
RISK ASSESSMENT AND MITIGATION PLAN

PROCEDURE NO. MSA/QSP/01 REVISION NO. 00 AS9100D CLAUSE NO. 6.1, 8.1.1

Revision History

Revision No. | Date (DD/MM/YYYY) | Description of Changes
00 | 09/03/2024 | MSA-QSP-GEN-06 Rev. No. 00 (release date 01-01-2020) changed to MSA/QSP/01 Rev. No. 00 for enhancement of procedure

This Procedure has been approved by the following Approval Authorities

Approval | Name | Designation | Date
Prepared by | Vasudevan G | Management Representative | 09/03/2024
Reviewed by | Krishna Murthy K | Chief Technical Officer | 09/03/2024
Approved by | T Renganathan | Executive Director | 09/03/2024


1. Purpose

This procedure defines a risk management process for:

➢ Planning the QMS risk process to give assurance that the QMS can achieve its intended results, enhance desirable effects, prevent or reduce undesired effects and achieve improvement.
➢ Managing operational risk to the achievement of applicable requirements for the organization's products and services.

2. Scope

This procedure is applicable to all Processes, Projects, Products, Customers, Suppliers, Contracts managed
at MSA Global Technology & Engineering Pvt. Ltd.

3. Abbreviations, terms, and definitions

Terms | Definitions
Risk | An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.
Significant Risk | Any medium-level risk for which controls have been assessed at less than adequate; any risk assigned a level of high and the severity
Risk Assessment | The overall process of risk identification, risk analysis and risk evaluation.
Risk Identification | The process of finding, recognizing and describing risks.
Risk Analysis | A process to comprehend the nature of the risk and to determine the level of the risk.
Risk Criteria | The terms of reference against which the significance of risk is evaluated.
Risk Evaluation | The process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable.
Risk Mitigation | A plan developed with the intent of addressing all known or possible risks and preventing their occurrence.
SWOT | Strength, Weakness, Opportunity, and Threat
Severity | The outcome of an event affecting objectives (for the purpose of this process, consequence shall be used in the context of having a negative effect on objectives).
FMEA | Failure Mode Effects Analysis


4. Responsibility

Function | Responsibility
MR | Maintain the QMS risk management process
Process owner | • Ensure the risk management activities are performed throughout the life cycle of any work effort (i.e., customers, contracts, suppliers, products, processes, etc.)
 | • Use and maintain the risk management procedure
 | • Ensure that the risk management process is communicated and integrated throughout the organization and that risks are identified, managed and monitored in accordance with this procedure
 | • Ensure that adequate resources from all necessary disciplines are allocated to support this procedure
 | • Ensure that risk treatment strategies are developed and implemented, and controls maintained
Risk owner | Drive respective risks to closure
Top management | Ensure that adequate resources are allocated to support the risk management process

5. Process Approach

Resources and Responsibilities: Risk register, Stakeholders
Inputs: Internal and external issues; Stakeholders and their requirements
Process: RAMP
Outputs: Risk register, FMEA; Contract Review; Supplier Approval
Controls: Internal Audit; Management Review
Metrics: No. of unpredictable risks


6. Process Flow

Risk Identification → Risk Analysis → Risk Response → Risk Monitoring and Control

7. Process Description
7.1 Risk Context
a) Organizational context: Internal and external issues that are relevant to the purpose and strategic direction of the organization, and which affect the intended results of the QMS, are identified through the risk register.
b) External context: There are several categories of risk associated with manufacturing, including strategic, financial, supplier and operational risk. Customers are generally concerned with the operational risk associated with the quality and schedule performance requirements of the products they purchase. This procedure focuses on the significant risks to meeting those requirements; special requirements and/or other risks will be determined from information flowed via contract or in consultation with other stakeholders.
c) Internal context: This process is intended to provide a plan for managing the significant risks to achieving the quality, schedule, and cost requirements associated with the manufacture and delivery of products in accordance with customer and/or regulatory requirements. This process shall support the MSA Global quality policy and assist in achieving established quality objectives.
7.2 Risk Management Context

a. The risk register will be reviewed and updated in the following situations:

• QMS
✓ Each QMS process
➢ Context issues, interested parties' requirements


• Operation
✓ New products
✓ New customers
✓ New orders
✓ New suppliers
✓ New manufacturing processes, products and technologies
➢ Any changes to the above list/situations
✓ Major complaints and corrective actions
✓ Once in a year

b. The following table defines the various risk planning and management processes:

Process/stage (what) | Frequency (when) | Responsibility (who) | Document reference
QMS risks and opportunities | When establishing and change in QMS, NC's | Concerned process owners/MR | Risk and Mitigation Form
Customers, project contract and risk | During new customer project contract and its changes, NC's | Business Development with CFT | Enquiry Review Checklist, Enquiry Risk Assessment Form
Supplier's risks | When selecting new suppliers and during re-evaluation, NC's | Purchase | Supplier Evaluation and Approval Form
Product and process risk | New products, new processes, new technology and its development stage | Production/PPC/Engineering | FMEA, Product Safety Register, Operational Risk Register, PO Review Checklist

c. This procedure should be used in conjunction with other established procedures and processes throughout the organization, such as sales quotation, contract review, production planning, purchasing, manufacturing and acceptance, to provide an integrated plan for managing risk throughout product realization.


d. For the purpose of this process, the components of risk shall be identified as follows.

Risk has three components:

➢ A potential risk (or existing issues, i.e., internal issues and external issues, opportunities)
➢ A probability (or likelihood) assessed at the present time
➢ The consequence (or severity)

7.3 Risk criteria

a. Risk criteria are defined in terms of the following 2 elements:

➢ The probability of an event's (root issue's) occurrence
➢ The severity of the event's (root cause's) occurrence

b. The level of the probability (likelihood) element shall be determined using the criteria specified in the table below. Probability (likelihood) should be determined by evaluating information, both current and historical, or by estimating occurrence using experience and judgement.

Probability of occurrence (likelihood)

Rank | Likelihood | Description
1 | Not likely (remote) | Extremely unlikely. May only occur in exceptional circumstances; has never occurred before
2 | Low likelihood (occasional) | Unlikely to occur or re-occur but possible; occurred less than once per annum
3 | Likely (probable) | May occur or re-occur but not definite; has previously occurred once or twice per annum
4 | Highly likely (frequent) | Will probably occur/re-occur; has happened several times per annum
5 | Near certainty (often) | Continuous exposure to risk; has happened before regularly and frequently


c. The level of the severity (consequences) element shall be determined using the criteria specified in the table below. While cost has been included in these criteria and should be considered in the quotation and estimation stages, the inclusion of cost criteria should be evaluated for use after award of contract.

Severity (Consequences)

Level | Product quality / process intended results | Delivery schedule | Cost effect
1 | Insignificant (negligible): requires minor rework/reprocess to bring into full conformity | No impact | Minor or no impact
2 | Minor (marginal): requires significant rework/reprocess/replacement to bring into full conformity | Minor impact; internal schedule slip, still able to meet original schedule and quality | Cost increase of <5%
3 | Moderate (critical): extensive rework or remake; cannot be reworked to meet conformity/requirements; requires customer's concession/approval to "use as is" | Requires minor schedule (<30 days) or quality concession from customer | Cost increase of <5%
4 | Major (hazardous): multiple scrapped products/work; requires repair to restore to acceptable condition; requires customer's condition | Requires major schedule (>30 days) or quantity concession from customer | Cost increase of <10%
5 | Severe (catastrophic): all products/works scrapped; unable to produce conforming parts; unable to obtain required materials and service | Unable to deliver parts; major impact to customer production or program schedule | Cost increase of <20%


d. The overall risk score is determined using the risk score matrix and is assigned a level of low, medium or high.

