ISO 19011:2018, 6.2.2d Risks and Opportunities

11 Replies

Posted by Emily Labs on Aug 23, 2018 3:18 pm

Reading through the new ISO 19011:2018 has been interesting. I am marking the changes in the new standard but I noticed in 6.2.2d that Contact is to be made to "Request access to relevant information for planning purposes, including information on the risks and opportunities the organization has identified and how they are addressed;"

My question is: How can they request information (implying here that they want documented information, I am sure that they do not want a lengthy phone call about how a company is addressing RISK) when ISO 9001:2015 6.1 does not state that the RISKs need to be documented. So, by adding this in the 19011 are they in fact telling us to have the RISKs documented?

(As a side note, my company does document our RISKs on an FMEA, but I am wondering for consideration's sake.)

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by John Vandenbemden on Aug 23, 2018 7:30 pm

You do point out a dilemma for auditing ISO 9001:2015. This standard does not require documented information as a requirement but does require a determination of risks and opportunities. The organization, if not documented, must be able to present evidence, if it is verbal, of a consistent method on how risks and opportunities were determined and associated planned actions taken to address them. As an auditor, it requires assessing where the organization states the actions have been planned and taken place. This may be in the form of corrective actions, continual improvement, documentation revisions or even as opportunities for improvement. Audit trails and following them properly is required to assess this if the organization does not document them.

It must be pointed out that ISO 19011:2018 is applicable to ISO 14001 and ISO 45001, where those standards do require the risks and opportunities be documented within the requirements. This difference between ISO 9001 and these standards results in the issue you identified for 6.2.2d Risks and Opportunities in ISO 19011:2018. Currently ISO 19011 is only referenced in ISO 9001:2015.
John Vandenbemden

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Emily Labs on Aug 28, 2018 11:26 am

John, actually ISO 9001 does not state that the organization SHALL produce any evidence, in regards to 6.1. They say that they shall PLAN, but I can have a meeting that plans changes without documenting the meeting, minutes, or follow up actions. (not that I would ever omit any of those) Having said that, in 6.1.2.b.1 it says that the org shall plan... "How to integrate and IMPLEMENT the ACTIONS into its QMS processes". This is the closest hint of documentation for RISK that I could think of in 6.1. If someone was to put something into QMS action, documenting it would be the only way to go.

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by John Vandenbemden on Aug 28, 2018 11:55 am

That was my point: that ISO 9001 did not state a documented information requirement but still must be audited for conformity.

John Vandenbemden
Principal consultant Q-Met.Tech
Mobile: 859-240-1739

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Emily Labs on Aug 28, 2018 2:27 pm

John, on that we agree, but I was responding to your comment "must be able to present evidence". The ISO does not explicitly state evidence, nor does it require documentation... Would we then only have to say "yes, we are mitigating risk", and move on to other topics of the audit? And if that were the case, then could I not argue that any comment from an auditor related to risk is invalid? And that any action towards a documented RISK process be annotated as a Noteworthy Effort?

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Ernest Phoon on Aug 28, 2018 8:23 pm

Hi,

I would think that when planning an organizational audit, it would help if I knew how you addressed risk. This would help the auditors when they go on the ground to conduct the audit.
If you said that you managed it through FMEA then it would be a heads up for the auditors to expect it.
If you said it is handled as part of the Management review, then it would make sense to look for it there on how it is articulated to fulfill the requirements of the standard.

This would help the lead auditor plan his resources before engaging the organization on the ground. Imagine surprising the lead auditor by telling him that you perform cloud analytics with a sophisticated customized in-house software which you can't even pronounce when you ask the organization how risk is addressed.

My 5 cents,
Ernest

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Christianna Hayes on Aug 28, 2018 8:38 pm

Requesting information, from an auditor's standpoint, is always a good practice to prepare for any audit. That's why this is in 19011:2018. In the case of ISO 9001:2015, you may not get risk / opportunity information in writing (you may, though, so it's worth the request on top of other relevant information). If they can't provide something in writing, that only means that you will need to verify the information onsite during the audit, as the evidence will come in a form other than in writing. As a 9001 auditor, you will still need to find evidence that 6.1 is complied with. 19011 can give you guidelines on requesting information, but it cannot guarantee you will get documented information because it is geared towards auditing many standards with different requirements. Hope that helps. Great question!

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Amanda Foster on Aug 29, 2018 6:34 am

As far as evidence, not all evidence is documented. I know auditors were concerned with auditing ISO 9001:2015 when it was rolled out because there was so little required written documentation. In our company there is a lot of handling of risk during regular meetings. There is a management meeting once a week, a management plus administration once per week, senior management plus IT once per week, and I meet with senior management biweekly on the QMS. It is during these meetings that a lot of the risk and opportunity information is discussed. There are sometimes written outputs from these meetings, but not always.

Corroborated interview information would serve as audit evidence in this situation.
Amanda Foster, ASQ CQA

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Christianna Hayes on Aug 29, 2018 9:32 am

As a quick note - make sure that you have a way to collect any actions you determine need to be made against risk/opportunities, as you are required to review the effectiveness of those actions as part of management review, which DOES have to be documented. Just had a little conversation with a company I'm auditing about that. They didn't make the connection between 9.3 and 6.1 and the documentation requirements for 9.3.

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Amanda Foster on Aug 29, 2018 11:16 am

Good point Christianna Hayes, I already have risk/opportunities on my template for management reviews, but I could see how that connection could be missed!
Amanda Foster, ASQ CQA

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Emily Labs on Sep 6, 2018 3:51 pm

With our Quality System Review Meeting (Management Review), our slides were a mirror of 9.3.2 A-F. We also made sure to create a form (Excel) for "Action Items and Recommendations". The form was awesome because it helped me to keep track of what outputs needed addressing, and their status. Then for next year's meeting, I can print that form out with the hand-out while we talk about 9.3.2A 'the status of actions from previous management reviews'.

Re: ISO 19011:2018, 6.2.2d Risks and Opportunities

Posted by Amanda Foster on Sep 7, 2018 6:06 am

Emily Labs, that is very similar to what I have done. Forms may not always be required, but a good form sure makes things easier!
Amanda Foster, ASQ CQA