RISK MATRIX

Risk Matrix

A Risk matrix is a matrix that is used during risk assessment to define the various levels of risk as the product of the harm probability categories and harm severity categories. This is a simple mechanism to increase visibility of risks and assist management decision making.

Risk Matrix Chart Diagram



Likelihood = How likely is the event of risk to occur
Rare / Very Unlikely = Only in exceptional circumstances
Unlikely = Might occur in future time
Moderate /Possible = Might occur at some time
Likely = Probably occur in most circumstances
Very likely = Almost certain = Expected in most circumstances

Impact = A marked effect or influence
Negligible = No injuries, No damages
Minor = Minor injuries, Minor damages, First aid required
Moderate = Some injuries, Medium damages, Medical help necessary
Major / Significant = Extensive injuries, High damages, Medical help necessary
Extreme / Severe = Death or major injuries, High level damages, Medical help necessary


Note: Above 'Risk Matrix Chart Diagram' is an example. Every organization may have its own Risk Matrix Chart.

ISO 9001 QMS CERTIFICATION WORLDWIDE - ISO SURVEY 2015

ISO 9001 QMS CERTIFICATION WORLDWIDE - ISO SURVEY 2015

International Organization for Standardization (ISO) has released the 2015 results of the ISO Survey, showing the number of certifications to ISO management systems worldwide. The ISO Survey of certifications is an annual survey of the number of valid certificates to ISO management system standards worldwide.

ISO 9001 QMS Certifications results as per ISO Survey 2015 are as under:

Number of ISO 9001 certificates in 2014 - 1,036,321*
Number of ISO 9001 certificates in 2015 - 1,033,936**

Change in comparison to 2014 - (-) 2,385
Change in % - (-) 0.2%

* All certificates in 2014 were issued to ISO 9001:2008
** In 2015 - 1.029,746 Certifications to ISO 9001:2008 + 4,190 Certifications to ISO 9001:2015 = 1,033,936

A total of 1,036,321 certificates were issued to ISO 9001 in 2014 and 1,033,936 certificates (including 4,190 issued to 2015 version) were issued to ISO 9001 in 2015, there has been a slight decrease of 0.2% on 2014 figures.

Top 10 countries

Top 10 countries (with number of certified organizations) for ISO 9001 certifications in 2015 are as under:

China - 292,559
Italy - 132,870
Germany - 52,995
Japan - 47,101
U.K. - 40,161
India - 36,305
U.S.A. - 33,103
Spain - 32,730
France - 27,844
Romania - 20,524

Although there is a slight decrease for ISO 9001 QMS certifications in 2015, however still this is the standard that is being used world-wide.

- Keshav Ram Singhal

Courtesy: ISO Website

RISKS AND OPPORTUNITIES IN ISO 9001:2015 QMS - PROCESS-DIAGRAM

RISKS AND OPPORTUNITIES IN ISO 9001:2015 QMS

PROCESS-DIAGRAM

- Keshav Ram Singhal

For details on the Training Handbook on 'ISO 9001:2015 QMS Awareness', please CLICK HERE.

For details on 'Checklist for ISO 9001:2015 QMS', please CLICK HERE.

World Standards Day 2016

World Standards Day 2016

Each year on 14 October, the members of the IEC, ISO and ITU celebrate World Standards Day. World Standards Day is a means of paying tribute to the collaborative efforts of the thousands of experts worldwide, who develop the voluntary technical agreements that are published as international standards.

