REPUBLICAN UNITARY ENTERPRISE
“BELARUSIAN STATE CENTRE FOR ACCREDITATION”
MANAGEMENT SYSTEM
DOCUMENTED PROCEDURE
RISK MANAGEMENT AT STATE ENTERPRISE “BSCA”
DP SM 4.0-01-2017
Developed by Department for Accreditation Activities Management
Responsible for update Department for Accreditation Activities Management
Approved by Order No. 59 of 24 July 2017
Date of implementation 01.08.2017
Revision 01, replaces RI SM 4.0-2015 (Work Instruction of
Management System 4.0-2015)
Type of copy REFERENCE COPY
Modified
Minsk 2017
DP SM 4.0-01-2017
Revision 01 – since 01.08.2017 Page 2 of 12
CONTENTS
1 SCOPE OF APPLICATION
2 REFERENCES
3 TERMS AND DEFINITIONS
4 DESIGNATIONS, ACRONYMS, AND ABBREVIATIONS
5 AUTHORITY AND RESPONSIBILITIES
6 RISK MANAGEMENT
6.1 General provisions
6.2 Danger identification
6.3 Risk analysis and risk level evaluation
6.4 Preparation and implementation of measures
6.5 Assessment of the effectiveness of measures
7 RECORDS
Appendix 1 Template for risk analysis map
Appendix 2 Template for measures on risk minimization and/or elimination in BSCA activity
Appendix 3 Template for risk management data for the reporting period
1 SCOPE OF APPLICATION
1.1 This documented procedure (hereinafter, “the procedure”) is a document of the
management system of the Republican Unitary Enterprise “The Belarusian State Centre for
Accreditation”. It is developed in accordance with the requirements in section 4 of STB ISO/IEC
17011 and in furtherance of section 4 of the BSCA Quality Manual. The procedure establishes the
order of management of risks arising in the accreditation activities (hereinafter, the “risks”) and
aims to ensure efficient enterprise management and ongoing enhancement of its performance.
1.2 The requirements outlined in this procedure are mandatory for the personnel who
participate in risk management activities.
2 REFERENCES
This procedure uses references to the following documents:
STB ISO 9000-2015 Quality management systems – Fundamentals and vocabulary
STB ISO/IEC 17011-2008 Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies
STB ISO 31000-2015 Risk management – Principles and guidelines
GOST ISO/IEC 17000-2012 Conformity assessment. Vocabulary and general principles
GOST ISO 19011-2013 Guidelines for auditing management systems
QM SM-2017 Quality Manual of the State Enterprise “BSCA”
DP SM 5.3-01-2017 Documented procedure. Management of records in the management system
DP SM 5.5-2014 Documented procedure. Management of non-conformities and corrective actions
DP SM 5.6-2014 Documented procedure. Preventive actions
DP SM 5.7-2014 Documented procedure. Internal audit
DP SM 5.8-2015 Documented procedure. Management review
DP SM 5.9-2015 Documented procedure. Management of complaints (requests)
DP SM 7-2015 Documented procedure. Accreditation process
DP SM 7.10-2016 Documented procedure. Handling of appeals
3 TERMS AND DEFINITIONS
3.1 This procedure uses terms and definitions covered in GOST ISO/IEC 17000, STB
ISO/IEC 17011, STB ISO 9000, STB ISO 31000, GOST ISO 19011, including:
risk: combination of the probability of occurrence of an event and its consequences;
probability: the degree to which the event may occur;
risk management: coordinated activities to direct and control the organization with regard to
risk. Generally covers strategic planning, risk identification and analysis, control over
identified risks, etc.;
consequence: the outcome of the event;
event: formation of a specific set of circumstances.
4 DESIGNATIONS, ACRONYMS, AND ABBREVIATIONS
The following designations, acronyms and abbreviations are used in the procedure:
BSCA – Republican Unitary Enterprise the Belarusian State Centre For Accreditation
HC – hard copy
Gosstandart – The State Committee for Standardization of the Republic of Belarus
DP – documented procedure
OORA – Department for Accreditation Activities Management
QM – Quality Manual
SM – Management system of BSCA
EM – electronic media
5 AUTHORITY AND RESPONSIBILITIES
5.1 The Director is responsible for defining the risk management strategy at the
enterprise.
5.2 Quality manager is responsible for the following:
organisation of identification of potential dangers (hereinafter, the “danger”) and risk
analysis at the enterprise;
development of risk analysis map and its subsequent delivery to heads of structural units;
control of implementation and effectiveness of measures on risk minimization and/or
elimination at BSCA.
5.3 Heads of structural units are responsible for the following:
analysis of identified risks in a structural unit and arrangement of measures to minimize
and/or eliminate them, appointing responsible persons and deadlines for completion;
risk management in their subordinate units in accordance with the approved schedule of
measures;
timely and proper provision of information to the quality manager regarding implementation of
planned measures.
6 RISK MANAGEMENT
6.1 General provisions
6.1.1 Risk analysis is performed to mitigate dangers that threaten the impartiality, objectivity
and competence of assessment results and of decisions made in relation to accreditation, as well as
dangers of poor service delivery, financial instability, discrimination, etc.
6.1.2 Risk management procedure includes:
identification of potentially disruptive factors that bear the danger of risk formation;
risk analysis that takes into account the level of impact of these risks on the
achievement of goals and the probability of potential dangers arising;
development and adoption of measures to minimize significant and potential risks;
evaluation of the effectiveness of measures in terms of risk management in the given
industry.
6.2 Danger identification
6.2.1 Dangerous factors that may jeopardize successful achievement of goals are defined as
the result of:
performing internal audits in accordance with DP SM 5.7;
having external audits done including those performed by the European Cooperation for
Accreditation;
analysis of possible conflict of interests with related organizations;
analysis of performance of the management system in accordance with DP SM 5.8;
conducting accreditation process in accordance with DP SM 5.7;
development, review and improvement of management system documents in accordance
with DP SM 5.3-01;
experience exchange at conferences/workshops;
handling complaints from persons and legal entities in accordance with DP SM 5.9,
DP SM 7.10;
processing feedback (customer satisfaction surveys);
considering information coming from BSCA personnel to their immediate supervisor;
using other ways.
6.2.2 Quality manager shall identify dangers with regard to the elements of the management
system annually prior to 20th of January of the current year via filling in risk analysis map in
accordance with the template given in Appendix 1.
6.3 Risk analysis and risk level evaluation
6.3.1 Scoring system is applied to evaluate risk level.
6.3.2 The quality manager shall perform the primary risk analysis and risk level evaluation based
on the list of identified dangers, using indicators that express the risk probability and the
severity of the consequences should the risk materialize, in accordance with the formula:
P = B × C
where P stands for risk level;
B stands for risk probability;
C stands for severity of consequences.
Numerical values of B and C are to be chosen from Table 1.
Table 1

