RISK MANAGEMENT and ISO 17025:2017 - mfrpa.org

RISK MANAGEMENT and ISO 17025:2017 Dr. Bill Hirt Global Technical Advisor ANAB / ANSI-ASQ National Accreditation Board January 31, 2018


RISK MANAGEMENT and ISO 17025:2017

Dr. Bill Hirt
Global Technical Advisor

ANAB / ANSI-ASQ National Accreditation Board

January 31, 2018

Outline of Sections

• Introduction of ANAB
• Risk management consistency in ISO stds
• General understanding of Risk-based Mgmt and Tools
• Resources of ISO 31000 Guidelines Document
• Elements in new 17025 standard for RISK
• How RISK is a challenge both for labs and AB’s

ANSI-ASQ National Accreditation Board / ANAB

• Non-profit accreditation body; now 25 years in the industry

• Offer ISO programs and sector specific ISO-based programs

• 60 full time employees, 185 technical assessors, 4 office locations

• Accredited customers in 58 countries, over 2,000 total accr’ns

• Signatory to 4 int’l MRAs/MLAs (ILAC, IAF, IAAC, APLAC)


ANSI-ASQ National Accreditation Board / ANAB

LABORATORY-RELATED
• Laboratories: ISO/IEC 17025
• Inspection Bodies: ISO/IEC 17020
• RMP: ISO 17034
• PT Providers: ISO/IEC 17043
• Product Certifiers: ISO 17065 (w/ANSI)
• Government Programs: DoD ELAP, EPA Energy Star, CPSC Toy Safety, NRC, NST IPV6, US Navy
• Training

FORENSIC
• Accreditation for ISO/IEC 17025 forensic test laboratories and ISO/IEC 17020 forensic agencies
• Training

MANAGEMENT SYSTEMS
• Certification Bodies: ISO/IEC 17021
• Accreditation for Management System Certification Bodies: ISO 9001 (QMS), ISO 14001 (EMS), ISO 22001 (Food), TS 16949 (US Automotive), etc.
• Training


© EAGLE Certification Group 2017 – Confidential – Do Not Reproduce

Risk Terminology & The Four Elements of Risk

Role of Standards In Changing Perceptions of Risk

Process vs Product Risk and Existing Controls

Metrics and Tools – Converting Unknown to Known

Risk components to cover


What is Risk?

A risk is a potential future event that could result in adverse and unplanned consequences

• A risk may not be a problem, an issue or a crisis! With Mitigation

Risk is also a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints*

*Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003

THE EFFECT OF UNCERTAINTY UPON OBJECTIVES

Source: ANSI Z690.1-2011


Risk Implementation

• Used throughout your organizational processes

• Risk-based thinking for QMS (business) - Clause 6.1

– Identify and prioritize

– Plans to address the risk (PLAN)

– Implement the plan (DO)

– Check for effectiveness (CHECK)

– Learn from experience (ACT)

Risk Based Thinking


Outcome – Prevention (Replacing P/A)

• Risk to the Customer

• Minimize risk to the organization!

– Staff

– Equipment

– Product/Service

Be eliminated or mitigated risk

Risk Based Thinking

• Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

• Risk: Characterized by reference to potential events and consequences or a combination of these and expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

Risk Management Terminology*

*All Definitions are ©2011 American National Standards Institute and published in ANSI/ASSE Z690.1-2011 the “National Adoption of ISO Guide 73-2009”

• Risk Management: Coordinated activities to direct and control an organization with regard to risk.

• Risk Management Framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.

*All Definitions are ©2011 American National Standards Institute and published in ANSI/ASSE Z690.1-2011 the “National Adoption of ISO Guide 73-2009”

Risk Management Terminology*

• Likelihood: the chance of something happening

• Exposure: the extent to which an organization is subject to an event

• Consequence: outcome of an event affecting objectives

Risk Management Terminology

• Probability: the chance of occurrence (0-1)

• Frequency: number of events per unit of time

• Vulnerability: intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with consequence

Risk Management Terminology

• Documented Information: Written procedures & Records

• Maintain: Documented Procedures

• Retain: Records

New ISO 9001 and 17025 Terminology

Identification

Mitigation

Prioritization

Each applies equally to the QMS system, PROCESS and PRODUCT associated risks!

All phases of product realization AND all aspects of company operations!

Measurement & Feedback

Risk Management encompasses:

Four Elements of Risk Management

All management system standards now specify risk management activities: TOTAL System

– AS 9100, AS 9110, AS 9120 (aerospace)

– ISO 13485 (medical devices)

– ISO 22000 & SQF

– IATF 16949

– ISO 9001

– ISO/IEC 17025

While all address risk, each has a unique twist. Until the Annex SL was created, standards focused on risks associated with the product only and not all areas of the organization

Risk and Standards

• The standards require the identification and reduction of process-based risks.

Managing Process Risk

• Contract Review

• Product Development (Design)

• Purchasing

• Planning / Production / Service

• Change Control / CA / PA

– Modify your forms to mandate risk analysis

• Testing for accredited work

• Test report issuing

Process Risk Examples

• BRAINSTORMING

• FMEA

• HACCP

• Cause / Effect Diagram

• 5 Whys

• Preliminary Hazard Analysis

• Fault Tree Analysis

• Internal & External Audits

Common Risk Identification Tools

• Pay LESS attention to the actual NUMBERS,

– FOCUS attention on the TRENDS

• Trends provide the CONTEXT for the numbers – good or bad, trending up or down, above target or below target.

