Risk Assessment and the Quality Management System
(October 11, 2018)
Preventive action is a complementary function
In the world of quality management systems (QMS), the nature of the relationship between risk management and preventive actions is often confused and misunderstood. Indeed, some believe that a thorough risk assessment process replaces the need for preventive action.
In fact, risk management and preventive action are sequential, complementary elements that are essential to the QMS. The effectiveness of any preventive action depends on the extent to which the action addresses the root causes identified by the risk assessment. Therefore, the success of the risk assessment process depends on the extent to which it identifies root cause issues. When all root cause issues have been identified, it is possible to examine the proposed preventive actions to determine if all elements of risk have been satisfactorily addressed.
Risk assessment of changes to a QMS
All of the elements described in an ISO 9001-compliant QMS can benefit from a risk assessment evaluation. Let’s examine some of these elements from the risk management perspective.
• Documentation. A risk assessment of process documentation should be tangible since, by definition, process-related documents very specifically describe a process. The amount of detail required here depends on a risk assessment of the available training and the competence of the users. Even more critical in a risk assessment of documentation is an assessment of the potential risk associated with an incorrect interpretation of the documentation itself.
• Management Review. Documentation of the management review process should include a commentary on changes to the QMS. Although there is often a minimal amount of such commentary found in management review records, it can help to identify specific actions taken by business units or departments. However, when evaluating action items by department, the risk assessment of changes affecting anything from personnel to tools to work environment is often incomplete. Actions undertaken in support of continuous improvement efforts must incorporate a risk assessment to understand their potential effect on related processes.
• Competency and training. Continuous employee involvement is essential in any QMS initiative. As quality processes and actions are implemented, the absence of employee involvement can lead to non-conforming actions that can directly and negatively affect product quality, an aspect of implementation that is frequently overlooked. Therefore, risk assessment evaluations should include the potential consequence of non-involvement by employees.
• Planning, customer-related processes, design, purchasing and production. Any organization considering the implementation of a QMS is focused on two key processes. First, the organization must identify the needs of the customer (i.e., the end-user), and second, management must self-assess the organization’s ability to satisfy those requirements. In the first key process, potential risks include miscommunications, such as unmet expectations based on unspoken assumptions. Therefore, the assessment of all input requirements for a proposed product must include input from all involved parties. The second key process requires an objective assessment of the organization’s capabilities in product design, manufacturing, and other activities. Here too, a risk assessment can identify areas where capabilities may fall short of customer expectations.
• Measurement, analysis, and improvement. These areas are the most important risk assessment elements of a QMS. Again, preventive action as applied within the QMS is often misinterpreted as the risk assessment process. Preventive actions are actually the result of an effective risk assessment, and the subsequent analysis of its actual effect provides the ultimate assessment of the effectiveness of the actions taken. Therefore, any proposed actions for improvement should include an assessment of possible risks associated with their implementation.
Grading identified risks
The assessment of risk related to a QMS process can be graded according to a number of metrics, such as its effect on a related process or the effect on a customer. However, viewing a risk assessment solely as a preventive action within a QMS limits its usefulness. A documented risk assessment must include information on inputs, process controls, and outputs, and can be useful in grading risks over time. Effective record keeping can support efforts to grade the effect of a correction action once it has been implemented.
Effectiveness of actions resulting from a risk assessment
Every effective QMS includes some form of risk assessment, whether it has been expressly identified as such or not. However, evaluating actions stemming from a risk assessment is not always clear. When a specific risk has been identified, it usually leads to a clear statement of what will happen if certain actions are not taken. When preventive actions based on possible but not proven risks are implemented, however, the results are often difficult to verify. That’s because of the absence of objective evidence that the actions taken are directly responsible for preventing the risk from occurring.
In other cases, an action taken to reduce or eliminate a possible risk can inadvertently affect a related process. Often, this potential effect is neither identified nor investigated. When the potential risk does not occur, the effect of the related process is not considered as a possible cause.
Conclusion: risk and you
Risk can be an abstract and difficult concept to grasp, but it is effectively managed through the QMS once these and other inputs are understood.
About The Author
Hermann B. Ries is a lead auditor for TÜV SÜD America Inc. He has more than 10 years of regulatory and quality management systems experience, including second- and third-party audits in telecommunications, information technology, software/hardware development, engineering services, food safety, and finance. Ries has assisted in the certification of food producers, exporters, and distributors, and participated in numerous nationwide training activities for food safety initiatives. He has 15 years experience in public education. His auditor accreditations include RAB lead auditor, TÜV cert auditor, HACCP trainer, TL 9000 qualified expert, and ISO 9001:2000 and SQF training.
*Copyright on the content held by Quality Digest or by individual authors.