Are These Expressions

Are these expressions: "Risk-based thinking", "Actions to address risks and opportunities" and "Risk management" different? Really?

The confusion over the term "risk" in the new ISO/DIS 9001:2015 and other MS standards could have been avoided simply if the ISO/TC 176 and the ISO/TMB had consulted (and understood) the terms and definitions in ISO 31000 and ISO Guide 73.

What does the expression "address risk" mean? And the footnote in DIS 9001 on the various options for "addressing risks"?

Answer: to "address risk" is nothing more than to TREAT risk!

And what should you do to treat risk?

Simple: you need to identify the risks, then analyze them and evaluate them (against previously established risk criteria) in order to define the best options for the organization to address these risks.

That is, briefly, the risk management process proposed by ISO 31000 and shown in this humorous figure: http://bit.ly/1FW9dzC

Rob Jeges

The objectives of QM are just two, to meet customer expectations and to do so consistently. Risk on the latter is about statistical process control, and on the former about requirements elicitation, analysis, design and user acceptance.

Like Francesco says, it is nothing more than risk identification, assessment and treatment. Rather than introducing new terminology we should home on the language of ISO 31000 and understand the underlying theory of risk.

7 days ago

Ahmed F. Shalabi

Well said, Robert. Thank you.

6 days ago

David Seear

I love the cartoon approach to the question! This is typical of the difference between Risk Professionals and common sense. Common sense would make you move well away from the edge of the cliff and you would not need to discuss it. Risk is all about discussing more and more options and then disagreeing with each other on what needs to be done. Only joking! Or am I?

6 days ago

ATHANASIOS FOURTOUNAS

Thank you for sharing

6 days ago

David Seear

Francesco,

The difference between "Risk Management" and "Risk Based thinking" is simple. ISO 9001 has had to be structured around Annex SL the new ISO format to allow certification standards to be easily integrated. As this new structure is generic it has to cover many different options some of which may not be necessary for some organisations. As stated in ISO 9001 2015 DIS in clause 0.5 Risk Based thinking is the effect of uncertainty on an expected outcome AND the concept of risk based thinking has always been implicit in ISO 9001. In the past quality professionals did not have to have the word "Risk" in ISO 9001. In fact ISO 9001 2008 clause 4 categorically states that "Risk Management" is not applicable to ISO 9001 2008. This did not mean that RISK, as related to the scope of ISO 9001, was not applicable just that the broader issues covered by "Risk Management" are not applicable. So the new Annex SL structure has a clause "6.1 Actions to address risks and opportunities". So how to deal with the new term "Risk" when the previous standard ISO 9001 2008 stated "Risk Management" was NOT applicable. That is easy: it was removed from the new clause 0.6 in ISO 9001 Draft lines 339 - 340. (See clause 0.4 in ISO 9001 2008 to compare). So one problem solved. Like most things changing something can raise another question and this is the question being raised here: what is the difference? If I say to you that ISO 9001 is all about meeting the agreed customer requirements that is simple and totally objective. Then "Risk based thinking" is just that. If you then check your own organisation's quality management system and you can demonstrate that it can consistently meet the customer requirements then NO action is necessary. You don't stand under the cliff thinking about "Risk" when the decision to be made is obvious.

6 days ago

Martin Hopkinson

Francesco,

For most of the three hundred or so years in which the principles of risk management were developed, suggested approaches were dominated by the question of how to make decisions under conditions of uncertainty. These approaches might be characterised as risk based thinking.

It is only recently (last 30 years) that most practice has changed to one in which risks are treated on a risk by risk basis. The focus has thus switched from decisions to risks and the approach can be characterised as actions to address risks and opportunities.

Processes that focus on risks are relatively easy to understand, whereas the methods used to make decisions under conditions of uncertainty are more sophisticated. As I see it, we have a problem because the decision-centred approaches are also much better in many circumstances, but are being swept aside by simplistic tools such as the probability-impact matrix.

6 days ago

Terry McHugh FCQI CQP.