The themes of earlier 'World Standards Day' were as under:

World Standards Day 2015 - "Standards - the world's common language"
World Standards Day 2014 - "Standards level the playing field"
World Standards Day 2013 - "International standards ensure positive change"
World Standards Day 2012 - "Less waste, better results - Standards increase efficiency"
World Standards Day 2011 - "International standards - Creating confidence globally"
World Standards Day 2010 - "Standards makes the world accessible for all"
World Standards Day 2009 - "Tackling climate change through standards"
World Standards Day 2008 - "Intelligent and sustainable buildings"
World Standards Day 2007 - "Standards and the citizen: Contributing to society"
World Standards Day 2006 - "Standards: big benefits for small contributors"
World Standards Day 2005 - "Standards for a safer world"
World Standards Day 2004 - "Standards connect the world"
World Standards Day 2003 - "Global standards for the global information society"
World Standards Day 2002 - "One Standard, one test, accepted everywhere"
World Standards Day 2001 - "The environment and standards: close together"
World Standards Day 2000 - "International standards for peace and prosperity"
World Standards Day 1999 - "Building on standards"
World Standards Day 1998 - "Standards in daily life"

The theme of 'World Standards Day 2016' is 'Standards build trust'.

IEC President Dr. Junji Nomura, ISO President Zhang Xiaogang and ITU Secretary-General Houlin Zhao, in their joint message have conveyed the following message on the World Standards Day 2016:

"Standards connect us with reliable modes of communication, codes of practice and trusted frameworks for cooperation. Introducing common interpretations on reciprocal sides of a communication or transaction, standards are essential to mutually beneficial trade and resource efficient international commerce.

Social interaction relies on common respect for fundamental sets of norms, concepts or meanings – international standards codify these norms to ensure that they are accessible to all.

A product or service conforming to an international standard is imbued with a trusted symbol of quality, safety or compatibility. Standards speak to the diversity of our interconnected world, introducing uniformity at the interfaces where we need to be certain that we are speaking on the same terms."

World Standards Cooperation

The World Standards Cooperation is a high-level collaboration between the IEC (International Electrotechnical Commission), ISO (International Organization for Standardization) and ITU(International Telecommunication Union). Under this banner, the three organizations preserve their common interests in strengthening and advancing the voluntary consensus-based International Standards system.

IEC, ISO and ITU have undertaken several initiatives that are organized under the World Standards Cooperation (WSC) banner. Such initiatives include workshops, education and training, and the promotion of the international standards system.

IEC, ISO and ITU believe that International Standards are an important instrument for global trade and economic development. They provide a harmonized, stable and globally recognized framework for the dissemination and use of technologies. They encompass best practices and agreements that encourage more equitable development and promote the overall growth of the Information Society.

International Standards are consensus based and transparent. They invite the contribution of all interested stakeholders through an extensive network of national members. International Standards increase market relevance and acceptance and are the corner stone of global trade and development.

International Organization for Standardization (ISO)

International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 163 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. ISO has published more than 21000 International Standards and related documents, covering almost every industry, from technology, to food safety, to agriculture and healthcare. ISO International Standards impact everyone, everywhere.

Let us strive to create awareness on standards. Happy 'World Standards Day 2016'.

With best wishes,

- Keshav Ram Singhal

*Courtesy sources*

- ISO Website
- World Standards Cooperation Website

*Please keep visiting my blogs and keep commenting too.*

Blog on "Quality Concepts and ISO 9001:2015 QMS Awareness"

Blog on "Quality Concepts and ISO 9001:2008 QMS Awareness"

Blog on "Senior Citizen Awareness"

Blog on "ISO 9001 QMS Awareness" in Hindi

Blog on "Risk Management Awareness"

Blog on "EMS Awareness"

WHY WE NEED RISK-BASED THINKING?

WHY WE NEED RISK-BASED THINKING?

Please read my earlier articles:
(i) 'DETERMINING AND ADDRSSING RISKS AND OPPORTUNITIES'
(ii) 'A SIMPLE METHOD TO DETERMINE RISKS AND OPPORTUNITIES'.

Why we need risk-based thinking? A general question needs answer. Risk is an inherent part of daily life. Risk also depends on the fragilities and capacities in a system, which are often not manifested until there is a triggering event. Risk may lead to disaster. Risk may be a path to disaster if protective capabilities of the system cannot deal with the negative consequences of the event.



