by Greg Hutchins
Risk and the Role of Quality Professionals
Risk is the watchword for this new millennium. It’s at the forefront of management thinking in the areas of homeland security, health care, and supply chain management, just to name a few. At its root, risk is nothing more than a probability statement of something bad happening. Who are better suited to deal with risk than those trained in disciplines such as statistical probability theory, comprehensive operational auditing, structured problem solving, and root cause analysis? Quality professionals, that’s who! Specifically, American Society for Quality-certified quality professionals.”
--Dick Gould, quality leader, ASQ Fellow, past chair, Customer-Supplier Division
“The world is so integrated today. We no longer have direct control over our destinies, either individual or corporate. We are swimming in a sea of change, and risk management can add stability to our lives. If we can identify risks and analyze their effects, perhaps we can continue to function when those events occur. Read, study, and understand the principles of safety, environment, security, and finance. Think about how they affect the enterprise in an integrated fashion. Read Peter Senge’s book The Fifth Discipline: The Art and Practice of the Learning Organization [Doubleday, 2006] and practice systems thinking.”
--Dennis Arter, author, futurist, ASQ Fellow
“You’re at risk in your quality career. If you don’t accept the fact-- you are at risk ! What can you do about it? Step one, define risk for you and your quality work/career/job. Step two, assess the risk. Step three, decide on actions, if any, in response to your discoveries of the ‘I’m at risk’ situation. Risk can be about how your job is going to be outsourced or somehow fundamentally changed. Don’t wait; your future depends on your decisions now .”
--Jerry Brong, futurist and quality academician
“Certifications and experience in project management have provided quality professionals with some understanding of risk. Bodies of knowledge developed for ASQ’s Manager of Quality/Organizational Excellence and Quality Auditor both include risk management. Risk is no longer defensive regression to survival in crisis. Rather, it’s prevention in service to higher-level values of social accountability and corporate ethics.”
--Henry Lindborg, Ph.D., professor and executive director of National Institute for Quality Improvement
“All managers have a duty to reduce risk to their organizations. It is often an unspecified duty, but it comes with the manager title. There are many ways to reduce risk: One unfortunate human tendency is to ‘reduce’ it by denying that risk exists. In our shrinking, flat earth, this is not a good approach. The best approach is to apply our skills to intelligently defining and mitigating risks. Quality professionals have the skills to define risk and control it. This is a clear need in our world today, and worthy of our time and talent.”
--Douglas C. Wood, CQE, CMQ/OE, finance for improvement expert
Have you noticed that there’s a seismic shift going on in quality? Interest in risk management is growing and, according to some, approaching the level of quality management. What facts support this contention? Some global quality management system (QMS) registrars are placing their certification activities under the risk management umbrella. More quality conferences have risk management tracks. What’s going on?
In this article, we’ll explore why the migration to risk management is occurring and what you can do to position your career to take advantage of this shift.
Let’s look at one data point. Several global registrars are rebranding themselves from quality management to risk management organizations. For example, Det Norske Veritas Certification has a risk management tag line on its web site. This shift is occurring with other global QMS registrars, too. Quality management institute offers a menu of risk management services from “supplier risk assessment” to “environmental performance management.” If you visit any global registrar’s site, you’ll see this evolution.
Global quality registrars are rebranding themselves as risk management shops for a combination of reasons: economics, the maturation of QMS standards, globalization, corporate responsibility, new business models, and the internet. Let’s look at each.
ISO 9001 registrations in North America are flat, and the registration and auditing services supporting the standard have become a commodity. Most of the growing market is in Asia. The market in North America and other large economies is becoming saturated with ISO 9001 registrations, so the registrars are asking, “How do we add value?” and “How do we generate additional income?”
Globalization, outsourcing, and technology have created additional uncertainty, complexity, and risks for organizations. Global uncertainty and complexity result in the need for additional risk controls. So risk management is an obvious extension to the registrars’ auditing, compliance, and assurance activities.
QMS standards based on ISO 9001 are maturing. They have moved from compliance to effectiveness and process orientations. Also, new ISO quality management systems and their relevant standards have been developed, such as the new standards from the International Organization for Standardization (ISO), ISO 28000--”Specification for security management systems for the supply chain,” ISO/IEC 27001--”Information technology--Security techniques--Information security management systems--Requirements,” and others. Security management systems are risk-based. More than 900,000 companies worldwide have adopted ISO 9001. The thinking is that a high number of ISO 9001-registered companies will adopt these new ISO risk management systems.
Global companies are being held to a higher standard of corporate accountability for outsourcing, environmental sustainability, and corporate governance. The risk of a corporate responsibility breach has grown during in the last few years as a result of massive outsourcing and the fear of human rights and child-labor abuse charges.
Aerospace, automotive, and most manufacturing sectors have developed new business and operational models based on massive outsourcing. For example, Sara Lee Corp. has sold its noncore factories. It will focus on its core strengths--developing new products, managing its brands, and increasing market share. Sara Lee will outsource commodity manufacturing and other noncore activities and only retain its “highly proprietary” processes. In other words, it plans to focus on what it does best and outsource all the rest. Outsourcing can result in risks of poor quality and unsafe products. Both can result in recalls and reputation risks.
The internet also accelerates the need for risk management. Jim Kline, a quality consultant in Portland, Oregon, says, “Customer vigilantes are distributing customer complaints worldwide via YouTube. The failure to manage quality risk can result in a company failure. Globalization and outsourcing make managing internal processes, such as quality, difficult. Toyota Motor Corp.’s reputation for quality automobiles suffers with each recall.” Welcome to the global economy.
