be controlled. The first is ensuring we understand what the customer wants, which involves understanding not only the stated requirements of the customer, but also the unstated requirements, such as obvious or industry standards in the customer’s business that they would just expect us to know. One example would be renting a room in a hotel – do you need to specify that the room has a bed in it? If our standard products don’t satisfy the customer’s needs or their stated requirements, what else do they need that we don’t know about? The risk of failing to address this is the customer choosing another supplier.

These considerations were implicit in ISO9001:2008, but have been made explicit in ISO9001:2015. There are many ways to manage risk, but we can only manage risks when we assess what the risks are.

One of the most significant changes in ISO9001:2015 is bringing in the requirement to understand the legislation that is relevant to your business. This was always a requirement, but with the harmonisation of standard structure from Annex SL, the legislative requirement has been made more obvious.

Another area that has been strengthened with more rigorous risk analysis is the handling of non-conformance. Whilst the risks associated with releasing the product have always been considered, an FMEA approach requires us to consider both performance and commercial risks, which may not have been clear before. What are the potential costs of failure compared to the cost of rejecting or scrapping the product? This is not a licence to release anything, far from it. An effective FMEA on a non-conforming product should involve all stakeholders, which must include the customer. Can we afford to involve the customer in a decision about defective stock? Surely it is healthier for the supply chain if we do; it also gives the customer a chance to consider the real impact of a defect, not only on their process, but also on their total supply chain costs.

Rejecting something that is out of specification seems an easy choice, but it creates costs which will come back later in the form of price increases.

Auditing is an area where risk has become an explicit consideration. It is no longer acceptable to simply audit on the basis of auditing all procedures every year; now we must consider the risk to the business of a failure in a particular area. When you consider the risk, it becomes obvious that just auditing every process every year is not the right thing to do. For example, if there is a manufacturing process that is absolutely critical to customer quality, would it make sense to audit that process at the same frequency as a process that causes a minor inconvenience if there is a defect?

In conclusion, applying risk analysis techniques as part of the QMS encourages the business to consider its strategy, objectives and environment in a structured and rational way. Using risk analysis in this way helps a business integrate its quality functions into the daily business operations and makes it almost impossible for a business to run a QMS in parallel to standard business operations. Integration at this level results in safer products, more accountability and better customer satisfaction.