| Risk probability (quantitative indicator B) | Risk probability (characteristics) | Severity of consequences (quantitative indicator C) | Severity of consequences (characteristics) |
|---|---|---|---|
| 1 | No data | 1 | No impact on accreditation activities |
| 2 | Risk formation during any analyzed period/modification of operations | 2 | Indirect impact on accreditation activities |
| 3 | Risk formation during any analyzed period/modification of operations | 3 | Direct impact on the accreditation activities |
| 4 | Annually during analyzed periods | | |

Statistical data for the preceding five-year period of such operations is used while describing
risk probability.
6.3.3 The calculation data shall be entered in the risk analysis map (hereinafter, the
“map”); the risks are then graded based on the data in Table 2.
Table 2

| Risk level (P) | Risk grade | Risk response action |
|---|---|---|
| 1-3 | Н (Disregarded) | Not performed |
| 4 | НС (Insignificant) | Consider, develop preventive actions and control their implementation |
| 6, 8, 9, 12 | С (Significant) | Consider, develop corrective actions and control their implementation in accordance with the planned deadline |

6.3.4 Quality manager shall develop action plan for each estimated risk to exclude or
minimize this risk using the risk management data for the reporting period and taking into account
provisions of DP SM 5.5, DP SM 5.6.
6.4 Preparation and implementation of measures
6.4.1 Quality manager shall deliver the map along with risk management results for the
reporting period to the heads of those structural units where insignificant and/or significant risks
were identified, and the heads shall consider measures regarding focus activities.
6.4.2 Heads of structural units shall do the following:
estimate effectiveness of risk management measures that have been undertaken in the
reporting period;
analyze the list of significant and insignificant risks in accreditation activities and
measures offered to eliminate or minimize them, take decisions on the implementation of such
measures, define persons in charge and the deadlines for the upcoming period, and make a
relevant record in the field “Note” of the map.
6.4.3 Heads of structural units shall deliver the results of the map analysis to the quality
manager together with the reports regarding management review.
The quality manager shall summarize the delivered results and present them at the management
review meeting so that a final decision can be made (Appendix 2). The procedures for the
preparation and administration of the management review are defined in DP SM 5.8.
6.4.4 Heads of structural units shall provide any information on dangers arising in the
reporting period at the operating meetings to analyze and evaluate risks; the operating meetings
involve participation of BSCA top management. The decisions that are taken consequently shall
be documented in accordance with Appendix 2.
6.4.5 Upon the expiry of the scheduled implementation deadline persons in charge shall
ensure implementation of measures and:
deliver information about implementation of the planned measures to the quality
manager where objective evidence should be demonstrated;
provide an internal memo to the director in case of non-implementation of measures,
explaining the reasons for non-implementation as well as ways to manage this risk. The internal
memo shall be endorsed by the quality manager.
6.5 Assessment of the effectiveness of measures
6.5.1 The quality manager shall evaluate implementation of measures based on the information
delivered by persons in charge before 10th January of the year following the reporting period.
He/she does so by placing an execution mark against the measures on risk elimination and/or
minimization completed at BSCA. It should be noted that the measure is considered to be effective
unless there is a non-conformity resulting from that risk.
6.5.2 In case a non-conformity resulting from a certain risk is identified, it is necessary to
develop further measures on risk minimization in accordance with the procedure in DP SM 5.5. It
is also necessary to correct the risk level calculation for the following reporting period.
