The purpose of this procedure is to manage the business risks and opportunities that arise from the context of XXX and the requirements of interested parties.
This procedure applies to all the activities within the scope of the XXX Quality Management System.
3. REFERENCE DOCUMENTS
3.1 XXX Quality Manual
3.2 ISO 31000:2018 standard
3.3 Procedure for Context of the organization
4. TERMS & DEFINITIONS
RM - Risk Management
SOP - Standard Operating System
5. RESPONSIBILITY AND AUTHORITY
The Management Representative (MR) and the HODs of all departments are responsible for the effective implementation of this procedure.
6. DETAILS OF PROCEDURE
XXX has a documented procedure to identify and control risks that affect the delivery and quality of products. This procedure identifies techniques and tools, and their application, for risk identification, assessment and mitigation.
6.1 RISK ASSESSMENT:
Risk assessment associated with delivery of product shall generally include, but is not limited to, the following:
- Availability of facilities & their maintenance
- Availability of equipment
- Breakdown / preventive maintenance of equipment
- Material availability
- Timely Supply of material
- Quality of supplied material
- Suppliers performance in terms of Quality, Delivery & Other capabilities
- Inadequate QA / QC activities
Risk assessment associated with product quality shall generally include, but is not limited to, the following:
- Competencies & Performance of critical, non-critical suppliers, sub-contractors, and outsourced vendors
- Delivery of non-conforming products to customers
- Maintenance of Facilities, equipment including testing equipment
- Incoming, in-process, and final inspection and its controls.
- Addressing the non-conformance of the product in process at all levels to avoid the effect or potential effects on the final product.
- Availability of competent personnel.
Risk assessment provides a structured process for analyzing risk in terms of consequences and likelihood before deciding on further actions.
Records of risk assessment and management including actions taken are maintained.
This structured process attempts to answer some fundamental questions:
- What may happen and why (risk identification)?
- What might be the consequences?
- What is the likelihood of them happening? And
- Is there anything that might mitigate the consequences or reduce the likelihood?
Risk identification is defined as the process of finding, recognizing and describing risk. It can draw on historical data or theoretical analysis, and involves identification of risk sources, events, causes and their potential consequences which delay the organization's objectives.
Risk analysis is the process of analyzing the nature of risk and determining the level of risk associated with the relevant activity. RPN (Risk Priority Number) is used for analyzing the impact. Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated and on the most appropriate risk treatment strategies and methods. Risk analysis also provides an input into making decisions where choices must be made and the options involve different types and levels of risk. Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences and the likelihood that those consequences can occur. Factors that affect consequences and likelihood are identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency are taken into account. The way in which consequences and likelihood are expressed, and the way in which they are combined to determine a level of risk, are chosen to reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used.
The significant risks associated with each process are segregated into the following 5 categories:
Human resource is one of the important and mandatory requirements for product realization which includes workmen, staff and managers.
A machine is an important resource to meet the required product realization and possible risk like breakdown / out of tolerance is considered while carrying out risk analysis.
Risk related to material handling and preservation of the product is considered in method.
Risk related to material rejection, delayed shipment from the supplier, and raw material shortage is considered when carrying out risk assessment.
Risk related to natural disaster and their impact on quality or delivery of the product with required communication is considered.
The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need control / mitigation and the priority for control / mitigation implementation. Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established. Based on this comparison, the need for control / mitigation can be considered.
Risk control / mitigation involves:
- Deciding whether residual risk levels are tolerable. If XXX feels that a presently non-significant risk may become significant in future, then it is treated as significant.
- If not tolerable, generating a new risk treatment and assessing its effectiveness.
Further, activities pertaining to the criteria below are called significant and require a proper action plan.
6.2 GUIDELINES FOR DETERMINING RPN:
The guideline followed at XXX to determine RPN while performing risk assessment includes the following important terms.
Severity evaluation criteria (S):
Severity for each activity / problem is worked out based on the amount of impact it creates on the equipment / legal / customer satisfaction (delivery and product quality). The value range is from 1 to 5. Tabulation 01, used to plot the applicable severity number for the relevant activity, is given in Guideline 2. When the severity is 5, it is defined as critical class (CC); a value of 4 is called significant class (SC); values less than 3 are common activities and are left unfilled.
Occurrences evaluation criteria (O):
Occurrence for each activity / problem is worked out based on the number of repeated cases in the past history or on assumptions based on experience. The value range is from 1 to 5. Tabulation 02, used to plot the applicable occurrence number for the relevant activity, is given in Guideline 2.
Detection evaluation criteria (D):
Detection for each activity is defined as the possibility of capturing the problem / defect with the existing controls. The value ranges from 1 to 5. Tabulation 03 is used to plot the applicable detection number for the relevant activity.
Risk assessment output:
The output of risk assessment is used as an input for contingency planning, and the same is considered in corrective and preventive actions.
Risk assessment frequency:
The risk assessment at SOS is carried out once a year for all the relevant processes, and the records are documented with necessary actions. Re-evaluation can be done whenever there is a need due to Management requirement, major process change and customer request, changes in the RPN number, or a major quality or delivery issue.
TABLE 01 – SEVERITY (S) EVALUATION CRITERIA

