Risk and Quality Management
A holistic approach is necessary for organizational survival
by Dale K. Gordon
The media has made all of us aware of the global financial crisis caused by the assumption of risk by banks and speculators in stocks and commodities. Even ordinary people took on risk by buying homes in hot markets, hoping that they could quickly resell them and make a big profit.
What we have since learned is that many of these people, professionals and otherwise, did not understand or even consider the risks of the types of transactions or deals they were making. This caused significant losses for everyone.
In any organizational or business environment, we talk about risk all the time, with the understanding that we have to manage multiple aspects of risk every day. From an ownership and operational standpoint, as an organization gets bigger and more sophisticated, the one thing management learns to do is to manage risk.
Companies have always had to deal with different types of risk, be it financial, legal, or related to a product launch, merger or the threat of natural disasters. These risks are traditionally treated as silos:
- The CFO is responsible for understanding and making financial risk decisions.
- The IT department is responsible for the risk of losing data-processing capabilities.
- Legal counsel must understand and manage the company’s legal issues.
- The quality department is tasked with the risk of shipping defective product.
Fragmentation in integration
This fragmented approach to risk is becoming more dangerous as companies with highly integrated processes and systems face risks that threaten their existence.
These risks come in the form of non-compliance with government regulations, information security threats, natural disasters, product liability and customer dissatisfaction resulting in loss of business.
It is important, now more than ever, for companies to develop and maintain a holistic risk management program that coordinates these silos because they all have the same overall goal: to protect the company and ensure its survival to the benefit of its stakeholders.1
The quality management system (QMS) of an organization exists as a framework for how the organization is going to ensure customer satisfaction through a set of operational requirements and quality management principles when the organization:
- Needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements.
- Aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.2
The word risk appeared nowhere in ISO 9001:2000. Yet the origin of quality, specifically quality control, was the application of statistical principles to manage the probability of delivering defective or nonconforming product to the customer (consumer risk).
There was a corollary risk of having too stringent an acceptance method and thus scrapping or reworking perfectly acceptable product that the customer would have accepted, creating losses that damage the organization's competitive position (producer risk).
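The consumer/producer trade-off above is easiest to see with a single-sample acceptance plan. The following Python is an added illustration, not code from the article or from any standard it cites: it assumes a lot much larger than the sample (so a binomial model applies), and uses the conventional names AQL (the defect fraction a producer wants accepted) and LTPD (the defect fraction a consumer wants rejected), which are assumptions of this example rather than terms the article uses.

```python
from math import comb


def accept_probability(n: int, c: int, p: float) -> float:
    """Probability that a lot with true defect fraction p is accepted by a
    plan that inspects n items and accepts if at most c are defective.
    Assumes the lot is much larger than n, so draws are ~independent
    (binomial model) -- an assumption of this example, not the article."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(c + 1))


def producer_risk(n: int, c: int, aql: float) -> float:
    """Alpha: chance a lot at the acceptable quality level (AQL) is rejected.
    This is the 'too stringent a method' loss borne by the producer."""
    return 1.0 - accept_probability(n, c, aql)


def consumer_risk(n: int, c: int, ltpd: float) -> float:
    """Beta: chance a lot at the lot tolerance percent defective (LTPD) is
    accepted and shipped. This is the defective-product loss borne by the
    customer."""
    return accept_probability(n, c, ltpd)


def smallest_sample(c: int, ltpd: float, beta: float, n_max: int = 10_000) -> int:
    """Smallest n (for a fixed acceptance number c) whose consumer risk at
    ltpd is at most beta. Raises if no plan up to n_max qualifies."""
    for n in range(c + 1, n_max + 1):
        if consumer_risk(n, c, ltpd) <= beta:
            return n
    raise ValueError("no plan with c=%d meets beta=%.3f below n=%d" % (c, beta, n_max))


def oc_curve(n: int, c: int, fractions) -> list[tuple[float, float]]:
    """Operating characteristic curve: (defect fraction, P(accept)) pairs."""
    return [(p, accept_probability(n, c, p)) for p in fractions]


if __name__ == "__main__":
    aql, ltpd = 0.01, 0.10          # constructed example quality levels
    for c in (0, 1, 2):
        n = 50
        print("n=%d c=%d  producer risk at AQL=%.3f  consumer risk at LTPD=%.3f"
              % (n, c, producer_risk(n, c, aql), consumer_risk(n, c, ltpd)))
    # Tightening c from 2 to 0 slashes consumer risk but the producer now
    # rejects a large share of lots that were actually at the AQL.
    print("smallest zero-acceptance sample for beta=0.10:",
          smallest_sample(0, ltpd, 0.10))
```

Running it shows the corollary the text describes: with n=50, moving from c=2 to c=0 drops consumer risk at 10% defective from about 11% to under 1%, but producer risk at 1% defective climbs from about 1% to roughly 40%, so the stricter plan scraps many perfectly acceptable lots.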
It is only now, in the just-published ISO 9001:2008, that the word risk finally appears. The standard’s introduction says that relative to the environment the organization has to operate in, which includes legal, regulatory and competitive forces, the adoption of a QMS should be a strategic decision of an organization.
The design and implementation of an organization’s QMS is influenced by its organizational environment, changes in that environment and the risks associated with that environment.3
In adapting ISO 9001 to the industry-specific standard SAE AS9100, the aviation, space and defense industries always recognized the need to identify and manage risk as part of an acceptable, functioning QMS.
The word risk first appeared in AS9100 in terms of evaluating the risk of being able to deliver what the customer was asking for as part of reviewing requirements related to the product.
Many other sections of ISO 9001:2000 are all about managing and mitigating risks. They cover the following:
- Reviewing requirements.
- Establishing a robust design process.
- Looking at all aspects of customer use of the product.
- Management of the supply chain.
- Control of product or service operations.
Added to that list are the requirements for a nonconformance control process, feedback to management about risks uncovered in internal audits, and the corrective and preventive action processes that are supposed to be built into the system.
In fact, the entire standard could be considered a tool to mitigate the risk of poor customer satisfaction, with customer satisfaction considered essential for business continuation. But we don't really talk about risk in those terms today.
Newest version of SAE AS9100
In the newest version of SAE AS9100, soon to be released as revision C, the use, importance and emphasis of risk is significantly enhanced.
Risk is used as an all-encompassing concept that can apply to all parts of the QMS and product life cycle. Risk is mentioned about 16 times and given its own definition: "An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence."4
Some may argue that the products created and used by the aviation, space and defense industries have inherently greater risks than other types of products (think aircraft, spacecraft and weapon systems). I contend that any organization has to manage not only product risk to customers (from asbestos to ladders to toys) but also risks to the organization from likely events that could have negative consequences (think business disruption in a lean supply chain that could shut down a customer’s operations).
The writers of the latest revision of the AS9100 standard not only identify risk as a concept but also identify risk management as an essential ingredient in the healthy functioning of the organization’s QMS.
Clause 7.1 of the revised AS9100, which covers product realization and risk management requirements, includes establishing and implementing a process for managing risk that includes:
- Assignment of responsibilities for risk management.
- Definition of risk criteria (for example, likelihood, consequences and risk acceptance).
- Identification, assessment and communication of product realization risks.
- Identification, implementation and management of actions to mitigate risks that exceed defined risk acceptance criteria.
- Acceptance of risks remaining after implementation of mitigating actions.5
Risk is not something that is treated lightly from an organizational standpoint. Organizations carry all sorts of insurance to mitigate risks to the business, such as liabilities from faulty products and faulty decisions by management. Organizations also carry insurance against the loss of physical assets of the organization and the loss of people.
What insurance are organizations carrying for scrap, rework, poor supplier performance or bad internal processes that delay shipments? How do organizations compensate for designs that are difficult to produce, machines with unacceptable variances, or new product or technology introductions with unknown variables? How do we compensate for the design and integration of complex technology and software so unintended consequences do not manifest in product failure or worse?
Customer dissatisfaction risk
Each and every risk in the preceding paragraphs can and will lead to customer dissatisfaction, but it could also have dire effects on the organization's ability to continue as a going concern.
In many articles about the current problems in financial markets, you will find repeated references to the fact that the personnel in those organizations did not understand or fully appreciate the risks associated with the kinds of investments or transactions they were making.
Many of these same organizations view their buying, selling, lending and financing as products, but they simply lacked or ignored the risk mitigation activities that should have taken place.
Many of these same organizations have fully functioning and certified QMS processes. Maybe it’s about time we identified risk mitigation as part of our QMS processes.
Risk is not a bad thing or a dirty word. There is a lot of uncertainty in any endeavor that advances us. Risk is how we learn, innovate and open new frontiers and levels of understanding. There is no way we would have the societies and technology we have today without risk.
But let’s be sure we understand what we are risking and whether we can afford to pay the price if the risk involved exceeds the potential benefit, or the ultimate outcome threatens a business’s very existence.
References and Notes
- Shon Harris, "Understanding Risk," http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1158732,00.html#guide.
- ANSI/ISO/ASQ Q9001-2008—Quality Management Systems—Requirements, International Organization for Standardization, 2008.
- SAE AS9100:2008, Quality Management Systems—Requirements for Aviation Space and Defense Industries, SAE Inc., unpublished.
Dale K. Gordon is vice president of quality for Woodard MPC in Skokie, IL. He is an ASQ fellow, past chair of the American Aerospace Quality Group and contributor to the AS9100 series aerospace standards. Gordon earned a bachelor’s degree in industrial engineering from General Motors Institute (now Kettering University) in Flint, MI, and an MBA from Butler University in Indianapolis.