Does ISO 9001:2015 require risk assessment for change requests, non-conformances, complaints, etc., or only the top-level risk assessment for the strategic business risks and opportunities? Do you have a form example for nonconformance risk assessment?
Context interacting with interested parties (clause 6.1)
Products and services (clause 5.1.2 b))
Processes (clause 4.4.1)
Your organization is a set of interrelated processes. Each process is a set of activities that transform inputs into desired outputs.
ISO 9000:2015 defines risk as the effect of uncertainty. Because there is uncertainty, sometimes we don’t have the expected:
What is a non-conformity? We don’t design processes to deliver non-conformities. So, when a non-conformity happens, we have the manifestation of risk. Non-conformities are potential risks that have materialized. Same for complaints.
Seen in this way, the risk-based approach is a very effective methodology for developing a plan to control a process and its results. The control will materialize, for example, in control operations, verification, improvements in the process, work instructions, improvements in monitoring, and increased competence of the participants.