Risks, AS9100D 6.1 and 8.1.1
The management system defined by ISO 9001:2015 and AS9100D depends on you defining your processes and assessing the risks associated with these processes. The organization mitigates risks through planning, action and review. To do this, the AS9100D standard requires that the context of the organization be understood, see AS9100D 4.1. This entails determining the external and internal issues that are relevant to the business and the organization’s strategic direction, and how these affect the organization’s ability to achieve its goals.
Strategic direction is a course of action that leads to achieving the organization’s goals.
Three common areas of focus in a strategic plan are vision planning (future vision), scenario planning (what if) and issues planning (solving challenges).
Examples of strategic plan content include evaluating the strengths and weaknesses of the organization.
You will also need to define the organization’s interested parties, and their requirements and expectations as related to the QMS. These must be monitored over time and included in your management review, see AS9100D 9.3.2 b.
Now that you have all of this in place, we can discuss risk.
Starting with AS9100D 6.1, when planning for the QMS (function, structure, mechanics), you must consider context and interested parties as we have stated above. Hopefully, you can enhance the desired effects and prevent or reduce the undesired effects.
In addition, the organization must plan actions to address risks and opportunities and how to implement and evaluate these actions. As guidance, AS9100D states:
“Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.”
To meet these requirements, the QMS Database includes a section for Context, Interested Parties and SWOT analysis. Without the QMS Database, you could create spreadsheets for each, or some other tool to record the data.
AS9100D 8.1.1 also includes requirements for operational risk. If you are familiar with AS9100C, you are likely to recognize these requirements. These risks relate to requirements applied to processes and products by customers, POs, drawings and specifications.
Often these risks are captured and managed using an FMEA process for processes, product families, customers, etc. Also, risks are identified and assessed on an order-by-order basis as defined by the organization.
Important to note:
Clause 6.1 addresses the risks and opportunities when planning for the quality management system.
Clause 8.1.1 is limited to the risks associated with the operational processes needed for the provision of products and services.
But Wait, There’s More!
There is more to risk in AS9100D. Paragraph 8.2.2 d requires that you identify operational risks.
Paragraph 8.4.1 requires that you identify and manage risks associated with suppliers and that this is reflected in your verification (aka receiving inspection) activities.
When raw material has been identified as a high risk, you shall implement a process to evaluate test reports. Be sure raw material is a part of your risk assessment!
Paragraph 8.5.1.3 Production Process Verification suggests risk assessment activities.
Paragraph 9.1.3 Analysis and Evaluation includes actions taken to address risks.
Paragraph 9.3.3 Management Review Outputs item d is risks identified.
Paragraph 10.2 Nonconformity and Corrective Action includes updating risks and opportunities determined during planning.