Much has been written and discussed about “risk” being the future of “quality.” But what does this really mean, and how does it work?
Let us look at common working definitions of quality: zero defects, customer satisfaction, control of process variance, reliability, security, and fitness for purpose. These are all objectives a quality program is aimed at satisfying. ISO 9000:2005 (Quality management systems: Fundamentals and vocabulary) defines quality as the “degree to which a set of inherent characteristics fulfills requirements.”
BusinessDictionary.com states this definition of quality: “In manufacturing, a measure of excellence or a state of being free from defects, deficiencies, and significant variations, brought about by the strict and consistent adherence to measurable and verifiable standards to achieve uniformity of output that satisfies specific customer or user requirements.”
In software development, functional quality and structural quality are two measures. The Consortium for IT Software Quality (CISQ), an independent organization founded by the Software Engineering Institute (SEI) at Carnegie Mellon University, and the Object Management Group (OMG), has defined five major desirable characteristics needed for a piece of software to provide business value: reliability, efficiency, security, maintainability and (adequate) size.
If we switch to a risk perspective, these common definitions of quality become: risk of defects, risk of customer dissatisfaction, risk of uncontrolled process variance, risk of product unreliability, risk of security breach, risk of the product not being fit for purpose. In other words, risk is the failure to achieve objectives.
Thus in the risk domain, the focus is not on the objectives per se, but on the risk to achieving the objectives. Risk management is applied to control the risks and enhance the likelihood of achieving the objectives. Risk can be looked at as a two-sided coin: opportunity or danger. Either way, the same approach can be used to manage risk.
Another parallel between quality and risk is their respective focus. Quality had its Deming and his plan-do-check-act (PDCA) cycle. Greg Hutchins, a risk management author, identifies the four Ps of risk: proactive, preventive, predictive, and preemptive.
Let’s look further at the link between quality management and risk management.
Quality management can be thought of as the process of designing and executing products and services effectively, efficiently, and economically. In this context, effectiveness primarily involves the ability of the products and services to meet or exceed customers’ expectations, while efficiency involves the ability to provide products and services without wasting any resources. Economics involves the ability to generate requisite revenues from the process so that the organization can be sustained.
Risk management is the process of identifying, prioritizing, addressing, and eliminating potential sources of failure to achieve objectives. Applying risk management means being proactive, preventive, predictive, and preemptive. Risk management asks the question, “What if?” and looks at likelihood and consequences to determine which of the what-ifs are significant and need to be addressed.
If we look at process quality, we see that gaps between objectives and actual results correspond to larger deviations (deltas) in the process, which means higher risk: more variances, or higher variation, lead to less uniformity in the product or service. By reducing the risk of deltas, we reduce objective gaps and variation, and increase process quality.
Most definitions of risk management cover the entire enterprise. For example, the Committee of Sponsoring Organizations (COSO) defines risk management as: “A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
In ISO 31000:2009 (Risk management: Principles and guidelines), risk is defined as the “effect of uncertainty on objectives,” and risk management as something that “aids decision making by taking account of uncertainty and its effect on achieving objectives and assessing the need for any actions.”
For our purposes, we restrict risk to be in the operations domain and not the finance domain. Financial risk management typically focuses on hedging costs, fluctuations in currencies, and insurance.
There are three main types of operational risks:
Enterprise risk—Risk related to the operation of a business, execution strategy, systemic issues, and material issues
Project risk—Risk related to the planning and delivery of a product or service, and of not being able to meet project “triple constraints,” i.e., scope/quality, schedule, and cost, including technology and other factors
Process risk—Risk relating directly to planning and delivery of a product or service and of not being able to meet process stability, process capability, and continuous improvement—meaning the inability to achieve consistent outcomes
To ensure a consistent approach to risk management, standards and models have been and are continuing to be developed. Standards provide the following benefits:
1. A reference for risk management processes
2. A consensus definition of best practices
3. Frameworks to guide and support the risk decision process
4. A common vocabulary to discuss and compare risk processes
Some risk-based standards include: ISO 28000, which addresses supply chain security management; the ISO 27000 family, for information security management; ISO 22000 for food safety; the FAA Safety Management System; and AS9100 for aerospace quality management.
The critical elements of risk management identified in ISO 31000 are:
Risk identification—Identifies the sources of risk, risk events, and their potential consequences
Risk analysis—Analyzes the causes and sources of the risks, the likelihood that they will occur, and the magnitude of their consequences
Risk evaluation—Determines whether risks need to be addressed and treated
Risk treatment—Determines strategies and tactics to mitigate or control risks
Further, ISO states that risk management should “ensure that organizations have an appropriate response to the risks affecting them.” Risk management should thus “help avoid ineffective and inefficient responses to risk that can unnecessarily prevent legitimate activities and/or distort resource allocation.” And, to be effective within an organization, risk management should be “an integrated part of the organization’s overall governance, management, reporting processes, policies, philosophy and culture.”
The ISO risk management process involves “applying logical and systematic methods” for:
• Communication and consultation throughout the process
• Establishing the context
• Identifying, analyzing, evaluating and treating risk associated with any activity, process, function, project, product, service, or asset
• Monitoring and reviewing risk
• Recording and reporting the results appropriately
Risk assessment is proactive in that a formal analysis is undertaken to identify, rate, and address risk. This involves risk identification (predicting and listing possible risks) and then risk analysis (rating them as to seriousness). Seriousness is determined by looking at the likelihood of occurrence and the resulting consequences. There are several risk analysis techniques available, but they fall into two camps: qualitative and quantitative.
Qualitative analysis relies on subject-matter experts who rate both the likelihood and the consequence of each potential risk on a graded scale, e.g., 1–5 or high/medium/low. Likelihood and consequence are then plotted on a two-dimensional grid, commonly colored as a “heat map,” so that the most serious risks stand out.
Quantitative analysis relies on numerical values or scores, because this is felt to be a more objective method. Historical or scientific data on the process or activity are used to determine the values, for example an observed event rate and a loss per event. This method requires an understanding of probability, and where data are available it removes some of the uncertainty inherent in expert ratings. Note that a short history with no recorded events does not show that an event is impossible; it only bounds how frequent the event can be.
Using either approach, highly likely risks with high consequences obviously must be taken seriously.
Once the serious risks are determined, they can be consciously dealt with. By applying mitigation steps, the risks can be prevented, preempted, or reduced in impact. The four treatment options are: accept the risk; avoid the risk (by stopping the risky activity); reduce the risk (by reducing likelihood, consequence, or both); or share the risk (pool it, outsource the activity, or insure against it). A key point to note is that this process represents a conscious effort, which by its nature must be visible to management.
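The following Python script is an added illustration, not code from the article, of the qualitative and quantitative analyses described above followed by the evaluation and treatment steps: each register entry gets a heat-map band from its 1–5 likelihood and consequence ratings, an expected annual loss where historical data exist, a decision on whether treatment is needed, and one of the four treatments. The 1–5 scales, the band thresholds, the risk appetite figure, the rule-of-three upper bound used when zero events were recorded (an approximate 95% upper bound of 3/T on a rate observed to be zero over T years), the treatment decision rule, and the register entries themselves are all assumptions constructed for the example.

```python
"""Risk register scoring: qualitative heat map, quantitative expected loss,
evaluation against an appetite, and treatment selection.

Illustrative code added to the article; scales, thresholds, appetite, the
treatment rule and the sample register are assumptions, not ISO 31000 text.
"""
from dataclasses import dataclass
from typing import Optional

# Heat-map thresholds on the product likelihood * consequence (assumed policy).
HIGH_BAND_MIN = 15
MEDIUM_BAND_MIN = 6


def heat_map_band(likelihood: int, consequence: int) -> str:
    """Qualitative rating: place 1-5 likelihood and 1-5 consequence on a heat map."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be rated 1-5")
    score = likelihood * consequence
    if score >= HIGH_BAND_MIN:
        return "high"
    if score >= MEDIUM_BAND_MIN:
        return "medium"
    return "low"


def annual_rate(event_count: int, years_observed: float) -> float:
    """Quantitative likelihood from historical data: events per year.

    Zero recorded events does not mean the event cannot happen, it only bounds
    the rate. The rule of three gives an approximate 95% upper bound of 3/T for
    a rate observed to be zero over T years; that bound is used instead of 0.
    """
    if years_observed <= 0:
        raise ValueError("observation window must be positive")
    if event_count < 0:
        raise ValueError("event count cannot be negative")
    if event_count == 0:
        return 3.0 / years_observed
    return event_count / years_observed


def expected_annual_loss(rate: float, loss_per_event: float) -> float:
    """Quantitative likelihood x consequence: expected loss per year."""
    return rate * loss_per_event


@dataclass
class Risk:
    name: str
    likelihood: int                         # expert rating, 1 (rare) .. 5 (almost certain)
    consequence: int                        # expert rating, 1 (negligible) .. 5 (severe)
    event_count: Optional[int] = None       # historical data, if any
    years_observed: Optional[float] = None
    loss_per_event: Optional[float] = None
    can_stop_activity: bool = False         # is avoidance even an option?


def evaluate(risk: Risk, appetite_per_year: float) -> dict:
    """Risk evaluation and treatment selection for one register entry.

    Treatment is needed when the qualitative band is high or the expected annual
    loss exceeds the appetite. The treatment choice is an assumed rule: avoid when
    the activity can be stopped, share (insure/outsource) when the loss is far
    beyond appetite, otherwise reduce; accept when no treatment is needed.
    """
    band = heat_map_band(risk.likelihood, risk.consequence)
    eal = None
    has_data = (risk.event_count is not None and risk.years_observed is not None
                and risk.loss_per_event is not None)
    if has_data:
        rate = annual_rate(risk.event_count, risk.years_observed)
        eal = expected_annual_loss(rate, risk.loss_per_event)
    needs_treatment = band == "high" or (eal is not None and eal > appetite_per_year)
    if not needs_treatment:
        treatment = "accept"
    elif risk.can_stop_activity:
        treatment = "avoid"
    elif eal is not None and eal > 5 * appetite_per_year:
        treatment = "share"
    else:
        treatment = "reduce"
    return {"name": risk.name, "band": band, "expected_annual_loss": eal,
            "needs_treatment": needs_treatment, "treatment": treatment}


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Internet-facing server exploited via missing patch", 4, 5,
         event_count=2, years_observed=4, loss_per_event=250_000),
    Risk("Encrypted laptop lost in transit", 4, 1,
         event_count=12, years_observed=3, loss_per_event=2_000),
    Risk("Build pipeline compromised (software supply chain)", 2, 5,
         event_count=0, years_observed=5, loss_per_event=2_000_000),
    Risk("Legacy FTP service kept running for one customer", 4, 4,
         can_stop_activity=True),
]
APPETITE_PER_YEAR = 100_000  # assumed appetite per risk, in currency units


def evaluate_register(register=SAMPLE_REGISTER, appetite=APPETITE_PER_YEAR) -> list:
    """Score every entry; returns one result dict per risk, in register order."""
    return [evaluate(r, appetite) for r in register]


if __name__ == "__main__":
    for row in evaluate_register():
        eal = row["expected_annual_loss"]
        eal_text = "n/a" if eal is None else f"{eal:,.0f}"
        print(f"{row['name']:<55} {row['band']:<7} {eal_text:>12} {row['treatment']}")
```

The supply-chain entry is the instructive case: with a medium qualitative band it would be deprioritized on the heat map alone, but the quantitative path, using the rule-of-three bound rather than a naive rate of zero, puts its expected annual loss well above appetite and forces a treatment decision. Conversely the frequent but cheap laptop loss is accepted under both views. When no historical data exist (the FTP entry), only the qualitative band drives the decision.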
We have looked at the link between quality and risk, the basic elements of risk management, and operational risk. By changing your perspective to view quality as a risk function, you can shift from a largely reactive approach of measuring and controlling variances to proactively identifying, prioritizing, addressing, and eliminating potential sources of failure.