
Are these expressions: "Risk-based thinking", "Actions to address risks and opportunities" and "Risk management" different? Really?
The confusion over the term risk in the new ISO/DIS 9001:2015 and other MS standards could have been avoided simply if the ISO/TC 176 and the ISO/TMB had consulted (and understood) the terms and definitions in ISO 31000 and ISO Guide 73.
What does the expression "address risk" mean? And the footnote in DIS 9001 on the various options for addressing risks?
Answer: to address risk is nothing more than to TREAT risk!
And what should you do to treat risk?
Simple: you need to identify the risks, then analyze them and evaluate them (against previously established risk criteria) in order to define the best options for the organization to address these risks.
That is, briefly, the risk management process proposed by ISO 31000 and shown in this humorous figure: http://bit.ly/1FW9dzC

Rob Jeges
The objectives of QM are just two: to meet customer expectations and to do so consistently. Risk on the latter is about statistical process control, and on the former about requirements elicitation, analysis, design and user acceptance.
Like Francesco says, it is nothing more than risk identification, assessment and treatment. Rather than introducing new terminology we should home in on the language of ISO 31000 and understand the underlying theory of risk.
7 days ago

Ahmed F. Shalabi
Well said, Robert. Thank you.
6 days ago

David Seear
I love the cartoon approach to the question! This is typical of the difference between Risk Professionals and common sense. Common sense would make you move well away from the edge of the cliff and you would not need to discuss it. Risk is all about discussing more and more options and then disagreeing with each other on what needs to be done. Only joking! Or am I?
6 days ago

ATHANASIOS FOURTOUNAS
Thank you for sharing
6 days ago

David Seear
Francesco,
The difference between "Risk Management" and "Risk Based thinking" is simple. ISO 9001 has had to be structured around Annex SL, the new ISO format, to allow certification standards to be easily integrated. As this new structure is generic it has to cover many different options, some of which may not be necessary for some organisations. As stated in ISO 9001:2015 DIS in clause 0.5, Risk Based thinking is the effect of uncertainty on an expected outcome AND the concept of risk based thinking has always been implicit in ISO 9001. In the past quality professionals did not have to have the word "Risk" in ISO 9001. In fact ISO 9001:2008 clause 4 categorically states that "Risk Management" is not applicable to ISO 9001:2008. This did not mean that RISK, as related to the scope of ISO 9001, was not applicable, just that the broader issues covered by "Risk Management" are not applicable. So the new Annex SL structure has a clause "6.1 Actions to address risks and opportunities". So how to deal with the new term "Risk" when the previous standard ISO 9001:2008 stated "Risk Management" was NOT applicable? That is easy: it was removed from the new clause 0.6 in ISO 9001 Draft lines 339 - 340. (See clause 0.4 in ISO 9001:2008 to compare.) So one problem solved. Like most things, changing something can raise another question and this is the question being raised here: what is the difference? If I say to you that ISO 9001 is all about meeting the agreed customer requirements, that is simple and totally objective. Then "Risk based thinking" is just that. If you then check your own organisation's quality management system and you can demonstrate that it can consistently meet the customer requirements then NO action is necessary. You don't stand under the cliff thinking about "Risk" when the decision to be made is obvious.
6 days ago

Martin Hopkinson
Francesco,
For most of the three hundred or so years in which the principles of risk management were developed, suggested approaches were dominated by the question of how to make decisions under conditions of uncertainty. These approaches might be characterised as risk based thinking.
It is only recently (last 30 years) that most practice has changed to one in which risks are treated on a risk-by-risk basis. The focus has thus switched from decisions to risks and the approach can be characterised as actions to address risks and opportunities.
Processes that focus on risks are relatively easy to understand, whereas the methods used to make decisions under conditions of uncertainty are more sophisticated. As I see it, we have a problem because the decision-centred approaches are also much better in many circumstances, but are being swept aside by simplistic tools such as the probability-impact matrix.
6 days ago

Terry McHugh FCQI CQP.
It may be one thing to discuss risks but I have yet to see discussions regarding the identification and evaluation of hazards.
Additionally it appears that Risk is all about the processes involved, yet in some instances you must be aware of physical access to the workplace, which has nothing to do with the outcome of the actual work involved.
You may have to consider every aspect of your workforce from the time they leave their front gate until they return after a full working shift. How will that be interpreted by the standard?
5 days ago