| Effect | Criteria: Severity of Effect | Ranking |
|---|---|---|
| Catastrophic | Very high severity and multiple effects on product quality or delivery. Severe and widespread damage to the customer with respect to delivery and quality of product | 5 |
| Critical | Major severity and multiple effects on product quality or delivery | 4 |
| Serious | Single severe impact and multiple minor impacts on product quality and delivery | 3 |
| Minor | Low or minor impact and short-term effect on product quality and delivery | 2 |
| Low | Negligible or trivial effect and/or impact on product quality and delivery | 1 |

TABLE 02 – OCCURRENCE EVALUATION CRITERIA

| Occurrence: Criteria | Ranking |
|---|---|
| Frequent: Persistent failures (shall occur several times) | 5 |
| Probable: Frequent failures (occurs repeatedly / an event to be expected) | 4 |
| Occasional: Occasional failures (could take place or occur sometimes) | 3 |
| Remote: Relatively unlikely and few failures | 2 |
| Improbable: Failure is so unlikely that probability is not there | 1 |

TABLE 03 – DETECTION EVALUATION CRITERIA

| Detection | Criteria | Suggested Range of Detection Methods | Ranking |
|---|---|---|---|
| Almost Impossible | Absolute certainty of non-detection of problem | Cannot detect or is not checked | 5 |
| Low | Controls have a poor chance of detecting the problem | Control is achieved with visual inspection only | 4 |
| Moderate | Controls may detect the problem | Control is based on variable gauging after parts have left the station, or Go/No Go gauging performed on 100% of the parts after parts have left the station | 3 |
| High | Controls have a good chance to detect the problem | Error detection in station or error detection in subsequent operations by multiple layers of acceptance: supply, select, install, verify. Cannot accept discrepant part | 2 |
| Very High | Controls certain to detect the problem | Discrepant parts cannot be made because the process or the equipment / item has been error-proofed by process / product design | 1 |

