90 likes | 189 Views
7.7 ISO TMB Risk Management WG. John Walz US TAG to ISO TC 176 Quality Management liaison report on FDIS 31000 Risk Management – Principles and Guidance. Risk Management (RSKM) Standards – Selected History. AS/NZS 4360:1995 RSKM AS/NZS 4360:1999 RSKM
E N D
7.7 ISO TMB Risk Management WG John Walz US TAG to ISO TC 176 Quality Management liaison report on FDIS 31000 Risk Management – Principles and Guidance
Risk Management (RSKM) Standards – Selected History • AS/NZS 4360:1995 RSKM • AS/NZS 4360:1999 RSKM • JIS Q 2001:2001 Guidelines for Development and Implementation of RSKM System • IEEE 1540-2001, Software Life Cycle Processes – RSKM • IEC 62198:2001 Project RSKM – Application Guidelines • ISO/IEC Guide 73:2002, RSKM – Vocabulary Guidelines for Use in Standards • AS/NZS 4360:2004 RSKM • COSO Enterprise RSKM Framework -2004 • ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management
History • ISO and IEC have many Technical Committees (TCs) • Most TCs create standards to reduce and manage risks in their technical domain, e.g. Medical Devices • To help their TCs, ISO and IEC created in 2002 Guide 73 Risk Management — Vocabulary • ISO Technical Management Board (TMB) created Risk Management Working Group (RMWG) to develop ISO 31000 Risk Management System — Principles and Guidelines • RMWG copied AS/NZS 4360:2004 Risk Management as a RSKM “process” and added high level outcomes • RMWG decided to change the Guide 73 Vocabulary to match the 31000 Vocabulary • After 5 meetings, ANSI selected American Society of Safety Engineers as the US TAG to ISO TMB RMWG • US TAG to ISO TC 176 Quality Management, which develops the ISO 9001 and is a member of US TAG to ISO TMB RMWG, with John Walz an the US TAG to ISO TC 176 liaison
ISO/IEC Committees TC 56 TC 176 TC 207
Standards containing Risk Management ISO TMBRisk MgmtWG DIS 31000 TC 176Quality Mgmt Syst.ISO 9001 TC 207Environmental Mgmt Syst. ISO 14001 TC 210Medical Devices ISO 14971 TC 8SupplyChain ISO/PAS 28001 TC 98StructuresISO 13824 TC 223Societal Security TC 20SpaceSystems ISO 17666 JTC1/SC7Software &Systems IS 16085 JTC1/SC22InformationSecurity MSIS 27005 IEC/TC56DependabilityIEC 60300-3-9IEC 31010 INCOSE SE Hdbk Risk Mgmt PMI PMBOK Risk Mgmt SEI CMMI Risk Mgmt OHSA Health & Safety Mgmt 18001 COSO Financial InternalControls JIS Q 2001Risk Mgmt
ISO Governance • ISO → TMB → TC • US ANSI → US TAG to ISO/TMB/RSKM • American Society of Safety Engineers (ASSE) • TAG includes some 5 insurance companies, 6 associations, 7 consultants, • Liaison w/ US TAG to ISO TC 176
TC 176 Recommendations My recommendations to US TAG TC 176 was to vote NO on FDIS 31000 as • Those one million companies doing well with quality “risks” by using ISO 9001 QMS, may need guidance to expand their management to cover other business risks. FDIS 31000 does not provide guidance to enhance ISO 9001 Preventive action clause 8.5.3. • Clause 5 is portrayed as a "process" for risk management. However, there are existing standards, e.g. ISO/IEC 16085, that normatively prescribe risk management processes. The process standards of ISO/IEC JTC 1/SC 7 and ISO TC176 demonstrate that "processes" are tangible items for which normative standards can be written. It is inappropriate to describe guidance as being a "process", particularly when there are already normative standards that define the very same process. • US TAG TC 176 supported recommendations by voting 31 NO to 10 YES • From those US TC 176 comments, 25 negative comments were sent to US TAG to ISO TMB RMWG My recommendations to US TAG TC 176 was to vote NO on Draft Guide 73 Risk Management — Vocabulary • The new risk definition "effect of uncertainty on objectives" enlarges the scope of risk beyond the 2002 definition "combination of the probability of an event and its consequence." This enlargement covers all technical objectives such as quality. • US TAG TC 176 is still voting
US Position on FDIS 31000 • US TAG to ISO TMB RMWG voted 20 YES to 1 NO (TC 176) for FDIS 31000 • ISO 31000 is expected to be published early 2010 along with revised Guide 73 Risk Management — Vocabulary
Consequences • ISO 31000 could be disruptive to other TC management systems • Provides no bridge to or from ISO 9001 or any of the TC Risk Management standards • ISO Guide 73 will result in changes to many standards definitions to align with this very broad definition.