What is
Degree to which a set of
inherent characteristics fulfills the requirements
1 – Customer Focus
The primary focus of quality management is to meet customer requirements and to strive to exceed customer
expectations.
Rationale
Sustained success is achieved when an organization attracts and retains the confidence of customers and other interested
parties on whom it depends. Every aspect of customer interaction provides an opportunity to create more value for the
customer. Understanding current and future needs of customers and other interested parties contributes to sustained
success of an organization.
Key Benefits (As per ISO 9000:2015)
• There is an increase in customer value;
• There is an increase in customer satisfaction;
• There is an improvement in customer loyalty;
• It enhances repeat business;
• It enhances the reputation of the organization;
• There is an expansion of customer base;
• There is an increase in revenue and market share.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take to increase Customer Focus can include:
• To identify and recognize the direct and indirect customers of the organization who receive value from the organization;
• To understand customers’ current and future needs and expectations;
• The organization must link its objectives to customer needs and expectations;
• It must communicate customer needs and expectations throughout the organization;
• It must plan, design, develop, produce, deliver and support products and services to meet customer needs and expectations;
• It must measure and monitor customer satisfaction and take appropriate actions;
• It must determine and take action on relevant interested parties’ needs and appropriate expectations that can affect customer
satisfaction;
• It must actively manage relationships with customers to achieve sustained success.
2 – Leadership
Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving
the quality objectives of the organization.
Rationale
Creation of unity of purpose, direction and engagement enable an organization to align its strategies, policies, processes and
resources to achieve its objectives.
Key Benefits (As per ISO 9000:2015)
• It increases the effectiveness and efficiency in meeting the organization’s quality objectives;
• There is a better coordination of the organization’s processes;
• There is improvement in communication between levels and functions of the organization;
• It develops and improves the capability of the organization and its people to deliver desired results.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
• It can communicate the organization’s mission, vision, strategy, policies and processes throughout the organization;
• It can create and sustain shared values, fairness and ethical models for behaviour at all levels of the organization;
• It can establish a culture of trust and integrity;
• It can encourage an organization-wide commitment to quality;
• It can ensure that leaders at all levels are positive examples to people in the organization;
• It can provide people with the required resources, training and authority to act with accountability;
• It can inspire, encourage and recognize the contribution of people.
3 – Engagement of People
It is essential for the organization that all people are competent, empowered and engaged in delivering value. Competent,
empowered and engaged people throughout the organization enhance its capability to create value.
Rationale
To manage an organization effectively and efficiently, it is important to involve all people at all levels and to respect them as
individuals. Recognition, empowerment and enhancement of skills and knowledge facilitate the engagement of people in
achieving the objectives of the organization.
Key Benefits (As per ISO 9000:2015)
• It improves understanding of the organization’s quality objectives by people in the organization and increased motivation
to achieve them;
• It enhances involvement of people in improvement activities;
• It enhances personal development, initiatives and creativity;
• It enhances people satisfaction;
• It enhances trust and collaboration throughout the organization;
• It increases attention to shared values and culture throughout the organization.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
• It can communicate with people to promote understanding of the importance of their individual contribution;
• It can promote collaboration throughout the organization;
• It can facilitate open discussion and sharing of knowledge and experience;
• It can empower people to determine constraints to performance and to take initiatives without fear;
• It can recognize and acknowledge people’s contribution, learning and improvement;
• It can enable self-evaluation of performance against personal objectives;
• It can conduct surveys to assess people’s satisfaction, communicate the results and take appropriate actions.
4 – Process Approach
Consistent and predictable results are achieved more effectively and efficiently when activities are understood and
managed as interrelated processes that function as a coherent system.
Rationale
The quality management system is composed of interrelated processes. Understanding how results are produced by this system,
including all its processes, resources, controls and interactions, allows the organization to optimize its performance.
