qsg quarterly meeting - 03 25 2016 - risk based...

©2015 QSG, Inc. Quarterly Meeting Risk-Based Auditing

Upload: hanguyet

Post on 31-Aug-2018



©2015 QSG, Inc.

Quarterly Meeting

Risk-Based Auditing

Welcome, Introductions and Expectations

ISO 9001:2015 Structure (clauses 4 to 10, arranged around the Plan, Do, Check, Act cycle)

4 Context of the organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Scope of the management system
• QMS

5 Leadership
• Leadership and commitment
• Quality policy
• Organizational roles, responsibilities and authorities

6 Planning for the quality management system
• Actions to address risks and opportunities
• Quality objectives
• Planning of changes

7 Support
• Resources
• Competence
• Awareness
• Communication
• Documented information

8 Operations
• Operations planning and control
• Requirements for products and services
• Design and development of products and services
• Control of externally provided products and services
• Production and service provision
• Release of products and services
• Control of nonconforming outputs

9 Performance and evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

10 Improvement
• General
• Nonconformity and corrective action
• Continual improvement

Key Themes
• Process Approach
• Risk Based Thinking
• Context of the Organization
• Leadership
• Planning the Quality Management System
• Documented Information
• Organizational Knowledge
• Control of Externally Provided Processes, Products and Services
• Exclusions/Scope
• Evaluation
• Internal Audit
• Plan Do Check Act (PDCA)

Why Audit?

It is a requirement in ISO 9001:2015!

It is a value added process!


Why Audit? ISO 9001:2015, 9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
   1) the organization’s own requirements for its quality management system;
   2) the requirements of this International Standard;
b) is effectively implemented and maintained.

Why Audit? ISO 9001:2015, 9.2.2

9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit program and the audit results.

Why Audit? ISO 9001:2015, 9.2.1

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
   1) the organization’s own requirements for its quality management system;
   2) the requirements of this International Standard;

Conformance/Compliance to:
– Customer Requirements
– Statutory & Regulatory Requirements
– Organization’s SOPs & Policies
– ISO 9001:2015

Why Audit? ISO 9001:2015, 9.2.1

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
b) is effectively implemented and maintained.

System/Process Based Audit:
– Effective is a measure that an organization is getting the results expected
– It suggests a horizontal approach looking at the outputs of processes
– All processes are inter-connected into a QMS

Why Audit? Value Added

9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
d) ensure that the results of the audits are reported to relevant management;

Consider more frequent audits where
– Areas have had prior findings
– Known changes have taken place in processes

Why Audit? Value Added

Consider more frequent audits where
– Areas are considered higher risk. Risk can be due to:
  • New customer requirements
  • Supplier issues
  • Technology
  • Regulations
  • Process changes
  • Material, equipment, etc.

Consider fewer audits in areas that have demonstrated few or no issues.

Develop an audit schedule based on data and risk; this adds value.

Why Audit? Value Added

Internal audit management programs should:
• Schedule based on risk and customer feedback rather than something done simply for compliance.
• Elevate the role of auditor to a strategic one, rather than a job of simply checking compliance.
• Improve the internal audit program to ensure corrective actions are seen as important to process results.
• Demonstrate that management reviews of the quality management system have become an integral way of managing the business.

Process Approach


Example of a Process Sequence and its Interactions


Process (Major Elements & Boundaries): Start to End; Process Owners:
• Inputs: Suppliers (By Whom?)
• Outputs: Customers (For Whom?)
• Materials (With What?)
• Measures (Trend Charts, Metrics)
• Manpower (Training, Skills)
• Methods (How?)
• Machine (With What?)
• Environment (Area Conditions?)

ISO 9001:2015 Elements to Consider During a Process Audit

Process: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 Operations
• Inputs (Suppliers): 8.2 Customer requirements; 4.4 QMS requirements; 4.1 Context; 4.2 Interested parties
• Outputs (Customers): 8.6 Conforming products and services; 8.5.5 Post-delivery activities
• Materials: 8.4 Externally provided; 7.1.3 Infrastructure
• Measures: 9.1 Measurements; 9.2 Internal audit; 9.3 Management review; 4.3 Scope
• Manpower: 7.1.2 People; 7.2 Competence; 7.3 Awareness; 6.2 Quality objectives; 5.2 Quality policy; 7.1.6 Organizational knowledge; 5.3 Organizational roles/responsibilities
• Methods: 7.5 Documented information
• Machine: 7.1.5 Monitoring and measuring; 7.1.3 Infrastructure
• Environment: 7.1.4 Environment; 7.4 Communication
• Risk: 6.1 Planning; 4.4 QMS

Evaluating QMS Processes

Establishing Appropriate Measures
• At least one “measure” should be established for each “key” QMS process

Evaluating the Use of Measures to Assess Effectiveness and the Need for Improvement
• Review for adequacy the system for using measures to: establish and carry out objectives and plans, and identify and carry out improvement initiatives

Context of the Organization


Understanding the Organization and its Context

This is a New Requirement

The organization shall understand its internal and external environments:
• Determine the issues that are relevant to the organization in both environments
• Assess those issues which, if not mitigated, could prevent the successful implementation of the quality management system
• Using these issues, understand how they will influence quality changes in the organization on a continual basis.

ISO 9001, clause 4.1

Understanding the Organization and its Context

Analyzing the External Environment
• Your organization may already be doing this type of analysis
• Are you doing any strategic planning, market research, or benchmarking which identifies external issues which are being acted on in your business/quality management system?
• Does it drive your Vision, Mission, Quality Policy, Strategic Planning, Business Objectives, Policy Deployment, etc.?
• Can you demonstrate how you are doing it?
• Unfortunately, ISO 9001:2015 provides no suggested methods to analyze the context of an organization

Understanding the Organization and its Context

Analyzing the Internal Environment

Understanding the structure/hierarchy and positions of the organization related to the scope at the levels:
• Who sets the policies and strategic directions of the organization?
• Who coordinates and manages the operations?
• Who is involved in production, service and support activities?

Understanding the Organization and its Context

Analyzing the Internal Environment

It is necessary to identify the structures comprising the various bodies and the relations between them (hierarchical and functional).
• These include segregation of duties, responsibilities, authority and communication within the organization, which should be studied.
• The functions outsourced to subcontractors should also be identified.

Interested Parties, Needs, & Expectations (Continued)

NOTE Although most organizations use similar descriptions for their interested parties (e.g. customers, owners/shareholders, suppliers and partners, people in the organization), the composition of those categories can differ significantly over time and between organizations, industries, nations and cultures.

Interested party              Needs and expectations
Customers                     Quality, price, and delivery of products and services
Owners/shareholders           Sustained profitability; transparency
People in the organization    Good work environment; job security; recognition and reward
Suppliers & partners          Mutual benefit and continuity
Society                       Environmental protection; ethical behavior; compliance with statutory and regulatory requirements

Risk Based Thinking


What is “Risk-Based Thinking”?

• Risk-based thinking is something we all do automatically and often sub-consciously
• The concept of risk has always been implicit in ISO 9001; the 2015 revision makes it more explicit and builds it into the whole management system
• Risk-based thinking is already part of the process approach
• Risk-based thinking makes preventive action part of the routine

Key Points to Remember

Risk Based Thinking = Preventative Action
Risk Based Thinking is everybody’s business!
– Risk Based Thinking is not just the responsibility of management
– Risk Based Thinking must become an integral part of the organizational culture

Why Should I adopt “Risk-Based Thinking”?

• To improve customer confidence and satisfaction

• To assure consistency of quality of products and services

• To establish a proactive culture of prevention and improvement

• Successful companies intuitively take a risk-based approach


What Should I Do? (continued)

• Analyse and prioritize the risks and opportunities in your organization
  – what is acceptable?
  – what is unacceptable?
• Plan actions to address the risks
  – how can I avoid or eliminate the risk?
  – how can I mitigate the risk?
• Implement the plan – take action
• Check the effectiveness of the actions – does it work?
• Learn from experience – continual improvement

What is Risk?

Risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives.


Risk Definitions

Risk can be defined by two (2) parameters:
– Severity
  • This is the seriousness of the harm
– Probability
  • This is the probability that the harm will occur

Risk Assessment - Quantitative


Risk Assessment - Qualitative


How do I Determine Risk for my Quality Management System?


9.2 Internal Audit (cont.)

Question?

Where does Risk get introduced into an internal audit program?


Process (Major Elements & Boundaries): Start to End; Process Owners:
• Inputs: Suppliers (By Whom?)
• Outputs: Customers (For Whom?)
• Materials (With What?)
• Measures (Trend Charts, Metrics)
• Manpower (Training, Skills)
• Methods (How?)
• Machine (With What?)
• Environment (Area Conditions?)
• Risks (What Can Go Wrong?)

Internal Audit

Internal audits are at planned intervals to provide information on whether the quality management system:
• Conforms to:
  – Organization’s own requirements for its quality management system;
  – Requirements of ISO 9001:2015
  – Take into consideration the status and importance of specific processes in meeting customer needs, regulatory compliance, etc.
• Is effectively implemented and maintained.

Audit (Risk Based)
• Audit schedules should take into account “Risk” in developing a schedule
• Risk can be due to:
  – New customer requirements
  – Supplier issues
  – Technology
  – Regulations
  – Process changes
  – Material, equipment, etc.
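The slides define risk by two parameters (severity and probability), say that audit frequency should rise where there are prior findings, known changes or the risk drivers listed above, and fall where few or no issues have been found. The script below is an added example of turning those rules into a risk-ranked audit schedule; it is not QSG’s material or anything from the presentation. The 1 to 5 ordinal scales, the weights given to each risk driver, the findings weighting and the interval thresholds are all this example’s assumptions, and the four processes are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed 1-5 ordinal scales for the two parameters the slides name:
# severity = seriousness of the harm, probability = likelihood the harm occurs.
SCALE_MIN, SCALE_MAX = 1, 5

# Risk drivers from the "Audit (Risk Based)" slide. The weights are assumptions
# for this example; an organization would set them from its own data.
CHANGE_WEIGHTS = {
    "new customer requirements": 2,
    "supplier issues": 2,
    "technology": 1,
    "regulations": 3,
    "process changes": 2,
    "material/equipment": 1,
}

FINDING_WEIGHT = 2  # each prior audit finding pushes the area toward more frequent audits


@dataclass
class ProcessRisk:
    name: str
    severity: int                    # 1 (negligible) .. 5 (critical)
    probability: int                 # 1 (rare) .. 5 (almost certain)
    prior_findings: int = 0          # findings from previous audits of this area
    changes: List[str] = field(default_factory=list)  # keys of CHANGE_WEIGHTS


def on_scale(value: int) -> bool:
    """True when a severity or probability value lies on the assumed 1-5 scale."""
    return SCALE_MIN <= value <= SCALE_MAX


def risk_score(p: ProcessRisk) -> int:
    """Severity x probability, raised by prior findings and known change drivers."""
    if not (on_scale(p.severity) and on_scale(p.probability)):
        raise ValueError(f"{p.name}: severity and probability must be on the 1-5 scale")
    unknown = set(p.changes) - CHANGE_WEIGHTS.keys()
    if unknown:
        raise ValueError(f"{p.name}: unrecognised change driver(s) {sorted(unknown)}")
    base = p.severity * p.probability                    # 1 .. 25
    findings = FINDING_WEIGHT * p.prior_findings         # prior findings -> audit sooner
    change = sum(CHANGE_WEIGHTS[c] for c in p.changes)   # known changes -> audit sooner
    return base + findings + change


def audit_interval_months(score: int) -> int:
    """Map a risk score to an audit interval. Thresholds are assumed for this example.
    Low-risk areas are audited less often, but never dropped: 9.2.1 still requires
    audits at planned intervals."""
    if score >= 20:
        return 3
    if score >= 12:
        return 6
    if score >= 6:
        return 12
    return 24


def build_schedule(processes: List[ProcessRisk]) -> List[Tuple[str, int, int]]:
    """Return (name, score, interval_months) tuples, highest risk first."""
    scored = [(p.name, risk_score(p)) for p in processes]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, audit_interval_months(score)) for name, score in scored]


# Constructed sample data (not from the presentation).
SAMPLE = [
    ProcessRisk("Purchasing", severity=4, probability=3, prior_findings=3,
                changes=["supplier issues"]),
    ProcessRisk("Design", severity=5, probability=2,
                changes=["new customer requirements", "regulations"]),
    ProcessRisk("Shipping", severity=2, probability=2),
    ProcessRisk("Training", severity=3, probability=1),
]

if __name__ == "__main__":
    for name, score, months in build_schedule(SAMPLE):
        print(f"{name:<12} score={score:>2}  audit every {months} months")
```

Running the block ranks Purchasing first (score 20, quarterly audits) because it combines a high severity/probability product with three prior findings and a supplier issue, and puts Shipping and Training on the longest interval, which is the "fewer audits where few or no issues" rule from the earlier slide. The point of keeping the weights and thresholds in named constants is that the schedule can be regenerated from updated findings and change records at each planning cycle rather than fixed once for compliance.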


Audit Considerations
• Does your audit team understand how to audit Clause 4, “Context of the Organization”?
• How will you audit “Leadership” and “Planning”?
• How will you audit “Risk Based Thinking” to assess its effectiveness?
• Will the role of the “Internal Auditor” change?