ISO 9001:2015 Addresses Risk. Is Your Organization Ready?


The example in Figure 2 shows an analysis of the process of closing the books.


Adopt a Risk-Based Approach


ISO/DIS 9001:2015 is strongly risk oriented. Risk-based thinking within an organization must start by defining its measurable objectives. Risks are obstacles that impede progress toward achieving these objectives.


Organizations must determine their risk appetite and risk tolerance so they will have a consistent risk philosophy. They then determine risk levels by combining the likelihood of an event and its consequences in a risk analysis matrix.
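As an added example (not from the article), the likelihood-by-consequence scoring described above, applied to a small constructed risk register for the book-closing process and screened against a tolerance threshold the organization sets. The five-point scale labels, the level cutoffs and the sample risks are assumptions, not values from the article.

```python
# Added example: likelihood x consequence risk matrix with a tolerance threshold.
# Scale labels, cutoffs and sample risks are assumed for illustration.
from dataclasses import dataclass

# Five-point ordinal scales (assumed); the matrix is their product.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    objective: str      # the measurable objective the risk impedes
    description: str    # the event or condition
    likelihood: str     # key of LIKELIHOOD
    consequence: str    # key of CONSEQUENCE


def risk_score(likelihood: str, consequence: str) -> int:
    """Cell value in the risk analysis matrix; unknown labels raise ValueError."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown scale label: {likelihood!r}/{consequence!r}")
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_level(score: int) -> str:
    """Map a matrix score to a band (cutoffs assumed: >=15 high, >=8 medium)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(risks, tolerance: int):
    """Risks whose score exceeds the tolerance, highest score first, for treatment."""
    over = [r for r in risks if risk_score(r.likelihood, r.consequence) > tolerance]
    return sorted(over, key=lambda r: risk_score(r.likelihood, r.consequence), reverse=True)


# Constructed sample register for the "close the books" process.
SAMPLE_RISKS = [
    Risk("Close books within 5 business days",
         "Key reconciliation performed by one person with no review", "possible", "major"),
    Risk("Close books within 5 business days",
         "Overnight ERP batch job fails", "unlikely", "moderate"),
    Risk("Accurate financial statements",
         "Manual journal entry posted without approval", "likely", "severe"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS, tolerance=8):
        s = risk_score(r.likelihood, r.consequence)
        print(f"{risk_level(s):6} {s:2}  {r.description}")
```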


In a SOX-compliant process, controls should be selected using a top-down, risk-based approach and tested to identify deficiencies and possible material misstatements. Based on the revision to date, the new versions of ISO 9001 and ISO 14001 seem poised to provide valuable tools to organizations working to improve their risk management strategies.


While this article covers the basics of a risk-based thinking method, visit this article’s webpage at www.qualityprogress.com to view Online Figures 1-7, which are templates you can fill out as exercises to enhance your organization’s risk approach.


References and Notes


1. ISO 9001:2008 did not include the word “risk.” ISO/DIS 9001:2015 specifically addresses risk-related processes.


2. International Organization for Standardization, ISO 9001:2015 Draft International Standard—Quality management systems—Requirements.


3. SOX is a U.S. federal law that identifies standards for U.S. public company boards, management and public accounting firms, requiring top management to certify the accuracy of financial information. The law made penalties for fraudulent financial activity more severe and increased oversight of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements. For more information, visit Wikipedia, “Sarbanes-Oxley Act,” http://en.wikipedia.org/wiki/Sarbanes_Oxley_Act.


4. International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements.


5. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrated Framework; Executive Summary Framework, 2004. COSO is a joint initiative of five private-sector organizations designed to provide thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. For more information, visit www.coso.org.


6. Lloyd’s, “Why Is Risk Appetite Important?” www.lloyds.com.


7. International Organization for Standardization, ISO 9001:2015 Draft International Standard—Clause 10.1—Nonconformity and corrective action.


8. Greg Hutchins, “Value-Added Auditing,” Quality Plus Engineering, 2003, p. 62.


9. Carl S. Carlson, “FMEA Success Factors: An Effective FMEA Process,” Reliability Edge, Vol. 6, No. 1, 2005.


10. Protiviti Inc., “How to Standardize Documentation for Internal Controls,” www.protiviti.com.


Bibliography


Green, Scott, Manager’s Guide to the Sarbanes-Oxley Act, John Wiley & Sons Inc., 2004.


Guide to Sarbanes-Oxley: IT Risks and Controls, Protiviti, December 2003.


Liebesman, Sandford, “Quality in the Mix, Risk Watch,” Internal Auditor, October 2005, pp. 73, 75 and 77.


Liebesman, Sandford, Paul Palmes and John Walz, “Use Management Tools to Mitigate Risk from SOX,” Informed Outlook, January 2004, pp. 13-22.


U.S. Congress, H.R. 3763, the Sarbanes-Oxley Act of 2002, July 24, 2002.


Welborn, Cliff, “Using FMEA to Assess Outsourcing Risk,” Quality Progress, August 2007, pp. 17-21.


About the Author


Sandford Liebesman, president of Sandford Quality Consulting in Morristown, NJ, has more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an ASQ fellow and past chair of the Electronics and Communications Division. Liebesman has been a member of the U.S. Technical Advisory Group to ISO Technical Committee 176 from 1984 to the present. He participated in the development of all versions of the standard during that period.


November/December 2015 49

