By Christopher Paris
Part 1: The COTO Exercise
I’ve made it clear I am no fan of the vague, peyote-sourced “risk based thinking” (RBT) language that TC 176 added to ISO 9001:2015, nor its clearly non-consensual “include risk or else” origins from a mandate by overcaffeinated ISO executives. The thing is, we’re stuck with it, and no amount of garment rending will undo it. I know, since I’ve rended all my garments, and am typing this naked.
Moving past that mental image (you’re welcome), if we must adopt RBT then it behooves us to figure out just how to do it in the best practical way possible, without falling into one of two traps:
- We don’t want to let the vague language of RBT in ISO 9001 translate into doing nothing
- We don’t want to let the growing chorus of ill-informed CB auditors have us overdo it, and apply FMEA to everything
Instead, the text of ISO 9001 tells us that it’s entirely up to the company to decide what level of risk consideration to adopt. And that’s great. But before we can do that, we have to tackle an entirely different clause of ISO 9001:2015 first, and it’s also new. This is the clause related to “context of the organization” (which I’m calling “COTO”, an abbreviation into which I am shoving the Oxebridge flag so that, years later, you know who invented it). Anyone jumping into the risk clause without tackling COTO has missed an important step. This also proves how those FMEA-addicted auditors have no clue what they are talking about, since COTO will drive the decisions on which risk treatment methods to select.
COTO en Toto
Why COTO first? If we look at the first requirement in clause 6.1.1 related to risk, we find it pushes us back to COTO:
"When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 … "
What this means is that prior to doing any work on the RBT requirement, you have to first conduct what I call the “COTO exercise.” This is an activity that will take a little bit of time the first time, and then just gets updated periodically (perhaps annually) later on. So, just to repeat myself and see if my blog can still handle red bold italics, let me reiterate:
"You cannot address risk-based thinking properly without considering the context of the organization first".
Fortunately, the COTO exercise is simple. This requires identification of four things:
- Identify your interested parties – who they are and what are their requirements and expectations
- Identify internal and external issues – based on # 1 above
- Define the scope of the QMS – based on # 1 and # 2 above
- Identify your processes within the QMS
Now a strict reading of the COTO clauses (4.1 through 4.4 of 9001:2015) has them in a different sequence. This is because TC 176 is dumb; they would have you identify the external issues first, and then identify the external stakeholders — which is the exact opposite of the way you would do this in real life. So I’ve re-ordered the steps, ignoring 9001:2015’s clause sequence.
Fight For Your Right to Party
Following these steps, you have to first identify stakeholders (“interested parties”) who either have an interest in your products or an interest in your quality system. This is a great addition to ISO 9001, the previous versions of which obsessed almost entirely with customers, but ignored almost anyone else who might care about your products or services. For example, many B2B companies sell products to another company, but the end user may actually be the public; under 9001:2015 we get to consider the end users, and not just the paying customer.
I recommend creating a simple table and then populating it, with the help of the senior management team and other company propellerheads. The table should look like this:
You will then think of all the groups of people who may be directly or indirectly impacted by your product or service, as well as those that have a direct or indirect impact on your QMS. For each identify whether they are internal (work for the company) or external (third parties.) Then define why those groups might have an interest.
Like much of ISO 9001, you get to decide who an interested party is. The only expected party would be your customers, and everything beyond that is entirely up to you. In most cases, however, this is going to include:
Internal Interested Parties
- Employees
- Other divisions of the company
- Departments that may be outside of the QMS (legal, finance, etc.)
External Interested Parties
- Customers
- Suppliers / Vendors
- Regulators
- The public
- Other end users of your product/service
- Certification bodies
- Competitors
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users.
The original links to this Practical Implementation of "Risk Based Thinking" are the following:
Part 1
Part 2
Part 3