Peter van Nederpelt
Risk is defined in ISO 9001:2015 DIS as "the effect of uncertainty on an expected result". This definition raises two questions: 1) who expects the results and 2) what are the expected results.
RBT can be applied in many different fields of expertise. However, the scope of RBT in ISO 9001 should be restricted to quality management. This means that the expected results can be specified as follows: the result expected by the customer is that the quality of the product/service is good and the result expected by the provider is that the customer will be satisfied. This way, RBT is related to the goals of ISO 9001. This could be mentioned in clause 0.5 of ISO 9001:2015 DIS.
Finally, the term 'addressing risk' is not defined in ISO 9001:2015 DIS. A normative reference is missing. So, it is up to the reader to define what it is. It could be the whole process of identifying, analysing, evaluating and treating risk or just treating risk. Personally, I prefer the whole process.
5 days ago

Mark Fenech
David Seear - you might be borderline between joking and not!
Usually humans are good at identifying risks; however, I think there are times when we tend to be biased. And hence the need for a formal and logical approach (standards and guidelines and frameworks) to help us out.
5 days ago

Paul Thompson CMIOSH; MIIRSM; MSc; BA(Hons).
Having a common understanding on the underlying theory of risk, in my humble opinion, depends on your frame of reference. The issue of definition has been raised numerous times. What this tells me is that we will only reach a consensus when definitions and terms serve all frames of reference or scope according to a specific reference?
Some thoughts.... I don't think definitions such as "the effect of uncertainty on an expected result" are meant to be used as a normative reference, which is fulfilling a quality purpose and scoped accordingly. Different definitions of risk can be found in safety, security, health, finance etc. For me risk is more than a statistical process. Uncertainty and risk are not the same but are often used to mean the same thing. It has never been properly separated. Similarly, ISO 31000 and understanding the underlying theory of risk is not recognising all references in its definition. My point here is that framing is a fundamental problem with all forms of risk assessment, and until this is solved we shall continue with the differing terms and definitions. For me risk is a possibility of an undesirable event whatever the discipline, but the words 'undesirable' and 'event' need context. This is different from a risk definition stating 'objectives' and separates from any reference to positive risk.
5 days ago

Philip Scalise
"What does the expression address risk mean? And the footnote in DIS 9001 on the various options for addressing risks?"
To not plead ignorance of risks. To have considered them and understood them for each and every value added activity under the scope of top management organizational responsibility.
"Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision."
I do recognize there is confusion surrounding risk based thinking and I do believe TC 176 has contributed to this confusion when in fact they should be alleviating concerns as opposed to contributing to them. Personally, I find nothing funny about risk and find cartoons less than helpful.
5 days ago

David Seear
Philip
Above the footnote you mention on clause 6.1.2 of ISO 9001 Draft it states - Actions to address risks and opportunities shall be proportionate to the potential impact on the conformity of the products or services. Please re-read this statement as it mentions "Proportionate" and "Product or Services" that are provided. The ISO 9001 Draft has the same scope as ISO 9001:2008. It is all about having a quality management system that can consistently meet the customer's and relevant statutory and regulatory requirements, from agreeing what is required to delivering it. What I see is "Risk Professionals" trying to use ISO 9001 as a standard into which they can bring any "Risk" they like. e.g. We already have a statement above "You may have to consider every aspect of your workforce from the time they leave their front gate until they return after a full working shift how will that be interpreted by the standard". All I can say is it is NOT, I repeat NOT, covered by ISO 9001. This is "Risk Management" in its broadest sense and that is why "Risk Management" was excluded from ISO 9001. What is happening is what I feared would happen, where everything you can think of that is a RISK is being included. It is this type of broad interpretation that worries me. I have even been told it includes the risk of having a poor meal in the canteen as staff could be upset. I could go on but there is no point as I see too many "Risk Professionals" adding whatever they want and misusing ISO 9001. I will state again "Risk based thinking" is a term used to explain the restrictive activity as it relates to ISO 9001 and this is mentioned in line 301 and 302 of the Draft ISO 9001 where it states "Risk based thinking has always been explicit" in ISO 9001, whereas "Risk Management" is what covers all of an organisation's "Risks". As already explained "Risk Management" is not covered by ISO 9001 unless the organisation itself has determined a risk should be dealt with to ensure they meet the customer's requirements.
5 days ago

