With the release of ISO 9001:2015, there is a new requirement for the identification and assessment of risks and opportunities for the Quality Management System (QMS). These new requirements have created confusion not only about what should be done, but also about in ISO 9001:2015 documentation, what should be documented about risks and opportunities for your QMS. There are a few activities that must be carried out in relation to the risks and opportunities of the QMS:
- Identify the risks and opportunities – what should be addressed to ensure that your QMS does what is necessary, is based on the desired results, prevents or reduces the results of the problem and obtains an improvement?
- Plan your response – What actions should you take to address the risks and opportunities identified?
- Integrate into your QMS – how can these plans be adopted and adapt to the usual activities so that they can happen easily?
- Evaluate effectiveness – How will you know if your actions have worked, or need to be updated? This involves analyzing the information and management review to assess the effectiveness.
Do you need a document ISO 9001:2015 procedure?
It is important to note that there is no mandate for documented information for any of these steps. The standard itself does not state that it is necessary to document ISO 9001:2015 procedures that concerning risks and opportunities, just that you must perform the processes in the section above, as well as update the risks and opportunities as an outcome of process non-conformities.
For instance, you could choose to assess your risks and opportunities at a management meeting, identify a risk, decide what you want to do and make sure that employees who are executing the QMS process are aware of what they need to do and you could then claim that you are compliant with the ISO 9001:2015 requirements, even if none of these are written.
Therefore, in accordance with ISO 9001: 2015, a documented procedure is not required, but your company may have a different need for documented information and records regarding QMS risks and opportunities.