Monday, 29 September 2014

Adding "Risk Management" to ISO 9001: what do you think?

Hahaha, few debates here, quite interesting!!
  • Risk assessment or the use of ISO 31000 is not mandated as a requirement in ISO 9001:2015. What is mandated is the application of 'statutory and regulatory requirements', re: applicable laws. In themselves, these laws are in fact risk treatments for significant risks that needed to be legalized to ensure protection of personnel and the environment, which may leave 14001 and 18001 irrelevant. In this regard, a holistic risk matrix will best serve all the disciplines in the operations. This leads to an integration of the operational disciplines - a single management system.

  • Senior Lead Auditor at SGS

    I'm not sure that Risk Based Thinking has more or less the same focus as Preventive Action in 9001:2008. The focus of PAs is to avoid potential nonconformities. ISO 9000 determines NC as a requirement not accomplished, so ISO 9001:2008 establishes in 1.1.a), the provision of products (services) satisfying customer's requirement.
    So, PAs point only to NCs related to products/services, but Risk Based Thinking points to all, which is a broader vision.

    Regards.

  • Process Quality Consultant, ITIL

    Yes. It should be. That is one of the main things which is missing in ISO 9001. Adding risk management will help many industries streamline their risk management process using ISO 9001, and it will allow them to effectively manage their processes without implementing a separate standard for risk management.

  • Managing Director, Swiss Advantage Systems (Pvt) Ltd, Business Process Re-engineer, Quality Systems Auditor

    Yes, risk assessment is going to be very much part of the new ISO 9001:2015. We are planning to use the FMEA tool for our clients. Any advice?

    Risk based thinking is preventive because by assessing the risk, the potential for a non-conformance is addressed.

  • To avoid the risks mentioned by Terry and Karthikeyan, a holistic Risk Matrix is to be applied. Malik, ISO 31000, from memory, informs of 20 methods of risk analysis. I personally prefer 'what if' utilizing a holistic risk matrix.

  • VP Operations at Oxebridge Quality Resources International LLC

    As has been mentioned above, the problem with this new "risk based thinking" is that it will have people running to FMEA and risk matrices. These last few posts prove that yet again.

    The post was originally put up in 2012. We have since learned that NO, "risk management" is not included in the standard, but instead "risk based thinking" which ISO has said is NOT risk management. But I cannot edit the post, so we are stuck with the error in the original question.

    RBT is not FMEA and not risk matrices. Those do not work for the broad spectrum of companies, in all industries, and over all processes. An area where risk assessment may be performed is in the selection of suppliers: how do you apply an FMEA to supplier selection? Answer: you don't, you use an entirely different tool.

    People must be cautious about recommending only what they know about risk management, and instead learn all the tools and approaches. FMEA and risk matrices are very limited in their usefulness.

  • Thanks for the differentiation. Appreciate. However, I refer you to a webinar by IRCA which speaks to 'a single management system'.

  • It will be interesting to see how to attain a single management system without assessing the risk to persons and the environment.

  • Director at Asesoría en Calidad Integrada a su Negocio

    I think it is necessary to include the concept of risk in any management system, because many companies are just concerned with not losing their certification, not with covering customer needs or focusing on providing the best product to the market, nooo, just sales and sales, no matter if they have to pay a lot of money in guarantee services, no matter if they increase the cost of production, no matter if they are producing products with defects, nooo, just sales and sales and sales.

    Also, many companies are focusing just on covering the requirements of a standard and that's it. Ask them how many noises they have in their systems!! Maybe they don't know!!

    In other fields like finance, they are forced to use a risk management approach; why not in ISO 9001 or others? In the end there will be many groups receiving the benefits, the customers among them.

    Christopher Paris, I don't believe ISO 19011 is just a 'program' (it's the people who apply it just as a program but that's not the real intentions of the standard) but this is a topic for another debate.