Terry McHugh FCQI CQP.
David,
I tend to agree with you and it is why I think that the inclusion of Risk into the standard will create problems, as can already be seen by the varying comments. With regard to leaving the front gate and returning at the end of the shift, there are situations where the quality of service and customer satisfaction may not be up to the required level & could be compromised due to tiredness, journey times or workload. In some instances these are mandated requirements for consideration and I worry that the confusion between Risk based thinking, Risk management and Hazard control will be lost on a lot of people. This continued meddling with the standard only helps to accelerate its demise.
5 days ago

Philip Scalise
David, not sure why you addressed those comments at me, but thank you just the same. Be well, friend.
4 days ago

Ahmed F. Shalabi
Philip: If this is the case, why then after various exchanges and over 200 comments on the ISO 9001 forum; there is no consensus on using the ISO 31000 definition for risk? And NO ONE has been able to support the ill-conceived concepts of 'positive risk' or 'neutral uncertainty' -- don't you think the idea to change the definition is based on NOT distinguishing between risks and opportunities, which is consistent with what accountants do but contradicts the other professions, standard English usage, and how risk/uncertainty evolved? Is it really worth causing this confusion now, given that ISO 14001 and ISO 50001 will go through a similar experience?
As one commenter in the ISO 9001 forum stated, "ISO had accomplished the confusion, not us".
4 days ago

Philip Scalise
Ahmed: In your comments addressed to me, you state:
"If this is the case, why then after various exchanges and over 200 comments on the ISO 9001 forum; there is no consensus on using the ISO 31000 definition for risk?"
Are you under the impression that I am supporting risk based thinking or the manner in which it is being introduced when I have clearly stated otherwise? I find it beyond ironic that you would ask me why people do not understand such things while it appears you are misunderstanding a singular comment thread posting in which I have so clearly stated:
"I do recognize there is confusion surrounding risk based thinking and I do believe TC 176 has contributed to this..."
4 days ago

Philip Scalise
David Seear, would it be possible for you to articulate a closed-ended question for me, as opposed to using me in a rhetorical implication and suggesting that I need to "reread" something? I am typically not one to take offense and I prefer to believe none was intended, so forgive me if I find your desire to issue homework assignments just a bit presumptuous when you state:
"Philip
Above the footnote you mention on clause 6.1.2 of ISO 9001 Draft it states - Actions to address risks and opportunities shall be proportionate to the potential impact on the conformity of the products or services. Please re-read this statement as it mentions "Proportionate" and "Product or Services" that are provided."
Did I somehow imply that it did not? How would this be any less arbitrary than for me to write in response to your posting:
David, above the clause you mention in the ISO 9001 Draft it reads; Planning for the quality management system. Please re-read this statement as it mentions "Planning" for "quality" and "systems."
This is a great example of not planning for a reaction to an action that you have taken and it will prove very educational, so I truly do look forward to your response here.
4 days ago

Ahmed F. Shalabi
Philip: Now I'm confused... ISO TC 176 was 'asked' to use the risk-based thinking in ISO 31000 (which, if you've been following the forums over the last few months, its definition of risk needs to be revised), so the confusion is not on the part of TC 176, as you claim.
There's a separate ISO 9001 forum initiated by Christopher Paris on this issue -- please review those comments and the lack of consensus on introducing RBT from ISO 31000. Thank you,
Ahmed
4 days ago

