Risk assessment in OHSAS 18001 and ISO 9001

All product and process to be covered? For example in purchase activity what potential risk exist which may effect Quality of product or effect on business.

Answer:

The main difference in requirements regarding risks in OHSAS 18001 and ISO 9001 is that the OHSAS 18001 has more extensive requirements, it requires methodology, criteria, procedure, records and so on while ISO 9001 only requires organization to identify risks and to address them. For more information about risks and opportunities in ISO 9001, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

Entire context of the organization needs to be considered when identifying risks and opportunities, and that includes the processes within the company, products and service conformance, etc.

Potential risks for purchasing are that the products your purchased are not delivered on time or they are not compliant with your requirements, depending on the type of product or service you are purchasing you can establish different controls to avoid those risks. For more information about purchasing, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/

Thx for the reply. So it means not only business risks as highlighted in context of the organization to be identified and managed but also all operational Risks of all routine activities?

Further Article of Mark...How to address Risk..dated June 21.2016...Nice Article. But when it says that no requirement for documented info or Formal process of Risk Managemenent but refers clauses which states to identify and plan the actions and evaluate the actions and check effectiveness ..then how these are possible if not done as documented Risk Management?

Hi Iffat,

Risk management would include defining methodology for risk assessment and defining criteria for evaluation of the risks and so on. OHSAS 18001 requires all these elements but requirements of ISO 9001 are much simpler, it does requires taking actions to address risks and opportunities but it doesn't require them to be documented.

The fact that documentation is not mandatory doesn't mean that there wont be any records but there can be some actions that don't have to be conducted formally through risk management but rather through other activities, like documenting some additional procedures, performing additional training, etc.

Thx