Risk is a dynamic concept as it changes over time as the vulnerabilities or weaknesses in the system or society changing in time. Risk is not static, constant but rather a dynamic term that is constantly adjusting to changing vulnerabilities, weaknesses and hazards.

Risk is a fundamental reflection of the normal life. We calculate and deal with risk in everyday life - wear safety belts to reduce the likelihood of injury, get vaccination to reduce the risk of illness. Life or any system without risk is generally neither possible nor conceivable. Our response to natural and environmental hazards is often influenced by our perception of risk. Sometimes we choose to take a risk, knowing the associated risk. For example, people choose to smoke or drink, knowing the risks associated to their health. Risk perception is influenced by past experience and knowledge. Understanding a risk allows us to make informed decision by weighing the risk of certain activity or process with the benefits or outcomes derived from that activity or process. Without factual information, or with misinformation, we are faced with making an uninformed decision.

Risk-based thinking thus helps us to understand risks through a systematic valuation of determining risks associated in each process or system.

- Keshav Ram Singhal


For details on the Training Handbook on 'ISO 9001:2015 QMS Awareness', please CLICK HERE.
For details on 'Checklist for ISO 9001:2015 QMS', please CLICK HERE.

A SIMPLE METHOD TO DETERMINE RISKS AND OPPORTUNITIES

A SIMPLE METHOD TO DETERMINE RISKS AND OPPORTUNITIES

Please read my earlier article 'DETERMINING AND ADDRSSING RISKS AND OPPORTUNITIES'.

There may be various methods by which an organization can determine its risks and opportunities. My earlier article 'DETERMINING AND ADDRSSING RISKS AND OPPORTUNITIES' provides details of FEMA method, a commonly used method of risk identification and risk analysis.

ISO 9001:2015 QMS standard does not provide any specific procedure or method to determine risks and opportunities. It is for the organization to apply any procedure or method to determine risks and opportunities.

This article provides you a simple method by which, you can identify risks and opportunities associated with all functions and processes in the quality management system of your organization.

Top management of the organization should form a team of identified personnel, well versed with organization's processes and functions, with a coordinator to determine, monitor and review organization's risks and opportunities. The coordinator of the team should design a simple format for identification of risks and opportunities that should have following details:
- Process
- Department
- Risk/potential problem identified
- How critical is the risk/potential problem?
- Is risk acceptable or unacceptable?
- Proposed action to address the risk/potential problem (What should be done?)
- Opportunity identified with relevant details
- Proposed action to address the opportunity, so that it remains an opportunity and not turns to risk (What should be done?)
- Remark, if any

The above parameters are indicative. You can add a few more as per your needs. An illustrative example of the format designed for this purpose is shown in the below figure:




Suitable instructions should be issued to all process owners and department heads of the organization to fill the designed format and submit the same to the coordinator by a given date. For the first time, the management of the organization will set up a target date, but thereafter all process owners and department heads should report new identified risk or opportunity as soon as it comes to their notice. The coordinator of the team should collect relevant data, compile them, discuss with other team members through formal and informal meetings. He should make a summary of determined risks and opportunities with proposed actions and report the same to the top management. The top management of the organization should issue relevant guidelines and instructions within the organization, including department heads and process owners. This activity should not be a one-time activity. The top management and the coordinator need to take proactive active action regularly. Regular reviews (say quarterly or half-yearly) should be done and the author hopes that this simple method will be able to address the determined risks and opportunities in a proactive way.

A few examples of a few risks are mentioned in my earlier article. Here-in-below you will find a few examples about opportunities.

Opportunities

Opportunities lead to progress. Opportunities give assurance that the system can achieve its intended results. Opportunities enhance desirable effects. Opportunities prevent, or reduce, undesired effects. Opportunities achieve improvement.

