Tim Lozier


Applying Risk-Based Thinking to Operations

The universal constant of compliance

Published: Wednesday, July 5, 2017 - 11:01

The dynamic of risk management and compliance seems to be experiencing a shift toward risk management in operations, and learning to pay attention to detail in order to leverage it.

The biggest question often asked is, “I’m aware my company needs to pay great attention to the detail of risk, but I don’t know where to start, or even how to put it into practice.”

This is a common practical problem with which most quality professionals struggle. As for what you can do about risk, it’s important to first focus on the process of collecting and analyzing your risks. There are many common, simple, and effective tools to help make risk management a practical option for your business.

After risk is mapped out, it can be better controlled. Risk tools make it possible to delve a little deeper into the overall scope of risk management from a company and operational perspective using ISO standards.

Risk management: hazards vs. risk

We hear that risk is a good benchmark for compliance. However, to get the dynamic right, it is important to recognize the difference between hazards and risk. The terms are often used interchangeably, but risk and hazard are different concepts that do not lead to the same outcome.

Risk is defined as the probability that exposure to a hazard will lead to a negative consequence. The risk equals the hazard times the exposure. Thus, a hazard poses no risk if there is no exposure to the hazard.

Put another way, risk is the likelihood that the hazard will lead to that negative consequence, multiplied by the probability of exposure to that hazard. It’s important to understand that you can have a hazard that poses no risk; if there is no probability of exposure to a hazard, it is of lesser concern.

The key is learning what your hazards are so that they can be estimated. Once this is done, risk management is created.

Enterprise risk management

Risk is pervasive throughout all areas of an organization. It spans from quality to environmental, health, and safety, to finance, to the supply chain. You can think of risk management as the umbrella that spans the entire enterprise. It’s the universal method for understanding and controlling risk throughout any location within an organization.

ISO 31000 is the standard for risk management. Although it is broad, it is used within many business operations as a general interpretation of defining risk management. It’s an excellent method for getting started on your risk journey.

Risk management applied to ISO 31000

Risk management begins with the identification of any relevant risks. Proper risk management means looking into operations, determining where the hazards are, and understanding what the risk of those hazards may be.

Once this is done, you’ll want to determine a way to quantify those risks and look for ways to measure them in a systematic and objective way. Most companies will use scales such as severity and probability. Then, you’ll need to implement a process for evaluating and assessing the risk. This is where risk assessment plays its part.

After a decision has come from the assessment, certain tools are able to help make the right decision on how to handle the risk. There is often a scale used within many businesses with options on how to treat risk.

The scale typically reads:
Accept—it’s worth the risk
Reduce—take steps to mitigate risk
Transfer—source out risk to supplier/partner with a better management process
Avoid—stop the process altogether

Depending on different situations, decision scales like those listed above help to quickly and effectively make changes to processes or operations. Risk management at a high level is done by implementing controls such as the acceptance-to-avoidance scale. This allows users to implement controls based on facts that ultimately best support their end goals.

Understanding operational risk management

Now that risk management is understood, it is important to recognize that risk tools help to drive change both in the long term and short term. Even with systematic and repeatable solutions, however, it should be noted that risk assessment is only a tool.

In irregular cases, someone on the shop floor may see something as a critical risk and escalate it. However, when it reaches the top floor, the risk may not be as bad in the larger context. This brings about the topic of universally understanding risk.

As operations change, or more data infiltrates your system, risk levels may need to be adjusted, as with other tools. It is important to remember that although it is crucial to pave the way for an automatic and consistent manner of handling risk, risk levels still may need manual adjustment.

Understanding risks and hazards is necessary so that when a situation arises, team members can rely on the “gut feel” they may have learned through training to take the best risk-based approach. This is not to say that automation won’t help with this adjustment, because without technology we may not see the adverse event at all. Overall, however, staying alert to a false sense of security is the best way to ensure appropriate risk management and assessment.