Key Benefits (As per ISO 9000:2015)
• It enhances ability to focus effort on key processes and opportunities for improvement;
• There are consistent and predictable outcomes through a system of aligned processes;
• It can optimize performance through effective process management, efficient use of resources and reduced
cross-functional barriers;
• It enables the organization to provide confidence to interested parties related to its consistency, effectiveness and
efficiency.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
• It can define objectives of the system and processes necessary to achieve them;
• It can establish authority, responsibility and accountability for managing processes;
• It can understand the organization’s capabilities and determine resource constraints prior to action;
• It can determine process interdependencies and analyse the effect of modifications to individual processes on the system
as a whole;
• It should manage processes and their interrelations as a system to achieve the organization’s quality objectives effectively
and efficiently;
• It can ensure the necessary information is available to operate and improve the processes and to monitor, analyse and
evaluate the performance of the overall system;
• It should manage risks which can affect outputs of the processes and overall outcomes of the QMS.
5 – Improvement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels of performance, to react to changes in its internal
and external conditions and to create new opportunities.
Key Benefits (As per ISO 9000:2015)
• There is improved process performance, organizational capability and customer satisfaction;
• There is enhanced focus on root cause investigation and determination, followed by prevention and corrective actions;
• There is enhanced ability to anticipate and react to internal and external risks and opportunities;
• There is enhanced consideration of both incremental and breakthrough improvement;
• There is improved use of learning for improvement;
• There is enhanced drive for innovation.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
• It can promote establishment of improvement objectives at all levels of the organization;
• It can educate and train people at all levels on how to apply basic tools and methodologies to achieve improvement
objectives;
• It can ensure people are competent to successfully promote and complete improvement projects;
• It can develop and deploy processes to implement improvement projects throughout the organization;
• It can track, review and audit the planning, implementation, completion and results of improvement projects;
• It can integrate improvement consideration into development of new or modified products and services and processes;
• It can recognize and acknowledge improvement.
6 – Evidence-based Decision Making
Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.
Rationale
Decision-making can be a complex process, and it always involves some uncertainty. It often involves multiple types and
sources of inputs, as well as their interpretation, which can be subjective. It is important to understand cause and effect
relationships and potential unintended consequences. Facts, evidence and data analysis lead to greater objectivity and
confidence in decisions made.
Key Benefits (As per ISO 9000:2015)
• There is an improvement in decision making processes;
• There is an improvement in assessment of process performance and ability to achieve objectives;
• There is an improvement in operational effectiveness and efficiency;
• There is an increased ability to review, challenge and change opinions and decisions;
• There is an increased ability to demonstrate the effectiveness of past decisions.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
• It should determine, measure and monitor key indicators to demonstrate the organization’s performance;
• It can make all data needed available to the relevant people;
• It should ensure that data and information are sufficiently accurate, reliable and secure;
• It can analyse and evaluate data and information using suitable methods;
• It should ensure people are competent to analyse and evaluate data as needed;
• It can make decisions and take actions based on evidence, balanced with experience and intuition.
7 – Relationship Management
For sustained success, organizations manage their relationships with interested parties, such as suppliers.
Rationale
Interested parties influence the performance of an organization. Sustained success is more likely to be achieved when an
organization manages relationships with its interested parties to optimize their impact on its performance. Relationship
management with its supplier and partner network is often of particular importance.
Key Benefits (As per ISO 9000:2015)
• There is an enhanced performance of the organization and its relevant interested parties through responding to the
opportunities and constraints related to each interested party;
• There is a common understanding of objectives and values among interested parties;
• There is an increased capability to create value for interested parties by sharing resources and competence
and managing quality related risks;
• There is a well-managed supply chain that provides a stable flow of products and services.
Possible actions (As per ISO 9000:2015)
Some of the possible actions that an organization can take include:
• It can determine relevant interested parties (such as providers, partners, customers, investors, employees or society as a
whole) and their relationship with the organization;
• It can determine and prioritize interested party relationships that need to be managed;
• It can establish relationships that balance short-term gains with long-term considerations;
• It can gather and share information, expertise and resources with relevant interested parties;
• It can measure performance and provide performance feedback to interested parties, as appropriate, to enhance
improvement initiatives;
• It can establish collaborative development and improvement activities with providers, partners
and other interested parties;
• It can encourage and recognize improvements and achievements by providers and partners.
What is process?
A “Risk Based Thinking” Model
for ISO 9001:2015
Why implement Risk Based Thinking?
• What does ISO 9001:2015 require?
• What is Risk Based Thinking?
• What is Risk?
• What is a simple Risk Tool?
• How does it integrate into the Process Approach?
• How do you make Risk Based Thinking a Continual Process
Improvement activity?
ISO 9001:2015 Risk & Opportunities
• 4.4 Quality management system and its processes
• The organization shall establish, implement, maintain and continually
improve a quality management system, including the processes needed
and their interactions, in accordance with the requirements of this
International Standard.
• The organization shall determine the processes needed for the quality
management system and their application throughout the organization and
shall determine:
• The risks and opportunities in accordance with the requirements of 6.1,
and plan and implement the appropriate actions to address them;
ISO 9001:2015 Risk & Opportunities
• Planning for the quality management system
• Actions to address risks and opportunities
• When planning for the quality management system, the organization shall consider the
issues referred to in 4.1 and the requirements referred to in 4.2 and
• Determine the risks and opportunities that need to be addressed to:
• give assurance that the quality management system can achieve its intended result(s);
• prevent, or reduce, undesired effects;
• achieve continual improvement.
ISO 9001:2015 Risk & Opportunities
The organization shall plan:
• actions to address these risks and opportunities;
• how to:
• integrate and implement the actions into its quality management system processes
(see 4.4);
• evaluate the effectiveness of these actions.
• Actions taken to address risks and opportunities shall be
proportionate to the potential impact on the conformity of products
and services.
The Main Objectives of International Standards
• To provide confidence in the organization’s ability to consistently
provide customers with conforming goods and services
• To enhance customer satisfaction
• The concept of “risk” in the context of the international standards
relates to the uncertainty in achieving these objectives
What is Risk Based Thinking?
What is “Risk-Based Thinking”?
• Risk-based thinking is something we all do automatically and often
sub-consciously
• The concept of risk has always been implicit in ISO 9001 – the 2015
revision makes it more explicit and builds it into the whole
management system
• Risk-based thinking is already part of the process approach
• Risk-based thinking makes preventive action part of the routine
• Risk is often thought of only in the negative sense. Risk-based thinking
can also help to identify opportunities. This can be considered to be
the positive side of risk
Why Should I adopt “Risk-Based Thinking”?
• To improve customer confidence and satisfaction
• To assure consistency of quality of goods and services
• To establish a proactive culture of prevention and improvement
• Successful companies intuitively take a risk-based approach
What Should I Do?
• Identify what the risks and opportunities are in your organization – it depends on context
• ISO 9001:2015 will not automatically require you to carry out a full, formal risk assessment, or to
maintain a “risk register”
• ISO 31000 (“Risk management — Principles and guidelines”) will be a useful reference (but not mandated)
• Analyse and prioritize the risks and opportunities in your organization
• What is acceptable?
• What is unacceptable?
• Plan actions to address the risks
• how can I avoid or eliminate the risk?
• how can I mitigate the risk?
• Implement the plan – take action
• Check the effectiveness of the actions – does it work?
• Learn from experience – continual improvement
Key Points to Remember
• Risk Based Thinking = Preventative Action
• Risk Based Thinking is everybody’s business!
• Risk Based Thinking is not just the responsibility of management
• Risk Based Thinking must become an integral part of the
organizational culture
What is Risk?
• Risk is the possibility of events or activities impeding the achievement
of an organization’s strategic and operational objectives.
Risk – A Simple Definition
• The volatility of potential outcomes.
or
• How surprised do you really want to be??
Food for Thought
Why is Risk like Swiss Cheese?
• Author needs to acknowledge that this idea was shown at the NQA Meeting, Boston Session, August 2014
Risk Definitions
• Risk can be defined by two (2) parameters
• Severity
• This is the Seriousness of the harm
• Probability
• This is the Probability that the harm will occur
Risk Assessment - Quantitative
Risk Acceptable Regions (figure): Generally Un-Acceptable; As Low As “Reasonably” Practical; Generally Acceptable
Risk Assessment - Qualitative
• Risk Registers
The Importance of a Risk Register
• The risk register or risk log becomes essential as it records identified
risks, their severity, and the action steps to be taken.
• It can be a simple document, spreadsheet, or a database system, but
the most effective format is a table.
• A table presents a great deal of information in just a few pages.
