Mohd Nizam

“Quality has toAb

be
Rahman
caused, not
controlled.”
Pusat Jaminan Kualiti

UKM
Philip B. Crosby

FOR TRAINING PURPOSE ONLY

1
 Introduction to ISO 9001:2015
Risk-Based Quality Management
System: Risk-Based Thinking
Model

2
By the end of this workshop, participants
will be able to:
1. Understand the concepts of changes in ISO
9001:2015 standards

2. Develop Risk-Based Thinking

3. Integrate Risk-Based Thinking with the Process

Approach as required by ISO 9001:2015

4. Understand the audit approach

3
 1
Overview of ISO 9001
Standard

4
About ISO

 Non-governmental organization (NGO) established in

1947, based in Geneva, Switzerland

 Has a membership of 160 national standards institutes

from countries in all regions of the world

5
About ISO

 Developed various standards for all dimensions of

sustainable development: economic, environmental and
societal
• Examples :
 ISO 9001 – Quality Management Systems (QMS)

 ISO 14001 – Environmental Management Systems (EMS)

 ISO 27001 – Information Security Management Systems (ISMS)

 ISO 31000 – Risk Management (Principles and Guidelines)

 SIRIM and STANDARD Malaysia are major

representative to ISO
6
What is ISO 9001?

 ISO 9001 is the world’s most popular and most

commonly used standard for Quality Management
Systems (QMS)

 International consensus on good management practice

 Focuses on meeting customer requirements and other

interested parties

 Covers any organization – whatever the size, industry or

culture

7
Advantages of Certification

 Compliance with customer requirements

specifying certification
 Independent check of conformity
 Indicates an effective Quality System
 National/International recognition
 Provides competitive advantage
 Improves company image

8
Why Was ISO 9001 Revised?
 Adapt to a changing world
 Enhance an organization’s ability to satisfy customers
 Maintain relevance, provide integrated approach to
organizational management, and integrate with other
management systems
 Reflect needs of all user groups and increasingly
complex operating environments
 Set a consistent foundation for the next 10 years

9
Key Improvements to ISO 9001:2015

 Increased emphasis on achieving value for the

organization and its customers

 A greater emphasis on leadership and organizational

context

 The focus on risk-based thinking

 Emphasis on objectives, measurements and change

 Stakeholder-focused communication and awareness

 Decreased emphasis on documentation

10
ISO 9001 – Key Differences
ISO 9001:2008 ISO 9001:2015
0 Introduction 0 Introduction
1 Scope 1 Scope
2 Normative references 2 Normative references
3 Terms and definitions 3 Terms and definitions

4 Quality management system 4 Context of the organization

5 Leadership
5 Management responsibility
6 Planning

6 Resource management 7 Support

7 Product realization 8 Operation

8 Measurement, analysis and 9 Performance evaluation

improvement 10 Improvement

11
ISO 9001 – Different Terminology
ISO 9001:2008 ISO 9001:2015

Products Products and services

Documentation, quality manual,

documented procedures, records, Documented information
instructions

Work environment Environment for the operation of processes

Monitoring and measuring equipment Monitoring and measuring resources

Purchased product Externally provided products and services

Supplier External provider

12
 Term: “Documented Information”

“Retaining” Doc. Info. = Records “Maintain” Doc. Info. applies to…

Quality Objectives Quality Policy

Fitness for purpose of monitoring and measuring resources Quality Objectives
Evidence of Competence Scope of the QMS
Conformity of Products/Services

Review of Customer Requirements

Design and Development Process

Design and Development Changes

Evaluation/Performance of External Providers

Product/Service ID and Traceability

Pre and Post Delivery Change Authorizations
Conformity with Acceptance Criteria
Authorized Release of Products/Services
Non-conformances and C/A
Internal Audits
Management Reviews
13
Benefits of the New ISO 9001:2015

 Puts greater emphasis on leadership engagement

 Helps address organizational risks and opportunities in a

structured manner

 Uses simplified language and a common structure and

terms

 Addresses supply chain management more effectively

 Is more user-friendly for service and knowledge-based

organizations

14
 2
ISO 9001 and Risk
Structure

15
Emphasis on Process Approach

 Understanding and meeting

customer requirements

 How do processes value add

 Measure process
performance and
effectiveness

 Continual improvement of
processes based on
measurement

16
Risk-based Management
 To improve customer
confidence and satisfaction
 To assure consistency of
quality of products and
services
 To establish a proactive
culture of prevention and
improvement Risks Opportunities

 Successful companies
intuitively take a risk-based
approach
 Improve governance
17
ISO 9001 Approach is Based on the
Plan-Do-Check-Act (PDCA) Cycle
Organization and
its context (4)
Support &
Operation
(7,8)
Customer
Plan Do Satisfaction

Performance
Planning Leadership Results of
evaluation
(6) (5) the QMS
Customer (9)
Requirements

Products
Act Check and services

Needs and expectations Improvement

of relevant interested (10)
parties (4)

18
PDCA and ISO 9001 Clause Structure
0. Introduction
1. Scope
2. Normative References
3. Terms & Definitions 4. Context of the
Organization

10. Improvement
5. Leadership

ACT PLAN
6. Planning

7. Support
CHECK DO

9. Performance
8. Operations
Evaluation

19
 ISO 9001 Clause Structure (4-10)
PLAN DO CHECK ACT
4. Context of the 5. Leadership 6. Planning for 7. Support 8. Operation 9. Performance 10. Improvement
organization the QMS evaluation