David Seear
Philip, you are correct, I most certainly did not intend to offend anyone. I just responded to your question. In my second response (after the cartoon comment) I tried to explain why "Risk based thinking" had been introduced and explained that Annex SL was used to develop the new clause structure used by ISO certifiable standards. My third comment tried to build on your response where you stated "What does the expression address risk mean? And the footnote in DIS 9001 on the various options for addressing risks?"
I then used the footnote you mentioned and took it one step back to the paragraph before in "clause 6.1.2 of ISO 9001 Draft where it states - Actions to address risks and opportunities shall be proportionate to the potential impact on the conformity of the products or services."
I would like to remind everyone that ISO 9001 is about having a QMS that can consistently achieve the customer requirements. ISO 9001 does not cover all quality issues an organisation has to deal with.
This is where once again I tried to remind everyone of the restrictive scope of ISO 9001 and when using the term "Risk based thinking" this restrictive role should be recognised.
I can only hope that "Risk" is not misused because ISO 9001 is already misunderstood and adding in terms such as risk could cause confusion as indicated by the responses in this post.
Your request for a closed ending is as follows. The three terms you mentioned in the original question are quite simple.
* "Risk based thinking" is "As stated in ISO 9001 2015 DIS clause 0.5 Risk Based thinking is the effect of uncertainty on an expected outcome AND the concept of risk based thinking has always been implicit in ISO 9001". So no change, as "the expected outcome" is quite clear, namely meeting customer requirements.
* "Actions to address risks and opportunities" This is a common clause heading for all ISO standards as developed from Annex SL and it has to be looked at in relation to the organisation's activities. It is not something that can be decided in isolation. It is also the responsibility of the Organisation to decide what "risks or opportunities" are relevant, no one else.
* "Risk Management" MAY be applicable to some organisations as indicated in ISO 9001 Draft; however, as mentioned in the current ISO 9001:2008 clause 0.4, Risk Management is not applicable. The reason for this is it covers many subjective issues outside the scope of ISO 9001.
In fact I would remove the reference to ISO 31000 Guidance on Risk Management from ISO 9001 Draft as I believe this reference adds confusion.
I recognise that my views may not be supported but I believe unless these issues are resolved ISO 9001 certification could be undermined to no one's benefit.
3 days ago

Philip Scalise
David, I asked no questions. That was a cut and paste from the headline discussion. My comments were in response. Thank you for explaining.
3 days ago

Philip Scalise
Ahmed, the source you mention is not one I use. I see now why you are confused.
3 days ago

Francesco De Cicco
Thank you all for the comments. Some opinions seem not to take into account the paper published by ISO/TC 176 entitled "RISK IN ISO 9001:2015" (see it here: http://bit.ly/1F622Ty).
If you are not a newcomer in the risk management area, you can easily conclude that "risk-based thinking" (see the paper, item 6. How do I do it?) is (partially) the risk management process defined in ISO 31000 (the cartoon provided above shows the same process in a humorous way...).
The footnote in clause 6.1 - Actions to address risks and opportunities (included in ISO 9001:2015 and in ALL new management system standards - according to Annex SL) states that "Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision".
Wow! That is exactly what ISO 31000 calls "risk treatment", as defined below:
risk treatment
process to modify risk
NOTE 1 Risk treatment can involve:
avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
taking or increasing risk in order to pursue an opportunity;
removing the risk source (2.18);
changing the likelihood (2.21);
changing the consequences (2.20);
sharing the risk with another party or parties (including contracts and risk financing); and
retaining the risk by informed choice.
When you talk (or think...) about risk, you most probably want to manage it.
Then we come to the question: What is risk management?
ISO 31000 defines it in a very simple way:
risk management
coordinated activities to direct and control an organization with regard to risk.
Conclusions (in an undisguised way):
"Risk-based thinking" = "Risk management".
"Actions to address risks and opportunities" = "Risk treatment" (which is part of the risk management process).
And my final message to some ISO Technical Management Board and Technical Committee members: Please do not complicate and do not create new terms and expressions with regard to risk!
3 days ago