Examples of opportunities

- NABL certified laboratory within the organization that provides verification and calibration services. Monitoring and measuring resources are verified and calibrated within the organization.
- Particular process is well defined and documented. Dealing person is well aware of the process.
- Learning from the past.
- Organization strives to implement 5-S Practice in the organization.
- Maintenance schedule is monitored and maintained.
- Process workers are trained and well-versed with the associated process.
- Organization provides complete engineering installation and commissioning service to customers.
- Organization provides after sales service support to its customers.
- Excellent team of work force.
- High standard of work culture.
- Use of information technology (IT)

- Keshav Ram Singhal

For details on the Training Handbook on 'ISO 9001:2015 QMS Awareness', please CLICK HERE.
For details on 'Checklist for ISO 9001:2015 QMS', please CLICK HERE.

ISO/TS 16949:2009 Revised: New Standard aligned with ISO 9001:2015 QMS

Awareness News

ISO/TS 16949:2009 Revised

IATF 16949:2016, the automotive quality management system (QMS) standard that’s based on ISO 9001 is published on 3rd October 2016.

IATF 16949:2016 has used the high-level structure of Annex SL. ISO 9001:2015 QMS standard has also used the high-level structure of Annex SL. IATF 16949:2016 is now aligned to ISO 9001:2015 QMS standard. IATF 16949:2016 standard includes the following 10-clause framework:

- Scope
- Normative references
- Terms and definitions
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement

IATF 16949:2016 standard includes several new requirements, not previously found in automotive standards, such as:

- enhance competency requirements for 1st and 2nd party auditors
- defining a "Whistle Blower" policy in order to report and escalate ethics issues
- a Code of Conduct policy that extends to the individual team member
- an Anti-bribery policy
- an increased focus on managing CSRs (customer-specific requirements)
- continued reduction of waste and variation in the supply chain
- increased focus on safety-related products and processes
- requirements for products with embedded software

All organizations currently certified to ISO/TS 16949:2009 will need to successfully transition to IATF 16949:2016 by 14th September 2018.

- Keshav Ram Singhal

Internal Audit - A Requirement of ISO 9001:2015 QMS Standard

Internal Audit - A Requirement of ISO 9001:2015 QMS Standard

Keshav Ram Singhal

Internal audit is a requirement of ISO 9001:2015 QMS standard. Clause 9.2 of the standard mentions requirements for internal audit, which are summarized hereinbelow:

Purpose - (i) Whether the QMS conforms to requirements of ISO 9001:2015 and requirements determined by the organization, (ii) Whether the QMS is effectively implemented and maintained.

Organization needs to:
Consider - Importance of processes concerned, changes affecting the organization, and results of previous audit(s).

Plan and establish - Audit programme (also include the frequency, methods, responsibilities, planning requirements and reporting)

Define - Audit criteria and scope (for each audit)

Select - Auditors to carry out internal audit (Ensure objectivity and impartiality)

Implement and maintain - Planned and established audit programme

Conduct - Internal audits at planned intervals (Ensure objectivity and impartiability)

Report (to relevant management) - Results of the audit

Take - Appropriate correction and corrective actions at an early date (without undue delay)

Retain documented information - (i) Implementing audit programme, (ii) Audit results

Although maintaining a documented information, describing the internal audit procedure, is not a requirement of the standard, however it is always better if an organization creates, update and maintains a documented information on internal audit describing the audit programme, frequency, methods, responsibilities, planning, conducting, reporting, scope, selection of internal auditors, retaining documented information as evidence etc.

For details on the Training Handbook on 'ISO 9001:2015 QMS Awareness', please CLICK HERE.

For details on 'Checklist for ISO 9001:2015 QMS', please CLICK HERE.

DETERMINING AND ADDRSSING RISKS AND OPPORTUNITIES

DETERMINING AND ADDRSSING RISKS AND OPPORTUNITIES

- Keshav Ram Singhal

One of the key changes in ISO 9001:2015 QMS standard is to establish a systematic approach to consider risks as an integral part of the QMS, rather than to treat 'prevention' as a separate need.

