Risk and Opportunities


A look at Section 8.5 of ISO/IEC 17025:2017

Presented by:
Michael Kramer
Calibration/Inspection Program Manager
Perry Johnson Laboratory Accreditation, Inc.
12-May-2020
This webinar is being recorded and will be available in its
entirety on the Perry Johnson Laboratory Accreditation Website.
www.pjlabs.com
Go to the link for recorded webinars.
Duration of webinar is set for one hour. There will be time
allocated at the end for questions.
Questions can be submitted directly
through the question block on your
Go to Webinar Screen. Please keep
questions related to today's topic.
ISO/IEC 17025:2017 strongly emphasizes “risk-based” thinking: the
word “risk” appears over thirty times in the document compared to only
four appearances in the 2005 Standard.

As a result of this shift to risk-based thinking, there is no longer any
reference to “preventive actions”; this is essentially replaced by the new
clause on addressing risks and opportunities.
Even though a note within the 2017 Standard states that there is
no requirement for formal risk assessment methodologies, the new
emphasis on the consideration of risk means that laboratories will
need to produce evidence of compliance with the new clause.

Those laboratories that already undertake regular management
reviews or staff meetings which stress improvement
opportunities may find that they already meet most of the
requirements in the 2017 Standard in regard to Section 8.5.
According to the Standard’s Foreword, risk-based
thinking does enable reduction in prescriptive requirements and
their replacement by performance requirements. Hopefully
laboratories will be able to use this extra flexibility in practice.
From ISO/IEC 17025:2005
Lab shall have policies and procedures to ensure protection of
confidential information, including electronic storage
and transmission of results.
From ISO/IEC 17025:2017
Lab shall ensure the protection of confidential information,
including electronic storage and transmission of results.
Addressing both risks and opportunities establishes a basis for
increasing the effectiveness of the management system, achieving
improved results and preventing negative effects. The laboratory is
responsible for deciding which risks and opportunities need to be
addressed.
We address risk every day, however we probably never think about
how we go about doing it:
• Driving. Most of the time, we take this for granted. But staying
off the cell phone, keeping basic systems in good order – and
even replacing your wipers once in a while – can make a big
difference and reduce the risk of having an accident.
• Food preparation. Keeping surfaces clean and avoiding transfer of
bacteria from uncooked food to your hands, countertops, and
utensils can greatly reduce the risk of getting ill from eating the
prepared foods.
• Stairways. Simple, I know, but using the handrail can
significantly reduce the likelihood of a fall.
• Non-routine tasks. Changing a light bulb in a ceiling fan? Get a
good ladder or stepstool, not a chair. Using harsh chemicals to
clean? Protect your hands.
• Yardwork. Substantial shoes are important in operating any
power equipment. Good leather gloves for handling brush are a
big plus.
Subconsciously we are aware of risk and
take actions to reduce the adverse impact
of a negative outcome.
Risk: what makes achieving an objective uncertain.
Level of Risk: an expression of the importance of the risk taking into
account the consequences and the likelihood of situations.
Risk evaluation: comparison of the level of risk with an acceptance
criterion
Risk treatment: Many options are possible and can be combined:
avoiding the risk, taking the risk to seize an opportunity, eliminating the
source of risk, changing the likelihood of occurrence or consequences,
sharing the risk, or accepting the risk as it is and informing on it.
Residual risk: Risk remaining after risk treatment
Opportunity: an event with potential positive outcome for the
organization
Risk management - appropriately optimizes success with minimal
threat and maximal opportunity.
Risk mitigation - to reduce the extent of risk exposure, and the
adverse effects of risk.
Risk mitigation plan
Step one, risk identification – The risk needs to be identified.
Analysis and deliberation are needed to uncover, recognize and
describe the risks that might affect your project or its outcomes;
Step two, risk evaluation - probability and impact;
Step three, risk treatment – Each risk treatment strategy can be
described in terms of likelihood and impact;
Risk acceptance: low likelihood, low impact
Risk avoidance: high likelihood, high impact
Risk transfer: medium likelihood, high impact
Risk mitigation: medium likelihood, high impact
8.5.1 The laboratory shall consider the risks and opportunities
associated with the laboratory activities in order to:
a) give assurance that the management system achieves its
intended results;
b) enhance opportunities to achieve the purpose and objectives of
the laboratory;
c) prevent, or reduce, undesired impacts and potential failures in
the laboratory activities;
d) achieve improvement
8.5.2 The laboratory shall plan:
a) actions to address these risks and opportunities;
b) how to:
— integrate and implement these actions into its management system;
— evaluate the effectiveness of these actions.
NOTE Although this document specifies that the laboratory plans actions
to address risks, there is no requirement for formal methods for risk
management or a documented risk management process. Laboratories
can decide whether or not to develop a more extensive risk management
methodology than is required by this document, e.g. through the
application of other guidance or standards.
How to assess risks in a laboratory?
To identify risks, it is useful to consider both the internal context
of the organization and its external context (risks related to the
customer, the supplier, but also to the customer of the client and
other stakeholders).
Risk identification methods range from common sense and
brainstorming, through the use of pre-established lists for a professional
sector, to the use of standards setting good practices.
The assessment of risks can be addressed answering the following
questions:
• What can happen and why (by risk identification)?
• What are the consequences?
• What is the probability of their future occurrence?
• Are there any factors that mitigate the consequence of the risk or that
reduce the probability of the risk?
Shared Risk??