It may be one thing to discuss risks but I have yet to see discussions regarding the identification and evaluation of hazards. Additionally it appears that Risk is all about the processes involved yet in some instances you must be aware of physical access to the workplace which has nothing to do with the outcome of the actual work involved. You may have to consider every aspect of your workforce from the time they leave their front gate until they return after a full working shift. How will that be interpreted by the standard?

5 days ago

Peter van Nederpelt

Risk is defined in ISO 9001:2015 DIS as "the effect of uncertainty on an expected result". This definition raises two questions: 1) who expects the results and 2) what are the expected results.

RBT can be applied in many different fields of expertise. However, the scope of RBT in ISO 9001 should be restricted to quality management. This means that the expected results can be specified as follows: the result expected by the customer is that the quality of the product/service is good and the result expected by the provider is that the customer will be satisfied. This way, RBT is related to the goals of ISO 9001. This could be mentioned in clause 0.5 of ISO 9001:2015 DIS.

Finally, the term 'addressing risk' is not defined in ISO 9001:2015 DIS. A normative reference is missing. So, it is up to the reader to define what it is. It could be the whole process of identifying, analysing, evaluating and treating risk or just treating risk. Personally, I prefer the whole process.

5 days ago

Mark Fenech

David Seear - you might be borderline between joking and not!

Usually humans are good at identifying risks, however I think there are times when we tend to be biased. And hence the need for a formal and logical approach (standards and guidelines and frameworks) to help us out.

5 days ago

Paul Thompson CMIOSH; MIIRSM; MSc; BA(Hons).

Having a common understanding on the underlying theory of risk in my humble opinion depends on your frame of reference. The issue of definition has been raised numerous times. What this tells me is that we will only reach a consensus when definitions and terms serve all frames of reference or scope according to a specific reference?

Some thoughts.... I don't think definitions such as "the effect of uncertainty on an expected result" are meant to be used as a normative reference, which is fulfilling a quality purpose and scoped accordingly. Different definitions of risk can be found in safety, security, health, finance etc. For me risk is more than a statistical process. Uncertainty and risk are not the same but are often used to mean the same thing. It has never been properly separated. Similarly, ISO 31000 and understanding the underlying theory of risk is not recognising all references in its definition. My point here is that framing is a fundamental problem with all forms of risk assessment, and until this is solved we shall continue with the differing terms and definitions. For me risk is a possibility of an undesirable event whatever the discipline, but the words 'undesirable' and 'event' need context. This is different from risk definition stating 'objectives' and separates from any reference to positive risk.

5 days ago

Philip Scalise

"What does the expression address risk mean? And the footnote in DIS 9001 on the various options for addressing risks?"

To not plead ignorance of risks. To have considered them and understood them for each and every value added activity under the scope of top management organizational responsibility.

"Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision."

I do recognize there is confusion surrounding risk based thinking and I do believe TC 176 has contributed to this confusion when in fact they should be alleviating concerns as opposed to contributing to them. Personally I find nothing funny about risk and find cartoons less than helpful.

5 days ago

David Seear

Philip,

Above the footnote you mention on clause 6.1.2 of ISO 9001 Draft it states - Actions to address risks and opportunities shall be proportionate to the potential impact on the conformity of the products or services. Please re-read this statement as it mentions "Proportionate" and "Product or Services" that are provided. The ISO 9001 Draft has the same scope as ISO 9001 2008. It is all about having a quality management system that can consistently meet the customers and relevant statutory and regulatory requirements from agreeing what is required to delivering it. What I see is "Risk Professionals" trying to use ISO 9001 as a standard that they can bring in any "Risk" they like. e.g. We already have a statement above "You may have to consider every aspect of your workforce from the time they leave their front gate until they return after a full working shift how will that be interpreted by the standard". All I can say it is NOT, I repeat NOT, covered by ISO 9001. This is "Risk Management" in its broadest sense and that is why "Risk Management" was excluded from ISO 9001. What is happening is what I feared would happen where everything you can think of is a RISK is trying to be included. It is this type of broad interpretation that worries me. I have even been told it includes the risk of having a poor meal in the canteen as staff could be upset. I could go on but there is no point as I see is too many "Risk Professionals" adding whatever they want and misusing ISO 9001. I will state again "Risk based thinking" is a term used to explain the restrictive activity as it relates to ISO 9001 and this is mentioned in line 301 and 302 of the Draft ISO 9001 where it states "Risk based thinking has always been explicit" in ISO 9001 whereas "Risk Management" is what covers all of an organisation's "Risks".