RISK MATRIX (rows: Likelihood; columns: Consequence)

Likelihood | 1 | 2 | 3 | 4 | 5
1 | L | L | L | L | H
2 | L | L | M | M | H
3 | L | M | M | H | H
4 | L | M | H | H | H
5 | L | H | H | H | H

L: Low, M: Medium, H: High

e. Risk acceptance criteria

1. Risks rated as low can be accepted without any treatment plan.

2. Risks rated as medium: existing controls must be evaluated for effectiveness for controls assessed

3. Risks rated in the high (red) category shall require risk treatment and/or further analysis.

4. Irrespective of risk score, if the consequence value is 5 and above, the risk must be treated with a plan.

7.4 Risk Mitigation

▪ Risk mitigation is the process for controlling the risk to prevent or reduce undesired effects. Risk mitigation involves the cyclical process of:

• Assessing the risk mitigation
• Deciding whether the residual risk levels are tolerable
• If not tolerable, developing a new risk mitigation
• Assessing the effectiveness of that mitigation
• Avoiding the risk by deciding not to start or continue an activity
• Accepting or even increasing the risk in order to pursue an opportunity
• Removing the source of the risk



7.5 Risk analysis

➢ Once risks have been identified, they must be analysed in terms of their probability (likelihood) of occurring and the severity (consequences) of their occurrence. This is accomplished using the probability and severity criteria charts established as explained above.

➢ Each risk shall be assigned a probability level and a severity level score. These will be used to evaluate the overall risk assessment score, which in turn will determine further action.

➢ Scores shall be documented in the risk register.

7.6 Risk evaluation

Using the scores developed in the risk analysis, enter the risk assessment scoring chart at the appropriate levels of probability and severity to obtain the overall risk assessment score. This will correspond to one of the three overall levels of risk: low (yellow), moderate (purple), high (red).

• For risks scoring in the low (yellow) category, risk treatment is not required; monitor and review for future treatment.

• For risks scoring in the medium (purple) category, existing controls must be evaluated for effectiveness. For controls assessed to be less than "adequate", further risk treatment is required; for controls assessed to be only "adequate", evaluate for further risk treatment.

• All risks scoring in the high (red) category shall require risk mitigation and/or further analysis.

• Irrespective of risk score, if the consequence value is 5 and above, the risk must be treated with the plan.

• Scores shall be determined in the risk register.

7.7 Selection of Mitigation options

a. Selecting the most appropriate mitigation options involves balancing the cost of implementation against the benefits derived.

b. In general, the cost of managing risk needs to be commensurate with the benefits obtained. When evaluating cost versus benefits, it is important to consider all costs, direct and indirect, and all benefits, whether tangible or intangible.

c. If budgetary constraints exist, the mitigation plan should clearly specify the priority order in which mitigation should be implemented, considering the full impact of not acting against any cost saving.


d. If after mitigation plan implementation, residual risk remains then it should be evaluated,
and a decision should be made about whether to retain this risk or repeat the risk
mitigation process.

7.8 Preparing and implementing Mitigation plans

a. The purpose of the mitigation plan is to document how the chosen options will be implemented. The plan is documented in the risk register, which contains a minimum of the following:

➢ The proposed action
➢ Assigned responsibilities
➢ Timing and scheduling requirements

b. The mitigation plan should be integrated with the applicable QMS processes and the same will be implemented as above.

c. As a part of QMS risk planning, opportunities are also identified during the SWOT analysis; the same are captured in the risk register.

7.9 Monitor and Review

a. In MRM, the risks and mitigations are reviewed and discussed, and any further action required shall be implemented.

b. Review is essential to ensure that the management plan remains relevant and effective in case of customer complaints, major nonconformities (process, product etc.).

c. Mitigation plans are monitored at regular intervals, at least once in a year, to verify the effectiveness of the actions implemented, until the risk factor comes under the acceptance criteria of the risk.

8. Process Performance Measures

S/N | Process Measure | Target | Source | Reviewing Frequency | Responsibility
1 | No. of unpredictable risk | Count | Risk Register | MRM | Process owner


9. Documented Information Reference

S/N | Doc. Ref. No. | Description | Responsibility | Document Mode
1 | MSA/MRD/F/002 | Risk Register | Process owner, MR | Soft
2 | MSA/ENG/F/001 | Feasibility Review Checklist | Business Development | Soft / Hard
3 | MSA/ENG/F/002 | FMEA | Engineering | Soft / Hard
4 | MSA/PUR/F/003 | Supplier Assessment Record | Purchase | Soft / Hard
