Your Future in Risk Management
by Greg Hutchins
Our engineering company conducts risk analyses and assessments in cyber security, infrastructure security, operational integrity and business continuity planning. And, business is booming.
Why? Federal, state and local agencies are facing increased uncertainty and are developing risk management requirements due to economic and security pressures. Publicly held companies are also developing new risk reporting requirements.
The salient point of this article is that our firm, Quality Plus Engineering, started in the quality and ISO 9000 arena and was able to transfer its quality engineering expertise to risk management.
The bottom line is you, too, can move into risk management. Here’s where some of the opportunities are and how you can take advantage of them.
The United States faces chemical, biological, radiological, nuclear and explosive threats, more commonly called CBRNE threats. The Department of Homeland Security is developing standards, sampling methods and conformity assessment protocols for event based risks. In federal parlance, event risk is the likelihood and impact of an unanticipated occurrence.
CBRNE, border and transportation security, emergency preparedness and response, and infrastructure protection are hot areas for quality professionals. They can and should bring investigative, intervention, auditing, corrective action and preventive action skills to homeland security.
Protocols and auditing standards are being developed in this area, and I’ll discuss the opportunities in future columns.
“Welcome to DNV: Managing Risk,” shouts the homepage of the Det Norske Veritas (DNV) website. DNV and other global ISO 9001 registrars are consolidating their service offerings around risk management, rebranding themselves as risk management certification, assurance and consulting companies.
It’s interesting that ISO 9001 and quality, hallmarks of DNV, are not even mentioned on the homepage. Visit the website to get a peek at the future of ISO 9001 auditing.¹
ISO Security Standards
The International Organization for Standardization, known as ISO, brought us two standards that defined the quality profession: ISO 9000 for quality management and ISO 14000 for environmental management.
ISO recently mobilized global resources to develop security standards. Two recent standards you should know about are ISO/IEC 27001² and ISO 28000.³
ISO/IEC 27001 specifies the requirements for an information security management system (ISMS), including the risk assessment and controls an organization must establish, operate and improve. ISO 28000 specifies security management systems for the supply chain.
Both standards emphasize security risk identification, controls, mitigation and corrective action and have an ISO 9001 look and feel. They are process based, use the plan-do-check-act cycle and rely on closed loop feedback. All quality professionals are familiar with these methods and should be able to adapt their skills to implementing the security standards.
More federal agencies, such as the Federal Aviation Administration (FAA) and the Food and Drug Administration, are integrating risk concepts and requirements into their orders, directives, procedures and protocols. Most of these are event based risk protocols.
For example, the FAA recently issued the air transportation safety oversight order. The order requires air transport operations to develop and document a methodology for conducting safety risk assessments. Updates regarding this work should soon be available on the FAA website.⁴
The application and effectiveness of these risk management controls will also be independently and objectively evaluated to ensure controls are mitigating hazards identified during risk assessments. You bet this sounds like quality auditing, failure mode and effects analysis and other quality tools.
The Sarbanes-Oxley Act (SOX) is the corporate governance law enacted in 2002. In the last three years, SOX has had wide impact on publicly held companies' internal financial controls. These risk controls are now migrating into operations.
The question of who should audit these controls arises. Presently, internal financial auditors conduct SOX operational assessments. Conducting these operational risk audits is a huge opportunity for ISO 9001 internal auditors and quality professionals to add value to their organizations, clients and, ultimately, themselves.⁵
Most critically, the results of risk based, internal audits get the attention of executive management and boards of directors.
Business Continuity Planning
Following Hurricane Katrina, almost every state, county, city and local jurisdiction is developing a business continuity program. This is a big opportunity for quality professionals. A business continuity program outlines the steps to be taken to identify the risk of potential losses and develop recovery plans to ensure continuity of services.
A business continuity program entails developing a process for identifying and mitigating risks. Quality professionals have experience in process management, establishing baseline capabilities (the “as is”), defining incident management systems (the “to be”) and then closing the gaps (preparedness plans).
Quality professionals know processes, systems, auditing, benchmarking, gap analysis, corrective action plans and root cause analysis. These are the skills needed to do business continuity planning.⁶
Your Next Step
Risk management will be a big part of your future. What can you do to learn risk management? Visit the websites referred to in this article and read as much as you can. Or attend one of ASQ’s workshops related to SOX.⁷,⁸
Plentiful opportunities are out there for those willing to adapt to the dramatic transformation currently taking place in the quality world.
REFERENCES AND NOTES
1. Det Norske Veritas, www.dnv.com.
2. ISO/IEC 27001:2005, Information Technology—Security Techniques—Information Security Management Systems—Requirements, www.iso.org.
3. ISO/PAS 28000:2005, Specification for Security Management Systems for the Supply Chain, www.iso.org.
4. Air Transportation Oversight System, www.faa.gov/safety/programs_initiatives/oversight/atos.
5. See Sandford Liebesman, “Mitigate SOX Risk With ISO 9001 and 14001,” Quality Progress, September 2005, pp. 91-93, for a comparison of ISO 9001, ISO 14001 and SOX requirements.
6. See R. Dan Reid, “What Organizations Can Learn From Hurricane Katrina,” Quality Progress, November 2005, pp. 82-85, for an assessment of how using ISO 2001 and its international workshop agreement 1 might have mitigated the disaster.
7. ASQ Sarbanes Oxley Network, www.asq.org/communities/sarbanes-oxley/index.html.
8. ASQ Training and Certification, www.asq.org/training-and-certification.html.
GREG HUTCHINS is an engineering principal with Quality Plus Engineering and Lean SCM in Portland, OR. He is a member of ASQ.