Components of a Risk Register
• There is no standard list of components that should be included in the risk
register. Some of the most widely used components are:
• Dates: As the register is a living document, it is important to record the date that
risks are identified or modified. Optional dates to include are the target and
completion dates.
• Description of the Risk: A phrase that describes the risk.
• Risk Type (business, project, stage): Classification of the risk: Business risks relate
to delivery of achieved benefit; project risks relate to the management of the
project such as timeframes and resources; and stage risks are risks associated
with a specific stage of the plan.
• Likelihood of Occurrence: Provides an assessment on how likely it is that this risk
will occur. Examples are: L-Low (<30%), M-Medium (31-70%), H-High (>70%).
• Severity of Effect: Provides an assessment of the impact that the occurrence of
this risk would have on the project.
• Countermeasures: Actions to be taken to prevent, reduce, or transfer the
risk. This may include production of contingency plans.
• Owner: The individual responsible for ensuring that risks are appropriately
engaged with countermeasures undertaken.
• Status: Indicates whether this is a current risk or if risk can no longer arise
and impact the project. Example classifications are: C-current or E-ended.
• Other columns such as quantitative value can also be added if appropriate.
Risk Registers - Example
Integrating Risk Based Thinking with
the Process Approach
Purpose of the Process Approach
• The purpose of the process approach is to enhance an organization’s
effectiveness and efficiency in achieving its defined objectives. This
means enhancing customer satisfaction by meeting customer
requirements.
Is This a Process Model in Your Organization?
or does your Process Approach look like this?
Process diagram (figure): Suppliers (By Whom), Inputs, Process (Major Elements & Boundaries; Start, End), Outputs, Customers (for Whom?)
Elements around the process: Materials (With What?); Measures (Trend Charts, Metrics); Manpower (Training, Skills); Methods (How?); Machine (With What?); Environment (Area Conditions?); Risks (What Can Go Wrong?); Process Owners
Proposed Risk Model
Proposed Risk Model - Populated
New Risk Value
Post Action Plans
Addressing Risk
• Integrating Risk Based Thinking with the Process Approach and PDCA
Plan-Do-Check-Act
• The Plan-Do-Check-Act (PDCA) methodology can be a useful tool to
define, implement and control corrective actions and improvements.
Extensive literature exists about the PDCA cycle in numerous
languages.
• Plan: What to do? How to do it?
• Do: Do what was planned
• Check: Did things happen according to plan?
• Act: How to improve next time?
Process + Risk + PDCA Model
• Plan the process (extent of planning depends on RISK)
• Do – Carry out the process (INPUTS to OUTPUTS)
• Check – monitor/measure process performance
• Act – Incorporate improvements as necessary
Management Review Input
• Top management shall review the organization's quality management system, at planned
intervals, to ensure its continuing suitability, adequacy, and effectiveness. The
management review shall be planned and carried out taking into consideration:
• the status of actions from previous management reviews;
• changes in external and internal issues that are relevant to the quality management
system including its strategic direction;
• information on the quality performance, including trends and indicators for:
• nonconformities and corrective actions;
• monitoring and measurement results;
• audit results;
• customer satisfaction;
• issues concerning external providers and other relevant interested parties;
• adequacy of resources required for maintaining an effective quality management system;
• process performance and conformity of products and services;
• the effectiveness of actions taken to address risks and opportunities (see clause 6.1);
• new potential opportunities for continual improvement.
Conclusions
• Risk Based Thinking is an element in the Process Approach
• Risk Based Thinking is an input to Management Review
• Risk Based Thinking is an element in the continual
improvement process that is focused on prevention.
• Risk Based Thinking has to be demonstrated during audits; a
risk register is documented information that validates an
organization has done Risk Based Thinking.
References
• ISO 9000 Introduction and Support Package: Guidance on the Concept and Use of the Process
Approach for management systems, ISO/TC 176/SC 2/N 544R3
• ISO 9001:2008
• ISO 9001:2015
• “Implementing the Process Approach”, Core Business Solutions, Inc., March 31,
2008.
• The Process Approach: Adding Business Value and Minimizing Risks; David Muil,
Intertek.
• “The PDCA Continuous Improvement Cycle; Module 6.4”, Jeremy Weinstein and
Steve Vasovski, 2004.