As already explained "Risk Management" is not covered by ISO 9001 unless the organisation itself has determined a risk should be dealt with to ensure they meet the customer's requirements.

5 days ago

Terry McHugh FCQI CQP.

David,

I tend to agree with you and it is why I think that the inclusion of Risk into the standard will create problems as can already be seen by the varying comments. With regard to leaving the front gate and returning at the end of the shift there are situations where the quality of service and customer satisfaction may not be up to the required level & could be compromised due to tiredness, journey times or workload. In some instances these are mandated requirements for consideration and I worry that the confusion between Risk based thinking, Risk management and Hazard control will be lost on a lot of people. This continued meddling with the standard only helps to accelerate its demise.

5 days ago

Philip Scalise

David, not sure why you addressed those comments at me, but thank you just the same. Be well friend.

4 days ago

Ahmed F. Shalabi

Philip: If this is the case, why then after various exchanges and over 200 comments on the ISO 9001 forum; there is no consensus on using the ISO 31000 definition for risk? And NO ONE has been able to support the ill-conceived concepts of 'positive risk' or 'neutral uncertainty' -- don't you think the idea to change the definition is based on NOT distinguishing between risks and opportunities which is consistent with what accountants do but contradicts the other professions, standard English usage, and how risk/uncertainty evolved? Is it really worth causing this confusion now, given other ISO 14001 and ISO 50001 will go through a similar experience?

As one commenter in the ISO 9001 forum stated, "ISO had accomplished the confusion, not us".

4 days ago

Philip Scalise

Ahmed: In your comments addressed to me, you state;

"If this is the case, why then after various exchanges and over 200 comments on the ISO 9001 forum; there is no consensus on using the ISO 31000 definition for risk?"

Are you under the impression that I am supporting risk based thinking or the manner in which it is being introduced when I have clearly stated otherwise? I find it beyond ironic that you would ask me why people do not understand such things while it appears you are misunderstanding a singular comment thread posting in which I have so clearly stated;

"I do recognize there is confusion surrounding risk based thinking and I do believe TC 176 has contributed to this..."

4 days ago

Philip Scalise

David Seear, would it be possible for you to articulate a closed ended question for me as opposed to using me in a rhetorical implication and suggesting that I need to "reread" something? I am typically not one to take offense and I prefer to believe none was intended so forgive me if I find your desire to issue homework assignments just a bit presumptuous when you state;

"Philip, Above the footnote you mention on clause 6.1.2 of ISO 9001 Draft it states - Actions to address risks and opportunities shall be proportionate to the potential impact on the conformity of the products or services. Please re-read this statement as it mentions "Proportionate" and "Product or Services" that are provided."

Did I somehow imply that it did not? How would this be any less arbitrary than for me to write in responses to your posting

David above the clause you mention in the ISO 9001 Draft it reads; Planning for the quality management system. Please re-read this statement as it mentions "Planning" for "quality" and "systems."

This is a great example of not planning for a reaction to an action that you have taken and it will prove very educational, so I truly do look forward to your response here.

4 days ago

Ahmed F. Shalabi

Philip: Now I'm confused... ISO TC 176 was 'asked' to use the risk-based thinking in ISO 31000 (which if you've been following the forums over the last few months, its definition of risk needs to be revised), so the confusion is not on the part of TC 176, as you claim. There's a separate ISO 9001 forum initiated by Christopher Paris on this issue -- please review those comments and the lack of consensus on introducing RBT, from ISO 31000. Thank you, Ahmed

4 days ago

David Seear

Philip,

You are correct I most certainly did not intend to offend anyone. I just responded to your question. In my second response (after the cartoon comment) I tried to explain why "Risk based thinking" had been introduced and explained that Annex SL was used to develop the new clause structure used by ISO certifiable standards. My third comment tried to build on your response where you stated "What does the expression address risk mean? And the footnote in DIS 9001 on the various options for addressing risks?" I then used the footnote you mentioned and took it one step back to the paragraph before in "clause 6.1.2 of ISO 9001 Draft where it states - Actions to address risks and opportunities shall be proportionate to the potential impact on the conformity of the products or services."