David Seear
Francesco De
"Risk based thinking" does not = "Risk management". I also believe you are being unfair to the TC 176 committee. Let us look at the facts. All new ISO standards that are certifiable will use the new Annex SL format for the structure of their clauses. ISO 9001:2015 Draft will use this format and the committee has to work out how this will work. ISO 9001:2008 states, quite clearly, that Risk management is not applicable to ISO 9001 (Clause 0.4). The new Annex SL has a clause 6.1 Risk and Opportunity. So how do you include risk and opportunity yet recognise that Risk Management is not applicable? The method they have chosen is to use the term Risk based Thinking. This is relevant in the sense that, as stated in the draft ISO 9001 on lines 300-301, Risk based thinking has always been implicit in ISO 9001. In fact the whole purpose of ISO 9001 is to address the risk as it relates to the Organisation's ability to consistently meet the customer requirements. So far so good; then along come the Risk specialists and a simple situation has become even more confused. Instead of recognising the situation that the committee was in, the Risk specialists try to introduce Risk Management. Now risk management covers just about everything anyone can think of and it is very "subjective" as seen in this discussion. ISO 9001 is the opposite; in fact it is totally "objective" as you know exactly what the customer requires and the standard has a restricted role where it just covers having an effective quality management system that can meet customer requirements. You mention "Risk appetite" and then terms such as Risk tolerance, Risk acceptance, Risk threshold, Risk attitude and Risk Category, to name just a few, are bandied about. Then you state that the committee should not introduce new terms and expressions regarding risk. I can see why you have so many of your own. The people wonder why I am concerned about "Risk Management" being included in ISO 9001. At least "Risk Based Thinking" can be "Objective" as the risk is measured against the specification for the product or service the customer requires.
If you are concerned I would suggest you read the book ISO 9001 2015 Back to the Future. If we can't understand the Basics of ISO 9001 there is little point moving forward to the Future as without reference to the "ISO 9000 Family of Standards" and the restrictive role of ISO 9001 the changes will make it confusing and unworkable. Still trying to help..
1 day ago

Francesco De Cicco
David S., you have your point of view on this subject and I have mine. This can be a never-ending discussion. So I close my participation in this thread.
PS: I didn't mention the term "Risk appetite" anywhere. And I know very well the scope, etc. of ISO 9001 and all the ISO 9000 family. After all, I have been using and applying these standards since 1991...
1 day ago

Rob Jeges
Achieving quality is an objective, and risk is the effect of uncertainty on objectives.
Quality management is the endeavour to manage the risk to quality. If properly done it
should have a framework based on principles and a process.
Cl 0.4 of ISO 9001:2008 does not state that risk management is not applicable to ISO 9001.
In fact it implies that they are aligned or integrated:
"0.4 Compatibility with other management standards
(...) This International Standard does not include requirements specific to other management
systems, such as (...) risk management. However, this International Standard enables an
organization to align or integrate its own quality management system with related
management system requirements."
This was written prior to the publication of ISO 31000. Cl 0.5 of DIS 9001:2015 provides
clarification:
"0.5 "Risk-based thinking"
Risk is the effect of uncertainty on an expected result and the concept of risk-based thinking
has always been implicit in ISO 9001. This International Standard makes risk-based thinking
more explicit and incorporates it in requirements for the establishment, implementation,
maintenance and continual improvement of the quality management system. Organizations
can choose to develop a more extensive risk-based approach than is required by this
International Standard, and ISO 31000 provides guidelines on formal risk management which
can be appropriate in certain organizational contexts".
Risk-based thinking is positioned as a proper subset of risk management (as defined by ISO
31000) for the purpose of quality management. As the concept does not include anything
that is not already part of ISO 31000 then one should not be surprised to find that it is fully
contained within ISO 31000.
I am not sure that quality is totally "objective". Quality aims at satisfying expectations, and
all theories of satisfaction are based on some form of cognitive dissonance. An individual
expecting a high or low-value product and receiving the opposite experiences a state of
dissonance, or a psychological discomfort, and I would consider this a highly subjective
perception.
1 day ago

David Seear
Francesco,
Thank you for the response, it is much appreciated, and I agree we have different views and I thank you for allowing me to express mine. What I am trying to do is ensure that certified organisations are not afraid of the new ISO 9001 2015 as it is up to the Organisation themselves to decide what "Risk" is applicable. Yes, ISO 31000 "Guidance on risk management" is one of many Guidance standards and it is up to the organisation to decide if they wish to use the "Risk" guidance standard, no one else. I don't wish to see all the "Risk Management" issues forced onto organisations especially when they may not be beneficial or cost effective.
Kind Regards David John Seear (Still trying to help)
1 day ago

