Quality risk

I was on a quality management discussion forum the other day and stumbled upon an argument that made me wonder if I had lost my sanity

The gist of it was whether or not the management of “risk” had anything to do with quality management and whether an understanding of “risk” was necessarily a knowledge pre-requisite for a QMS auditor. The case for the defence cited that nowhere in ISO 19011 was there any specific reference to “risk”. And on that point, they were quite right – I checked

That really made me wonder whether the “quality fraternity” had actually lost the plot. Or, more to the point, whether they had ever had it in the first place

It started me on a bit of a quest to see if I could unravel any semblance of rationale from this apparent nonsense. After all, it could be just me. So I started by looking in ISO 9000:2005. I found this

“2.8.1 Evaluating processes within the quality management system

When evaluating quality management systems, there are four basic questions that should be asked in relation to every process being evaluated.
a) Is the process identified and appropriately defined?
b) Are responsibilities assigned?
c) Are the procedures implemented and maintained?
d) Is the process effective in achieving the required results?”

On the face of it that doesn’t introduce much controversy. Those are, after all, reasonable questions. But there is no mention of assessing how well risks are controlled, so should there be?

Well I’d have to say “yes” to that, and my reason for that is why should a quality management system be any different to any other management system? If we take the example of ANY other management system, financial, information security, environmental, occupational health & safety, the identification and control of risk is an absolute cornerstone. It is the inarguable starting point. No debate about that at all. So why is “quality” different? What is it about quality management that justifies developing the management system from a completely different starting point, with almost completely different priorities, and to somehow justify side-stepping the whole concept of risk management at every stage?

One question that it does leave unanswered (for me at least) is how this all sits with the inclusion of “quality” within an integrated management system?

So, what do you think? Am I right? Am I the one who has lost the plot? Am I missing something? Seriously, tell me


6 Responses to Quality risk

  1. Clause 5.2.1h) of ANSI/ISO/ASQ QE19011S-2004 includes this recommendation regarding risk. Please see below.

    Objectives should be established for an audit programme, to direct the planning and conduct of

    These objectives can be based on consideration of:
    a) management priorities;
    b) commercial intentions;
    c) management system requirements;
    d) statutory, regulatory and contractual requirements;
    e) need for supplier evaluation;
    f) customer requirements;
    g) needs of other interested parties;
    h) risks to the organization.

    Fortunately, risks (associated with the organizational environment) are introduced by ISO 9001:2008 as design inputs for the management system.

    I will admit that some people seem to have stopped thinking beyond the specifics of their favorite system standard. For some reason they seem not to understand many of the principles of management.

    Indeed if the blinkered-thinkers rely on ISO/TC176 for the scope of their thinking they will be let down as the eight quality management principles do not even mention risk.

  2. Shaun says:

    Quite so John. I can’t understand how the other management system standards appear to get it, but QMS does not. In simple terms risk management is action you take to stop undesirable things happening (or at least to reduce the chances or mitigate their effects)

    A management system on the other hand is a mechanism for increasing the chances that the right things will repeatedly happen. An awareness of “the bad things that can happen” is fundamental to being able to apply the principle of preventive action in any sensible way. However I often find that “preventive Action” is applied in a very cosmetic way. Where would an OHSMS be without proper risk assessment? Or EMS without proper aspects and impacts evaluation? It is unthinkable, but many QMS’ seem to plod on quite happily without an equivalent process. Quite bizarre

  3. Rob says:

    Assessment of risk should be part of every manager’s and business leader’s job, regardless of an ISO standard saying you don’t or do have to do it. I often find that arguments over what this or that sentence or word means in an ISO standard to be rather futile. Working in quality for more years than I care to think about, at a senior level, has taught me that general application of the requirements of ISO 9001 is just good business practice. Nothing more really. Getting hung-up over semantics is of no interest to 99% of people in a business.

  4. shaun says:

    Tell me about it, Rob. For a real treat you should check out the IRCA forum now and again. The occasional decent debate, but generally a veritable pedants’ playground

    These attitudes go back to the contractual aspect of ISO 9001. When contracts are involved people generally try to walk along the line, doing no more and no less, and when ISO 9001 is part of the contractual requirement, the whole approach to quality management is tarred with that same brush

  5. Travis says:

    When organisations use ISO 9001 only for contractual reasons, they have no interest in it whatsoever.
    Even if they considered using best practice for their own business, then they would have some form of QMS.

  6. admin says:

    While this is often true I would not go so far as to say it is always true. I can’t understand why people think it is somehow immoral to pursue certification “just because it is a customer requirement”. It is probably the best reason. If the customer says “jump” generally it is wise to say “how high?” and making operational decisions based on commercial considerations is not, in my book at least, such a bad thing