Risk is inherent in all aspects of the QMS. Each action we take has some risk or opportunity. All processes, functions and systems have some risks. Risk-based thinking helps to identify, consider and control all risks.

Risk can be defined as a deviation from the expected. It can be positive or negative. When a student appears in an examination, he may pass or fail depending upon his preparation and studies of the subject. Likewise, in an organization, all processes, functions and systems have some risks.

Earlier version, ISO 9001:2008 QMS standard, has a separate clause on preventive action. But the new version, ISO 9001:2015 QMS standard, uses risk-based thinking, where consideration of risk is integral. It is now a proactive action, rather than to be reactive (as it appeared in the earlier version). With the introduction of risk-based thinking, we need to: (i) determine risks and opportunities in all processes and functions, and (ii) plan and take actions to address risks and opportunities.

Risk-based thinking is something every person does automatically and regularly every day, but sometimes there have been omission in taking the preventive action that may cause an unfortunate incident. When we cross a road, we look to the traffic risk on the road; or when we board a coach of a train, we look that we get into the coach safely. We strive to take proactive action so that unfortunate incident does not happen.

Risk-based thinking was in the earlier version of ISO 9001 as requirements of preventive action, however the new version, ISO 9001:2015 QM standard, builds it into the whole management system from the beginning and throughout the system. Now preventive action, present in risk-based thinking, is inherent to planning, operation, analysis and evaluation activities.

Process approach also includes risk-based thinking.

Risk-based thinking is evident/mentioned in the following Para and clauses of ISO 9001:2015 QMS standard:

- Introduction - This Para explains the concept.
- Clause 4 - Organization needs to address risks and opportunities in accordance with requirements.
- Clause 5 - Top management needs to (i) promote use of risk-based thinking, and (ii) ensure determining and addressing the risks and opportunities that can affect conformity of product/service.
Clause 6 - Organization needs to (i) determine risks and opportunities, (ii) plan actions to address risks and opportunities, (iii) ensure actions taken (to address risks and opportunities) must be in proportionate to the potential impact on product/service conformity.
Clause 7 - Organization needs to determine and provide necessary resources for QMS. Risk is inherent in all aspects of the QMS.
Clause 8 - Organization needs to manage operational processes. Risk is inherent in all aspects of QMS.
Clause 9 - Organization needs to analyze and evaluate data and information with regard to the risks and opportunities. Management review includes consideration of the effectiveness of the actions taken to address risks and opportunities.
Clause 10 - Organization needs to correct/prevent/reduce undesired effects and update risks and opportunities determined during planning.
Since the risk-based thinking is evident in various requirements of ISO 9001:2015 QMS standard, auditors will look to the objective evidence of risk-based thinking during audits, including internal, certification, and surveillance audits.


Benefits of using risk-based thinking

Risk-based thinking:
- promotes proactive culture in the organization that improves organization's governance,
- assists organization to comply legal requirements,
- assures consistency of product/service quality, and
- improves customer confidence and satisfaction.

Using risk-based thinking

First question comes in our mind, how to use risk-based thinking in the QMS. Simple, we need to identify, understand and then address risks. ISO 9001:2015 QMS standard does not provide any specific procedure or method to determine risks and opportunities. It is for the organization to apply any procedure or method to determine risks and opportunities. Risk analysis is the important step of identify potential problems. One commonly used method of risk identification and risk analysis is known as 'Failure Modes and Effect Analysis' (FMEA) that is done during the design of a product or process. The purpose of FMEA is to identify all potential problems that could arise in the product or process, identify how critical is the risk and decide what to do about it.