I would like to remind everyone that ISO 9001 is about having a QMS that can consistently achieve the customer requirements. ISO 9001 does not cover all quality issues an organisation has to deal with.

This is where once again I tried to remind everyone of the restrictive scope of ISO 9001 and when using the term "Risk based thinking" this restrictive role should be recognised.

I can only hope that "Risk" is not misused because ISO 9001 is already misunderstood and adding in terms such as risk could cause confusion as indicated by the responses in this post.

Your request for a closed ending is as follows. The three terms you mentioned in the original question are quite simple.

1. "Risk based thinking" is "As stated in ISO 9001 2015 DIS clause 0.5 Risk Based thinking is the effect of uncertainty on an expected outcome AND the concept of risk based thinking has always been implicit in ISO 9001". So no change as "the expected outcome" is quite clear namely meeting customer requirements.

2. "Actions to address risks and opportunities" This is a common clause heading for all ISO standards as developed from Annex SL and it has to be looked at in relation to the organisation's activities. It is not something that can be decided in isolation. It is also the responsibility of the Organisation to decide what "risks or opportunities" are relevant no one else.

3. "Risk Management" MAY be applicable to some organisations as indicated in ISO 9001 Draft however as mentioned in the current ISO 9001 2008 clause 0.4 Risk Management is not applicable. The reason for this is it covers many subjective issues outside the scope of ISO 9001.

In fact I would remove the reference to ISO 31000 Guidance on Risk Management from ISO 9001 Draft as I believe this reference adds confusion. I recognise that my views may not be supported but I believe unless these issues are resolved ISO 9001 certification could be undermined to no one's benefit.

3 days ago

Philip Scalise

David, I asked no questions. That was a cut and paste from the headline discussion. My comments were in response. Thank you for explaining.

3 days ago

Philip Scalise

Ahmed, the source you mention is not one I use. I see now why you are confused now.

3 days ago

Francesco De Cicco

Thank you all for the comments. Some opinions seem not to take into account the paper published by ISO/TC 176 entitled "RISK IN ISO 9001:2015" (see it here: http://bit.ly/1F622Ty).

If you are not a newcomer in the risk management area, you can easily conclude that "risk-based thinking" (see the paper, item 6. How do I do it?) is (partially) the risk management process defined in ISO 31000 (the cartoon provided above shows the same process in a humorous way...).

The footnote in clause 6.1 - Actions to address risks and opportunities (included in ISO 9001:2015 and in ALL new management system standards - according to Annex SL) states that "Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision".

Wow! That is exactly what ISO 31000 calls "risk treatment"! as defined below:

risk treatment: process to modify risk

NOTE 1 Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source (2.18); changing the likelihood (2.21); changing the consequences (2.20); sharing the risk with another party or parties (including contracts and risk financing); and retaining the risk by informed choice.

When you talk (or think...) about risk, you most probably want to manage it.

Then we come to the question: What is risk management?

ISO 31000 defines it in a very simple way:

risk management: coordinated activities to direct and control an organization with regard to risk.

Conclusions (in an undisguised way):

"Risk-based thinking" = "Risk management".

"Actions to address risks and opportunities" = "Risk treatment" (which is part of the risk management process).

And my final message to some ISO's Technical Management Board and Technical Committees members: Please do not complicate and do not create new terms and expressions with regard to risk!