Create a record that this is taking place


8.5.3 Actions taken to address risks and opportunities shall be
proportional to the potential impact on the validity of laboratory
results.
NOTE 1 Options to address risks can include identifying and
avoiding threats, taking risk in order to pursue an opportunity,
eliminating the risk source, changing the likelihood or
consequences, sharing the risk, or retaining risk by informed
decision.
NOTE 2 Opportunities can lead to expanding the scope of the
laboratory activities, addressing new customers, using new
technology and other possibilities to address customer needs.
FMEA – Failure Mode and Effects Analysis
HAZOP - Hazard and Operability Study
Risk Management Checklist
Pareto Chart
Fishbone
Fault Tree
SWOT Analysis
RIDM – Risk Informed Decision Making
Brainstorming
For further information: ISO 31000:2009 Risk management —
Principles and guidelines; IEC/ISO 31010:2009 Risk management –
Risk assessment techniques
S.W.O.T. is an acronym that stands for Strengths, Weaknesses,
Opportunities, and Threats. A SWOT analysis is an organized list of your
business’s greatest strengths, weaknesses, opportunities, and threats.
SWOT Analysis Example for Delightful Dog Grooming
Purpose: To create a marketing action plan
Strengths
• Have many return customers
• Customer satisfaction - customers do say they like the service
and give positive word of mouth by recommending grooming
services to others
• Do get some walk-in business
• Mobile grooming van has eye-catching logo and gives some
exposure when performing on-site services
Weaknesses
• Don't pay much attention to marketing – dependent on word-
of-mouth and website
• Website purely informational and static
• Don't have a marketing plan
• Don't have much of a marketing budget
Opportunities
• Take advantage of the increasing popularity of dogs
• Increasing use of social media
• Increase the amount of walk-in traffic
• Local annual Pet Fair
• Kennel clubs, rescue societies, local SPCA
Threats
• Other dog grooming businesses in town, competition is
increasing
• One dog grooming business has a series of radio ads running
and is also running newspaper ads once a week
• Another competitor has partnered with the local SPCA to host a
dog washing and grooming day every few months (by donation
to the SPCA)
• Expense of running media ads
Do Strengths Open Any Opportunities?
• As customers say they like services and are willing to recommend them, could
create some type of referral reward program to actively encourage referrals.
• A loyalty program for repeat customers could be developed.
• Could try to increase walk-ins by having an eye-catching window display.
• Consider relocating business to a location that would get more walk-in traffic.
• Look into setting up a booth at the local annual Pet Fair.
• See if kennel clubs, rescue societies, etc. are interested in partnerships.
• Increase the use of social media and investigate other low-cost ways of promoting
the business
How Can We Convert Weaknesses to Strengths?
Looking at opportunities and listed weaknesses, looks like social
media could be a real marketing opportunity. Instead of just
having an informational website, our business could put up a
Facebook page and open a Twitter account to try and reach out to
old (and new) customers. (Because dogs are so popular, might be
helpful to tweet as a dog, e.g. "Rover says regular grooming
makes him happy and healthy"). Pinterest or Instagram might also
be good options - pictures of cute pets are very popular.
What Do We Have to Do to Use Opportunities?
• Set up social media business accounts/pages. (Am already
familiar with Facebook and Twitter through personal accounts.)
Set aside time or assign staff person to update Facebook/
Twitter accounts. Set up a Pinterest and/or Instagram account,
purchase a camera, and train a staff person to take photos of
animals and post images.
• Canvass staff for Facebook contest ideas.
• Find out details of annual Pet Fair, such as when it runs and
how much a booth/table would cost there. (Remember will also
have cost/logistics of manning the booth or table, too.)
• Scout out some possible new business locations. Contact a
realtor and ask about a more centralized business location
where many people walk their pets.
• Canvass kennel clubs and dog rescue groups for possible
partnership opportunities.
• Contact window artists for quotes on a window display.
• Decide on referral discount and customer loyalty schemes and
notify existing customers
How Do We Best Neutralize Threats?
Without a bigger marketing budget, we can’t run competing radio
and newspaper ad campaigns (although would be a good idea to
run occasional newspaper ad). Might be able to off-set the
competition's newspaper and radio campaigns through developing
our online presence as above and running marketing campaigns
on social media.
Results: As you see above, this SWOT analysis has created the
seeds of an action marketing plan, providing clear direction for
how this small business can counter their competition's marketing
efforts and increase their own customer base.
Creating a Risk Management Checklist
In any type of project planning, risk management is a necessary
tool. Risk management identifies and prioritizes risks, measures
how harmful they can be, and develops a plan to deal with risks
that are a threat to the project. Beyond creating a risk management
plan, you should also create a risk management checklist. As you
develop your risk management plan, including the risks and how
they will be dealt with, a risk checklist should quickly tell you
from past experience and forecasting if a risk area will evolve.
Scope of Work - The first part of your risk checklist should
include questions and answers such as: Has the work been done
before or is it something new? In essence, has an area in the work
been identified in prior projects as a risk? If a task is a new task
