
RISK MANAGEMENT and ISO 17025:2017

Dr. Bill Hirt


Global Technical Advisor
ANAB / ANSI-ASQ National Accreditation Board

January 31, 2018


Outline of Sections
• Introduction of ANAB
• Risk management consistency in ISO stds
• General understanding of Risk-based Mgmt and Tools
• Resources of ISO 31000 Guidelines Document
• Elements in new 17025 standard for RISK
• How RISK is a challenge for both labs and ABs
ANSI-ASQ National Accreditation Board / ANAB
• Non-profit accreditation body; now 25 years in the industry
• Offer ISO programs and sector specific ISO-based programs
• 60 full time employees, 185 technical assessors, 4 office locations
• Accredited customers in 58 countries, over 2,000 total accreditations
• Signatory to 4 int’l MRAs/MLAs (ILAC, IAF, IAAC, APLAC)
ANSI-ASQ National Accreditation Board / ANAB

LABORATORY-RELATED
 Laboratories: ISO/IEC 17025
 Inspection Bodies: ISO/IEC 17020
 RMP: ISO 17034
 PT Providers: ISO/IEC 17043
 Product Certifiers: ISO 17065 (w/ANSI)
 Government Programs: DoD ELAP, EPA Energy Star, CPSC Toy Safety, NRC, NST IPV6, US Navy
 Training

FORENSIC
 Accreditation for ISO/IEC 17025 forensic test laboratories and ISO/IEC 17020 forensic agencies
 Training

MANAGEMENT SYSTEMS
 Certification Bodies: ISO/IEC 17021
 Accreditation for Management System Certification Bodies:
– ISO 9001 (QMS)
– ISO 14001 (EMS)
– ISO 22001 (Food)
– TS 16949 (US Automotive) etc.
 Training
Risk components to cover
 Risk Terminology & The Four Elements of Risk

 Role of Standards In Changing Perceptions of Risk

 Process vs Product Risk and Existing Controls

 Metrics and Tools – Converting Unknown to Known

© EAGLE Certification Group 2017 – Confidential – Do Not Reproduce

What is Risk?
THE EFFECT OF UNCERTAINTY
UPON OBJECTIVES
Source: ANSI Z690.1-2011

 A risk is a potential future event that could result in adverse and unplanned consequences
• A risk may not be a problem, an issue or a crisis!
 With Mitigation

 Risk is also a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints*
*Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003
Risk Based Thinking
 Risk Implementation
• Used throughout your organizational processes
• Risk-based thinking for QMS (business) - Clause 6.1
 Identify and prioritize
 Plans to address the risk (PLAN)
 Implement the plan (DO)
 Check for effectiveness (CHECK)
 Learn from experience (ACT)

Risk Based Thinking
 Outcome – Prevention (Replacing P/A)
• Risk to the Customer
• Minimize risk to the organization!
 Staff
 Equipment
 Product/Service
 Risk to be eliminated or mitigated

Risk Management Terminology*

• Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

• Risk: Characterized by reference to potential events and consequences or a combination of these and expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
*All Definitions are ©2011 American National Standards Institute and published in ANSI/ASSE
Z690.1-2011 the “National Adoption of ISO Guide 73-2009”
Risk Management Terminology*

• Risk Management: Coordinated activities to direct and control an organization with regard to risk.

• Risk Management Framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.

*All Definitions are ©2011 American National Standards Institute and published in ANSI/ASSE
Z690.1-2011 the “National Adoption of ISO Guide 73-2009”
Risk Management Terminology

• Likelihood: the chance of something happening

• Exposure: the extent to which an organization is subject to an event

• Consequence: outcome of an event affecting objectives
Risk Management Terminology

• Probability: the chance of occurrence (0-1)

• Frequency: number of events per unit of time

• Vulnerability: intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with consequence
New ISO 9001 and 17025 Terminology

• Documented Information: Written procedures & Records

• Maintain: Documented Procedures

• Retain: Records
Four Elements of Risk Management
Risk Management encompasses:

• Identification
• Prioritization
• Mitigation
• Measurement & Feedback

 Each applies equally to the QMS system, PROCESS and PRODUCT associated risks!

 All phases of product realization AND all aspects of company operations!
Risk and Standards
 All management system standards now specify risk management activities: TOTAL System
– AS 9100, AS 9110, AS 9120 (aerospace)
– ISO 13485 (medical devices)
– ISO 22000 & SQF
– IATF 16949
– ISO 9001
– ISO/IEC 17025
While all address risk, each has a unique twist. Until the Annex SL was created, standards focused on risks associated with the product only and not all areas of the organization.
Managing Process Risk
• The standards require the identification and
reduction of process-based risks.
Process Risk Examples
• Contract Review
• Product Development (Design)
• Purchasing
• Planning / Production / Service
• Change Control / CA / PA
– Modify your forms to mandate risk analysis
• Testing for accredited work
• Test report issuing
Common Risk Identification Tools

• BRAINSTORMING
• FMEA
• HACCP
• Cause / Effect Diagram
• 5 Whys
• Preliminary Hazard Analysis
• Fault Tree Analysis
• Internal & External Audits
Show Me The Data

• Pay LESS attention to the actual NUMBERS,
– FOCUS attention on the TRENDS

• Trends provide the CONTEXT for the numbers – good or bad, trending up or down, above target or below target.
Risk Prioritization

• The process of analyzing
– Prioritizing
– Process risks against impact
• Product
• Schedule
• Performance criteria
• Cost

