34 The International Journal of Conformity Assessment
Risk Management and ISO/IEC 17011:2017
ISO/IEC 17011:2017 is the International Standard
(IS) used by regional cooperations to conduct peer
evaluations of ABs worldwide. If an AB wishes to
be recognized under the IAF or ILAC multilateral
agreements, they must be prepared to demonstrate
compliance with ISO/IEC 17011:2017 to their local
regional accreditation groups. One significant aspect
of operating an internationally recognized AB is
implementing the risk management requirements
found in the Standard.
The word “risk” can be found 21 times throughout
the Standard. However, it is not enough to do a
simple word search and note “risky” areas. Instead,
conformity assessment professionals must operate
under the paradigm of risk-based thinking (RBT).
RBT supposes that in every situation, there are
risks, and there are opportunities. Practitioners of
risk assessment must constantly be on the lookout
for these risks and opportunities and should take
measures either to mitigate the risks or to capitalize
on the opportunities. From an AB standpoint, RBT
should pervade business and technical decision
making. Is this application for accreditation going to
present the AB with untenable risk? Is the decision
to not use checklists going to present an untenable
risk? What opportunities does it present? How can
this situation be used to make the AB better? What
are some measures the AB can take to reduce the
likelihood and/or impact of the risk? These are all
good examples of questions that should arise from
RBT.
Risk Management Is Also Important for
Conformity Assessment Bodies (CABs)
Risk management is equally important for
CABs. Below are examples of the mandatory requirements for
risk management that can be found in the various
standards:
Clauses 5.2.3, 6.2.1, 7.2.9, 9.1.4.2, and 10.2.5.2 of ISO/IEC 17021-1:2015
Clauses 4.2.3, 4.2.4, and 4.2.11 of ISO/IEC 17065:2012
Clauses 9.4.9 and 9.6.3 of ISO/IEC 17024:2012
Clause 4.1.3 of ISO/IEC 17020:2012
Clauses 4.1.4, 7.8.6.1, 7.10.1, 8.5, and 8.9.2 of ISO/IEC 17025:2017
There are many sections within these standards
that require risk management, even where it isn’t
expressly written. For instance, a management
system’s certification body must consider risk
when determining audit time and practice risk
management when it sets procedures for the
determination of audit time. The CAB decides, based
on appetite for risk, what is an adequate justification
for reduction or increase in audit time. Similarly, a
testing laboratory may need to consider the level of
risk (to the public, to the lab, to the UUT) associated
with a specific statement of conformity and practice
risk management by establishing risk levels
associated with the specific scope of testing.
In any situation, appropriate risk management
ensures that personnel at all levels of an
organization are aware of, working to mitigate or
take advantage of, and constantly identifying and
analyzing associated risks and opportunities that
otherwise may go unnoticed until they develop into a
crisis or a lost opportunity.
Why Risk Management?
First, appropriate risk management is the key to
any successful business. Risk management is
critical to those that wish to operate their business
from a proactive, rather than a reactive standpoint.
Risk management is also crucial to ongoing
improvement within an organization. Understanding
the risks and opportunities presented by different
situations allows for the development of mitigation
and contingency plans for the risks, and strategy
and tactics for the opportunities. This highlights
a very important concept when considering risk
management: it is very difficult to eliminate a