Show Me The Data

• The process of analyzing

– Prioritizing

– Process risks against impact

• Product

• Schedule

• Performance criteria

• Cost

Copyright 2017 DB Performance Solutions, LLC and ISTI, LLC

Risk Prioritization

• FMEA (Severity, Detection, Occurrence, RPN)

• HACCP

• Impact / Effort Matrix

• Pareto Analysis


Common Risk Prioritization Tools

• BALANCED SCORECARDS and RISK MATRIX

RMS Risk Prioritization Tools


1 – 2: Incorporate the change

3 – 4: Additional analysis should be conducted prior to making the decision

6 – 9: Do not incorporate the change

Note: ‘*3 - high impact x high benefits’ - No change allowed, but we need to record details of proposed change, to provide input into future revisions.

| Impact \ Benefits | 1 High | 2 Medium | 3 Low |
|---|---|---|---|
| 1 Low | 1 | 2 | 3 |
| 2 Medium | 2 | 4 | 6 |
| 3 High | *3 | 6 | 9 |

Impact Analysis

Legend:

Acceptable

Concern

Critical

Risk Matrix

• Identify

• Evaluate

• Select

• Re-evaluate Residual Risk? Reduce?

Risk Mitigation

• Strategic Planning (Management)

• Control Plans

• Team Based Problem Solving (8-D)

• Poka-Yoke (Error-Proofing)

• Training / Awareness

• On Site Audits, Internal, Customer, Third Party

• Design for:

– Reliability / Maintainability / Manufacturability

Common Risk Mitigation Tools

• Contingency Plans

• Emergency Response Plans

• Succession Planning

• Strategic Planning

• Reviews

System-Level Mitigation Tools

• Established metrics

• Systematically tracking and evaluating performance

• Ensure that Lessons Learned feed back into future risk identification activities.

• Changes needed to current mitigation?

Risk Monitoring & Feedback

• CAPA System

• Internal Audit

• Returns / Warranties / Complaints

• Review of Internal Failures

• Management Reviews

Evaluating Risk Effectiveness

Feedback

Make certain that RISK IDENTIFICATION includes past experience from related products:

• Things Gone Wrong / Things Gone Right

• Feasibility Reviews

• Design Reviews

• Adverse Event Reports

• Previous Complaints

• Customer Feedback

• Varying Applicability to Different Functions

• Risk Processes… appropriate to the product and the organization

Risk vs Company Size

Supplier Management: Supplier capability, interface, etc.

Purchasing: Vendor capability, Critical material / part / detail, lead times, special process

Manufacturing: Applying “appropriate” methods, special processes

Inspection: Independent verification, Critical requirements

Individuals: Application decisions, injury

Risk vs Company Size

[Management] review shall include assessing opportunities for improvement and the need for changes to the quality management system…

How is this linked to the expectations of Risk Management?

Risk Management Review

What are the results of the Key Metrics?

What risks have been reduced due to Internal Audits?

What risks were identified in External Audits?

What risks were detected by our CAPA System?

Risk Management Review

What risks escaped detection and caused complaints / rework / warranty?

Have the risk management plans been updated accordingly?

What external changes can impact our risk?

What additional or transferred resources are required to minimize or eliminate risks?

Risk Management Review

• Review example scorecard provided

• Red / Yellow / Green Stoplights for immediate impact of problem areas

• Based upon defined metrics and objectives covering defined functions in the organization

• Higher level concerns “Bubble-Up” to the next layer of the organization.

RMS Scorecard

Summary

• Many ways to manage Risk

• Many ways to document methods for Risk

• Many tools for Risk Management

• Some Standards / Customer-required Methods

Risk categories – general business

• Product properties

• Business impact

• Customer-related

• Development environment

• Process issues

• Staff size / experience

• Technical issues

• Technology / Other

ISO 17025 / ANSI-Z-540 Risk

• Primarily for calibration laboratories following ANSI-NCSL-Z-540.3 in addition to 17025

• Required measurement and review to determine probabilities of RISK for decisions.

ISO 17025 / ANSI-Z-540 Risk

Class exercise

• In your tables or groups of 4 to 8 if possible…

Spend 3 or 4 minutes

• thinking about your lab / organization

• think of at least 3 or 4 risks, take notes

• then share with your group

ISO 31000 Table of contents-1

ISO 31000 Table of contents-2

ISO 31000 – Risk Management enables an organization to:

ISO 31000 – Risk Management enables an organization to: (2)

ISO 31000 – Risk Management

Risk elements in ISO 17025:2017

• Introduction – paragraph 2

• 4.1.4 -- impartiality

• 4.1.5 -- lab to demo how it minimizes it

• 7.8.6.1 – reporting statements of conformity

• 7.10 b -- non-conforming work

• 8.5 -- Actions to address Risks & Opp’s

– 8.5.1 / 8.5.2 / 8.5.3 plan actions proportional

Risk elements in ISO 17025:2017 (2)

• 8.6.1 -- Note only in Improvement

• 8.7.1 e -- update risk piece of CAR’s

• 8.9.2 m -- management review – results of risk identification

• Bibliography references ISO 31000 guidelines

• Includes when evidence / records required

How will AB’s assess Risks & Opp’s

• New to the ISO 17025 world, though not 9001

• All AB’s now challenged to develop policies

– Need customer lab inputs and examples

– Likely to wrestle with this for the 3-year implm’tn

– Assessors have similar learning curve as labs

Questions and Discussion – Good Luck!!

Contact Information

Dr. Bill Hirt

Global Technical Advisor

ANAB / ANSI-ASQ National Accreditation Board