Based on the criteria given in Tables 01, 02 and 03, the severity, occurrence and detection ratings for each potential risk are determined. In doing so, potential causes of failure are taken into account for the severity rating, and current process control prevention is considered for the occurrence rating.
Risk Priority Number (RPN): RPN = S × O × D, where S is the Severity rating, O is the Occurrence rating and D is the Detection rating. The RPN for each potential risk is determined. The value of RPN is always from 1 to 125. The RPN value is used to rank the order of concern in product delivery and product quality. Special attention is to be given when the value of RPN is 80 or more than 80, or alternatively if the Severity value is more than 4. The highest severity of effect should be taken for calculating the risk priority number.
In SOS we have set a cut-off limit of RPN value as 80. Appropriate corrective actions are recommended and implemented in all such cases where the RPN value exceeds 80. Risks having an RPN of more than 80 are also considered for contingency planning and entered in the risk assessment register.
Recommended action and/or mitigation
After completion of the steps described above, the RPNs are to be analyzed to identify the priority areas for control and mitigation. Higher risk priority numbers generally require immediate action and contingency planning; however, severity rankings of more than 4 are to be considered with high priority irrespective of the RPN value.
The recommended actions are to be taken to prevent / eliminate the causes to reduce the occurrence ranking. The general steps for risk mitigation are:
- Risk elimination, where possible
- Substitution by alternate man, material, machine or method as applicable
- Segregation of products and/or material
- Changes in the system of working that reduce the risk to an acceptable level (this includes having a written procedure, adequate supervision, training, and information and instructions)
Verification of implementation: The QA / QC Engineer has to verify that the action has been implemented. After the corrective actions have been implemented, estimate and record the resulting ‘Severity’, ‘Occurrence’ and ‘Detection’ rankings. Calculate the “Resulting RPN”. If no actions are taken, leave the related ranking columns blank.
Risk Assessment review & updating: This document is a dynamic document. It is to be reviewed whenever there is a change in process or customer requirement, on identification of new failures and causes, and when the process becomes unstable and/or incapable. Whenever the Risk Assessment is reviewed, the concerned process-related documents such as the Quality plan, operating instructions, setup instructions, maintenance instructions etc. are to be reviewed and updated as required.
ISO 9001:2015 – QMS SPECIFIC REQUIREMENTS
- SOS considers and manages risks and opportunities differently.
- Risks are managed with a focus on decreasing their likelihood, and minimizing their impact if they should occur.
- Opportunities are managed to increase their likelihood, and to maximize their benefits if they should occur.
- Where risks and opportunities overlap, the most appropriate method for managing them shall be ascertained, given the situation at hand. Elements of such “blended” uncertainties may require methods which address both the negative risk and the positive opportunity.
MANAGEMENT OF RISKS
- Risks are identified as part of the “Context of the Organization Exercise”.
- Additional risks are identified department-wise through brainstorming by the concerned department heads. Risks can also be identified by any employee of XXX.
- Each process owner identifies the risks / opportunities associated with different activities in their department and records them in the Risk Assessment format.
- Risks identified as part of the Context of the Organization are recorded in the Risk Assessment format for Top Management.
- The methods for risk assessments vary, but should always include a means of identifying the risk under examination, and a description of the result of the risk assessment.
- Detailed methods may include FMEA (failure mode effects analysis), SWOT (strength, weakness, opportunity and threat) or other tools. But right now we are not following these methods and use a simple method of identifying risk and taking actions to reduce or eliminate the risk and to increase or encourage the opportunities.
- When doing the risk treatment, an entry shall be made in the Risk format. When using the Risk format, the following steps are to be followed:
  - Identifying the risk.
  - Identifying the process for which the risk most likely dominates.
- After entering the risk in the Risk Assessment format, the concerned management will decide whether to reject the subject due to the risk, or accept the risks after the development of a risk mitigation plan. The mitigation plan must be documented, either in the Risk Assessment format.
- The concerned Management will review and revise the Risk Assessment from time to time.
- If a risk includes a potential positive aspect, management may elect to conduct an opportunity pursuit assessment on the positive aspect, as defined below.
PROCEDURE: MANAGEMENT OF OPPORTUNITIES
XXX actively seeks out opportunities which could enhance its financial viability and market position. For example:
- obtaining new contracts
- obtaining access to new markets
- identification of new industries which may be served by XXX
- development of new offerings that are within the scope of capabilities of XXX
- streamlining existing processes to improve efficiency and reduce costs
Opportunities are identified as part of the “Context of the Organization Exercise” and as part of the corrective action program. Discussing and analyzing opportunities shall be done by top management. If made part of the management review activities, these shall be recorded in the management review records.
To help determine which opportunities should be pursued, the Opportunity column within the Risk Assessment form may be used to conduct an “opportunity pursuit assessment.”
The opportunity pursuit assessment is conducted by:
- Identifying the opportunity.
- Identifying the process under which the opportunity most likely falls.
For opportunities recorded in Risk & Opportunity Form, management will decide whether to pursue the opportunity through an “opportunity pursuit plan” or to abandon the opportunity altogether. The opportunity pursuit plan must be documented, either in the Risk & Opportunity form.
Analysis of any opportunity will generally result in one of the following possible determinations:
- Pursue the opportunity
- Explore the opportunity in greater detail before proceeding
- Accept the opportunity, but under limited and controlled conditions
- Decline the opportunity, typically based on a high expected cost or low anticipated benefit
If an opportunity includes a negative aspect, management may elect to conduct a risk assessment on the negative aspect, as defined above.
7. RETAINED DOCUMENTED INFORMATION
7.1 Risk and Opportunity Register
7.2 Management Review Record
3 thoughts on “Procedure for Addressing Risk and Opportunity”
Dear can you share the forms also ??
Please share the format for addressing Risk and opportunity
Please share the format on the Risk & Opportunity register form