Applying Risk Management Plan Requirements For Service Organizations

Clause 7.3.1.C.4 of the Release 5.0 of the TL 9000 Quality Management System Requirements Handbook-Risk Management Plan, requires the certifying organization to “develop and document a plan for the identification, analysis and control of risks to the project that can impact cost, schedule, product quality or product performance”.   While this requirement is in section 7.3, Design and Development, it also applies through clause 7.1.V .1, Service Delivery, to service companies that may not design their services, but just provide them.

The requirement is specifically intended to address the impact of risk on projects. For service companies, such risks may affect individual projects in the case of installation or outside construction work, or affect the general service you provide as in the case of a network operations center (NOC).  As a manger, your responsibility is to identify potential risks to your projects or services.  The accompanying note provides some guidance on what to look for.  The note says, “Risk Management should be performed during all phases of product development (also service delivery see 7.1.v.1) and should include:”

a) The means to determine risk sources, categories, and priorities,
b) Identification of significant or critical characteristics and failure modes, including customer experience,
c) A definition of risk parameters (e.g., probability of occurrence, severity of impact) to be used in determining risk priorities and any scoring mechanisms to be used (e.g., FMEA – Failure Mode Effects Analysis),
d) How risks will be managed (e.g., tools to be used, actions to reduce risk, mitigation strategies, monitoring and reporting requirements),
e) Inputs from appropriate functional disciplines, and
f) A mechanism for capturing and applying lessons learned.

This means identifying risks may include management review or review by project experts, or a review of lessons learned from prior projects.  It may include common sense risk items that simply need to be listed and then prioritized and managed.  Your plan should also record how you plan to manage risksLet’s look at a quick example:

Mythical Installation Company’s management knows this requirement has to be addressed.  So they conduct a series of brainstorming sessions to determine risks.  They recall that several years ago there was a significant shortage of chips that caused the products they were installing to be delayed, thus delaying their projects.  Another employee suggested that there could be a repeat of the severe shortage of skilled installers that happened two years ago.  Finally, several individuals suggested that natural or manmade disasters could cause the interruption to their installations.  Once the risks were identified they were prioritized and a management plan was developed.  The plan included customer notifications of delayed product, alternate staffing companies to mitigate possible labor shortages and a detailed strategy to relocate alternate facilities in the case of a natural disaster. These conditions and resulting strategies, were all documented in the plan.  Furthermore, management scheduled reviews during the year to ensure that the plan would continue to be appropriate.

Naturally this is a fairly simplistic example, but hopefully it will provide some food for thought.  If you have further questions regarding risk management requirements, don’t hesitate to contact us at  Next week, we begin a 3-part series on the value of ISO and TL 9000 certification and some tips on how to market your certification.