9/29/2017

Workshop on Process Mapping and

Risk-Based Quality Planning

Tell me and I forget, teach me

and I may remember, involve
me and I learn.
-Benjamin Franklin

1
 9/29/2017

Session Objectives
 Develop an in-depth understanding of the Agency’s mission,
vision, commitment to quality, and relevant issues that it may need
to address through risk-based quality planning
 Identify risks and opportunities related to organizational context,
i.e. internal and external issues, and issues of the relevant
interested parties
 Formulate action plans to address risks and take advantage of
opportunities

The Organization and Its Context

2
 9/29/2017

The Organization and its Context

4.3 Determining the scope of the QMS
The QMS scope defines the boundaries and applicability
of the QMS taking into consideration:
the context of the organization,
requirements of relevant interested parties, and,
products and services.

What to do?
• Determine the QMS scope and provide justification (if any) if a specific
requirement of the ISO 9001 standard is not applicable.
• Maintain and ensure availability of documented information on these.

(per ISO 9000:2015)

Scope of the QMS

 Consider issues, requirements of interested

parties, and products and services
 Maintain as documented information
 Type of products and services covered
 Justification for any ISO 9001:2015
requirement that is claimed to be “not
applicable” to the organization
Scope – boundaries and applicability

3
 9/29/2017

4.4 QMS and its Processes

 determine the processes needed for the QMS and their
application;
 determine the inputs required and the outputs
expected from these processes;
 determine the sequence and interaction of these
processes;
 determine and apply criteria and methods, including
monitoring, measurement, and related performance
indicators to ensure effective operation and control of
these processes;

4.4 QMS and its Processes

 determine the resources needed for these processes
and ensure their availability;
 assign responsibilities and authorities for these
processes;
 address determined risks and opportunities
 evaluate these processes and implement any change to
ensure achievement of intended results; and,
 improve the processes and the QMS.

4
 9/29/2017

Risk Management: A Background

The Purpose of ISO 31000:2009

ISO 31000:2009 provides organizations with guiding
principles, a generic framework, and a process for
managing risk. The Standard introduces 11 risk
management principles an organization should comply with,
and a management framework for the effective
implementation and integration of these principles into an
organization's management system. Emphasis is given to
considering risk in terms of the effect of uncertainty on
objectives.

The standard can be applied to any type of risk, whatever its

nature, whether having positive or negative consequences.

5
 9/29/2017

The Purpose of ISO 31000:2009

ISO set out to achieve consistency and reliability in risk
management that would contain:
1. One vocabulary;
2. One common process for identifying, analyzing, evaluating,
and treating risks;
3. Guidance on how the risk management process should be
integrated into an organization

Risk Management
Risk Management looks into relationships between risk
management principles, framework, and processes.

Source: ISO 31000:2009 principles and guidelines

6
 9/29/2017

Risk Management 101

“Organizations of all types and sizes face internal and
external factors and influences that make it uncertain
whether and when they will achieve their objectives.
The effect this uncertainty has on an organization’s
objectives is “risk”. –ISO31000:2009

Risk = IMPACT on objectives X LIKELIHOOD of

occurrence

Risk Management 101

Risk responses are dependent upon the evaluation and
analysis of risk. Some of the more common risk responses
are:
1. Mitigation/Treatment – corrective action to reduce risk
2. Elimination – Avoiding the risk by deciding not to
continue with the activity
3. Accept/Tolerate – No corrective action will be taken
4. Transfer – Sharing or shifting the impact to or with
another entity

7
 9/29/2017

Let’s Play a Game

Scenario
• Two cars are driving on perpendicular streets. Both
stoplights are blinking red.
• Assume that there are no traffic enforcers to
apprehend violators.
• Do you think of them or both of them would violate the
law and not yield first?

8
 9/29/2017

Prisoner’s Dilemma
Player 2
Go Stop

Go -10 1
-10 0
Player 1

0 -1
Stop 1 -1

Risk Management in ISO

9
 9/29/2017

How do we manage risk?

Risk Management Process

Communication and consultation Establish Context

Risk Assessment

Monitoring and Review

Risk Identification

Risk Analysis

Risk Evaluation

Risk Treatment

Source: ISO 31000:2009 principles and guidelines

Risk Assessment
Risk Assessment is at the core of risk management is a
process that is, in turn, made up of three process:

Risk Identification

Risk Analysis

Risk Evaluation

10
 9/29/2017

Risk Assessment
Risk
Identification
• Establishes the exposure of the organization to
risk and uncertainty.
• The organization should identify sources of risk,
areas of impacts, events (including changes in
circumstances) and their causes and their
potential consequences.
• This process aims to generate a comprehensive
list of risks based on those events

Risk Assessment
Risk Analysis

• A process that is used to understand the nature, sources,

and causes of the risks that you have identified and to
estimate the level of risk.
• It is also used to study impacts and consequences and to
examine the controls that currently exist.
• The analysis provides an input to risk evaluation.

11
 9/29/2017

Risk Assessment
Risk Evaluation
• A process that is used to compare risk
analysis with risk criteria in order to
determine whether or not a specified level of
risk is acceptable or not.

