I am one of the quality managers from the ISO/IEC 17025 accredited laboratory, XYZ. Currently, we change the 2005 version to the 2017 version, so we face difficult new clause Risk & Opportunities. How can I do the risk actions to be taken and implement monitor and follow up action
The standard specifies the need for the following, related to risks and opportunities:
Plan how to address them
Take action proportional to the potential impact on the validity of the results (i.e. positive impact in the case of opportunities, and negative impact in the case of risks)
Evaluate the effectiveness of the actions taken
To “consider “means to think carefully about the risks and opportunities before making a decision. Central to all decision making is thinking about the risk or opportunity for improvement in terms of ensuring and safeguarding the laboratory’s defined quality objectives. These objectives should be aligned to the requirements of the standard. i.e. impartiality, competence and consistent operation.
The “considering” process can involve various methodologies and tools, including process mapping, brainstorming and use of the Plan-Do-Check-Act (PDCA) cycle. Start with mapping your processes and brainstorming. The best approach is produce a Registry of Key Risks and Opportunities, with suitable columns, including for example description, responsibility. For each activity ask the question – is there a risk to safeguarding impartiality, competence or consistent operation? If the answer is yes, in order to meet the requirement of point two and three above, you need to first evaluate risks and opportunities using a risk matrix, considering the existing controls already in place. Once the risks and opportunities are ranked in priority (high to low), you can move to planning how to firstly reduce the high risks; and implement the opportunities found to have a high benefit-to-risk (of implementing) ranking. Choose the actions that are most likely to reduce or control the risk, or ensure success of improvement. Assign responsibility and due date.
Finally, as with any laboratory activity, the efficiency of the activity must monitored. This can be done through existing activities such as nonconforming events, internal audits and management review. Show evidence of this evaluation by updating the risk register and recording the date of last review.
Have a look at the following articles, which will provide more guidance: