Not a Game

Is it risk management or preventive action—and does it matter?

by John E. "Jack" West and Charles A. Cianfrani

People seem to be divided into two camps regarding the new wording related to the subject of risk found in the draft of ISO 9001:2015:

  1. Those who believe the subject of risk-based thinking is a totally new concept never before found in ISO 9001.
  2. Those who believe risk-based thinking is simply a one-for-one replacement for, or a repackaging of the concept of preventive action, which has been deleted from the 2015 update.

We would argue that both of these extremes are incorrect and put ourselves with the many who have opinions that are somewhere in the middle. At the very least, though, we believe a prudent and well-developed quality management system (QMS) should always have considered the risk of things going wrong, assessed the potential effects of negative outcomes and taken reasonable action to prevent problems.

A QMS also should require a strategic, forward-looking process to assess potential risks related to changing and evolving external and internal conditions such as competitive actions, technology advances, and personnel knowledge and skills.

It’s interesting that so many organizations have resisted any formal effort to address preventive action and risk. Just to satisfy auditors, some organizations will even search through their corrective actions to find a few issues to characterize as preventive.

Risk-based thinking and preventive action, however, don’t involve working on past problems. Rather, used properly, these processes look ahead to what could happen in the future. What are the risks of things going wrong or not anticipating changes in customer needs and expectations, and what opportunities do these risks present to an organization if there is a serious effort to address them?

It seems obvious that an ounce of preventive action costs much less than a pound of corrective action.

Is it about cost?

Organizations typically don’t apply preventive action at the optimal stage in a QMS’s development or management. Perhaps it’s the thought that, even under the best of circumstances, preventing every problem and nonconformity is exorbitantly expensive or even impossible.

Organizations then don’t think about preventive action until long after the point at which effective alternatives could still have been considered—because of either cost or time limitations. There are many other excuses, however.

This leads us to a major reason the change to risk-based thinking in ISO 9001 is important. Risk-based thinking is looking at what uncertainties an organization, product or process faces, and then considering possible actions to "de-risk" the situation.

Uncertainty abounds in today’s business environment, and organizations are frequently faced with decisions about products, services, processes and other elements of the business when taking the wrong direction could cause the whole organization to fail.

Strangely, when we study situations in which poor decisions have caused major product, service or even organizational failure, seldom is a single root cause found that proved catastrophic. Rather, we often find that the ultimate failure followed a chain of events in which seemingly unrelated decisions or actions acted together—a deadly chain of events—to precipitate the failure.

Situations such as this often have a unique characteristic: If just one decision in the chain had been correct, the major failure would not have occurred. In other words, the major failure might have been prevented if just one person in an entire organization had made one correct decision when all others took the wrong path.

One example of what could prevent catastrophic failure would be to insist on what’s known as "process required actions," such as design reviews during a development project.

Understanding how to prevent major failures can include using the insight provided by a combination of the concepts incorporated into the 2015 update of ISO 9001. These concepts are in the requirements for risk-based thinking:

  • Understanding the organization and its context.
  • Understanding the needs and expectations of interested parties.
  • Acting to address risks and opportunities.

The concepts should require organizations to dedicate meaningful and explicit attention to prevention and actions to address risk. This is in sharp contrast to the much more benign attitude toward prevention that was more common in the past.

The revisions in ISO 9001 should encourage a change in behavior at three distinct but closely interrelated levels:

  1. During the planning of the QMS.
  2. During the design and development of the organization’s products and services.
  3. During the design of the processes for production and delivery of products and services.

Planning of the QMS

ISO 9001:2008 makes several references to planning. Clause 5.4 tells us to develop quality objectives and plan the quality system to meet those objectives and customer requirements.

The 2015 draft revision strengthens the requirements for planning and implementing the system. Organizations must think about the key processes and process interactions of the system and ensure the system is developed and managed as a whole.

The processes of the system need careful development to ensure they act together to achieve desired outcomes. This means that during development of the system, organizations must think about uncertainties and take the associated risks into account.

The system should be designed to drive people in the organization to think about the potential consequences of decisions and actions they take. Ask whether taking an action will contribute to a deadly chain of events. If it will, determine what can be changed to break the chain.

The system should drive people in the organization to connect the dots by thinking broadly about process interactions that are not always obvious.

It is relatively easy to manage processes and process interactions when the interactions are linear and can be displayed on a process map or a flowchart. Linear relationships might be quite complex, but that complexity is due to details, not the complexity that is typical of real systems (see Figure 1).

Figure 1

Indeed, linearity is not the reality of our world. Many interactions are hard to recognize, and today’s complex and adaptive management systems certainly do not behave linearly. Problems, however, seem most obvious at the interactions. The issues posed by nonlinearity can be understood by thinking about dynamic complexity, which increases along with the number of process interactions (see Table 1).