David Seear
Robert J
Thank you for your comments, most of which I agree with; however, I do worry about the final paragraph as ISO 9001 still requires the organisation to agree with the customer what they require. That being the case there is no misunderstanding about what the outcome of the process should be. So your statement that "An individual expecting a high or low-value product and receiving the opposite experiences a state of dissonance, or a psychological discomfort, and I would consider this a highly subjective perception." is strange, as the customer knows what they are buying as it is the product or service being offered or the one specified by the customer. High or Low value product or service has little to do with ISO 9001 as the objective of having an effective quality management service is to consistently provide what the customer specified. ISO 9001 certification does not and never has given guidance on the High or Low value of a product or service, just that the Certified organisation can consistently deliver the product to the specified requirements. This is what the restrictive role of ISO 9001 is all about. Surely meeting customer requirements is a priority? I had a discussion decades ago with a very senior person who stated that an ISO 9001 Certificated organisation provides a better product. This is incorrect; what ISO 9001 certification should do is give assurance that the agreed product or specified requirement will consistently be met. That is why it is totally objective. A much later comment was that an ISO 9001 certified organisation cannot guarantee that it will meet the customer requirements. I accept it cannot guarantee, however when a professional audit is carried out it certainly can give a level of assurance that the system is capable of consistently meeting the specified requirements, or what is the point of certification?
I am still trying to get acceptance that auditors should know what the outcome of a process should be, or how can they judge the effectiveness of the management system.
Note: One of the 8 management principles has been dropped within the new draft revision process. It is "System approach to management"; it seems there is some disagreement over the difference between "Process" and "System". If you look at ISO 9000 2005 you will see the difference quite clearly. I would love to know how many people reading this actually have ISO 9000 2005 because my research indicates that in excess of 60% do not have or know of ISO 9000 as they have never been made aware of the "ISO 9000 Family of Standards".
That is the reason I still pursue the need to carry out process audits following an audit trail. If interested, Google "David John Seear ISO 9001 Audit Trail" to see why "Quality" has not managed to achieve credible recognition. If we continue with the so called "System audit" where auditors are advised they don't need to know what the product/service or what the agreed specification is, we will never improve. The current changes in 2015 could be open to the so called "System Audit" and the opportunity for improvement will be lost. I believe ISO 9001 should remain totally Objective or quality will be undermined and Certified organisations may reconsider their position.
Trust me, I am a "Seer". Only joking; I am however very concerned. The broader issues often discussed under ISO 9001 should come from ISO 9004.
Kind Regards David John Seear (Still trying to help)
1 day ago

Rob Jeges
David,
Sure, quality is about meeting customer specifications, but the problem is that this requires
a shared understanding of the specification by both parties.
I am the first to confess my parochial view of the world based on limited experience; I know
a thing or two about software development where one of the main problems is that
requirements are not well communicated between the client and the developer.
The problem of meeting specifications is always subjective. No documentation is perfect,
and RAD is not without its problems as each iteration cements design constraints that
cannot be easily removed later on.
In the end quality is always subjective. Meeting written requirements is no assurance of
success.
1 day ago

David Seear
Robert,
Once again at the beginning I agree with you. You state that where an organisation is trying
to provide a bespoke product or service then there is a lot of work that needs to be done in
the design area and a lot of work obtaining agreement as it is not always well
communicated. My experience in your sector of work is customers don't know what they
want until you provide it, then they realise that is not what they are after. I agree research and
development can be very problematic but ISO 9001 is still a tool that you can use. In your
case the new ISO 9001 2015 draft will help as it mentions in clause 0.5 lines 303 -306 that
an organisation may choose to develop a more extensive risk based approach and ISO
31000 provides guidance on formal risk management which can be "appropriate in certain
organisational contexts". So although this is covered I would prefer ISO 31000 to be removed
as I believe it has already caused confusion and will be even worse if it goes worldwide. My
concern is that this optional use of ISO 31000 should be understood as being OPTIONAL, the
same as any guidance standard is optional. What worries me is where the general opinion is
that all the elements of "Risk Management" should apply. I recognise that people are trying
to get the best out of the revision but as an ex naval officer all I am asking is, like being at
sea, you should know where you are trying to get to, and where you are starting from, before you
start trying to manage the process of getting there. Some people seem to think I am against
"Risk"; that is so far from the truth. What I am trying to do is get "Back to Basics", understand
where problems exist and then modify the standard in a manner that makes things clearer
and more effective. I have tried to explain "Risk Based Thinking" and how this does not
directly equate to "Risk Management".
Once again it is your last sentence that worries me. Your statement that "In the end quality
is always subjective. Meeting written requirements is no assurance of success." Where has it
ever stated that the purpose of ISO 9001 is to "meet written requirements"? ISO 9001
requires few written requirements but what happens now causes a problem with auditing. If
we don't carry out professional audits your comment is true. The problem is the "System
Audit" approach is still being taught; it is wrong. That being the case your last sentence is
factual but still incorrect because that is not what is supposed to happen. My previous post
covers some of these issues. We have a great opportunity in 2015 to get things right and
understand the structure of ISO standards and how they should be used; let's not miss it in the
rush to make change, as it should be about improvement.
Kind regards and best wishes David John Seear (still trying to help)
1 day ago

