Applying Risk-Based Thinking to Operations
The universal constant of compliance

Tim Lozier
Published: Wednesday, July 5, 2017 - 11:01

The dynamic of risk management and compliance seems to be experiencing a shift toward risk management in operations, and learning to pay attention to detail in order to leverage it. The biggest question often asked is, “I’m aware my company needs to pay great attention to the detail of risk, but I don’t know where to start, or even how to put it into practice.” This is a normal practicality with which most quality professionals struggle.

As for what you can do about risk, it’s important to first focus on the process of collecting and analyzing your risks. There are many common, simple, and effective tools to help make risk management a practical option for your business. After risk is mapped out, it can be better controlled. Risk tools make it possible to delve a little deeper into the overall scope of risk management from a company and operational perspective using ISO standards.

Risk management: hazards vs. risk

We hear that risk is a good benchmark for compliance. However, it is important to recognize the difference between hazards and risk for the perfect dynamic. The terms are often used interchangeably, but the truth is that risk and hazard are different terms that do not equal the same outcome.

Risk is defined as the probability that exposure to a hazard will lead to a negative consequence. The risk equals the hazard times the exposure. Thus, a hazard poses no risk if there is no exposure to the hazard. Risk is the likelihood that the hazard will lead to that negative consequence. It’s multiplied by the probability of exposure to that hazard.

It’s important to understand that you can have a hazard that poses no risk, and if there is no probability of exposure to that hazard, it is then of lesser concern. The key is learning what your hazards are so that they can be estimated. Once this is done, risk management is created.

Enterprise risk management

Risk is pervasive throughout all areas of an organization. It spans from quality to environmental, health, and safety, to finance, to the supply chain. You can think of risk management as the umbrella that spans the entire enterprise. It’s the universal method for understanding and controlling risk throughout any location within an organization.

Risk management applied to ISO 31000

ISO 31000 is the standard for risk management. Although it is broad, it is used within many business operations as a general interpretation of defining risk management. It’s an excellent method for getting started on your risk journey.

Risk management begins with the identification of any relevant risks. Proper risk management means looking into operations, determining where the hazards are, and understanding what the risk of those hazards may be. Once this is done, you’ll want to determine a way to quantify those risks and look for ways to measure them in a systematic and objective way. Most companies will use scales such as severity and probability.

Then, you’ll need to implement a process for evaluating and assessing the risk. This is where risk assessment plays its part. After a decision has come from the assessment, certain tools are able to help make the right decision on how to handle the risk. There is often a scale used within many businesses with options on how to treat risk. The scale typically reads:

• Accept—it’s worth the risk
• Reduce—take steps to mitigate risk
• Transfer—source out risk to supplier/partner with a better management process
• Avoid—stop the process altogether

Depending on different situations, decision scales like those listed above help to quickly and effectively make changes to processes or operations. Risk management at a high level is done by implementing controls such as the acceptance-to-avoidance scale. This allows users to implement controls based on facts that ultimately best support their end goals.

Understanding operational risk management

Now that risk management is understood, it is important to recognize that risk tools help to drive change both in the long term and short term. Even with systematic and repeatable solutions, though, it should be noted that risk assessment is only a tool. In irregular cases, someone on the shop floor may see something as a critical risk and escalate it. However, when it reaches the top floor, the risk may not be as bad in the larger context. This brings about the topic of universally understanding risk.

As operations change, or more data infiltrates your system, risk levels may need to be adjusted—like within other tools. It is important to remember that although it is crucial to pave the way for an automatic and consistent manner of handling risk, risk levels still may need manual adjustment. Understanding risks and hazards is necessary so that when the situation arises, team members can go with their “gut feel” that they may have learned through training to make the best risk-based approach.

This is not to say that automation won’t help this adjustment be brought to life, because without technology we may not see the adverse event, but overall, being aware of a false sense of security is the best method to properly ensure appropriate risk management and assessment.