3 days ago

David Seear

Francesco De,

"Risk based thinking" does not = "Risk management". I also believe you are being unfair to the TC 176 committee. Let us look at the facts. All new ISO standards that are certifiable will use the new Annex SL format for the structure of their clauses. ISO 9001:2015 Draft will use this format and the committee has to work out how this will work. ISO 9001:2008 states, quite clearly, that Risk management is not applicable to ISO 9001 (Clause 0.4). The new Annex SL has a clause 6.1 Risk and Opportunity. So how do you include risk and opportunity yet recognise that Risk Management is not applicable. The method they have chosen is to use the term Risk based Thinking. This is relevant in the sense that, as stated in the draft ISO 9001 on lines 300-301, Risk based thinking has always been implicit in ISO 9001. In fact the whole purpose of ISO 9001 is to address the risk as it relates to the Organisation's ability to consistently meet the customer requirements. So far so good then along comes the Risk specialists and a simple situation has become even more confused. Instead of recognising the situation that the committee was in the Risk specialists try to introduce Risk Management. Now risk management covers just about everything anyone can think of and it is very "subjective" as seen in this discussion. ISO 9001 is the opposite in fact it is totally "objective" as you know exactly what the customer requires and the standard has a restricted role where it just covers having an effective quality management system that can meet customer requirements. You mention "Risk appetite" and then terms such as, Risk tolerance, Risk acceptance, Risk threshold, Risk attitude and Risk Category to name just a few are bandied about. Then you state that the committee should not introduce new terms and expressions regarding risk. I can see why you have so many of your own. The people wonder why I am concerned about "Risk Management" being included in ISO 9001.

At least "Risk Based Thinking" can be "Objective" as the risk is measured against the specification for the product or service the customer requires. If you are concerned I would suggest you read the book ISO 9001 2015 Back to the Future. If we can't understand the Basics of ISO 9001 there is little point moving forward to the Future as without reference to the "ISO 9000 Family of Standards" and the restrictive role of ISO 9001 the changes will make it confusing and unworkable. Still trying to help...

1 day ago

Francesco De Cicco

David S., you have your point of view on this subject and I have mine. This can be a never ending discussion. So I close my participation in this thread.

PS: I didn't mention the term "Risk appetite" anywhere. And I know very well the scope, etc. of ISO 9001 and all the ISO 9000 family. After all I have been using and applying these standards since 1991...

1 day ago

Rob Jeges

Achieving quality is an objective, and risk is the effect of uncertainty on objectives.

Quality management is the endeavour to manage the risk to quality. If properly done it should have a framework based on principles and a process.

Cl 0.4 of ISO 9001:2008 does not state that risk management is not applicable to ISO 9001. In fact it implies that they are aligned or integrated:

"0.4 Compatibility with other management standards (...) This International Standard does not include requirements specific to other management systems, such as (...) risk management. However, this International Standard enables an organization to align or integrate its own quality management system with related management system requirements."

This was written prior to the publication of ISO 31000. Cl 0.5 of DIS 9001:2015 provides clarification:

"0.5 "Risk-based thinking" Risk is the effect of uncertainty on an expected result and the concept of risk-based thinking has always been implicit in ISO 9001. This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. Organizations can choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts".

Risk-based thinking is positioned as a proper subset of risk management (as defined by ISO 31000) for the purpose of quality management. As the concept does not include anything that is not already part of ISO 31000 then one should not be surprised to find that it is fully contained within ISO 31000.

I am not sure that quality is totally "objective". Quality aims at satisfying expectations, and all theories of satisfaction are based on some form of cognitive dissonance. An individual expecting a high or low-value product and receiving the opposite experiences a state of dissonance, or a psychological discomfort, and I would consider this a highly subjective perception.

1 day ago

David Seear

Francesco,

Thank you for the response it is much appreciated and I agree we have different views and I thank you for allowing me to express mine. What I am trying to do is ensure that certified organisations are not afraid of the new ISO 9001 2015 as it is up to the Organisation themselves to decide what "Risk" is applicable. Yes ISO 31000 "Guidance on risk management" is one of many Guidance standards and it is up to the organisation to decide if they wish to use the "Risk" guidance standard no one else. I don't wish to see all the "Risk Management" issues forced onto organisations especially when they may not be beneficial or cost effective.

