I was on a quality management discussion forum the other day and stumbled upon an argument that made me wonder if I had lost my sanity.
The gist of it was whether or not the management of “risk” had anything to do with quality management and whether an understanding of “risk” was necessarily a knowledge prerequisite for a QMS auditor. The case for the defence cited that nowhere in ISO 19011 was there any specific reference to “risk”. And on that point, they were quite right – I checked.
That really made me wonder whether the “quality fraternity” had actually lost the plot. Or, more to the point, whether they had ever had it in the first place.
It started me on a bit of a quest to see if I could unravel any semblance of rationale from this apparent nonsense. After all, it could be just me. So I started by looking in ISO 9000:2005. I found this:
“2.8.1 Evaluating processes within the quality management system
When evaluating quality management systems, there are four basic questions that should be asked in relation to every process being evaluated.
a) Is the process identified and appropriately defined?
b) Are responsibilities assigned?
c) Are the procedures implemented and maintained?
d) Is the process effective in achieving the required results?”
On the face of it, that doesn’t introduce much controversy. Those are, after all, reasonable questions. But there is no mention of assessing how well risks are controlled, so should there be?
Well, I’d have to say “yes” to that, and my reason for that is: why should a quality management system be any different to any other management system? If we take the example of ANY other management system (financial, information security, environmental, occupational health & safety), the identification and control of risk is an absolute cornerstone. It is the inarguable starting point. No debate about that at all. So why is “quality” different? What is it about quality management that justifies developing the management system from a completely different starting point, with almost completely different priorities, and somehow justifies side-stepping the whole concept of risk management at every stage?
One question that it does leave unanswered (for me at least) is how this all sits with the inclusion of “quality” within an integrated management system?
So, what do you think? Am I right? Am I the one who has lost the plot? Am I missing something? Seriously, tell me.