There are a number of definitions of risk. However, most incorporate the following common elements:
• Risk of something happening that will have an effect on objectives; measured in terms of consequences and likelihood (AS/NZS 4360:1999--”Risk Management,”
• Risk of a situation or circumstance that creates uncertainties about achieving program objectives (FAA System Engineering Manual, www.faa.gov/about/office_org/
• Risk of an event occurring that will adversely affect the achievement of objectives (Enterprise Risk Management--Integrated Framework, COSO, 2004,
Risk management is the ability to identify risk, assess it, and mitigate it. Although there are many definitions of risk management, the following share common attributes:
• Risk management is the culture, processes, and structures that are directed toward the effective management of potential opportunities and adverse effects. (AS/NZS 4360:1999--”Risk Management”)
• Risk management is the identification, assessment, and response to risk to a specific objective. ( Enterprise Risk Management--Integrated Framework, COSO, 2004, www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf)
Let’s look at several applications of risk management. Competition forces companies to develop more products faster as markets become specialized and customers demand more. Companies realize that they can’t keep pace with customer demands, so they rely on suppliers to design new marketplace offerings to improve their products. For example, cell phone companies must churn out new models to keep up with rapidly evolving markets. Collaborations become more critical, and product-timing risks increase. Products reach the market either too early or too late to beat the competition. If too early, there is insufficient demand; too late, and the crucial buy window is missed.
Much like Sara Lee Corp., The Boeing Co. adopted a business model that emphasizes outsourcing and supply management. The model incorporates the following: Design the core product, outsource the core assembly (up to 85% of manufacturing dollars), assemble the complete product, test the product to ensure compliance, and then manage the Boeing brand. Although the Boeing 787 Dreamliner was built following that model, Boeing didn’t anticipate or manage the risks involving its fastener supplier, which delayed the 787’s market introduction by many months.
Top-level U.S. Department of Homeland Security officials would like womb-to-tomb traceability of shipments based on source and product risks. Incoming shipments can be a terrorist vector or delivery mechanism for chemical, biological, high-explosive, radiological, and nuclear terrorism. The federal government is moving rapidly toward supply chain security using Customs-Trade Partnership Against Terrorism compliance audits, 100-percent container inspection, radio frequency tagging of containers, issuance of biometric IDs to port workers, supplier profiling, and fewer “less than truckload” shipments. Each of these changes the just-in-time supply chain model to a just-in-case risk model.
Product development is a global activity. Automobiles may be designed in Los Angeles and assembled in Ohio from parts manufactured throughout the world. Managing worldwide, disparate suppliers requires project risk management. Project risk management is the ability to anticipate project problems and obstacles that may hinder the project from achieving objectives within cost, schedule, and quality constraints.
The risks represented by imported products and food are now issues of public safety and homeland security. The White House is proposing to improve the safety of imported products by focusing on preventing nonconformances and controlling risks. For example, the United States can’t inspect all incoming goods to protect consumers from possible harm. Under one proposed system, the government would collect data from private and public sources, identify safety hazards along the entire life cycle of imported products, and manage risks proactively and preventively. The change from an inspection-focused strategy to a risk-based approach emphasizes prevention with verification and validation.
Risk management standards are proliferating like weeds. ISO is developing ISO/DIS 31000--”Risk management--Principles and guidelines on implementation.” The critical elements of the standard are:
• Risk identification. Identifies the sources of risk, risk events, and their potential consequences
• Risk analysis. Analyzes the causes and source of the risks and the likelihood that they will occur
• Risk evaluation. Determines whether risks need to be addressed and treated
• Risk treatment. Determines strategies and tactics to mitigate or control risks
Additional risk management standards are being developed for specific industry sectors. For example, the American Society of Mechanical Engineers Innovative Technologies Institute LLC (ASME ITI) developed Risk Analyses and Management for Critical Asset Protection (RAMCAP) for the U.S. Department of Homeland Security as a guidance document for assessing risk analysis and risk management for critical infrastructure assets.
An interesting management phenomenon occurred during the last decade. Approximately 10 years ago, quality was the critical filter in high-level management decision making. Then it evolved to price, which led to the global rush to find offshore suppliers and eventually to massive outsourcing. Price evolved into the total cost of ownership, and quality became a less compelling issue to senior management.
So, what’s the primary filter for senior management decision making now? Risk management. Why is risk management so critical these days? Four reasons:
• Risk is inherent in globalization and outsourcing.
• Executives don’t want to be blindsided, and they feel uncomfortable with uncertainty.
• Executives want to manage outcomes and stakeholder expectations.
• Bottom line: Risk management is preventive and predictive, not reactive.
Greg Hutchins is the principal engineer of Quality Plus Engineering, a U.S. Department of Homeland Security (DHS)-certified company for Critical Infrastructure Protection: Forensics, Assurance, Analytics (CIP/FAA) under the U.S. DHS SAFETY Act. Hutchins is also the developer of Value Added Auditing (DHS-designated anti-terrorist technology). Quality Plus Engineering uses Certified Enterprise Risk Manager to conduct CIP/FAA audits. Value Added Auditing; Certified Enterprise Risk Manager; and Critical Infrastructure Protection: Forensics, Assurance, Analytics are registered marks of Quality Plus Engineering. Visit online at www.qualityplusengineering.com.