Copyright 2017 DB Performance Solutions, LLC and ISTI, LLC


Common Risk Prioritization Tools

• FMEA (Severity, Detection, Occurrence, RPN)

• HACCP

• Impact / Effort Matrix

• Pareto Analysis



RMS Risk Prioritization Tools
• BALANCED SCORECARDS and RISK MATRIX
Impact Analysis

Impact \ Benefits    1 High    2 Medium    3 Low
1 Low                  1          2          3
2 Medium               2          4          6
3 High                *3          6          9

1 – 2 Incorporate the change
3 – 4 Additional analysis should be conducted prior to making the decision
6 – 9 Do not incorporate the change
Note: ‘*3 - high impact x high benefits’ - No change allowed, but we need to record details of proposed change, to provide input into future revisions.
Risk Matrix
[Figure: risk matrix. Legend: Acceptable / Concern / Critical]
Risk Mitigation

• Identify
• Evaluate
• Select
• Re-evaluate Residual Risk? Reduce?
Common Risk Mitigation Tools

• Strategic Planning (Management)


• Control Plans
• Team Based Problem Solving (8-D)
• Poka-Yoke (Error-Proofing)
• Training / Awareness
• On Site Audits, Internal, Customer, Third Party
• Design for:
– Reliability / Maintainability / Manufacturability
System-Level Mitigation Tools

• Contingency Plans
• Emergency Response Plans
• Succession Planning
• Strategic Planning
• Reviews
Risk Monitoring & Feedback

• Established metrics

• Systematically tracking and evaluating performance

• Ensure that Lessons Learned feed back into future risk identification activities.

• Changes needed to current mitigation?


Evaluating Risk Effectiveness
• CAPA System

• Internal Audit

• Returns / Warranties / Complaints

• Review of Internal Failures

• Management Reviews
Feedback
 Make certain that RISK IDENTIFICATION includes past
experience from related products:

• Things Gone Wrong / Things Gone Right


• Feasibility Reviews
• Design Reviews
• Adverse Event Reports
• Previous Complaints
• Customer Feedback
Risk vs Company Size

• Varying Applicability to Different Functions

• Risk Processes … appropriate to the product and the organization
Risk vs Company Size
 Supplier Management: Supplier capability, interface,
etc.
 Purchasing: Vendor capability, Critical material / part
/ detail, lead times, special process
 Manufacturing: Applying “appropriate” methods,
special processes
 Inspection: Independent verification, Critical
requirements
 Individuals: Application decisions, injury
Risk Management Review
[Management] review shall include assessing
opportunities for improvement and the need for
changes to the quality management system…

 How is this linked to the expectations of Risk Management?
Risk Management Review
 What are the results of the Key Metrics?

 What risks have been reduced due to Internal Audits?

 What risks were identified in External Audits?

 What risks were detected by our CAPA System?
Risk Management Review
 What risks escaped detection and caused
complaints / rework / warranty?
 Have the risk management plans been
updated accordingly?
 What external changes can impact our risk?
 What additional or transferred resources are
required to minimize or eliminate risks?
RMS Scorecard
• Review example scorecard provided
• Red / Yellow / Green Stoplights for immediate
impact of problem areas
• Based upon defined metrics and objectives
covering defined functions in the
organization
• Higher level concerns “Bubble-Up” to the
next layer of the organization.
Summary
• Many ways to manage Risk

• Many ways to document methods for Risk

• Many tools for Risk Management

• Some Standards / Customer-required Methods


Risk categories – general business
• Product properties
• Business impact
• Customer-related
• Development environment
• Process issues
• Staff size / experience
• Technical issues
• Technology / Other
ISO 17025 / ANSI-Z-540 Risk

• Primarily for calibration laboratories following ANSI-NCSL-Z-540.3 in addition to 17025

• Required measurement and review to determine probabilities of RISK for decisions.
ISO 17025 / ANSI-Z-540 Risk
Class exercise
• In your tables or groups of 4 to 8 if possible…

 Spend 3 or 4 minutes
• thinking about your lab / organization
• think of at least 3 or 4 risks, take notes
• then share with your group
ISO 31000 Table of contents-1
ISO 31000 Table of contents-2
ISO 31000 – Risk Management
enables an organization to :
ISO 31000 – Risk Management
enables an organization to : (2)
ISO 31000 – Risk Management
Risk elements in ISO 17025:2017
• Introduction – paragraph 2
• 4.1.4 -- impartiality
• 4.1.5 -- lab to demo how it minimizes it
• 7.8.6.1 – reporting statements of conformity
• 7.10 b -- non-conforming work
• 8.5 -- Actions to address Risks & Opp’s
– 8.5.1 / 8.5.2 / 8.5.3 plan actions proportional
Risk elements in ISO 17025:2017 (2)
• 8.6.1 -- Note only in Improvement
• 8.7.1 e -- update risk piece of CARs
• 8.9.2 m -- management review – results of risk identification
• Bibliography references ISO 31000 guidelines
• Includes when evidence / records required
How will ABs assess Risks & Opps
• New to the ISO 17025 world, though not 9001

• All ABs now challenged to develop policies
– Need customer lab inputs and examples
– Likely to wrestle with this for the 3-year implementation
– Assessors have similar learning curve as labs
Questions and Discussion –
Good Luck !!
Contact Information

Dr. Bill Hirt


Global Technical Advisor

ANAB / ANSI-ASQ National Accreditation Board

Email: bhirt@anab.org / billhirt17025@gmail.com

info@anab.org and Training Offerings


info@asq.org
