By Christopher Paris
Doing so, your list might start to look like this:
Doing so, your list might start to look like this:
Once you have your interested parties identified, you can start to think about what each of those cares about, which brings us to the next step in the COTO exercise.
We’ve All Got Issues
Using the list above, you will then identify internal and external “issues.” These are concerns that the interested parties may have that directly or indirectly impact on your products, services and/or QMS. Again, a simple table is a great way to start:
We’ve All Got Issues
Using the list above, you will then identify internal and external “issues.” These are concerns that the interested parties may have that directly or indirectly impact on your products, services and/or QMS. Again, a simple table is a great way to start:
(By the way, you can create a single spreadsheet that includes all of this in a sortable file. I’m just proposing these tables because it’s easier to discuss in a blog article.)
You would then begin the mental exercise of identifying the issues of concern. The good news is that ISO 9001:2015 gives us some pointers on where to start. The Notes in clause 4.1 provide the following suggestions:
Internal Issues
External Issues
Once again, these are optional… you decide the issues of concern, not anyone else. Just try to imagine, however, what your interested parties might consider an issue of concern.
When you’re done, your table might start to look like this:
You would then begin the mental exercise of identifying the issues of concern. The good news is that ISO 9001:2015 gives us some pointers on where to start. The Notes in clause 4.1 provide the following suggestions:
Internal Issues
- values
- culture
- knowledge
- performance
External Issues
- legal
- technological
- competitive
- market
- cultural
- social
- economic
Once again, these are optional… you decide the issues of concern, not anyone else. Just try to imagine, however, what your interested parties might consider an issue of concern.
When you’re done, your table might start to look like this:
So why did I add a column for “bias?” After all, that’s not mentioned at all in the standard. The answer is simple: this will help you identify risks and opportunities later, as part of the risk-based thinking (RBT) exercise. So remember that point, because we will come back to it later.
Scope, Processes & Strategic Direction
The next two requirements for COTO are two that you’ve probably already done, if you had implemented ISO 9001 prior to the 2015 release. These are (1) defining the scope of the QMS, and then (2) defining the QMS processes. If you haven’t done this before, well, they are not terribly complicated exercises, but far beyond the scope of this article. If you’ve identified interested parties and issues of concern, you have enough to begin taking a bite out of risk-based thinking. Your QMS scope and QMS processes will help in this regard.
From all of this information — stakeholders, issues, scope and processes — you now can do a few things. One of these will be to define the “strategic direction” of the company (see new clause 5.1.1 as well as a few others). This is also out of scope for this article, but if already done would further assist in the RBT exercise; if the company hasn’t yet defined its strategic direction, don’t worry: it’s not a showstopper for RBT.
But relative to RBT, the COTO information will allow you to make informed decisions on the risks to consider in your organization, the risk tools to use for assessment of each, and the risk treatment methods.
Scope, Processes & Strategic Direction
The next two requirements for COTO are two that you’ve probably already done, if you had implemented ISO 9001 prior to the 2015 release. These are (1) defining the scope of the QMS, and then (2) defining the QMS processes. If you haven’t done this before, well, they are not terribly complicated exercises, but far beyond the scope of this article. If you’ve identified interested parties and issues of concern, you have enough to begin taking a bite out of risk-based thinking. Your QMS scope and QMS processes will help in this regard.
From all of this information — stakeholders, issues, scope and processes — you now can do a few things. One of these will be to define the “strategic direction” of the company (see new clause 5.1.1 as well as a few others). This is also out of scope for this article, but if already done would further assist in the RBT exercise; if the company hasn’t yet defined its strategic direction, don’t worry: it’s not a showstopper for RBT.
But relative to RBT, the COTO information will allow you to make informed decisions on the risks to consider in your organization, the risk tools to use for assessment of each, and the risk treatment methods.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users.
The original links to this Practical Implementation of "Risk Based Thinking" are the following:
Part 1
Part 2
Part 3
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users.
The original links to this Practical Implementation of "Risk Based Thinking" are the following:
Part 1
Part 2
Part 3