4.1 Understanding the 5.1 Leadership and 6.1 Actions to address 7.1 Resources 8.1 Operational 9.1 Monitoring, 10.1 General
organization and its commitment risks and planning and control measurement,
context opportunities analysis and
evaluation
4.2 Understanding the 5.2 Quality policy 6.2 Quality objectives 7.2 Competence 8.2 Determination of 9.2 Internal audit 10.2 Nonconformity
needs and and planning to requirements for and corrective action
expectations of achieve them products and services
interested parties

4.3 Determining the 5.3 Organizational 6.3 Planning of 7.3 Awareness 8.3 Design and 9.3 Management 10.3Continual
scope of the QMS roles, responsibilities changes development of review improvement
and authorities products and services

4.4 QMS and its 7.4 Communication 8.4 Control of

processes externally provided
products and services

7.5 Documented 8.5 Production and

information service provision

8.6 Release of
products and services

8.7 Control of
nonconforming
process outputs,
products and services

20
 3

Risk-Based Practices

21
 Why Risk Management is needed?

KAPAL TITANIC -1912

CHALLENGER DISASTER

22
Risk Management
I have never known a battle plan to survive after a first contact
with the enemy.

23
Context of the Organization

24
• Risk Based Thinking

• Is not new

• Make prevention a habit and reduces the probability

of negative results

• No “Preventive Action sub-clause”. PA is expressed

through a Risk-Based Approach to formulating QMS
requirements

• Risk-based approach has facilitated some reduction in

prescriptive requirements and their replacement by
performance-based requirements

• Actions taken to address Risks and Opportunities

shall be proportionate to the potential impact on the
conformity of products and services 25
Decision making and ISO-9001:2015
 The first is a quality principle quoted from ISO 9000:2015, namely
“evidence-based decision making.” It is not hard to understand
that better decisions are made when they are based on evidence
rather than by conjecture.
 Clause 4.1, “Addressing external and internal issues (risks and
opportunities) associated with its context and objectives.”
Addressing risks means proactively managing uncertainties. The
simple meaning of “managing uncertainties” is that decisions should
be made with consideration of the possible positive and negative
consequences that the uncertain future may bring.
 Clause 5.1, entitled Leadership and Commitment, there is a
requirement for top management: “Ensuring that the quality
policy and quality objectives are established for the quality
management system and are compatible with the context and
strategic direction of the organization.” Top management’s most
basic role is strategic decision-making for the organization.
 6.1 When planning for QMS, the organization shall consider the
issues referred to in 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed.

26
What is Risk
The concept of RISK in the context of the
ISO Standard relates to the uncertainty in
achieving objectives

Risk is the possibility of events or activities

impeding the achievement of an
organization’s strategic and operational
objectives

27
Risk Based Thinking
Examples and Ideas

 Purchasing
 Design and Development
 Process

The concept of RISK in the context of the

ISO Standard relates to the uncertainty in
achieving objectives 28
What should you do?

 Identify what the risks and opportunities are in your

organization – it depends on context
 Analyze and prioritize the risks and opportunities in your
organization
• what is acceptable?
• what is unacceptable?
 Plan actions to address the risks
• how can I avoid or eliminate the risk?
• how can I mitigate the risk?
 Implement the plan – take action
 Check the effectiveness of the actions – does it work?
 Learn from experience – continual improvement

29
Risk Based Thinking Tool

Failure Mode and Effects Analysis (FMEA)

30
 Risk Based Thinking Tool

RISK MATRIX

S
E
R
I
O
U
S
N
E
S
S

Jay Stahan
January 12, 2016 PROBABILITY
31
Risk Based Approach Tool
Risk Register Ranking Matrix

Probability

Severity

32
Risk Based Thinking Tool

33
34
 4

Audit Approach

35
What is a Quality Audit?

 Systematic, independent and

documented process for
obtaining audit evidence and
evaluating it objectively to
determine the extent to which
audit criteria are fulfilled

 Audit criteria

• Processes or procedures

• Standards

36
What Are Audits Used For?

 Looking at the overall process

 Auditing conformity

 Auditing effectiveness

 Approving external service providers

 Assessing for certification

 Investigating problems

 Way of improving

37
Types of Quality Audits

 First party audit

• Internal audit (by your organization’s Quality department)

 Second party audit

• Your customer auditing your organization

 Third party audit

• A certification body auditing your organization

38
Internal Audit

 To ensure the whole Quality

System is audited to check:
• The system is being followed

• The system meets ISO 9001

requirements

• The system is effectively

implemented and maintained

39
Audit Approach

 Focuses on employees’ understanding of the

organization’s processes and verifies that these
processes are:
• complied with

• under control

• achieving the desired results

Provide evidence, e.g. records,

meeting minutes, reports,
data and emails

40
Audit Findings

Major Non-conformity

Minor Non-conformity

Observation

41
Audit Findings

Major Non-conformity

 A major non-conformity relates to the absence or total

breakdown of a required process or a number of minor
non-conformities listed against similar areas
 A major non-conformity at the Registration Audit would
defer recommendation for registration until that major
has been closed

42
Audit Findings

Minor Non-conformity

 A minor non-conformity is an observed lapse in your

systems ability to meet the requirements of the standard
or your internal systems, while the overall process
remains intact

43
Audit Findings

Observation

 An observation or opportunity for improvement relates to

a matter about which the Auditor is concerned but which
cannot be clearly stated as a non-conformity
 Observations also indicate trends which may result in a
future non-conformity

44
Messages to take home…

 RBT likely to increase organizational resilience and

success and element in Process Approach
 RBT is an input to Management Review
 Risk attitudes and cultures influence organizational
behavior
 People resources can be trained in methods and tools
 RBT is an element in PDCA process and focused on
prevention
 Effective leaders listen and learn (PDCA)
 We only scratched the surface here….

45
Thank You Very Much

Q&A

Group Activity

mnizam@ukm.edu.my

46