A Study of Risk Management in the ISO 9000 Quality Management Standard Series - Taking ISO … · Rapid Transit Technology Semiannual (捷運技術半年刊)...

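Rapid Transit Technology Semiannual (捷運技術半年刊) 45, 15

A Study of Risk Management in the ISO 9000 Quality Management Standard Series - Taking ISO 9004:2009 as an Example

Mene-jen Yang (楊孟仁) 1

1 Associate Engineer, Quality Assurance Division, Department of Rapid Transit Systems, Taipei City Government

When Technical Committee 176 of the International Organization for Standardization (ISO/TC 176) held its 26th meeting in Tokyo in February 2009, the meeting was charged not only with the well-known maintenance and updating of the ISO 9000 series standards but also with the major task of developing the concepts and ideas for the new edition of ISO 9001. Shortly afterwards, in November 2009, the third edition of ISO 9004, "Managing for the sustained success of an organization - A quality management approach", was published. Besides referring to "risk" in as many as 15 clauses and subclauses, it reminds enterprises and organizations that when handling risk events they must also consult the standard "ISO 31000 Risk management". As the ISO 9000 quality management system, with the process approach as its core, leads organizations toward sustainable operation, enterprises and organizations should all the more develop and implement a risk management system.

Keywords: risk management, quality management, sustained success

A Study of Risk Management in ISO 9000 Series Standard — Taking ISO 9004:2009 as an Example

Mene-jen Yang 1

Abstract

The 26th meeting of the ISO/TC 176 held in Tokyo in February 2009 passed a resolution that the well-known ISO 9000 series standard should be maintained and updated. In addition, new notions and ideas for a new edition of ISO 9001 came up at the meeting. In November the same year, ISO 9004:2009 "Managing for the sustained success of an organization — A quality management approach," the third edition of the standard, was published. The ISO 9004 standard mentions "risk" in a total of 15 articles and clauses. In addition, this edition reminds organizations to refer to ISO 31000 — a practical document that seeks to assist organizations in developing their own approach to the management of risk. While ISO 9000 takes a process-oriented approach as its core concept and leads organizations toward sustainable management, it would be better for organizations to first develop and implement a risk management system.

Keywords: risk management, quality management, sustained success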

Upload: doanphuc

Post on 26-Apr-2018




Table 1. ISO 9004:2009

| No. | ISO 9004:2009 clause | Text |
| --- | --- | --- |
| 1 | 4.2 Sustained success | identify associated short and long-term risks and deploy an overall strategy for the organization to mitigate them, |
| 2 | 4.3 The organization's environment | An organization's environment will be undergoing change continually, regardless of its size (large or small), its activities and products, or its type (for profit or not-for-profit); consequently this should be monitored constantly by the organization. Such monitoring should enable the organization to identify, assess and manage the risks related to interested parties, and their changing needs and expectations. NOTE: For more information on risk management, see ISO 31000. |
| 3 | 5.3 Strategy and policy deployment; 5.3.1 General | evaluate strategic risks and define adequate counter measures, |
| 4 | 6 Resource management; 6.1 General | To ensure the availability of the resources for future activities, the organization should identify and assess the risks of potential scarcity, and continually monitor current use of resources to find opportunities for improvement of their use. |
| 5 | 6.4 Suppliers and partners; 6.4.2 Selection, evaluation and improvement of the capabilities of suppliers and partners | the risks associated in the relationships with the suppliers and partners. |
| 6 | 6.5 Infrastructure | The organization should identify and assess the risks associated with the infrastructure and take action to mitigate the risks, including the establishment of adequate contingency plans. |
| 7 | 6.7.4 Technology | the evaluation of risks related to changes in technology, |
| 8 | 6.8 Natural resources | The organization should consider the risks and opportunities related to the availability and use of energy and natural resources in the short and long term. The organization should give appropriate consideration to the integration of environmental protection aspects into product design and development, as well as to the development of its processes to mitigate identified risks. |
| 9 | 7.2 Process planning and control | potential financial and other risks, |
| 10 | 8.3 Measurement; 8.3.1 General | The methods used for collecting information regarding key performance indicators should be practicable and appropriate to the organization. Typical examples include risk assessments and risk controls, |
| 11 | 8.3.2 Key performance indicators | Specific information relating to risks and opportunities should be considered when selecting the KPIs. |
| 12 | 8.3.3 Internal audit | Internal auditing is an effective tool for identifying problems, risks and nonconformities, as well as for monitoring progress in closing previously identified nonconformities (which should have been addressed through root cause analysis and the development and implementation of corrective and preventive action plans). |
| 13 | 8.4 Analysis | Top management should analyse information gathered from monitoring the organization's environment, identify risks and opportunities, and establish plans to manage them. |
| 14 | 8.5 Review of information from monitoring, measurement and analysis | Data can be collected from many sources, such as risk assessment, and |
| 15 | 9.3.5 Risks | The organization should assess the risks related to planned innovation activities, including giving consideration to the potential impact on the organization of changes, and prepare preventive actions to mitigate those risks, including contingency plans, where necessary. |


References

1. 99CNS12684991221
2. 1002011/02/15
3. International Organization for Standardization, ISO 9004 "Managing for the sustained success of an organization - A quality management approach", 2009-11-01.