Kind Regards David John Seear (Still trying to help)

1 day ago

David Seear

Robert J,

Thank you for your comments most of which I agree with, however, I do worry about the final paragraph as ISO 9001 still requires the organisation to agree with the customer what they require. That being the case there is no misunderstanding about what the outcome of the process should be. So your statement that If "An individual expecting a high or low-value product and receiving the opposite experiences a state of dissonance, or a psychological discomfort, and I would consider this a highly subjective perception." This is strange as the customer knows what they are buying as it is the product or service being offered or the one specified by the customer. High or Low value product or service has little to do with ISO 9001 as the objective of having an effective quality management service is to consistently provide what the customer specified. ISO 9001 certification does not and never has given guidance on the High or Low value of a product or service just that the Certified organisation can consistently deliver the product to the specified requirements. This is what the restrictive role of ISO 9001 is all about. Surely meeting customer requirements is a priority? I had a discussion decades ago with a very senior person who stated that ISO 9001 Certificated organisation provides a better product. This is incorrect what ISO 9001 certification should do is give assurance that the agreed product or specified requirement will consistently be met. That is why it is totally objective. A much later comment was that ISO 9001 certified organisation cannot guarantee that it will meet the customer requirements.

I accept it cannot guarantee however when a professional audit is carried out it certainly can give a level of assurance that the system is capable of consistently meeting the specified requirements or what is the point of certification? I am still trying to get acceptance that auditors should know what the outcome of a process should be or how can they judge the effectiveness of the management system.

Note: - One of the 8 management principles has been dropped within the new draft revision process. It is "System approach to management" it seems there is some disagreement over the difference between "Process" and "System". If you look at ISO 9000 2005 you will see the difference quite clearly. I would love to know how many people reading this actually have ISO 9000 2005 because from my research it indicates that in excess of 60% do not have or know of ISO 9000 as they have never been made aware of the "ISO 9000 Family of Standards". That is the reason I still pursue the need to carry out process audits following an audit trail. If interested Google "David John Seear ISO 9001 Audit Trail". To see why "Quality" has not managed to achieve credible recognition. If we continue with the so called "System audit" where auditors are advised they don't need to know what the product/service or what the agreed specification is we will never improve. The current changes in 2015 could be open to the so called "System Audit" and the opportunity for improvement will be lost. I believe ISO 9001 should remain totally Objective or quality will be undermined and Certified organisation may reconsider their position. Trust me I am a "Seer". Only joking I am however very concerned. The broader issues often discussed under ISO 9001 should come from ISO 9004.

Kind Regards David John Seear (Still trying to help)

1 day ago


Rob Jeges

David,

Sure, quality is about meeting customer specifications, but the problem is that this requires a shared understanding of the specification by both parties.

I am the first to confess my parochial view of the world based on limited experience; I know a thing or two about software development where one of the main problems is that requirements are not well communicated between the client and the developer.

The problem of meeting specifications is always subjective. No documentation is perfect, and RAD is not without its problems as each iteration cements design constraints that cannot be easily removed later on.

In the end quality is always subjective. Meeting written requirements is no assurance of success.

1 day ago


David Seear

Robert,

Once again, at the beginning I agree with you. You state that where an organisation is trying to provide a bespoke product or service then there is a lot of work that needs to be done in the design area and a lot of work obtaining agreement, as it is not always well communicated. My experience in your sector of work is that customers don't know what they want until you provide it; then they realise that is not what they are after. I agree research and development can be very problematic, but ISO 9001 is still a tool that you can use. In your case the new ISO 9001 2015 draft will help, as it mentions in clause 0.5 lines 303-306 that organisation may choose to develop a more risk extensive risk based approach and ISO 31000 provides guidance on formal risk management which can be "appropriate in certain organisational contexts". So although this is covered, I would prefer ISO 31000 to be removed, as I believe it has already caused confusion and will be even worse if it goes worldwide. My concern is that this optional use of ISO 31000 should be understood as being OPTIONAL, the same as any guidance standard is optional. What worries me is where the general opinion is that all the elements of "Risk Management" should apply. I recognise that people are trying to get the best out of the revision, but as an ex naval officer all I am asking is that, like being at sea, you should know where you are trying to get to and where you are starting from before you start trying to manage the process of getting there. Some people seem to think I am against "Risk"; that is so far from the truth. What I am trying to do is get "Back to Basics", understand where problems exist and then modify the standard in a manner that makes things clearer and more effective. I have tried to explain "Risk Based Thinking" and how this does not directly equate to "Risk Management".

