
Risk management in ISO 9004 standard

For organizations with an effective, working ISO 9001 management system, ISO 9004 provides guidance on improving performance to meet specific organizational needs. Nine clauses give guidance on managing risks:

5.1 Management commitment: Management consideration should be given to identifying and managing risks, and exploiting performance improvement opportunities.

5.4.2 Quality management system planning: Inputs for effective and efficient planning include related risk assessment and mitigation data.

5.6.3 Management Review output: Review outputs to enhance efficiency include loss prevention and mitigation plans for identified risks.

6.3 Infrastructure: The plan for the infrastructure should consider the identification and mitigation of associated risks and should include strategies to protect the interests of interested parties.

7.1 Planning of product realization: An operating plan should be defined to manage the processes, including identification, assessment and mitigation of risk. Risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in processes. The results should be used to define and implement preventive actions to mitigate identified risks.

7.3.1 Design and development planning: Management has the responsibility to ensure that steps are taken to identify and mitigate potential risk to the users of the products and processes of the organization. Risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in products or processes. The results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

7.4.1 Purchasing process: To ensure the effective and efficient performance of the organization, management should ensure that purchasing processes consider identification and mitigation of risks associated with the purchased product.

7.5.3 Identification and traceability: The need for identification and traceability may arise from mitigation of identified risks.

8.5.3 Preventive action: Planning for loss prevention should be systematic and based on data, including the use of risk analysis tools such as fault mode and effects analysis.

This ISO 9004 guidance is aligned with the clauses of section 7.7, Risk-related processes, of ISO 10006:2003 Quality management systems — Guidelines for quality management in projects:

  • Risk identification
  • Risk assessment
  • Risk treatment
  • Risk control