ISO 9001 has always had a risk management element in it, albeit couched as
preventive action and linked with potential nonconformance. In the 2008
version of the standard, risk management was hinted at, though it wasn't made
a requirement. It is, in fact, a blessing in disguise to all sincere quality
management professionals that risk management has been delinked from the
term preventive action, thereby dissociating it from unnecessary
confusion with corrective action and nonconformances. The result is that
risks can be seen and identified in process designs upfront without having
to see them in the context of product defects.
PFMEA
For example, an organization would have made it mandatory for its supplier
quality engineer to audit all the subcontractors annually at a time when the
industries in its area did not have the expected quality level. Over a period of
time, the subcontractors would have matured and improved their quality
levels, making the annual audit a redundant activity. Because there is no
objective re-evaluation of the controls established in its procedures, it would
end up carrying out annual audits on suppliers who have improved their
product quality.
There are good resources on the internet with general guidance and templates
for PFMEA, including one by ASQ. An organization with well-defined
procedures for its business activities is halfway to effective risk
management using PFMEA.
To start using the tool, the organization needs to take each step from its
procedure and list all the potential risks arising out of that activity. This
goes into the potential risks column of the PFMEA. The next column should
list the effects of the risks. Each effect needs to be objectively evaluated on a
scale of 1 to 10, with 10 being very severe. (The AITF FMEA manual provides
very good guidance with respect to an automobile, but one should be able to
adapt the idea to any business.)
For example, the activity "create a PO" could have a risk that the information in
the PO differs from the material requisition. The effect would be
buying the wrong material or service. The effect could be rated 5 if the material
could be easily exchanged when detected, or 8-9 if not.
The controls are most likely documented in the procedure. Say, a review of
the PO by a third party could be one control. Or, having the items carried over
from the material requisition to the PO automatically through a software system
could be another. The next column quantifies the effectiveness of these
controls in mitigating the risk. Again, on a scale of 1 to 10, with 10 being the
least effective, an independent review of the PO would likely score somewhere
around 5 and the software integration about 2.
The final task is quantification of the risk, typically called the RPN or Risk
Priority Number, which is the product of the severity of the risk, the occurrence
rating and the effectiveness of the control. The organization should determine its risk
appetite in terms of a critical RPN. An RPN above the risk appetite warrants a
re-look at the controls to make them effective, or a change in the process to
avoid the risk altogether.
To ensure that no new risk has crept into the business process, and
that controls that have become redundant are modified, the
organization needs to review the PFMEA periodically, just as
companies that do PFMEA for their manufacturing processes do. This review
will result in better controls in its procedures and also make it easier for
people to appreciate and follow them.
I believe that if PFMEA is used as a tool, instead of other namesake tools done
to satisfy the intent and not the spirit of the requirements of ISO
9001:2015, organizations stand to benefit by managing risks effectively.