FMEA process includes four steps -
(i) Identify your risks - It can be done in a brainstorming from different areas of your organization. List all potential problems that could arise. Considering external and internal issues and interested parties (as determined as per clause 4.1 and 4.2 of the standard) will be helpful in identifying the risks.
(ii) Determine how critical each risk is - You should assess the risk against probability of occurrence, severity of occurrence and chance of detection of occurrence. Brainstorm each risk that you identify. What is the probability of risk occurring? What is its impact?
(iii) Rank the risk - You should decide the rank of the risk, whether the risk is acceptable or unacceptable. What is your priority with regard to the risk?
(iv) Determine actions - After understanding the risk, determine your actions, what should be done. What you plan? Plan actions to address the risks. Mention mitigation steps to eliminate or reduce the risks.

FMEA process is simple. It is easy to use. FMEA process gives results that are easy to determine acceptability, and thus provides a framework to assign resources to risk reduction that is easily supported. You should clearly understand that FMEA is a way of dealing risk analysis, and it is in no way mandated by ISO 9001:2015 QMS standard that you must use it. Any method you find useful, relevant and efficient can be used.

After FMEA process, you need to address the risk:
(i) Implement the plan - Take action
(ii) Check the effectiveness of the action
(iii) Improve your action on the basis of check results

Examples of some risk factors

(i) Lack of trained staff - Not aware of procedure, process, task adequately
(ii) Infrastructure - Availability of material in time
(iii) Project goals not clearly defined
(iv) Cultural risk - Employees take leave without prior information, Employer-employee relationship
(v) Changes in legislation
(vi) Theft
(vii) Competition - Entry of too many competitors in the market, market size shrinks
(viii) Poor production process, process not clearly defined
(ix) Inadequate equipment/tools
(x) Poor/unattractive packaging
(xi) Late delivery of incoming materials
(xii) Customer does not provide timely feedback
(xiii) Insufficient test resources
(xiv) Data security
(xv) Workplace safety
(xvi) Material handling
(xvii) Improper use of protective equipment (such as, eye-glass, safety shoes, gloves etc.)
(xviii) Injury to workers due to water/oil leakage

Above list is indicative.

Format for risk identification and determining actions

Design a format for risk identification and determining actions with following columns: (i) Serial number, (ii) Date, (iii)Details of risk identified, (iv) How critical is the risk, (v) Acceptable or unacceptable (vi) Action to address the risk (what should be done?). Ask each department head and process owner to fill the format as soon as a new risk is identified. A copy of this determined information should be sent by the department head and process owner to an authority (say, QMS Coordinator) in the organization, who should consolidate relevant information in a Risk Register and share the information within the organization for the benefit of others.

Risk Register

Maintaining or retaining a Risk Register is not a requirement of ISO 9001:2015 QMS standard. However, maintaining risk register and retaining appropriate data will be a good practice. Risk register may have following columns:
(i) Date
(ii) Details of risk
(iii) Risk type - Classification of risk
(iv) Likelihood of occurrence
(v) Severity of effect
(vi) Actions to be taken to prevent, reduce or transfer risk
(vii) Owner - Who is responsible to take action?
(viii) Status - Current or ended
(ix) Remark

The columns are indicative.

Conclusion

- Risk is inherent in all aspects of the QMS. Each action we take has some risk or opportunity. All processes, functions and systems have some risks. Risk-based thinking helps to identify, consider and control all risks.
- Risk-based thinking helps to improve processes, functions and systems.
- Risk-based thinking implementation helps building an effective quality management system.
- Effectiveness of the actions taken to address risks and opportunities are the inputs to management review.
- Risk-based thinking helps continual improvement that focuses on prevention.
- Auditors will look to the objective evidence of risk-based thinking during audits, including internal, certification, and surveillance audits.



Suggested reading - (i) Guidance document on 'Risk-based thinking in ISO 9001:2015'.published by International Organization for Standardization (ISO)
(ii) ISO 31000:2009, Risk management - Principles and guidelines

For details on the Training Handbook on 'ISO 9001:2015 QMS Awareness', please CLICK HERE.
For details on 'Checklist for ISO 9001:2015 QMS', please CLICK HERE.