Morgan Palmer

Does Your QMS Speak Risk?

Risk management can help streamline compliance in an objective and systematic way

Published: Monday, April 22, 2013 - 11:36

Editor’s note: Quality Digest hosted Morgan Palmer’s webinar, “Defining and Building a Risk Management Strategy for Quality and Compliance Management Systems” on Tuesday, April 30, at 2 p.m. Eastern/11 a.m. Pacific.

When we look at the dynamics of commerce, from any industry, we see an increasing rate of change. Changes in products, processes, and regulations are all driving companies forward. One process affects the next, and with a growing emphasis on compliance regulations and standards in a global marketplace, complexity is the new cost of doing business.

We’ve also begun to see disparate trends in quality and compliance. As businesses become more complex, quality cultures change, sometimes from a regional perspective, but also companywide. Growth and expansion also give rise to more industry regulations and requirements, which companies also must address. As they expand in complexity, businesses struggle to align their regulatory compliance efforts with their quality management system (QMS) initiatives.

All these factors weigh heavily on organizations. How are they able to keep up?

Technology is one way to streamline complexity. It can help align business processes with compliance initiatives and drive better process automation. Companies are tying more areas of their business together to improve communication and create greater visibility into operations. At the same time, organizations try to keep a consistent and singular workflow for processes that adhere to compliance initiatives.

This all comes at a cost, of course. Systems are an investment, as are the time and resources required to maintain compliance. There’s also the cost of compliance reporting; we must invest in these reporting methods to demonstrate compliance. As quality management regulations change, we may be faced with additional costs. We may need to change equipment to adhere to a new quality standard. We may even need to adjust an entire work area for quality initiatives or new products.

We know that compliance is necessary, and it can be a significant investment for an organization. How can we find ways to streamline the compliance process while mitigating costs? Risk management can help streamline compliance in an objective and systematic way.

When we talk about risk management, we’re not just talking about one area in the business. Risk management is an umbrella that spans the enterprise. It includes everything from quality to environmental health and safety (EHS) to finances and the supply chain. That is why it is so powerful as a concept; we can use risk as a universal methodology for benchmarking compliance within the organization.

Overcoming risk management misconceptions

Often when people think about risk management, they’re really thinking about the risk-assessment tools. The tools are important, but they are only one piece of the whole. It’s really the content behind them that is the most critical aspect. Having a tool in place is good, but it is not going to capture everything. We use tools such as risk assessment to identify known hazards, but how do we know what our unknown or unidentified hazards are? Tools are not going to help find the unknowns; you need a risk management process for that. Similarly, how can you adjust your risk levels and associated guidance as your business evolves? The tool is a fixed point that assesses the risk, but you need to look at the content and context of your operations to adjust the risk levels and make changes to guidance as you encounter new hazards and potential risks.

We need to realize that the tools are just tools, and understand their limitations. People are not inherently good at assessing risk. Here are some reasons why:
We are not as perceptive as we think we are. We are not adept at expecting things that we can’t imagine or have never experienced; in other words, we can’t anticipate unexpected events.
We are not good at recording information. When we do encounter hazardous events, our ability to record the event is flawed. We are not recording machines; we take the events and attempt to reconstruct them as we see them. We project our point of view onto situations.
We see patterns where none exist. We tend to see patterns in random events; we look for order, and when we can’t find it, we create a subjective pattern.
We think we understand more than we do. We also think we have a deep knowledge of all processes, when in fact we have only a basic understanding; we often insert our own understanding into a process and come to a subjective conclusion.
We will inherently follow a group mentality. Finally, we tend to “group-think”—i.e., if everyone on a quality team reaches a similar consensus on an issue, then it must be the right decision.

The point is that without a true risk structure and process, using tools alone can lead to subjective errors in risk recording. It’s also important to realize that prediction is hard. Even experts don’t always get it right. We must ensure that we understand the limitations of the situations and circumstances in which we work, knowing what we can predict vs. what is hard evidence.

Then there is the issue of cumulative risk. We may weather a lot of little events with minor impacts. These fly under the radar because they are minor, but if all these minor events happen at the same time, they can have a critical effect. For example, a factory could be at maximum production, which is tolerable. There might be some routine equipment maintenance, which is normal. A new production line might be starting, which is not uncommon. And, a supplier’s materials might be late due to a snowstorm. All these things on their own represent a minimal risk level, but if they all happen on the same day, the risk of an adverse event increases significantly. Risk management requires that we become attuned to this way of thinking.

