Certification Encyclopedia │ "Risk Management" in ISO9001 Quality Management System
Release Date: 2020-07-22 13:17
The risks in ISO9001 mainly refer to quality risks. The ISO9001:2015 standard contains many risk-based thinking elements. "Risk management" occupies a significant part of the ISO9001 standard. Here, the focus is on the definition of risk and related clauses.
◎ Planning
-- Measures to address risks and opportunities
① Ensure that the quality management system can achieve its intended results
② Enhance beneficial effects
③ Avoid or reduce adverse effects
④ Achieve improvement
Risk management is a systematic procedure used to identify, assess, and control risks. It can be applied both prospectively and retrospectively. The risk management system should ensure that: risks are identified, assessed, and controlled based on knowledge and process experience; controls are linked to the ultimate objective of keeping risks within acceptable limits; and the level of effort, formality, and documentation of the risk management process is commensurate with the level of risk.
◎ Definition of Risk
Risk refers to the effect of uncertainty.
Note 1: Effect means deviation from the expected, which can be positive or negative;
Note 2: Uncertainty is the state, even partial, of insufficient understanding or knowledge about an event, its consequence, or its likelihood;
Note 3: Risk characteristics are generally expressed through possible events and consequences or a combination of both;
Note 4: Risk is usually described as a combination of the consequences of an event and the likelihood of its occurrence;
Note 5: The term risk is sometimes used only when there is a possibility of negative outcomes.
Risk management is the coordinated activity of directing and controlling an organization with regard to risk. It manages risk through identification, analysis, and evaluation to determine whether corrective measures for risks are adopted.
Which clauses in ISO9001:2015 involve risk?
Introduction -- Explains the concept of risk-based thinking.
Clause 4 -- Requires the organization to determine QMS processes and address risks and opportunities.
Clause 5 -- Requires top management to:
-- Enhance the understanding of risk-based thinking;
-- Identify and address risks and opportunities affecting product/service conformity.
Clause 6 -- Requires the organization to identify risks and opportunities related to QMS performance and develop appropriate responses.
Clause 7 -- Requires the organization to determine and provide necessary resources.
Clause 8 -- Requires the organization to manage its operational processes.
Clause 9 -- Requires the organization to monitor, measure, analyze, and evaluate the effectiveness of measures addressing risks and opportunities.
Clause 10 -- Requires the organization to correct, prevent, or reduce unintended results and improve the QMS, updating risks and opportunities.
Note: Risks always exist and require appropriate attention at all times (Clauses 7 and 8).
What types of risks can impact an enterprise?
○ Organizational risks: occur at the entity and activity levels of the organization;
○ Strategic risks: occur when the organization's strategic or business planning is insufficiently thorough;
○ Compliance risks: occur when legal and regulatory requirements are not met;
○ Operational risks: divided into seven categories related to the organization's procedures and measures.
1. Organizational Risks
Entity-level risks can be external or internal. External factors include technology, competition, and legal environment; internal factors include security, information systems, loss of goods in transit, changes in personnel capabilities and responsibilities, etc.
Activity-level risks affect individuals and departments, including omissions when inputting information or materials into systems; loss of shipping and receiving records; lax security controls; lack of skilled technicians; and employee negligence. If activity-level risks persist across organizational processes, they will eventually form entity-level risks.
2. Strategic Risks
Strategic risks refer to potential losses resulting from executing an unsuccessful business plan or strategy. Causes may include poor business decisions, ineffective execution, insufficient resources, or failure to adjust in a timely manner to changes in the business environment.
3. Compliance Risks
Compliance risks relate to legal and regulatory requirements. Environmental, health, and safety requirements have always been a concern because issues in these areas can lead to fines, business suspension, or even criminal liability. Compliance with quality and environmental standards and regulations also falls within this scope.
Environmental risks include spills of hazardous liquids, emissions of hazardous gases, and improper disposal of solid waste. Situations may also include:
-- The procurement department switches from domestic to foreign suppliers;
-- Key environmental management personnel leave without timely replacement;
-- New materials are introduced without preparing relevant safety control records.
4. Operational Risks
Operational risks can be detailed in the following seven aspects:
(1) Management system risks
(2) Customer satisfaction risks
(3) Supply chain risks
(4) Revenue recognition risks affecting profit
(5) Information security risks
(6) Logistics risks
(7) Natural disaster risks