Standards

  • 1.  ISO 9001:2015 Context of the Organization

    Posted 08/13/18 03:02 PM
    One of the Observations we received from our 2015 certification was based upon 4.1 Understanding the Context of the Organization. The Auditor commented that we did not have any external/internal effects listed in our RISK Matrix that were not Interested Party (IP) related. He gave the examples of power outages (IP: community), severe weather (IP: suppliers/sister companies), economic/political climate (IP: customer/community), diverse client base (not within our strategic direction at this time). I believe that all that we do, and all that could affect us, has an effect on one of our already identified Interested Parties (many not listed above).


    I sat down and did a PESTLE (Political, economic, social, technological, legal, and environmental) with my Top Management, which gave us 34 more risks (great tool for those interested). All of the new risks would affect our interested parties...


    What do y'all think? Am I missing the point of the Observation? Or do I have the concept covered?


  • 2.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/13/18 03:28 PM
    I believe you have exceeded the expectation. There is no requirement in ISO 9001:2015 to document anything in 4.1 or 4.2. The output for 4.1 and 4.2 could have been conducted as a brainstorming session. The prioritization for determining risks and opportunities could also have occurred by circling various items, similar to the method for cause and effect diagrams. What is required by the requirement of 6.1 is to take action on the items that have been determined to be risks and opportunities. The number of these items is not designated by the requirements, only the fact that the organization performs their due diligence to fulfill the requirement to address risks that can hinder the system or opportunities that can create a level of improvement.


  • 3.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/14/18 05:20 AM
    John, thank you for your input! We did have an OFI (Opportunity for Improvement) based on our RISK Matrix. We had identified Risks, though we were only managing those that we had deemed as "high" risks. Our auditor reminded us that the ISO does not rank risk; it tells us to mitigate all risks. (It stayed an OFI because there were one-liners for how each risk was managed, but it was not extensive.)


  • 4.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/14/18 12:57 PM
    I would agree with John Vandenbemden that you have exceeded the expectations because there is no requirement for documentation in 4.1 or 4.2 of ISO 9001:2015. Additionally, 6.1 also does not have any documentation requirement. When we were pursuing the ISO 9001:2015 upgrade, I emphasized to our leadership (and to a lesser extent personnel in general) that they needed to understand and be able to verbally explain their understanding of the organization in its context and how they understood the needs and expectations of interested parties. This led to good discussions about what this really meant to our company and the ability of our leaders to describe these requirements confidently with our auditor.


    I think I would be inclined to disagree with your auditor in regards to ISO 9001:2015 not ranking risks. I have been reviewing 6.1 with that in mind and I keep landing on the word proportionate. I guess this depends on your definition of the word mitigate, but NOTE 1 states "Options to address risks and opportunities can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision." Mitigation to me implies action; I think a case could be made that some risks simply can be answered with a single word like accepted or retained. Again, there is no documentation requirement for this clause of the standard, so this could even take place in a meeting setting.


    We have a rather unusual business and product, so we really have had to evaluate the standard and the expectations of auditors to determine what is really a requirement and what is auditor preference.


  • 5.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/22/18 12:46 PM
    Thank you for your input, Amanda! I was thinking along the same lines for the "accepted risk" (knowing that Notes are not "auditable" and so making it a grey area to auditors). My auditor was feeling rushed and so I feel that he did a 10,000-foot-high view of our company. But I know what you mean about an unusual business. My company is under a larger umbrella and some of our departments are fulfilled by other "sister" companies under that umbrella... which makes us a grey area to each other and our poor auditor. I have also talked this over with my counterpart at one of the other sister companies and he agrees with you, that the acceptance of the risk is adequate, as long as it was addressed. The hardest part was getting buy-in from people who were driving off the rails with left-field Risks. Doomsday-type risks made us so stringent in our identified risks that we didn't have very many identified (which I believe caused our auditor to look more closely at it).


  • 6.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/24/18 09:04 AM
    I am amazed that your CB still reports OFIs. Two of the CBs I work with no longer provide any OFIs since they look so much like recommendations.


  • 7.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/28/18 09:28 AM
    William, we use DNV. I appreciate them using OFIs and Observations because it gives us a distinction between their recommendations. The newest ISO 19011 actually talks about OFIs and Recommendations in 6.4.8, Generating Audit Findings:
    "When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee."

    Also in A.18.4 Dealing with Findings related to Multiple Criteria, it says

    "...the auditor may guide the auditee on how to respond to those findings."

    (Although the Annexes are not requirements, they are guidelines nonetheless.) It was interesting finding usable definitions of OFIs and Observations (they are not in ISO 9000); on our last audit report from DNV, they gave a slide with their definitions:

    Definition of Findings

    Major Nonconformity (Category 1)
    A nonconformity that affects the capability of the management system to achieve the intended results.
    Nonconformities could be classified as major in the following circumstances:
         ● if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements
         ● a number of minor nonconformities associated with the same requirement or issue that demonstrates a systemic failure and thus constitute a major nonconformity
    Minor Nonconformity (Category 2)
    A nonconformity that does not affect the capability of the management system to achieve the intended results
    Observation
    An observation is not a non-conformance, but something that could lead to a nonconformance, if allowed to continue uncorrected; or an existing condition without adequate supporting evidence to verify that it constitutes a non-conformance.
    Opportunity for Improvement
    Opportunities for improvement relate to areas and/or processes of the organization which may meet the minimum requirement of the standard, but which could be improved.



    Something else to consider with the OFIs: they lend to the RISKs and Opportunities... ISO has so associated the pairing that to remove the OFIs would essentially remove the notion of RISKs that they have only recently included into the standards. I would question the CB that is trying to take out the newest portion of the ISO...


  • 8.  RE: ISO 9001:2015 Context of the Organization

    Posted 08/28/18 11:57 AM
    John is correct, there is no requirement for documentation, so they couldn't write it as a finding/nonconformance. OFI is the proper way to write it, but as others have mentioned, OFIs are not being written as often. As a 9001 and AS9100 auditor myself, I know that it is becoming common for the auditors who audit registrars to come back, without context, and say that an auditor should have written something as a nonconformance instead of an OFI. That unfortunately drives auditors not to write OFIs for fear of backlash without understanding. I still write them but make sure that I can clearly document why something wasn't a finding.


    The intent of the OFI though is that you can choose to ignore it. OFIs do not have to be actioned upon. You did great and I love the work you did as a response because that is the intent of 4.1 (understanding your environment and the issues (positive and negative) that can affect your organization or that you can affect). Great job.