Let’s draft the document…

In relation to the QMS Scope of the Agency, what are the
internal and external issues of that may prevent or hasten the
attainment of the organizational goals?

12
 9/29/2017

The Organization and its Context

4.2 Understanding the needs and expectations of
interested parties
• Interested party refers to stakeholders*
• Relevant interested parties provide significant
risk to organizational sustainability if their
needs and expectations are not met

*Stakeholder - A person or organization that can

affect, be affected by, or perceive itself to be
affected by a decision or activity

(per ISO 9000:2015)

4.2 Understanding the needs and expectations

of interested parties
• Determine relevant interested parties and their
requirements relevant to the QMS

What to do?
Monitor and review information on these
relevant interested parties and their relevant
requirements
(ISO 9000:2015)

13
 9/29/2017

Let’s draft the document…

QMS Planning: Addressing Risks

ISO 9001:2015 Clauses 4.3 and 4.4.1

14
 9/29/2017

Risk in ISO 9001

Risk in the context of ISO 9001 relates to the uncertainty in
achieving the following:
Providing confidence in the organization’s ability to consistently
provide customers with conforming & quality goods and
services
Improving customer confidence and satisfaction
Establishing a proactive culture of prevention and
improvement

Risk-based thinking
Clause 4.4 The organization shall determine the processes
needed for the quality management system and their application
throughout the organization and shall determine:
f) the risks and opportunities in accordance with the
requirements of 6.1, and plan and implement the appropriate
actions to address them;

Risk-based thinking is something we all do

automatically and often sub-consciously

15
 9/29/2017

6.1 Actions to Address Risks and Opportunities

Plan :
 actions to address these risks and
opportunities and
 how to integrate and implement the actions
into QMS processes and to evaluate the
effectiveness of these actions.

Actions taken to address risks and opportunities shall be

proportionate to the potential impact on the conformity of products
and services

6.1 Actions to Address Risks and Opportunities

When planning for the QMS,
issues and relevant interested parties’
requirements are considered, and
risks and opportunities are determined and
addressed.

Give assurance that the QMS can Enhance desirable effects

achieve its intended results

Prevent, or reduce, undesired Achieve improvement

effects

16
 9/29/2017

Workshop: Crafting the Risk and

Opportunities Registry
ISO 9001:2015 Clauses 4.3 and 4.4.1

What To Do?
1.Identify what the risks and opportunities are in your organization –
depending on context
2.Analyze and prioritize the risks and opportunities in your
organization – what is acceptable/unacceptable?
3.Plan actions to address the risks – how can I avoid or eliminate the
risk?/mitigate the risk?
4.Implement the plan – take action
5.Check the effectiveness of the actions – does it work?
6.Learn from experience – continual improvement

17
 9/29/2017

Let’s draft the document…

Let’s draft the document…

Rating Risk Opportunity
Insignificant/M 1 • Minimal impact on objectives; • No perceived value for
inor • Day-to-day activities of the improvement and sustainability
organization will not be disrupted
Moderate 2 • Moderate impact on objectives; • Pursuing the opportunity will
• Will affect the business-as-usual or add value to the organization or
day-to-day activities of the objectives
organization;
• Minor regulatory consequences
Major 3 • Will cause major delays in the • This opportunity must be
provision of services to stakeholders; pursued
• Failure to achieve desired outputs;
• Failure in the delivery of services;
• Major regulatory consequences

18
 9/29/2017

Let’s draft the document…

Rating Frequency
Unlikely 1 • Event that is very unlikely to occur
during the life-time of an operation /
project

Likely 2 • Event that may occur frequently

during the life-time of an operation /
project
Certain 3 • Recurring event during the life-time
of an operation / project

Let’s draft the document…

Risk Rating Matrix IMPACT/BENEFIT
Low Medium High
1 2 3
LIKELIHOOD

Low

Medium 2 4 6
High 3 6 9

Criteria for Action

Management's Decision
Risk/Opportunity
Rating Priority Risk Opportunity

Take immediate appropriate Pursue the

6-9 High action to address the risk opportunity

More frequent monitoring of May consider pursue

3-5 Medium risks the opportunity
1-2 Low No immediate action required No action required

19
 9/29/2017

The Risk Registry – Best Practice

The Risk Registry records identified risks, their impact and the actions to be
taken. There is no standard list of components but below are some of the
commonly used components:
PROCESS/ RESPONSIBILITY/R
RISK IMPACT Risk Response CONTINGENCY PROBABILITY RISK ASSESSMENT
ACTIVITY ISK OWNER

alternate action if
MEAT methodology –
mitigation is not
Operations Risk Statement Rating Response to address Juan dela Cruz Probability LOW
effective to eliminate
risk
risk or lessen its impact

OPPORTUNITIES FOR DOCUMENTED

CAUSES ACTION
IMPROVEMENT INFO/REFERENCE

Documented info where the

action could be found; if none,
Opportunities to exploit related Direct action to address the cause of the
Causes of the Risk this should be updated one an
to the risk risk
action plan has been
documented

Feel free to contact us for questions:

 Jack Flaminiano – 0917 506 72 00 or flaminianoj@dap.edu.ph
 Franchesca Flores – 0917 894 67 38 or florespf@dap.edu.ph

20