Does "Risk" Need To Be Directly Documented Throughout Your QMS?
THE SHORT ANSWER
THE LONG ANSWER
Let’s begin by going back to first principles and reviewing the basic reasons why we document anything in a management system in the first place. Remember the old saw: “It’s a documented system – not a system of documents.” In other words, it’s all about the management system, and about how it serves your organization. Documentation is just one of the types of resources which support the system (for example, a quality management system), along with human resources, equipment, information services and so on.
Documentation, like anything else in a QMS, should always serve a purpose. There’s no more point in having unnecessary documents than in having pointless metrics or unused tools. Now, you may hold onto some records (or, as Annex SL puts it, “retain documented information”) that you have no known need for now but might well do in the future (for instance, in the event of a customer or regulatory inquiry).
But, for the rest of this post, let’s focus on the other kind of document – the kind that Annex SL is talking about when it tells you to “maintain documented information”.
WHAT DOES ISO 9001 MAKE YOU DOCUMENT?
Surprisingly little. ISO 9001:2015 specifically requires you to “maintain documented information” about:
- 1. the scope of the QMS
- 2. the quality policy
- 3. the quality objectives
– and that’s it! (Of course, some sector-specific standards built on top of ISO 9001, such as TL 9000, add some items to that list.)
In clause 4.4.2, though, ISO 9001 also tells you to “maintain documented information to support the operation” of your processes – to “the extent necessary”. And again, in clause 8.1, you’re told to maintain documented information “to the extent necessary” to have confidence in the performance of your processes and in the quality of your products and services.
ISO 9001 does in these two requirements what it does throughout the standard: it leaves it up to the organization to determine what it needs to have in its QMS in order to achieve its intended outcomes.
So, why might you document something that ISO 9001 doesn’t specifically make you document?
Because having documentation to refer to (whether it’s a printed work instruction, a checklist or a cheat sheet, a video – whatever) will make it easier for people to consistently perform a process correctly than if they had to rely on their memory, common sense or tribal knowledge.
Because a customer or regulator requires it.
Because it would be helpful in training people on a process that’s new to them.
Because it would be a useful reference for your internal auditors (and perhaps your CB auditors as well).
SO, GETTING BACK TO RISK …
Documenting risk in your QMS, then, is essentially no different from documenting anything else: do it to the extent that seems sufficient to support your processes and give you confidence in the results. In other words – at the risk of getting all recursive on you – use risk-based thinking!
What’s the risk of under-documenting risk in your QMS? Perhaps it would impair top management’s ability to promote risk-based thinking as required by clause 5.1.1 d). On the other hand, what’s the risk of over-documenting it? Perhaps wasted time to create and maintain that documentation; and, perhaps worse: you wind up with so much documentation that no one bothers looking at any of it at all.
There are definitely implicit requirements to document risks and opportunities in your QMS, though. The organization is required, at various points in the standard, to address them and to update them. It could be challenging to do those things if they weren’t written down somewhere.
DO IT FOR YOUR INTERNAL AUDITORS – BUT NOT FOR YOUR CB AUDITORS
Since one of the things you’re shooting for in a QMS is effective internal audits, don’t be afraid to document something (e.g., how you manage risks and opportunities) only because it’ll make it easier for your internal auditors to perform good audits. But don’t create any documentation that is useful only for your CB auditors (unless you’re just feeling kindly disposed towards them).
Make no mistake: CB auditors love to have things documented for them: it means they don’t have to work quite as hard putting things together for themselves. But, as an NQA Regional Auditor myself, I always tell clients: “Don’t document anything just for me – document it for you!” Remember, the bottom line is: If documenting it will help to make your QMS more effective – document it! (And, if not, do something more useful with your time.)
Author: Rick Hill, TL 9000 Program Manager, NQA USA