Is it within the assessment of CABs a requirement to judge the risk-based approach of the CABs or just to check if it was done and that within the assessment no findings have been identified which would not be occurred if the risk based approach would have been done in a proper way?
In several standards like ISO/IEC 17025 or other standards within the ISO/IEC 17000 family there are requirements concerning risk-based approaches. The CABs are requested identifying and analysing these risks and if they are concerned about some of these risks, they have to initialize action to avoid or minimize these risks. But in none of these standards an information is given with respect of the necessary level of documentation, the necessary level of analysing risks, a distinction between “critical” or “non-critical” risks or that this approach or analysis are to be judged by the NABs with regards to the content.
The question has been discussed during the Warsaw ISO/IEC transition workshop: the assessor should not judge the method applied by the Laboratory to perform its risk assessment but the compliance with the requirement of clause 8.5 should be evaluated.
Where the assessor find that a risk is not identified by the laboratory or if a risk is not properly assessed, and there is a proof that it affects the validity of the results to then a finding should be raised.