Terry McHugh FCQI CQP.
If committees continue to meddle and make changes to standards in areas that they appear
to have little understanding of, then the confusion that is starting to appear here will continue
to get worse. Risk Management doesn't apply unless it affects the quality of goods and
services, so then it does apply. All that needed to be added to the standard, if it had to be
added at all, was a sentence that stated 'All risks and hazards, relative to the business or
company must be considered.' Nothing else would be needed, auditors could clearly ask a
simple question and check any pertinent records and the business management would have
a clear understanding of what was needed.
Instead it is beginning to look as if the new revision will be going down the route of previous
ones where the title should be 'Do what you want because the content here is meaningless'.
The standard is starting to become less relevant as the confusion between system and
process audits continues and the increasing meddling does nothing to help matters.
16 hours ago

David Seear
Terry,
I agree committees should not make changes where they have not fully understood the
purpose or scope of the standard. ISO 9000 Fundamentals and vocabulary Draft is a classic
example. The term "Objective/Audit Evidence" is now considered to be the same (Clause
3.10.15.) yet there still is a clause "Objective Evidence" 3.8.4 and the objective evidence
3.8.4 is the same as the previous version in ISO 9000 2005. So both cannot be correct. In
fact all they have to do is delete the term "Objective" from "objective/audit evidence" and all
would be well. I can only hope they will do that.
If you are interested in some other definitions concerns go to www.pdqms.co.uk and look
under "articles" to see my concerns. All of this has been advised to members of the
committees and the ISO, CQI, IRCA, UKAS etc so I live in hope these anomalies will be
corrected.
I would however point out my concern over one sentence you have written. "All risks and
hazards, relative to the business or company must be considered". This is incorrect. If you
had stated "All risks or conditions that could affect the ability of the organisation's
management system to consistently provide product or service that meets the customer and
applicable statutory and regulatory requirements" it would be correct. Where you indicate
that it covers ALL risks and hazards relative to the business then this is incorrect as it fails to
take into account the restrictive role of ISO 9001. However, all I am saying is we should all
take into account the scope. You do mention earlier that it is only to do with the quality of
goods and services so this may have been a slip of the keyboard. If we all referred back to
the Scope of ISO 9001 before we made a decision on what something meant then we would
use ISO 9001 correctly and remove confusion. If we recognised that the introduction and
clauses 1 - 3 are important and not just consider clauses 4 - 8 we would also improve. How
many of you have read ISO 9001:2008 from cover to cover? Clause 2 Normative references
states that ISO 9000 2005 is indispensable to the application of ISO 9001. So in effect ISO
9001:2008 cannot be used without reference to ISO 9000. Clause 3 also states that where
the term "product" occurs it can also mean "service". Who knows, reading the standard fully
may mean we don't have to make any changes?
Sorry I am being silly again. I am however still trying to ensure that the changes being made
make things clearer not more confusing. Kind Regards David John Seear
10 hours ago

Richard Murdock
In my opinion, the text in the DIS uses terms such as "shall determine the risks and
opportunities in accordance with the requirements of 6.1, and plan and implement the
appropriate actions to address them". Since there is a shall involved, there needs to be
objective evidence of planning and implementation. Is this not part of Risk Management?
"Top management shall demonstrate leadership and commitment with respect to customer
focus by ensuring that: the risks and opportunities that can affect conformity of products
and services and the ability to enhance customer satisfaction are determined and
addressed". Once again, the shall in this statement requires objective evidence. And again, is
this not part of risk management?
As you all have the DIS and can read, I will not quote the remaining clauses that call for the
same objective evidence pointing to Risk Management.
Call it what you want, but when the requirements call for planning and implementation, that
to me is a roundabout way of calling for risk management.