Organization risk assessment

Guest user Created:   Nov 20, 2019 Last commented:   Nov 28, 2019

Does Organization risk assessment need to be done yearly and for all SOPs, is it a must to include distribution list to respective head of departments?

 

Expert
Carlos Pereira da Cruz Nov 20, 2019

Organizational risk assessment does not need to be done yearly, it should be done whenever the organization feels it is necessary.

For example, ISO 9001:2015 clause 6.1.1 mentions risks related with context and interested parties. If you check the last paragraphs of clauses 4.1 and 4.2, whenever you update context and interested parties information, you should update your determined risks. Consider also ISO 9001:2015 clause 5.1.2 b), whenever your organization updates performance reports about products and services, perhaps it is reasonable to review determined risks and its assessment. When your organization performs the management review, according to clause 9.3.2 e), you evaluate the effectiveness of actions to handle risks and opportunities. Your conclusions about effectiveness can drive changes in the assessment of risks and opportunities.

About SOPs, you do not need to include the distribution list in each document, it can be included in a general table that controls the distribution of all controlled documents. Also, you do not need to distribute SOPs to all department heads, you should distribute SOPs to whoever needs them to perform his or her work.

The following material will provide you information about the risk-based approach:

- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/  
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Guest
Guest user Nov 21, 2019

Hi Carlos,

Thank you for the revert. Another thing I like to know is for supplier qualification, is that not all suppliers in my company require to do supplier qualification assessment and risk assessment but only selected and critical ones that requires?

Also, may I know what is actual timeline to close the internal audit, corrective and preventive actions and customer complaints? Is “agreed timeline” statement be accepted for explanation in SOP and to auditors?

Expert
Carlos Pereira da Cruz Nov 21, 2019

Thank you for the revert. Another thing I like to know is for supplier qualification, is that not all suppliers in my company require to do supplier qualification assessment and risk assessment but only selected and critical ones that requires?

In my practice as consultant, my advice for organizations is to distinguish between critical and non-critical supplies. Supplier qualification assessment and risk assessment is only applicable to critical supplies. For example, a manufacturing company will not evaluate office materials suppliers.

The following material will provide you information about supplier evaluation:

- ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Also, may I know what is actual timeline to close the internal audit, corrective and preventive actions and customer complaints? Is “agreed timeline” statement be accepted for explanation in SOP and to auditors?

Some organizations state a time frame to close internal audit non-conformities. I never saw time frames defined in an SOP for closing corrective and preventive actions or customer complaints. Some organizations state a time limit to give a first answer to a customer complaint, not necessarily closing it.

I find it difficult to define a specific time frame to close internal audit, corrective and preventive actions and customer complaints, because each case is a particular case, and closing them requires time to assess effectiveness of actions implemented. Also, sometimes there is a lot of uncertainty about what to do, and the investigation needed to find root cause(s) can take different amounts of time.

The following material will provide you information about closing corrective actions:

- ISO 9001 – Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
- Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Guest
Guest user Nov 22, 2019

Thank you for your reply. Just like to check what is business risk management and assessment? And the difference between normal risk assessment and business risk assessment?
For change management, is it in relation to document control and in which situations change control should be activated?

Expert
Carlos Pereira da Cruz Nov 22, 2019

Just like to check what is business risk management and assessment?

https://www.screencast.com/users/ccruz5284/folders/Default/media/45222093-366e-435b-991c-532963ec9d96

Risk management is a set of activities done in a certain order to work with risks in an organization. Risk assessment is one of those activities in the risk management process where risks are classified according to their importance.

And the difference between normal risk assessment and business risk assessment?

I do not know of any standard vocabulary about those words. What I can write is my interpretation. For me business risks are those risks coming from clauses 4.1 and 4.2, they can be related with the economic situation, technological evolution and other topics. Normal risks are risks related with the product(s) or service(s), or with processes of the organization.

For change management, is it in relation to document control and in which situations change control should be activated?

Change management is important for document control, for example when because of a corrective action, we change a practice and update a procedure. Change management is also important when we change a product specification and have to change materials requirements, production parameters, and things like that. 

The following material will provide you information about risks:

- Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Guest
Guest user Nov 28, 2019

Hi Carlos,

May I know if for internal audit, do I need to do an audit for all departments or only selected departments for yearly and re-certification audits?

Another is what is a proper way to check and document the internal audit findings and ensure all is okay to close all the findings?

What is a suitable time frame to conduct an internal audit?

How long do I need to keep findings for yearly internal audit?

Expert
Carlos Pereira da Cruz Nov 28, 2019

May I know if for internal audit, do I need to do an audit for all departments or only selected departments for yearly and re-certification audits?

Answer:

All departments included under the scope of the quality management system should be audited at least yearly.

Another is what is a proper way to check and document the internal audit findings and ensure all is okay to close all the findings?

Answer:

Auditors document internal audit findings in an audit report. Normally, then, organizations transfer negative findings into an audit nonconformity form where the treatment is recorded. Each negative finding should be closed after verifying implementation of correction and verifying implementation and effectiveness of corrective actions.

What is a suitable time frame to conduct an internal audit?

Answer:

Some organizations do a yearly internal audit. Normally, around one month before the management review. Other organizations do a set of small audits during the year, in that case the set of audits includes all departments under the scope of the quality management system. In this case, audits should be distributed according to availability of auditors and to minimize disruption of operations.

How long do I need to keep findings for yearly internal audit?

Answer:

Each organization has the authority to define the record keeping time. I suggest 4 years, just to ensure that all internal audit records generated during the 3-year certification cycle are available for consultation.

I would like to invite you to a webinar about internal audits that will take place today - How to perform an ISO 14001:2015 internal audit [free webinar] - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar/

 
