
ISO maintains that risk has implicitly been a part of the standard since the ISO 9001:2015 revision. How? In the new standard, "preventive action" has evolved to "actions to address risk and opportunities." This changes the Corrective Action - Preventive Action (CAPA) model. In the past, Preventive Action was implemented as a result of Corrective Action specifically to prevent the recurrence of the nonconformity.
Some quality authorities follow this logic: RBT has been a part of the ISO management systems ethos since its inception in 1987 because Statistical Process Control (SPC) deals with the control of process variation. And the control of process variation is all about risk management. Since it was always implicit, it is now explicit in the ISO 9001:2015 revision.
We are seeing something similar with ERM and ISO 31000. ISO 31000 is the risk reference to support ISO 9001:2015 and RBT. ISO 31000 risk authorities now affirm that ISO 31K is an ERM standard. So if we follow this logic, ISO 9001:2015, having adopted RBT, may be moving towards ERM.
Another interesting point comes up. Does it matter if ISO 31000 is ERM as an Enhanced Risk Management framework? Not really. ISO 31000 offers two options to a company in terms of implementing risk management: 1. Implement the standard risk management system as written, or 2. Adopt the attributes of "Enhanced Risk Management", which is in the Annex A (informative) part of ISO 31000. Annex A has a few more risk guidelines, but is largely similar to the main text of the ISO 31000 standard. We cover Enhanced Risk Management in Chapter 5.
Lesson Learned: The future of ISO management systems may be RBT, risk assessment, risk management, and finally ERM. So, purchase ISO 31000 guidelines and see if risk management or Enhanced Risk Management may fit your organization and context. Remember, apply and tailor them to your RBT and QMS processes.