Quality Resource Center – ISO 9001 Consulting & ISO 9001 Training Services
Quality Resource Center Now Proudly Offers ISO 9001:2015 Training, Implementation, Upgrades, Internal Auditor Certification, and Internal Audit Services
Quality Resource Center Now Proudly Offers ISO 14001:2015 Training, Implementation, Upgrades, Internal Auditor Certification, and Internal Audit Services
Silicon Valley-based Quality Resource Center has been providing World Class Quality and Quality Management Systems ISO 9001 consulting to an array of Global Clients for nearly a quarter of a century.
As the nation’s pre-eminent Quality Management Systems ISO 9001 Consultants, we’ve assisted thousands of clients in achieving their Quality Management Systems, Data Security, Recycling, e-waste Recycling, Environmental, and Food Safety Management Systems goals and objectives.
Quality Resource Center, Inc. (QRC) provides ISO 9001 consultants, consulting, training, design, implementation, and auditing services for all major Quality, Data Security, and Environmental Management standards –
- ISO 9001 Consulting
- ISO 27001 Data Security
- ISO 14001 Environmental Management
- ISO 13485 Medical Device Quality
- OHSAS 18001 Occupational Health and Safety
- ISO 22000 Food Safety, SQF 1000 and SQF 2000 Food Safety, and FSSC 22000
- AS9100D Aerospace Quality, AS9110 Aerospace Maintenance, and AS9120 Aerospace Distributors
- IATF 16949:2016 Automotive Quality
- R2:2013 Responsible Recycling, RIOS, e-Stewards
Whether it’s complete turnkey ISO 9001 consulting, ISO 27001, ISO 14001, ISO 13485, AS9100C, R2 Responsible Recycling Implementation or ISO Internal Auditor Training, Quality Resource Center is the recognized leader in consulting services.
Contact us toll free for a complimentary consultation at (800) 244-5409
You can also Email Us
AS9100D – Risk Management vs Risk-Based Thinking: Just What is the Difference?
Risk-Based Thinking requires organizations to consider the risks they face during strategic planning, planning for product and service conformity, management review, and when taking corrective action. The idea is that the organization works to identify risks, decides if action is required, and if applicable, takes action. That said, it is important to note that it is not necessary to track the risk as the project progresses to judge the effectiveness of the action, and whether additional action is necessary.
Risk Management, on the other hand, is a process for identifying risks, determining actions to mitigate those risks, tracking those actions, and then re-assessing any remaining risk after actions are deployed. It involves not just thinking about risk at certain stages during the realization of products and services, but also having a process to track these risks until they are addressed, mitigated, or eliminated.
What is required for operational risk management, and what isn’t?
To start with what is not required – there is a note specifying that while clause 6.1 “Actions to address risks and opportunities” addresses the risks and opportunities for the QMS, clause 8.1.1 “Operational Risk Management” is limited to risks that are associated with operational processes needed by the organization to provide its products and services. Therefore, while your organization may identify a QMS risk that it might soon have a rival company to compete with, this is not a risk that needs to be tracked according to the risk management requirements, as it is not an operational risk.
There are at least five requirements that an organization needs to consider during the planning, implementation, and control of the operational risk management process. They are:
- Assign Responsibilities – Who owns the process? Who constitutes the Team? Which departments need to be included? If actions are likely to be assigned to a certain department or function, it is best to have them involved in the whole management process.
- Determine Risk Assessment Criteria – What criteria will be used for risk assessment? How will you quantify which risks to accept and what you will mitigate? A note in this clause states that within the aviation, space, and defense industry, risk is generally expressed in terms of the likelihood of the occurrence and the severity of the consequences (a good example of this might be Failure Mode Effects Analysis or FMEA).
- Identify, Assess, and Communicate Risks – Any risk of product failure due to must be communicated to those who design and realize the product. Without effective communication, risk identification is ineffective.
- Identify, Implement, and Manage Mitigation Actions – There are a multitude of ways to address risk, ranging from risk reduction all the way to complete elimination of the risk – or, in other words, try to prevent the risk from happening. If a risk exceeds your acceptable criteria, take actions to address the risk and track those actions.
- Re-evaluate the Risk that remains when mitigation is complete, and continue to work to reduce it – Risk management is an iterative process, where the risk can always be reduced.
Has anything really changed from AS9100 Rev C?
The requirements have remained largely unchanged since the previous revision. Risk management process requirements were already included in AS9100 Rev C as risk management, and the five requirements have remained basically as they were. The real change here is the clarification that these requirements apply only to operational risk, hence the name change in the clause. The other change from Rev C is the addition of the two notes to clarify how these requirements are separate from risk-based thinking and to make it clear that risk in aerospace is a combination of likelihood and severity. For organizations that are already compliant with AS9100 Rev C, the current risk management process should most likely remain unchanged.