RISK MANAGEMENT and ISO 17025:2017
Dr. Bill Hirt
Global Technical Advisor
ANAB / ANSI-ASQ National Accreditation Board
January 31, 2018

Outline of Sections
- Introduction of ANAB
- Risk management consistency in ISO standards
- General understanding of risk-based management and tools
- Resources of the ISO 31000 Guidelines document
- Elements in the new 17025 standard for RISK
- How RISK is a challenge both for labs and ABs (accreditation bodies)

ANSI-ASQ National Accreditation Board / ANAB
- Non-profit accreditation body; now 25 years in the industry
- Offers ISO programs and sector-specific ISO-based programs
- 60 full-time employees, 185 technical assessors, 4 office locations
- Accredited customers in 58 countries, over 2,000 total accreditations
- Signatory to 4 international MRAs/MLAs (ILAC, IAF, IAAC, APLAC)

ANSI-ASQ National Accreditation Board / ANAB
LABORATORY-RELATED
- Laboratories: ISO/IEC 17025 test laboratories and RMP (ISO 17034)
- Forensic: ISO/IEC 17025 forensic laboratories; ISO/IEC 17020 forensic agencies
- Accreditation for Inspection Bodies: ISO/IEC 17020
- PT Providers: ISO/IEC 17043
- Product Certifiers: ISO 17065 (w/ANSI)
- Government Programs: DoD ELAP, EPA Energy Star, CPSC Toy Safety, NRC, NSTIPV6, US Navy
- Training
MANAGEMENT SYSTEMS
- Certification Bodies: ISO/IEC 17021 Accreditation for Management System Certification Bodies: ISO 9001 (QMS), ISO 14001 (EMS), ISO 22001 (Food), TS 16949 (US Automotive), etc.
- Training

Risk components to cover
- Risk Terminology & The Four Elements of Risk
- Role of Standards in Changing Perceptions of Risk
- Process vs Product Risk and Existing Controls
- Metrics and Tools – Converting Unknown to Known
EAGLE Certification Group 2017 – Confidential – Do Not Reproduce

What is Risk?
THE EFFECT OF UNCERTAINTY UPON OBJECTIVES (Source: ANSI Z690.1-2011)
- A risk is a potential future event that could result in adverse and unplanned consequences
- A risk may not be a problem, an issue or a crisis (with mitigation)!
- Risk is also a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints**
**Reference: Risk Management Guide for DoD Acquisition, 4th Edition, June 2003

Risk Based Thinking
- Risk implementation used throughout your organizational processes
- Risk-based thinking for the QMS (business) – Clause 6.1
- Identify and prioritize plans to address the risk (PLAN)
- Implement the plan (DO)
- Check for effectiveness (CHECK)
- Learn from experience (ACT)

Risk Based Thinking
- Outcome – Prevention (replacing P/A, preventive action)
- Risk to the Customer
- Minimize risk to the organization! (Staff, Equipment, Product/Service)
- Risk to be eliminated or mitigated

Risk Management Terminology*
- Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
- Risk: Characterized by reference to potential events and consequences or a combination of these, and expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
*All definitions © 2011 American National Standards Institute, published in ANSI/ASSE Z690.1-2011, the “National Adoption of ISO Guide 73-2009”

Risk Management Terminology*
- Risk Management: Coordinated activities to direct and control an organization with regard to risk.
- Risk Management Framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.
*All definitions © 2011 American National Standards Institute, published in ANSI/ASSE Z690.1-2011, the “National Adoption of ISO Guide 73-2009”

Risk Management Terminology
- Likelihood: the chance of something happening
- Exposure: the extent to which an organization is subject to an event
- Consequence: outcome of an event affecting objectives

Risk Management Terminology
- Probability: the chance of occurrence (0–1)
- Frequency: number of events per unit of time
- Vulnerability: intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with consequence

New ISO 9001 and 17025 Terminology
- Documented Information: written procedures & records
- Maintain: documented procedures
- Retain: records

Four Elements of Risk Management
(Diagram: the four elements of the risk management cycle, including Mitigation and Monitoring & Feedback)
- Each applies equally to the QMS system, PROCESS and PRODUCT associated risks!
- All phases of product realization AND all aspects of company operations!

Risk and Standards
All management system standards now specify risk management activities: TOTAL System
– AS 9100, AS 9110, AS 9120 (aerospace)
– ISO 13485 (medical devices)
– ISO 22000 & SQF
– IATF 16949
– ISO 9001
– ISO/IEC 17025
While all address risk, each has a unique twist. Until the Annex SL was created, standards focused on risks associated with the product only and not all areas of the organization.

Managing Process Risk
The standards require the identification and reduction of process-based risks.

Process Risk Examples
- Contract Review
- Product Development (Design)
- Purchasing
- Planning / Production / Service
- Change Control / CA / PA
  – Modify your forms to mandate risk analysis
- Testing for accredited work
- Test report issuing

Common Risk Identification Tools
- Brainstorming
- FMEA
- HACCP
- Cause / Effect Diagram
- 5 Whys
- Preliminary Hazard Analysis
- Fault Tree Analysis
- Internal & External Audits

Show Me The Data
- Pay LESS attention to the actual NUMBERS
  – FOCUS attention on the TRENDS
- Trends provide the CONTEXT for the numbers – good or bad, trending up or down, above target or below target.

Risk Prioritization
The process of analyzing
– Prioritizing
– Process risks against impact: Product, Schedule, Performance criteria, Cost
Copyright 2017 DB Performance Solutions, LLC and ISTI, LLC

Common Risk Prioritization Tools
- FMEA (Severity, Detection, Occurrence, RPN)
- HACCP
- Impact / Effort Matrix
- Pareto Analysis


Change Impact Matrix (impact x benefits; partially recovered: Medium impact row 2, 4, 6; High impact row *3, 6, 9)
- 1 – 2: Incorporate the change
- 3 – 4: Additional analysis should be conducted prior to making the decision
- 6 – 9: Do not incorporate the change
Note: ‘*3 – high impact x high benefits’ – No change allowed, but we need to record details of the proposed change, to provide input into future revisions.

Risk Matrix (figure; legend: Acceptable, Concern, Critical)
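As an added worked example (not from the slides), the FMEA RPN prioritization and the impact x benefits change decision described above, applied in Python to a constructed set of laboratory process risks taken from the process examples listed earlier. RPN = Severity x Occurrence x Detection is the standard FMEA formula; the RPN cut-offs used to label Acceptable / Concern / Critical are assumptions, since the slides give the legend but no thresholds.

```python
from dataclasses import dataclass
# Added example (not from the slides). RPN = S x O x D is the standard FMEA
# formula; the RPN bands in classify() are assumed thresholds.

@dataclass
class ProcessRisk:
    process: str        # one of the slide's process examples
    failure_mode: str
    severity: int       # 1 (negligible) .. 10 (catastrophic)
    occurrence: int     # 1 (remote) .. 10 (almost certain)
    detection: int      # 1 (always caught) .. 10 (undetectable)

    def rpn(self) -> int:
        """Risk Priority Number = S x O x D, each scored 1..10."""
        if not all(1 <= s <= 10 for s in (self.severity, self.occurrence, self.detection)):
            raise ValueError("FMEA scores must be 1..10")
        return self.severity * self.occurrence * self.detection

def classify(rpn: int) -> str:
    """Map an RPN to the risk-matrix legend (bands are assumptions)."""
    if rpn >= 200:
        return "Critical"
    return "Concern" if rpn >= 80 else "Acceptable"

def prioritize(risks):
    """Pareto-style ordering: highest RPN first, so mitigation effort goes to the few risks carrying most of the exposure."""
    ranked = sorted(risks, key=lambda r: r.rpn(), reverse=True)
    return [(r.failure_mode, r.rpn(), classify(r.rpn())) for r in ranked]

def change_decision(impact: int, benefit: int) -> str:
    """Impact x benefit matrix from the slide: 1-2 incorporate, 3-4 additional
    analysis, 6-9 do not incorporate; 9 (high x high) is also recorded."""
    if not (1 <= impact <= 3 and 1 <= benefit <= 3):
        raise ValueError("impact and benefit are scored 1..3")
    score = impact * benefit
    if score <= 2:
        return "incorporate"
    if score <= 4:
        return "additional analysis"
    if score == 9:
        return "do not incorporate; record for future revisions"
    return "do not incorporate"

# Constructed sample risks, drawn from the slide's process examples.
SAMPLE_RISKS = [
    ProcessRisk("Contract review", "customer method requirement missed", 7, 3, 4),
    ProcessRisk("Purchasing", "uncertified reference material accepted", 8, 3, 9),
    ProcessRisk("Testing", "instrument out of calibration at use", 9, 2, 3),
    ProcessRisk("Test report issuing", "typo in reported result", 5, 4, 2),
]
```

Calling prioritize(SAMPLE_RISKS) returns the risks ranked by RPN with their legend band, which is the input a Pareto chart or the risk matrix would be built from.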

Risk Mitigation
- Identify
- Evaluate
- Select
- Re-evaluate
- Residual risk? Reduce?

Common Risk Mitigation Tools
- Strategic Planning (Management)
- Control Plans
- Team Based Problem Solving (8-D)
- Poka-Yoke (Error-Proofing)
- Training / Awareness
- On-Site Audits: Internal, Customer, Third Party
- Design for:
  – Reliability / Maintainability / Manufacturability

System-Level Mitigation Tools
- Contingency Plans
- Emergency Response Plans
- Succession Planning
- Strategic Planning Reviews

Risk Monitoring & Feedback
- Established metrics
- Systematically tracking and evaluating performance
- Ensure that lessons learned feed back into future risk identification activities
- Changes needed to current mitigation?

Evaluating Risk Effectiveness
- CAPA System
- Internal Audit
- Returns / Warranties / Complaints
- Review of Internal Failures
- Management Reviews

Feedback
Make certain that RISK IDENTIFICATION includes past experience from related products:
- Things Gone Wrong / Things Gone Right
- Feasibility Reviews
- Design Reviews
- Adverse Event Reports
- Previous Complaints
- Customer Feedback

Risk vs Company Size
- Varying applicability to different functions
- Risk processes appropriate to the product and the organization

Risk vs Company Size
- Supplier Management: supplier capability, interface, etc.
- Purchasing: vendor capability, critical material / part / detail, lead times, special processes
- Manufacturing: applying “appropriate” methods, special processes
- Inspection: independent verification, critical requirements
- Individuals: application decisions, injury

Risk Management Review
[Management] review shall include assessing opportunities for improvement and the need for changes to the quality management system.
How is this linked to the expectations of Risk Management?

Risk Management Review
- What are the results of the key metrics?
- What risks have been reduced due to internal audits?
- What risks were identified in external audits?
- What risks were detected by our CAPA system?

Risk Management Review
- What risks escaped detection and caused complaints / rework / warranty?
- Have the risk management plans been updated accordingly?
- What external changes can impact our risk?
- What additional or transferred resources are required to minimize or eliminate risks?

RMS Scorecard
- Review example scorecard provided
- Red / Yellow / Green stoplights for immediate impact of problem areas
- Based upon defined metrics and objectives covering defined functions in the organization
- Higher-level concerns “bubble up” to the next layer of the organization.

Summary
- Many ways to manage risk
- Many ways to document methods for risk
- Many tools for risk management
- Some standards / customer-required methods

Risk categories – general business
- Product properties
- Business impact
- Customer-related
- Development environment
- Process issues
- Staff size / experience
- Technical issues
- Technology / Other

ISO 17025 / ANSI-Z-540 Risk
- Primarily for calibration laboratories following ANSI-NCSL-Z-540.3 in addition to 17025
- Requires measurement and review to determine probabilities of RISK for decisions.


Class exercise
- In your tables or groups of 4 to 8, if possible
- Spend 3 or 4 minutes thinking about your lab / organization
- Think of at least 3 or 4 risks, take notes, then share with your group

ISO 31000 Table of contents-1

ISO 31000 Table of contents-2

ISO 31000 – Risk Management enables an organization to:

ISO 31000 – Risk Management enables an organization to: (2)

ISO 31000 – Risk Management

Risk elements in ISO 17025:2017
- Introduction – paragraph 2
- 4.1.4 – impartiality
- 4.1.5 – lab to demonstrate how it minimizes it
- 7.8.6.1 – reporting statements of conformity
- 7.10 b – non-conforming work
- 8.5 – Actions to address risks & opportunities
  – 8.5.1 / 8.5.2 / 8.5.3 plan actions proportional to the risk

Risk elements in ISO 17025:2017 (2)
- 8.6.1 – Note only, in Improvement
- 8.7.1 e – update the risk piece of CARs
- 8.9.2 m – management review – results of risk identification
- Bibliography references the ISO 31000 guidelines
- Includes when evidence / records are required

How will ABs assess Risks & Opportunities?
- New to the ISO 17025 world, though not to 9001
- All ABs now challenged to develop policies
  – Need customer lab inputs and examples
  – Likely to wrestle with this for the 3-year implementation
  – Assessors have a similar learning curve as labs

Questions and Discussion – Good Luck!!

Contact Information
Dr. Bill Hirt
Global Technical Advisor
ANAB / ANSI-ASQ National Accreditation Board
Email: [email protected] / [email protected]
Training: [email protected]