ISO 9000:2015 and risk management

ISO 9000:2015 is the new standard of risk. When following the updates, companies will see that, again, it’s not all about the requirements but about a company mindset to quality. Understanding the framework to your company and driving that framework home is the most efficient method to satisfying risk.

A companywide commitment with leadership toward quality is an effective method for incorporating risk into every quality management effort. Ensuring that every team member is properly and consistently building his or her own quality story through each and every action makes for a healthy and traceable outcome. This is best achieved through leadership and planning.

The governance of this standard is really based on the mindset of quality. It’s open to the interpretation that every company can determine and evaluate its own processes around the standard. Some tools to help ease the transition can be to focus on leadership and planning. Leadership aids in building a consistent focus on quality. Providing leadership to the quality team through encouragement and planning allows employees to feel appreciated and motivated, but also highly trained in understanding and considering all risks and opportunities, while being backed by automation.

Common tools for leveraging risk in compliance

Common tools for risk management treatment include:

• Decision tree. Easy to integrate with daily processes
• Risk matrix. Quick and colorful way to quantify risk levels with tested assumptions
• FMEA. For the design of products and processes
• Bowtie. For low occurrence events that may be catastrophic
• Risk register. For monitoring risk levels over time

To accommodate your own initiative for governance as well as risk and compliance, determining which of the tools listed above is best for your organization is the first step. Then, there are other tools that can help with the next parts, which are identification, evaluation, treatment, and action plans.

Other helpful tools

Auditing and surveying

Ask your colleagues what the potential hazards are within all areas of business. See how likely they are to occur and their unique problems. The results will most likely be plentiful, with a host of probabilities. But fear not, because the key is to collect and analyze to better categorize. This is called the taxonomy of risk, and can help you to make better sense of everything. Once this process is completed, building general scales of hazards with frequencies is the most logical way to organize the overall levels.

Document control

After surveying, you may be thinking, “How do I document this and prove it in audit?” Document control paired with risk management ensures that the process is built with work instructions and roles.

As a standard rule, especially when introducing new elements into processes, include document control for each step. In this way traceability will be built into the overall quality program, and the new processes will be recorded in the results of audits, surveys, and analyses.

When you are building the evaluation and treatment of risk, you need to control the tools you use. You also need to document each time it’s incorporated into a record. This is all about having traceability. Whether this is done manually, digitally, or through a technology solution, the traceability of the process and the practice of that process is necessary and considered risk-based thinking. This applies to compliance and your quality management system (QMS).

Employee training

Training is the foundation of your company’s safety and quality management strategy. It is important to continue training even after orientation is over, just as it is important to keep an eye on risk management and assessment once it is consistent and systematic.

Many a QMS allows users with employee training software to segment and assign training by role, department, or facility to ensure proper training to necessary employees. This is a great addition in that when changes or updates to processes or regulations pop up, they can be added immediately into the queue for training, just as an adverse event would within risk assessment.

Closing thoughts

Overall, risk is a universal compliance constant. It’s a practice that, once put into use, allows companies to take control back from the unknown. Automated resources and tools are helpful in figuring out your company’s specific path toward unveiling risk and allow users to then leverage specific tools to keep it consistent. The requirements in ISO standards are simply stated as the path to enrolling everyone in quality, which is why it pairs so well with the risk-based thinking methodology.

For more information on this topic, please join us for the webinar, “Applying Risk-Based Thinking in Your Operations—Tools and Tips for Incorporating Risk into Quality Management,” on Thurs., July 13, 2017, at 2 p.m. Eastern and 11 a.m. Pacific. I will be presenting, and Dirk Dusharme of Quality Digest will be the host.

Tim Lozier is the director of product strategy for EtQ, in Farmingdale, New York. He has extensive experience in the software industry, and has been involved in the creation of leading-edge technologies in user-interface design and development. He began his career in digital marketing before taking a turn into software design and marketing at Quark Inc. Since then, he’s never looked back—helping to foster the development (and blog about) leading quality management software solutions.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest” is a trademark owned by Quality Circle Institute, Inc.