6.5.3 Quality manager shall include data on risk management performance for the analyzed
period into the management review report in accordance with DP SM 5.8. The information shall
be provided in accordance with the form in Appendix 3.
6.5.4 Data on risk management performance for the analyzed period and risk minimization
and/or elimination measures at BSCA for the reporting period are considered at the meeting of the
Impartiality Board in accordance with P SM 4.3.
7 RECORDS
A list of documents given in this procedure is provided in Table 3 and contains storage
location and period.
Table 3

Location and period for operating storage of the document, type of document:

| No. | Name of document | Reference copy | Working copy |
|---|---|---|---|
| 1 | Risk analysis map | OORA, 5 years (paper copy) | Heads of structural units, 1 year (electronic copy) |
| 2 | Risk minimization and/or elimination measures in BSCA activity | OORA, 5 years (paper copy) | Heads of structural units, 1 year (electronic copy) |
| 3 | Information on the results of risk management | OORA, 5 years (electronic copy) | Heads of structural units, 1 year (electronic copy) |

Appendix 1
Template for risk analysis map
Risk analysis map

| Potential dangers (threats) that may become risks of undue performance | Risk probability (quantitative indicator – B) | Severity of consequences (quantitative indicator – C) | Risk level (P) | Risk grade (Н/НС/С) | Measures on risk elimination and/or minimization | Note |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| Name of activities | | | | | | |
| 1 | | | | | | |
| 2 | | | | | | |
| … | | | | | | |
| N | | | | | | |

Developed by:
Quality manager ___________________ (signature) _________________________ (print full name)
Appendix 2
Template for measures on risk minimization and/or elimination at BSCA
Measures on risk minimization and/or elimination at BSCA for 20___

| Risk description | Risk grade | Name of measure | Position of the person in charge, co-person in charge | Deadline | Completion status |
|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 |

Quality manager _______________________ (signature) _____________________________ (print full name)
Appendix 3
Template for risk management data for the reporting period
Risk management data in 20___
Table 1

Columns:
Indicator description
Analyzed period 20___ (А): Planned, Actual
Preceding period 20___ (П): Planned, Actual
Growth ratio, % (А/П × 100 %)

Rows:
Total risks identified, among them: three fields marked with a dash (see note 1)
Н: three fields marked with a dash
НС: three fields marked with a dash
С: three fields marked with a dash
Development and implementation (see note 2) of preventive actions for NS risks, amount
Development and implementation (see note 2) of corrective actions for S risks, amount

Table 2

| Name of the risk that originated | Origination of risk in the preceding period in 20___ | Position of the person in charge for risk elimination/minimization | Note |
|---|---|---|---|
| 1 | 2 | 3 | 4 |

Notes:
1. Fields with dashes in Table 1 are to be left empty.
2. Column Plan in Table 1 comprises the amount of developed measures, whereas column Fact comprises the
amount of implemented measures.
3. All risks originating in the analyzed period are given in Table 2.
4. Column 4 in Table 2 comprises comments on that risk which also contain reasons for non-implementation of
the planned measure and objective evidence of implemented actions on risk elimination/minimization.
Head of the developer department -
Quality manager:
Head of OORA ___________________ Morozova E.V. signature
Developer:
Second category engineer, OORA ___________________ Klimenko E.Ye. signature
AGREED
Deputy Director
___________________ Sharamkov V.A. signature
_______________________20____
Checklist for registration of modifications

| Counting number of modification | Date of modification | No. of modification notice, date of approval | Paragraph of modified position | Signature of the person who introduced modification | Printed name of the person who introduced modification |
|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 |