“Risk” & “Opportunity”mt.hkie.org.hk/DocDown.aspx?imgDoc=85_ISO+9001... · New ISO...


1/19/2016


ISO 9001:2015 Quality Management System Requirements – Risk Management

CK Cheung

International Lead Evaluator for National Accreditation Body

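Is ISO9001 useful? Or is it just a game?

• It depends on the attitude of the enterprise

• The level of the objectives set in the system

• The practicability of the quality management system

• The commitment of top management

• It is the job of the entire staff, not the job of one individual (the quality manager)

• Training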

ISO 9001:2008

Quality Policy

Quality Objective

Corrective Action

Preventive Action

Internal Audit

Management Review

Preventive Action

River Thames Flood Barrier in London

To Prevent Flooding of London in 1 to 200 year Storm


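What is quality? Meeting or exceeding the requirements the customer has stated and implied

What is quality? Meet customer requirements and exceed their expectations

Three Gorges Project, China (Three Gorges Dam)

Chief Engineer of the Three Gorges Project, China: “Quality is life”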


Quality Development

• Quality Control: 1980s

• Quality Assurance: 1994

• Quality Management: 2000 & 2008

• Quality Risk Management: 2015

ISO9001 : Development Background

• 1959: UK Ministry of Defence standard MIL-Q-9858

• 1969: NATO standard series (NATO AQAP Series of Standards)

• 1974: BS5179 Guidance

• 1979: BS5750 A Series of Standards

• 1987: ISO9001

• 1994: ISO9001

• 2000: ISO9001

• 2008: ISO9001

• 2015: ISO9001

ISO9001:2008 – “4” Elements

• Management Responsibility

• Resource Management

• Product Realization

• Measurement, analysis and improvement

ISO9001:2015 – “7” Elements

• Context of the organization

• Leadership

• Planning for the QMS

• Support

• Operation

• Performance evaluation

• Improvement

ISO9001:2015


Plan-Do-Check-Act Cycle

Plan

Do

Check

Act

CUSTOMER REQUIREMENTS

CUSTOMER SATISFACTION

CONTINUAL IMPROVEMENT


New ISO 9001:2015 Users Survey Results 1

• - Communication

• - Time, speed, ability & related aspects

• - Quality management principles

• - Alignment with business management practices

• - Risk based thinking approach

• - Life cycle management

• - Plan, source, make, deliver

• - Focus on product conformance

New ISO 9001:2015 Users Survey Results 2

• - Clarification & differentiation of the multiple customers of an organization

• - (Process) innovation

• - Maintenance of infrastructure

• - Process management

• - Knowledge management

• - Competence

• - Structure of QMS & related to MMS

• - Impact on technology & change in information management

Quality Management Principles

2008 | 2015

Customer focus | Customer focus

Leadership | Leadership

Involvement of people | Engagement of people

Process approach; System approach to management | Process approach

Continual improvement | Improvement

Factual approach to decision making | Evidence-based decision making

Mutually beneficial supplier relationship | Relationship management

Terminology

• Risk – effect of uncertainty (on an expected result)

• Documented information – information required to be controlled and maintained by an organization and the medium on which it is contained

• Context of the organization – business environment: the combination of internal and external factors and conditions that can have an effect on an organization’s approach to its products, services and investments and interested parties

Concept of Exclusions

• Where a requirement of the ISO 9001:2005 CAN be applied then it SHALL be applied by the organization

• If any requirement(s) CANNOT be applied, this SHALL NOT affect the organization’s ability or responsibility to ENSURE conformity of products & services


Where do we meet requirements regarding “Risks”

• - Determination of the processes, taking into consideration risks & opportunity (4.4f)

• - Risks & “opportunity” that can affect conformity of products & services and the ability to enhance customer satisfaction should be determined & addressed (5.1.2b)

• - When planning for the QMS, the organization shall determine the risks & “opportunity” (6.1.1)

Where do we meet requirements regarding “Risks” (Cont’d)

• - The organization shall plan actions to address risks & “opportunity” (6.1.2)

• - Determining type & extent of control of external provision (8.4.2)

• Be careful: this clause doesn’t use the word “risk”, but the meaning is that risk is present

Where do we meet requirements regarding “Risks” 3

• - In determining the extent of post-delivery activities the organization shall consider the risks associated with the products & services (8.5.5a)

• - The management review shall be planned and carried out taking into consideration the effectiveness of actions taken to address risks & opportunities (9.3.1d)

Risk-based thinking (1)

• carrying out preventive action to eliminate potential nonconformities, analysing any NCs that do occur, and taking action to prevent recurrence that is appropriate for the effects of the NC

• needs to plan & implement actions to address “risks and opportunities”

• establishes a basis for increasing the effectiveness of the QMS, achieving improved results and preventing negative effects

Risk-based thinking (2)

• Opportunities can arise as a result of a situation favourable to achieving an intended result, for example a set of circumstances that allows the organization to attract customers, develop new products and services, reduce waste or improve productivity.

• Actions to address opportunities can also include consideration of associated risks.

• “Risk” is the effect of uncertainty and any such uncertainty can have positive or negative effects.

• A positive deviation arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities.

Risk


Documentation requirements 1

• - QMS Scope (4.3)

• - The org shall maintain “documented information” to the extent necessary to support the operation of processes and to have confidence that the processes are being carried out as planned (4.4)

• - Quality policy (5.2.2a)

• - Quality objectives (6.2.1)

• - Evidence of fitness for purpose of “monitoring” & “measurement” resource (7.1.5)

• - The basis used for “calibration” or “verification” where no international/national standards exist (7.1.5)

• - Evidence of “competence” (7.2d)

Documentation requirements 2

• - Confirmation of “conformity” of processes & products/services (8.1e)

• - Results of “review” of requirements for the products & services (8.2.3)

• - Confirmation that D & D requirements have been met (8.3.2g)

• - “Results” of D & D process (8.3.5)

• - D & D changes (8.3.6)

Documentation requirements 3

• - “Results” of evaluation, monitoring of the performance & re-evaluation of the external providers (8.4.1)

• - “Characteristics” of the products & services (8.5.1a)

• - “Activities” to be performed during production service provision & the results to be achieved (8.5.1b)

• - “Documented information” necessary to maintain traceability (8.5.2)

Documentation requirements 4

• - Results of the review of “changes”, of products/services, the personnel authorizing the change, and any necessary actions (8.5.6)

• - Traceability to the person authorizing “release” of products & services for delivery to the customers (8.6)

• - Actions taken on NC process outputs, products & services (8.7)

• - Results of “monitoring” & “measuring” activities (9.1.1)

• - Evidence of implementation of the audit programme & the audit results (9.2.2f)

• - Results of management review (9.3.2)

• - Nature of the NCs, action taken, results of action taken (10.2.2)

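ISO9001 Document Hierarchy

• Quality Manual (QM): what will be achieved

• Procedure documents (SOP): how to do it

• Work instructions (WI): detailed explanation of how individual process steps are carried out

• Records: record of the work processes carried out and their results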


Change in requirements 1

• New requirements

• - 4.1 “Understanding” the organization & its “context”

• - 6.1 “Actions” to address “risk” & “opportunities”

• - 7.1.6 Organization “knowledge”

• - 8.5.5 “Post-delivery” activities

Change in requirements 2

• Main changes

• - 4.2 Understanding the needs & expectations of “interested parties”

• - 4.3 Determining the “scope” of the QMS

• - 5.3 Organization roles, responsibilities & activities

• - 6.2 Quality objectives & planning to achieve them

• - 8.5.3 Property belonging to customers or external providers

• - 9.1.3 Analysis & evaluation

Change in requirements 3

• Eliminated requirements

• - Quality Manual (4.2.2 of ISO 9001:2008)

• - Management representatives (5.5.2 of ISO 9001:2008) (the position of management representative does “not” exist anymore, but the responsibilities are still present; see 5.3)

• - “Preventive actions” (8.5.3 of ISO 9001:2008)

Major Difference in Terminology

Total Quality Management - TQM

• TQM is a new “paradigm” of management

• TQM is both a philosophy & methodology for managing orgs

• TQM includes a “set” of principles, tools, and procedures that provide “guidance” in the practical affairs of running an org

• TQM involves “all” members of the org in controlling and continuously improving how work is done

• Orgs that use TQM agree that it is fundamentally different from traditional management

TQM Model Risk Management


Crisis Management Definitions

• Crisis

• In Chinese “wei-ji” = danger & opportunity

• “Decisive moment, Crucial time, Turning point for better or worse”

• “An unstable time or state of affairs in which a decisive change is impending”

• Crisis Management

• Is the art of “removing” much of the risk & uncertainty from a crisis

Crisis Characteristics

• Escalating in intensity

• Falling under close media or government scrutiny

• Interfering with the normal operations of business

• Jeopardizing the positive public image presently enjoyed by a company and its officers

• Damaging a company’s bottom line in any way

Crisis Management

• Crisis Management Plan

• - What is Crisis

• - Phases of a Crisis

• - Crisis prognosis & prodromal symptoms

• - Crisis management team

• - Contingency planning

• - Continuity management

• - “Risk” analysis

• - Management system auditing techniques

Crisis Management & Communication

• - Strategy

• - Uniform objectives & message

• - Media used on first announcement

• - Second news round, Long term crisis

• - Crisis resolution

• - “Internal communication”

• - Communication with special audiences

Defining Crisis

• “Risk” is defined as an “uncertain situation”, or an action taken during a prevailing uncertainty, when the circumstances or the results of such a situation are unsure.

• “Risks” are the occurrence likelihood and occurrence consequences of an event

• “Risk” is an effect of uncertainty on objectives (ISO 31000)

Defining Risk Assessment

• Risk Assessment –

• It is defined as a set of techniques and methods on the system level to predict future events and their consequences.


Risk Assessment

Defining Risk Management

• Risk Management = Risk Assessment + Risk Control

• Risk identification – Risk Management Planning

• Risk Analysis – Risk Resolution

• Risk Prioritizing – Risk Monitoring

Major Risks – Data from Europe

• National Legislations – 82%

• Environmental Issues – 76%

• Health & Safety at work – 72%

• New Technologies – 64%

• European Legislation – 50%

• Political Changes – 50%

• Society – 36%

• Special Issues – 35%

• Financial – 30%

• Legal – 27%

Major Risks – Data from USA

• Health & Safety at work – 82%

• Environmental Issues – 76%

• Strikes – 72%

• Products Recall – 64%

• Ownership changes – 50%

• Control of Corporate Management – 50%

• “Leakage” to Mass Media – 36%

• State Intervention – 35%

• Terrorism – 30%

• Financial Scandals – 27%


More Risks Terminology

• Hazard is an act or a phenomenon posing potential harm to some person or thing and its potential consequences

• Reliability can be defined for a system or a component as its ability to fulfill its design functions under designated operating environmental conditions for a specific time period

• Reliability = 1 – Failure Probability

• Event Consequences can be defined as the degree of damage or loss from some failure

More about Risk Definition

• Risks are the occurrence likelihood and occurrence consequences of an “event”

• Risk = [ (P1, C1), (P2, C2), ..., (Pn, Cn) ]

• Where:

• Pi = the occurrence probability of an outcome of the event and

• Ci = the occurrence consequence of outcomes of the event

More about Risk Definition

• RISK = Likelihood x Impact

• Risk (Consequence/Time) = Likelihood (Event/Time) x Impact (Consequence/Event)

• Note:

• 1. Likelihood can be expressed as a “probability”

• 2. This equation presents risk as an expected value of loss or an average loss

Composite risk index

• Composite Risk Index = Impact of risk event x Probability of occurrence

• The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact of an occurrence of a risk

• The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event actually occurring while 5 represents a very high probability of occurrence.

• The composite risk index thus can take values ranging from 1 through 25

Risk options

• Risk mitigation measures are usually formulated according to one or more of the following major risk options, which are:

• Design a new business process with adequate built-in risk control and containment measures from the start.

• Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures.

• Transfer risks to an external agency (e.g. an insurance company)

• Avoid risks altogether (e.g. by closing down a particular high-risk business area)