Table 1

The number of interactions increases faster than the number of processes. If a system includes three processes and each interacts with the other, there are three possible interactions among them. With four processes, there are six possible interactions; with five processes, 10 interactions, and so on.

Often, multiple interactions occur between any two processes. It gets messy very fast—and that is without introducing the notion of hidden process interactions or process interactions among the processes of the QMS and other parts of an organization’s overall management system.

Cause and effect

All this complexity tends to separate cause from effect. An action in one part of the system can have dramatic consequences in other parts, and those consequences often happen long after the action was taken. An example might be a quality improvement proposal initially resisted by the system but eventually modified and accepted in the form of a cost reduction. The subsequent rise in warranty costs is then blamed on the quality manager for "not controlling the parts."

In this example, various parts of the management system reacted in different and unexpected ways. The finance people thought a proposed improvement in quality was too expensive. The design and industrial engineers got together and came up with an alternative that reduced cost but had significant risk.

Somehow, the quality manager wasn’t involved in the final solution. The cost reduction part of the story was long forgotten, but the system tracked the item as the quality manager’s idea.

The point is that if the managers in this situation had seen the business as a system, they would have looked for the best overall results, not just grabbed the quick money and hoped there would be no resulting problems.

When we focus on processes, we tend to focus on details. We must, however, understand how the whole system works, including the interfaces among processes, rather than considering only direct cause-and-effect relationships (see Figure 2).

Figure 2

Managers must understand what will happen if they make a process change that isn’t properly coordinated. It’s this big-picture coordination that makes system management magic. In our example, the interrelationship among the cost reduction process, the quality improvement process and the financial accounting process needed attention.

Design and development

If there is a single clause or subclause in ISO 9001 that has potential for addressing product and service related risk, it is the clause on design and development (see Figure 3).

Figure 3

Indeed, in working with small but growing technology organizations, we have found that having a robust design and development process to verify and validate the ability of the product to meet requirements and the needs of initial customers is a key success factor. Organizations find it hard to get financing without this.

Risk-based thinking and preventive action are key parts of this design and development process. It is important to determine how to use the tools of design review, verification and validation as inputs to risk analysis and the development of preventive actions.

Perhaps most important of all, each design and development control is not just a potential opportunity to reduce the cost of an overall product development and introduction program; it is also an opportunity to:

  • Hone product production and service delivery processes.
  • Fine-tune the design so the product captures the market.

The design review phase of the design and development process is particularly powerful in mitigating risk. Such reviews can identify risks related to manufacturability, deliverability, testability, inspectability, shipability, serviceability, repairability, availability and reliability, plus issues related to purchased components.

Reviews also can include consideration of appropriate approaches to achieve risk mitigation and design of the processes required to achieve delivery of products and services.

As with the overall QMS, processes for creating and delivering products and services can be plagued with complexity. Many organizations are using lean techniques to address such issues.

Lean provides a good platform and an excellent set of tools for reducing the risks within the product cycle. ISO 9001 permits—some would say encourages—use of the design and development processes for developing and implementing product and service delivery processes.

This is a good idea because the stages of development and the inherent review, verification and validation steps provide a good framework for de-risking this key part of the organization’s system.

Holistic control and measured management of a QMS is a lot of work, but it has the advantage of driving system simplification and cost reduction.

Fear of risk-based thinking and preventive action could create an environment in which known risks are tolerated. On the other hand, you can plan forever and maybe prevent all the problems but get nothing done.

Neither previous versions nor the 2015 revision of ISO 9000 tells us how far to go to integrate risk-based thinking and processes into a QMS. The revision does explicitly require consideration of actions to address risks and opportunities, and decisions about how far to go.

Such considerations should not be superficial. The processes to accomplish compliance with this requirement should have the wide participation of individuals from throughout an organization, including finance, marketing and legal, in addition to those directly involved with product and service delivery.

Design and deployment of such processes can have a profound impact on the sustainability of an organization. So, is risk-based thinking new or just a replacement for preventive action? We conclude it doesn’t matter because the things you should be doing are the same either way.

Charles A. Cianfrani is a principal consultant for Green Lane Quality Management Services in Green Lane, PA. He is a U.S. expert representative to ISO/TC 176. He has an MBA from Drexel University and a master’s degree in applied statistics from Villanova University. An ASQ fellow, Cianfrani is a certified quality engineer, reliability engineer and auditor, as well as an Exemplar Global-certified quality management systems auditor.

John E. "Jack" West is a member of Silver Fox Advisors in Houston. He is past chair of the U.S. Technical Advisory Group to the International Organization for Standardization Technical Committee 176 (ISO/TC 176) and lead delegate of the committee responsible for the ISO 9000 family of quality management system standards. He is an ASQ fellow and has co-authored several ASQ Quality Press books.

Useful article!
--Bishwaroop Halder, 08-13-2015
