Search results

What is the efficient way and tricks to address, handle and treat the risk and opportunity?

The most efficient way to address, handle and treat the risk and opportunity is to start by knowing what ISO 17025 requires and keep it simple!

ISO 17025:2017 does not require a formal risk management program nor documented risk management process.  What it requires, as a minimum, is for laboratories to consider and address risks and opportunities that may impact (negatively and positively), on its activities and objectives including the validity of results. Address the activity bearing in mind, at all times, that the objective is to safeguard competence, impartiality and consistent operation of your laboratory.

The goal is to create a structure where the management system is shielded from “upsets” i.e. nonconforming events; and opportunities to drive improvement are enhanced. I suggest initially coming up with a method to consider and address risks first. Then adapt or integrate opportunities into your approach.

You can approach this activity through a sequence of simple steps, whilst using a spreadsheet as a register / risk index.

The steps and measures taken to address risks and opportunities will vary depending on the context of your laboratory. Remember this is an activity that is iterative – it will involve getting started then repeating the cycle to improve the process and adjust the risks and controls as your management system evolves.

As a general overview, considering and addressing risks to meet ISO 17025 involves five steps:.

Step 1: Identifying risks (What can happen, when, where why and how?).

Step 2: Evaluating the risk (Determine existing controls, determine likelihood and consequences leading to estimate level of risk).

Step 3: Ranking the risks (Determine which is to be addressed first, then second, and so on).

Step 4: Determining actions to be taken (Compare against criteria, Identify and weigh options, dependent on availability of resources and the costs to address the risk. Decide on response and establish priorities).

Step 5: Implementing, monitoring and following up (Selected actions must then be implemented within the laboratory. Laboratory management will be responsible for ensuring that resources are provided, that the proposed actions are taken, and that they are having the desired effect).

I shall be sharing more detailed methods and tips in the Free ISO17025 Academy webinar – How to manage risks in laboratories according to ISO 17025. You can register at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/ to attend on the 1 July 2020.

For more information regarding  actions to address risks and opportunities, see the ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure - https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/ 
and for more information on the five steps to address risks, see the article Five-step laboratory risk management according to ISO 17025:2017 - https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/

Similarities between ISO 14001, ISO 9001, ISO 45001 (previous BS OHSAS 18001), and ISO 19011?

Yes

Parent Company Processes

No, it is not necessary to have different processes from the parent company. A division can have the same processes or a different set of processes.

The following material will provide you more information:

• Article - Certifying different legal entities under one certification scope in ISO 9001 - https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Documentation storage

ISO 9001:2015, clause 7.5.2 b) states that documents and records can be in any media, paper or digital.

Some organizations keep digital documents and records on digital form and simultaneously keep in paper form all those that at some moment during its life cycle have to be in a paper, for signatures for example. More than ISO 9001:2015 requirements I would check if is there any legal obligation in your country of keeping signed contracts in paper form.

The following material will provide you more information:

• Article - How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Complaint on ISO certified company

Yes, you can. Anyone who feels that an organization, while certified, is not meeting the requirements of the standard, can always formally complain to the certification body that issued the certificate. Normally, they can have a lot of authority over the company and they don’t want to see their certificate being badmouthed.

Can Risk Assessment be automated?

Risk assessment requires a lot of analysis and evaluation work to be done, and today most of these activities cannot be simply automated, because some decisions require a human feeling and perception of the business environment that a machine cannot properly evaluate. However, some activities you can make use of automated tools are:

• collect data from existing databases (e.g. to help identity assets if an asset-threat-vulnerability risk assessment approach is used)
• compare data gathered with risk level limits to warn about risks that require further analysis
• organize and present data for decision making.

This article will provide you a further explanation about the use of tools:

• When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/

Distance between server sites

Most regulations and industry practices do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location and from that analyze your organization's context (a geographic situation, available resources, required investment, etc.).

This article will provide you a further explanation about the distance of recovery site:

• Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

This material will also help you regarding the distance of the recovery site:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

ISO 9001 punto del diseño y desarrollo

Si realiza algún tipo de diseño y desarrollo, entonces esta cláusula sí que aplica a su organización. Por ejemplo, en el caso de la capacitación, sí que aplicaría la cláusula 8.3 - Diseño y desarrollo si su empresa elabora el material de capacitación o la metodología de aprendizaje. No aplicaría si recibiesen los materiales de capacitación que van a impartir, por ejemplo en el caso de que un organismo gubernamental sea el encargado de suministrar los contenidos que van a utilizar.  

En el caso de validación de equipos probablemente no aplique el numeral, ya que su organización se estará basando en una metodología ya establecida para tal fin.

Para más información sobre la aplicabilidad de la cláusula de diseño y desarrollo, vea los siguientes materiales:

- What clauses can be excluded in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/

- ISO 9001 design process explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/

- Curso de fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Libro - Discover ISO 90001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Which tool to use for unstructured data?

Yes, the email address is considered personal data when refers to an individual (i.e. name@domain.com, name.surname@domain.com). Email can also contain other personal data, like the signature, or information in the text box. However, GDPR requires to comply with its requirements for every personal data you process either electronically or not (paper-based documents, phone calls, etc.).

If you need to learn how GDPR works, I suggest you follow our online free foundation course:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

We also developed a Toolkit to help you to implement GDPR requirements inside your activity.

• EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ 

• Selection and approval criteria for new suppliers according to IATF 16949

  We certainly have a very robust and multidisciplinary selection process in place as you mentioned. This question was entirely asked for the sub-dealers or representatives working with our approved suppliers. It is pleasing to see that we share the same views on every detail you mentioned. Thank you very much.Best regards