Although you can’t have risk management without risk assessment, the structure is in risk management. It’s the process in which we systematically come to the right conclusions, using risk assessment to analyze the overall process. We need a risk management process to help eliminate our subjectivity, and to maximize the effectiveness of the tools within the process.

Finally, risk management requires collecting a lot of data. One operational area is usually not enough; single data points are going to give you something, but not the whole picture. Roll out risk management throughout the enterprise, and record all types of data, not just the more critical. Look at the near-miss data as well as the critical data to get a complete picture of the company’s risks.

Risk assessment tools for quality management compliance

Risk assessment is an important tool to measure levels of risk. It gives us the means to evaluate risk in its operational context. Risk assessment allows us to apply event data using a risk-based approach.

What makes risk assessment powerful is that it is repeatable and objective; we can replace the otherwise subjective “gut feelings” with a more guided, decision-making approach. Furthermore, risk assessment is easy to understand for people who aren’t directly involved with the process.

Risk assessment helps to drive change, in both short-term and long-term contexts. What we’re doing is building alerts for critical events and wrapping guidelines and decisions around risk assessment to develop solutions for risk levels that are unacceptable. We can implement solutions for high risks in a more automatic and consistent manner.

However, it’s important to reiterate that risk assessment is a tool, not the solution. Like any tool, we must be careful of falling into a false sense of security by relying on it alone. In some cases, someone on the shop floor may see something as a critical risk and escalate the level of risk, whereas when it’s considered from the top floor, the risk may not be as bad in the larger context of operations. Risk must be universal in this sense and not a matter of opinion. We must continuously test our risk assessment with content as well as historical data, and then tweak the risk tools based on these data. We need to have a team in place to vet our risk tools and make sure we’re achieving the right results. As our operations change, or as more data fill the system, we may find that the risk levels need to be adjusted.

In a quality management context, risk is found throughout business operations. When we look at the QMS process, we find areas where risk assessment makes sense as a useful tool:
Product and process design. As companies build out new products or processes, they can build risk assessment in an operational context around several areas. Planning functions such as production part approval processes (PPAP) can benefit from using this tool. Production and product planning are key components for starting the product life cycle, and by building risk into these areas, we can foster risk-based compliance at the start.
Manufacturing and delivery. In manufacturing, adverse events will happen. Risk assessment can help analyze the severity and criticality of those events, which will lead to better, more informed decisions. As we record nonconformances or deviations, having a risk methodology in place to filter a critical event can ensure that we are paying attention to the events that pose the greatest risk to the organization.
Post-production. Most risk-based events will happen during the post-production part of operations. These usually come as complaints, audits, or supplier performance. Risk assessment is a powerful method for prioritizing adverse events and ensuring that they are responded to effectively. Building risk into corrective and preventive action processes provides an important function when conducting effectiveness checks. How can we correct systemic issues to within acceptable risk levels? Risk assessment serves as an important “check” on the effectiveness of corrective actions taken.

Risk management starts now

Risk management, if not already started in your organization, should start now. What this means is that compliance is moving toward a risk management focus, and building risk technologies and tools is a great way to benchmark and measure compliance.

However, the technology behind risk management is not automatic. It is a collection of processes and tools to support decision making and does not replace people. Risk tools will take a level of subjectivity out of the equation, but the ultimate decision-making still relies on people. Many organizations assemble a risk team to ensure that decisions are made properly, and they use historical data to help fine-tune their risk assessment to ensure accurate results.

Risk is a common element at all levels of compliance. It’s applicable to many operational areas. It provides an objective and systematic way to filter and prioritize adverse events, and in this complex business environment, we need to improve the speed and quality of our decision-making capabilities. Risk terminology offers a common language for complex operational issues, and it can easily be interpreted at all levels of the organization.

If your QMS operation can speak risk, you can vastly improve your ability to affect compliance within your business.


About The Author

Morgan Palmer

Morgan Palmer, chief technology officer at EtQ Inc., has more than 20 years’ experience delivering software solutions. Palmer joined EtQ to create the company’s first software application and is now responsible for Reliance, EtQ’s flagship product for quality, environmental, and safety management.


the seven sisters

I'm obviously not thinking of the beautiful Norwegian waterfalls: these days I'm reading Benito Li Vigni, an Italian oil expert, his 2006 book, the title of which could be translated "In the Name of Oil" - by the way, I also found on YouTube Vitor Hugo's piece "Secret of the Seven Sisters: the Shameful Story of Oil". To the extent risk management talks to quality & health & safety & environment management, how can we envisage some companies' conduct as consistent with risk management? Risk management, as it is commonly understood, is a social affair, it is not a profit-making gadget, as the QMS standards have become. Thank you.