Once again it is your last sentence that worries me. Your statement that "In the end quality is always subjective. Meeting written requirements is no assurance of success." Where has it ever stated that the purpose of ISO 9001 is to "meet written requirements"? ISO 9001 requires few written requirements, but what happens now causes a problem with auditing. If we don't carry out professional audits your comment is true. The problem is the "System Audit" approach is still being taught it is wrong. That being the case, your last sentence is factual but still incorrect because that is not what is supposed to happen. My previous post covers some of these issues. We have a great opportunity in 2015 to get things right and understand the structure of ISO standards and how they should be used; let's not miss it in the rush to make change, as it should be about improvement.

Kind regards and best wishes, David John Seear (still trying to help)

1 day ago


Terry McHugh FCQI CQP.

If committees continue to meddle and make changes to standards in areas that they appear to have little understanding of, then confusion, that is starting to appear here, will continue to get worse. Risk Management doesn't apply unless it affects the quality of goods and services so then it does apply. All that needed to be added to the standard, if it had to be added at all, was a sentence that stated 'All risks and hazards, relative to the business or company must be considered.' Nothing else would be needed; auditors could clearly ask a simple question and check any pertinent records, and the business management would have a clear understanding of what was needed.

Instead it is beginning to look as if the new revision will be going down the route of previous ones where the title should be 'Do what you want because the content here is meaningless'.

The standard is starting to become less relevant as the confusion between system and process audits continues and the increasing meddling does nothing to help matters.

16 hours ago


David Seear

Terry,

I agree committees should not make changes where they have not fully understood the purpose or scope of the standard. The ISO 9000 Fundamentals and vocabulary Draft is a classic example. The terms "Objective/Audit Evidence" are now considered to be the same (Clause 3.10.15.), yet there still is a clause "Objective Evidence" 3.8.4, and the objective evidence 3.8.4 is the same as the previous version in ISO 9000 2005. So both cannot be correct. In fact all they have to do is delete the term "Objective" from "objective/audit evidence" and all would be well. I can only hope they will do that.

If you are interested in some other definitions concerns, go to www.pdqms.co.uk and look under "articles" to see my concerns. All of this has been advised to members of the committees and the ISO, CQI, IRCA, UKAS etc., so I live in hope these anomalies will be corrected.

I would however point out my concern over one sentence you have written: "All risks and hazards, relative to the business or company must be considered". This is incorrect. If you had stated "All risks or conditions that could affect the ability of the organisation's management system to consistently provide product or service that meets the customer and applicable statutory and regulatory requirements" it would be correct. Where you indicate that it covers ALL risks and hazards relative to the business then this is incorrect, as it fails to take into account the restrictive role of ISO 9001. However, all I am saying is we should all take into account the scope. You do mention earlier that it is only to do with the quality of goods and services, so this may have been a slip of the keyboard. If we all referred back to the Scope of ISO 9001 before we made a decision on what something meant then we would use ISO 9001 correctly and remove confusion. If we recognised that the introduction and clauses 1 - 3 are important and did not just consider clauses 4 - 8 we would also improve. How many of you have read ISO 9001:2008 from cover to cover? Clause 2 Normative references states that ISO 9000 2005 is indispensable to the application of ISO 9001. So in effect ISO 9001:2008 cannot be used without reference to ISO 9000. Clause 3 also states that where the term "product" occurs it can also mean "service". Who knows, reading the standard fully may mean we don't have to make any changes?

Sorry, I am being silly again. I am however still trying to ensure that the changes being made make things clearer, not more confusing.

Kind Regards, David John Seear

10 hours ago


Richard Murdock

In my opinion, the text in the DIS uses terms such as "shall determine the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them". Since there is a shall involved, there needs to be objective evidence of planning and implementation. Is this not part of Risk Management?

"Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed" Once again, the shall in this statement requires objective evidence. And again is this not part of risk management?

As you all have the DIS and can read, I will not quote the remaining clauses that call for the same objective evidence pointing to Risk Management.

Call it what you want, but when the requirements call for planning and implementation, that to me is a roundabout way of calling for risk management.