Explicit references to risk appear throughout ISO 9001: 2015.
If you’re unfamiliar with the concept of risk, or your exposure to it has been limited, now is the time to get comfortable with all aspects of risk as it relates to the quality management system. Why? Because the latest edition of the standard makes risk management, which has always been implicit, explicit. In other words, it’s no longer optional; it’s a must.
In this final installment of a three-part webinar series, ISO experts Walt Murray and Peter Knauer discuss (among other things) the four phases of risk management, where risk is documented in the new standard (hint—almost everywhere) and how to relate the objectives of your quality system to risk (this is key!). Get a head start on the transition process by watching this free webinar now.
Four Phases of Risk Management
The technical committee’s decision to move away from the classic Corrective Action/Preventive Action (CAPA) model is a change that many ISO veterans are finding difficult to wrap their heads around. Are preventive actions really going away? Yes and no. In the current draft, the term “preventive action” has been replaced by the term “risk management” for two reasons: to sidestep the confusion many companies face in determining what constitutes a preventive action versus a corrective action, and to force companies to think in a truly preventive mindset. However, although the term is being retired, the concept of preventive action will live on as part of the formalized risk management system, which comprises four phases: risk analysis, risk evaluation, risk control and post-product information. Each phase contains steps you must work through to complete the quality risk management process.
Risk Analysis (Phase One):
- Intended Use Identification. Identify your product’s intended use according to the manufacturer’s specifications, instructions and other information. In Europe, “intended use” is referred to as “intended purpose.”
- Hazard Identification. Identify potential hazards (i.e., sources of harm), as well as the potential consequences.
- Risk Estimation. Estimate the amount of risk associated with the hazards you’ve identified.
Risk Evaluation (Phase Two):
- Risk Acceptability Determination. Determine your acceptance criteria, i.e., the level of risk that you are willing to accept.
- Risk Assessment. Assess your actual level of risk. It can be a quantitative estimate of risk, which is expressed by a numerical probability, or a qualitative description of the range of risk (e.g., low, medium or high). There are several risk assessment tools at your disposal. It’s your responsibility to select the tool that’s appropriate for your organization.
Risk Control (Phase Three):
- Risk Control Option (RCO) Analysis. Identify measures you can implement to mitigate or avoid risks that exceed an acceptable level.
- RCO Implementation. Decide how to implement the measures you’ve identified in your RCO analysis.
- Residual Risk Evaluation. Evaluate the risks that remain after the risk control measures have been implemented. Check to see whether the measures you’ve implemented have introduced new risks to the system or increased the significance of other previously identified risks.
- Overall Risk Acceptance Determination. Accept risk. This can be a formal decision to accept the residual risks, or a passive decision in which residual risks are not identified.
Post-Product Information (Phase Four):
- Risk Review. A risk management system should be an ongoing, dynamic part of the quality management process. In order for it to remain effective, you must continuously review or monitor events that might impact your original risk management decision. These events can be planned (e.g., product reviews, audits) or unplanned (e.g., recalls). Review frequency should be based upon risk level.
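As an added illustration (not part of the webinar or MasterControl’s material), the following Python risk register carries one constructed hazard through the four phases above: estimation, acceptability against a threshold, a control that lowers likelihood but introduces a new hazard, residual-risk evaluation, and a review cadence tied to risk level. The likelihood/severity scales, the acceptance threshold and the review intervals are assumptions, not values from the standard.

```python
from dataclasses import dataclass, field

# Assumed semi-quantitative scales (constructed for this example, not from ISO 9001).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
SEVERITY = {"negligible": 1, "minor": 2, "major": 3, "critical": 4}
ACCEPTABLE_SCORE = 6  # Phase two: the organization's assumed acceptance criterion.


@dataclass
class Hazard:
    name: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)

    def score(self) -> int:
        # Phase one, risk estimation: likelihood x severity.
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def level(self) -> str:
        # Qualitative range (low/medium/high) derived from the numeric estimate.
        s = self.score()
        return "low" if s <= 4 else "medium" if s <= 8 else "high"

    def acceptable(self) -> bool:
        # Phase two, risk acceptability determination.
        return self.score() <= ACCEPTABLE_SCORE


def apply_control(hazard: Hazard, control: str, new_likelihood: str, introduces=None):
    """Phase three: implement a control option and produce the residual hazard.

    Returns (residual_hazard, newly_introduced_hazards); the caller must evaluate
    the introduced hazards too, as the residual-risk step requires."""
    residual = Hazard(hazard.name, new_likelihood, hazard.severity,
                      hazard.controls + [control])
    return residual, list(introduces or [])


def review_interval_months(hazard: Hazard) -> int:
    # Phase four: review frequency based on risk level (assumed cadence).
    return {"low": 12, "medium": 6, "high": 3}[hazard.level()]


def summarize(register):
    """Evaluate every hazard in the register and report score, level,
    acceptability and review cadence, so unaccepted risks are visible."""
    return {h.name: (h.score(), h.level(), h.acceptable(), review_interval_months(h))
            for h in register}
```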
Risk: Here, There and Everywhere
After ISO 9001: 2015 is published, organizations currently registered to ISO 9001: 2008 will have three years to transition to the new standard. This may seem like ample time, but the changes are significant. They include new terminology, increased leadership requirements and a complete restructuring of the standard to the high-level structure introduced in Annex SL, Appendix 2 of the ISO/IEC Directives, Part 1. What’s more, risk is no longer limited to specific elements of the quality management process; it’s addressed throughout ISO 9001: 2015.
“The question to ask isn’t ‘Where is risk mentioned in the current DIS?’ but ‘Where isn’t risk mentioned?’” said Murray, who has brought several life sciences organizations to full registration under the ISO process model standard. Here are some examples:
- Clause 4…“the organization is required to determine risks that can affect its ability to meet objectives…”
- Clause 5…“top management is required to commit to ensuring Clause 4 [relating risks to objectives] is followed…”
- Clause 6…“the organization is required to plan and take action to address risks and opportunities...”
- Clause 8…“the organization is required to have processes which identify and address risk in its operations…”
- Clause 9…“the organization is required to consider risks and opportunities when determining what needs to be monitored, measured, analyzed and evaluated…” (1)
An End-to-End Process for Risk Management
“In effect, ISO 9001: 2015 is asking you to establish an end-to-end process for identifying and addressing risks so your QMS can deliver upon its objectives and then to execute that process carefully and consistently throughout your organization,” said Murray. “It’s a tall order, and it’s complicated by the fact that—because the standard must be flexible enough to address different situations—few tangible specifications are given. When a standard becomes less prescriptive, compliance requirements are subject to wider interpretation, and misinterpretations can (and often do) occur. This is where training becomes so important.”
To learn more about the newly updated standard, particularly as it pertains to risk, watch ISO 9001: 2015, Part 3. If you missed the first two webinars, you can access them by clicking on the links below.
ISO 9001: 2015, Part 1 provides a high-level view of the impending changes.
ISO 9001: 2015, Part 2 focuses on the new high-level structure and the “Plan-Do-Check-Act” methodology.
(1) “What Changes Will ISO 9001: 2015 Bring?” [PowerPoint] Available from the Internet: http://www.bureauveritas.co.uk/wps/wcm/connect/a2cd2e0a-0ad0-4cef-b95c-70eedc98642e/9000+pdf.pdf?MOD=AJPERES
Lisa Weeks, a marketing communications specialist at MasterControl, writes extensively about technology, the life sciences, and other regulated environments. Her two decades of marketing and advertising experience include work with McNeil Pharmaceuticals, SAP AG, SCA Mölnlycke Health Care, Crozer-Keystone Health Systems, and NovaCare Rehabilitation/Select Med.
Walt Murray, director of MasterControl’s quality and compliance services, is a specialist in the quality and regulatory professions with more than 25 years’ experience to his credit. He is certified in quality systems auditing, problem solving and process control using Six Sigma principles that support lean enterprise. His extensive audit experience covers several industries, and he has successfully brought several life sciences companies to full registration under the ISO process model standard. Murray has also worked extensively in risk and supplier management. He may be reached at firstname.lastname@example.org.
Peter Knauer is a partner consultant with MasterControl's Quality and Compliance Advisory Services. He has more than 20 years of international experience in the biomedical industry, primarily focusing on supply chain management, risk management, CAPA, audits and compliance issues related to biopharmaceutical and medical device chemistry, manufacturing and controls (CMC) operations. He may be reached at email@example.com.