Does ISO 9001 require a procedure for addressing risks and opportunities?
What is actually required by ISO 9001:2015?
In section 6.1 of the standard, there are a few activities that need to take place with regards to the risks and opportunities of the QMS:
- Identify the risks and opportunities – What needs to be addressed to ensure your QMS does what is needed, builds on desirable outcomes, prevents or reduces problem outcomes, and achieves improvement?
- Plan your response – What actions do you need to take to address the risks and opportunities identified?
- Integrate into your QMS – How can you take these plans and fit them into your regular activities so that they happen easily?
- Evaluate effectiveness – How will you know whether your actions have worked, or if they need to be updated? This involves analyzing the information (section 9.1.3) and management review to assess the effectiveness (section 9.3.2).
For more details on what is required by the ISO 9001:2015 standard, see this article on How to address risks and opportunities in ISO 9001.
Do you need a documented procedure?
It is important to note in the requirements above that there is no mandate for documented information for any of these steps. The standard itself does not state that you need to document anything with respect to risks and opportunities, just that you must perform the processes in the section above, as well as update the risks and opportunities as an outcome of process non-conformities (section 10.2).
For instance, you could choose to assess your risks and opportunities at a management meeting, identify a risk (possibility of a single-source supplier of a critical part not delivering), decide what you are going to do (find a second supplier to reduce the risk ), and ensure that the employees who are performing the QMS process involved are aware of what they need to do (purchasing manager initiates the process to find a second supplier), and you could then claim that you are compliant with the ISO 9001:2015 requirements, even though none of this is written down.
So, do you need a documented procedure? The answer, according to ISO 9001:2015, is that a documented procedure is not required, but your company may have a different need for documented information and records regarding QMS risks and opportunities.
Why should I have a documented procedure?
Even though the ISO 9001:2015 standard does not require a documented procedure, there are some instances where having a documented procedure is an important way to ensure consistency. For example:
- Is this a new process? If you have been performing a business SWOT analysis for years, and use this to address the requirements of ISO 9001:2015, then you don’t necessarily need to write down your process. However, if this is a new process for your company, then it can be helpful to document what you do in order to not only be consistent, but also to help identify ways to improve the process.
- Are new people involved in the process? Even if you have been doing a process for a long time, if you are going to include new people in the process, it can help these new participants to understand the process if it is written down.
- Will it make integration easier? When determining what your plans to address the risks and opportunities are, and how to integrate these into your QMS activities, it may be useful to have a documented procedure on how these risks were determined in order to explain your reasoning to those who were not involved in the initial identification; however, you still need to implement the changes throughout the organization.
- Will it help when reviewing for effectiveness? This goes not only for the documented procedure, but also for documenting the risks and opportunities you identify and the plans to address them. It is important to think about how you will assess the effectiveness of your planning and actions taken if you have not written down the process you followed to arrive at your plans, or the plans themselves, to ensure successful conclusion.
Think before you make the decision not to document.
There are many good reasons to have a documented risk and opportunity procedure, and it is up to your organization to determine what is needed for you to have a successful process implemented. While I am normally a proponent of not writing unnecessary procedures, it is a good idea to think through what the procedure will be used for, and how it will be used, before you make the decision that a documented procedure will not be beneficial to your company. A short and simple documented procedure can be a great help for your employees, if done correctly.
Remember, the documented information of your Quality Management System is intended to work for you, so take the time to make sure that you create useful and helpful documented information when it will benefit your company.