ISO 9000:2015 and risk management

ISO 9000:2015 is the new standard of risk. When following the updates, companies will see that, again, it’s not all about the requirements but about a company mindset toward quality. Understanding the framework as it applies to your company and driving that framework home is the most efficient method of satisfying risk.

A companywide commitment with leadership toward quality is an effective method for incorporating risk into every quality management effort. Ensuring that every team member is properly and consistently building his or her own quality story through each and every action makes for a healthy and traceable outcome. This is best achieved through leadership and planning.

The governance of this standard is really based on the mindset of quality. It’s open to interpretation, so every company can determine and evaluate its own processes around the standard. Tools that can help ease the transition include a focus on leadership and planning.

Leadership aids in building a consistent focus on quality. Providing leadership to the quality team through encouragement and planning allows employees to feel appreciated and motivated, but also highly trained in understanding and considering all risks and opportunities, while being backed by automation.

Common tools for leveraging risk in compliance

Common tools for risk management treatment include:
Decision tree. Easy to integrate with daily processes
Risk matrix. Quick and colorful way to quantify risk levels with tested assumptions
FMEA. For the design of products and processes
Bowtie. For low occurrence events that may be catastrophic
Risk register. For monitoring risk levels over time

To accommodate your own initiative for governance as well as risk and compliance, determining which of the tools listed above is best for your organization is the first step. Then, there are other tools that can help with the next parts, which are identification, evaluation, treatment, and action plans.

Other helpful tools

Auditing and surveying
Ask your colleagues what the potential hazards are within all areas of business. See how likely they are to occur and their unique problems. The results will most likely be plentiful, with a host of probabilities. But fear not, because the key is to collect and analyze to better categorize. This is called the taxonomy of risk, and can help you to make better sense of everything. Once this process is completed, building general scales of hazards with frequencies is the most logical way to organize the overall levels.

Document control
After surveying, you may be thinking, “How do I document this and prove it in audit?” Document control paired with risk management ensures that the process is built with work instructions and roles.

As a standard rule, especially when introducing new elements into processes, include document control for each step. In this way traceability will be built into the overall quality program, and the new processes will be recorded in the results of audits, surveys, and analyses.

When you are building the evaluation and treatment of risk, you need to control the tools you use. You also need to document each time it’s incorporated into a record. This is all about having traceability. Whether this is done manually, digitally, or through a technology solution, the traceability of the process and the practice of that process is necessary and considered risk-based thinking. This applies to compliance and your quality management system (QMS).

Employee training
Training is the foundation of your company’s safety and quality management strategy. It is important to continue training even after orientation is over, just as it is important to keep an eye on risk management and assessment once it is consistent and systematic.

Many a QMS allows users with employee training software to segment and assign training by role, department, or facility to ensure proper training to necessary employees. This is a great addition in that when changes or updates to processes or regulations pop up, they can be added immediately into the queue for training, just as an adverse event would within risk assessment.

Closing thoughts

Overall, risk is a universal compliance constant. It’s a practice that, once put into use, allows companies to take control back from the unknown. Automated resources and tools are helpful in figuring out your company’s specific path toward unveiling risk, and they allow users to then leverage specific tools to keep it consistent. The requirements in ISO standards are simply stated as the path to enrolling everyone in quality, which is why they pair so well with the risk-based thinking methodology.

For more information on this topic, please join us for the webinar, “Applying Risk-Based Thinking in Your Operations—Tools and Tips for Incorporating Risk into Quality Management,” on Thurs., July 13, 2017, at 2 p.m. Eastern and 11 a.m. Pacific. I will be presenting, and Dirk Dusharme of Quality Digest will be the host.


About The Author

Tim Lozier

Tim Lozier is the director of product strategy for EtQ, in Farmingdale, New York. He has extensive experience in the software industry, and has been involved in the creation of leading-edge technologies in user-interface design and development. He began his career in digital marketing before taking a turn into software design and marketing at Quark Inc. Since then, he’s never looked back, helping to foster the development of (and blog about) leading quality management software solutions.