within the project, what risks may occur?
Project Resources - The second part of the checklist should deal
with your resources. Do you have the right number of resources?
Do your resources have the experience they need or do they have
to be trained? How experienced are they and do they work well
together? Again, if a resource risk is a potential problem, it should
be identified on your checklist.
Project Timeline - The third part of your risk management
checklist should identify items like scheduling conflicts and if
they are flexible. Will you and your team have enough time to
complete all the tasks within the project? If any items are
identified as a risk, list them here.
Project Cost - This fourth part should identify risks that have to
do with project costs and project overrun costs. If you feel a
project may overrun its budget, list this as a risk on your checklist.
Outside Sources - What outside sources are involved in the
project that may cause a risk? They are the fifth part of your
checklist. If you feel an outside source can't deliver on time or has
other issues that are considered to be a risk, put them on your
checklist.
Deliverables - Can you deliver the project? That means not just
the goals of the project, but the project itself. A goal may be to
analyze tools to change a process and the project may be to
change a certain process. If you feel the project has risk in its
deliverables, identify this as a risk
The requirements of ISO/IEC 17025:2017
The international standard ISO/IEC 17025:2017 states in its
introduction:
This document requires the laboratory to plan and implement
actions to address risks and opportunities. Addressing both risks
and opportunities establishes a basis for increasing the
effectiveness of the management system, achieving improved
results and preventing negative effects. The laboratory is
responsible for deciding which risks and opportunities need to be
addressed
The laboratory is responsible for deciding which risks and
opportunities need to be addressed. The accreditation body,
however, assesses whether the laboratory has established
appropriate actions for dealing with risks and opportunities in
accredited laboratories.
This may vary among laboratories in certain instances.
The requirement for impartiality is a good example of where the risk
and measures necessary may vary among laboratories
A privately owned independent lab with many customers where the
owner or lab personnel has no other activities or ownership is unlikely
to need extensive measures to protect impartiality
Other situations may require alternate considerations
• A lab with only one customer
• A lab where the owner owns some of the customers
• A lab within a manufacturer also taking on third party work
• A lab with minimum wage staff in a culture known for corruption
• A lab where its ownership is complex and keeps changing as does
that of related bodies within the structure
A Technical Example
6.4.10 When intermediate checks are necessary to maintain confidence in
the performance of the equipment, these checks shall be carried out
according to a procedure
The complexity of this will vary according to risk. A gauge block or
mass standard used as a reference may need little by way of intermediate
checks. On the other hand, sensitive electronic items exhibiting drift may
need frequent checks, plotting and calculations from comparisons
resulting in a drifting reference value being identified.
Other Areas of ISO/IEC 17025:2017 Where Risk Shall be Addressed
4.1.4 The laboratory shall identify risks to its impartiality on an on-going
basis;
8.9.2 The inputs to management review shall be recorded and shall
include information related to the following;
m) results of risk identification;
7.8.6.1 When a statement of conformity to a specification or standard is
provided, the laboratory shall document the decision rule employed,
taking into account the level of risk (such as false accept and false reject
and statistical assumptions) associated with the decision rule employed,
and apply the decision rule;
Nonconforming work
7.10.1 The procedure shall ensure that:
b) actions (including halting or repeating of work and withholding
of reports, as necessary) are based upon the risk levels established
by the laboratory;
Corrective actions
8.7.1 When a nonconformity occurs, the laboratory shall:
e) update risks and opportunities determined during planning, if
necessary;
What will an accreditation body be looking for in regard to compliance
with Section 8.5?

• Objective evidence which would show that the organization has
adopted a risk-based approach: This may include a specific document
(procedure or any other name) where risks and opportunities are
identified, as well as a plan to implement action to minimize risks and
maximize opportunities;
• Interview: “What opportunities for improvement have been identified,
implemented, or rejected and what risk was identified?” (8.6
Improvement);
• Inputs associated with the management review;
4.1.4 The laboratory shall identify risks to its impartiality on an on-
going basis. This shall include those risks that arise from its activities,
or from its relationships, or from the relationships of its personnel.
However, such relationships do not necessarily present a laboratory
with a risk to impartiality
NOTE A relationship that threatens the impartiality of the laboratory
can be based on ownership, governance, management, personnel,
shared resources, finances, contracts, marketing (including branding),
and payment of a sales commission or other inducement for the referral
of new customers, etc.
This time is allocated for questions. You should have a space
provided for submitting questions.

If a question is unanswered please submit directly to
[email protected]
Next Scheduled Webinar

Option A and B as presented in ISO/IEC 17025:2017 along with
the Management System Documentation (8.2)
