Many companies are in the midst of adopting changes introduced by ISO 9001:2015. One of the most significant of these is incorporating "Risk-based Thinking." Risk-based thinking was introduced to improve (among other things) the effectiveness of how corrective and preventative actions (CAPA) were handled. From the standard we know that preventative actions have been replaced with a risk-based approach.
In this blog I am going to explore the proposal, made by some, to replace CAPA with CARA (i.e. Corrective Action / Risk Assessment). At the basic level this means conducting a risk assessment for the corrective action.
First of all, there are good reasons to conduct a risk assessment on corrective actions. We know that change can be a significant source of new and emerging risks.
When dealing with any change there are two primary sources of risk that need to be addressed:
Risks in implementing the change – these are risks in conducting the work needed to effect the change. These risks may include: worker safety, temporary impacts on other processes (including risk controls), and so on. A portion of these risks can be addressed proactively by using safe work practices, which are procedures that have been previously risk-assessed.
Risks introduced by the change – these are new risks or changes to existing risks that result after the change has been made. These risks are identified as part of the change process usually by a cross-functional team with experience in detecting risks within their particular discipline. Depending on the scope of the change it is not uncommon to have: occupational safety, process safety, IT, compliance, regulatory, environment, and other specialists involved as part of the risk assessment team.
Corrective actions are a source of change and therefore also a potential source of risk. However, there are limitations in using these as the only trigger to identify and manage both external and internal program risks. These limitations result from the fact that corrective actions are often:
addressed in isolation from other actions
triggered by symptoms and not systemic causes
a reaction to a non-conformance leading to lagging actions
not effective at addressing latent failure modes (those that have yet to be discovered by the customer for example)
To overcome these limitations, companies should take a proactive and holistic/systems approach to assess risk. In fact, ISO 9001:2015 states that each company must identify and manage threats and opportunities associated with each process within their quality program. While this is good, it is not enough to identify risks associated with the objectives of the entire program. The latter requires consideration of not only individual processes but also how they interact with other processes within and outside the quality program, all with the goal of assessing how uncertainty affects achieving program outcomes.
The first step is having clear and concise program objectives for each system and process. This will properly constrain risk assessments, along with resulting treatments, to ensure that the certainty of achieving program goals is increased. The advantages of being proactive and using a holistic/systems approach to risk assessment include:
Improving processes before non-conformance is realized
Addressing latent failure modes before they become active
Minimizing disruption and the risks introduced by implementing the change, by consolidating changes
Avoiding higher costs associated with addressing non-compliance after the fact
Applying resources to risks that really matter to achieving program outcomes
Including risk assessments as part of corrective actions is indeed part of risk-based thinking. However, on its own, it is not enough to address uncertainty in achieving program outcomes.