As occurred with ISO 13485, AS 9100 got a boot in risk management requirements with the latest edition. However, surprisingly it only applies to section 8, the operations clauses (e.g., design, purchasing, production, etc.). Yet there are six other clauses where it is not required.
This makes no sense at all. Consider the clause related to Resources. Aren’t there risks related to the infrastructure of the organization (facilities, equipment, information technology) that can significantly impact product conformance and/or customer satisfaction? How about Leadership and their commitment to quality (and ethics)?
I’m afraid we still have a ways to go before we really hold organizations accountable for performance. And yes, theoretically these standards are all about managing risk, but if we’re going to require a formal process related to some processes, why not apply them across the board?