The Risk and Compliance Paradigm

Editor’s note: In an upcoming webinar presented by EtQ and moderated by Quality Digest, we will consider the elements of risk management and what to look for in an effective software solution. For a preview of the webinar, please tune in to the Fri., Oct. 5, 2012, episode of Quality Digest Live, which airs at 11 a.m. Pacific from the EtQ User Conference in Squaw Valley, California.

The world moves fast. We produce more varied goods and services than ever before, and market demand has not let up. Consumers continue to want new products and services. Combine this with a complex supply chain and aggressive competitive landscape, and organizations are challenged just to stay in business, let alone stay at the top of their industry.

Where do quality and compliance fall in this picture? Not only are companies facing this increased level of volume and complexity, they must also maintain a high level of compliance to quality, environmental, and safety standards. Consumers expect new products to appear on the market quickly, and their expectations of quality remain high.

“Five Commonly Asked Questions and Answers on Managing Risk in the Midst of Volatility,” an article that appeared in the Sept. 28, 2012, issue of CFO Journal, cited a Deloitte and Forbes survey indicating that 91 percent of leading U.S. executives responsible for risk planned to reorganize and reprioritize their approaches to risk management during the next three years. The survey also noted that nearly 80 percent said this was due to market volatility during the past three years.

Organizations are faced with a new challenge: How to find a way to benchmark compliance in their processes, while keeping up with the complex and rapid pace of business.

Recently, organizations have taken a new approach to measuring and benchmarking quality, environmental health and safety (EHS), and compliance. It’s a systematic and objective means to assess adverse events and make decisions more efficiently, resulting in objective and consistent results. This method is risk management.

Now, risk management is not new to many industries. Risk-based standards, such as ISO 14971 and ISO 31000, have been in existence for years. These standards assist companies define their risk management programs, while more industry-specific standards, such as ISO 13485 and the upcoming revision to ISO 9001, are building risk management into their processes. Beyond the standards, risk management methodologies can be found in all types of industries, from food and beverage to aviation to life sciences to manufacturing.

Where is risk applied to quality and compliance?

We know that risk management and risk assessment are nothing new to business, but where are companies applying these risk methods to their business processes? Many organizations tacitly apply risk methods in qualitative fashion all the time and may not even know it.

Risk can be any systematic way of identifying adverse events, evaluating potential outcomes, and making decisions to implement controls to prevent and handle these events going forward. Figure 1 shows a standard risk management process:

Figure 1: The risk management process

In risk management, potential risks are identified, whether through proactive means or as damage control following an adverse event. From there, you evaluate the probability and likelihood of that event; this is typically where risk assessment tools come in handy. By using risk management methods, you can make effective decisions and implement controls to mitigate that risk.

Find a risk, assess its severity, and make a decision about how to handle it. Just like that.

OK, perhaps not “just like that.” As we said, there are many complexities in business today, and variables exist that affect risk-based decisions. For example, an emerging variable for risk is social media, partly due to its ability to act as an accelerant to other risks. That’s why quantitative risk tools exist to help provide metrics to weigh all variables and present the necessary data points to make the best possible decision. These tools vary by industry, but their goal remains the same: to help guide the risk management process.

Examples of risk tools and methods include decision tree analysis, fault tree analysis, risk matrices, human factor analysis, hazard analysis and critical control point (HACCP), hazard and operability studies (HazOps), failure mode and effects analysis (FMEA), job safety analysis, and others. Although all these tools have an underlying risk methodology, it is up to the organization to determine which method works best for its business.

It is also critical to understand that risk is not just about tools and methodologies. Risk is also about people—people are on the other end of these tools making the decisions that affect compliance. Many organizations assemble “risk teams” that collaborate and review adverse events, and use risk assessment tools to come to a collective decision. Risk should not operate in a vacuum; it needs a cross-functional team to be truly effective.

Risk in compliance as it relates to the product life cycle

Let’s take a look at how risk can be applied in a manufacturing operation. The product life cycle in manufacturing typically begins with a design and then moves to the production processes and supply chains. After a product’s release, the life cycle finishes up with post-market feedback and then responsible disposal. This is, of course, a simplified view, but it provides a basic framework of where risk in compliance can be found. Let’s start with quality by design and see how risk can be applied.

Risk in design: Build risk into the product foundation
At some point, all products begin as an idea. As we manufacture in our complex world, the design of products can become equally as complex. To truly mitigate product failures, risk management must be built into this design. Assessing and mitigating risks during the design phase helps to build better-quality products and maintain acceptable levels of compliance.

As an example, many companies use FMEA during the design stage (which is sometimes called DFMEA) to avoid future failures. The FMEA tool essentially takes the product design and breaks it out into its individual components, then conducts an analysis of potential points of failure for each component. Each component has an element of risk, and by identifying those risks early and adding up all the components involved in the final product design, you create a comprehensive risk assessment of that product’s design. Before you even go into production, risks are known and mitigated.

Risk in process: Grading the supply-chain and production
Companies rarely are vertically integrated, where each unit of the supply chain produces a different product or market-specific service, and the products combine to satisfy a common need. Instead, suppliers are outsourced to help build the final product. However, there are inherent risks associated with outsourcing. To maintain the level of quality and compliance consumers demand, we must ensure that our suppliers are operating at the same level of quality and compliance. Supplier management is a key component of the product life cycle, and companies need ways of ensuring their suppliers are performing to acceptable compliance levels.

Many supplier management processes include a scorecard or rating process whereby suppliers are graded on their quality levels, proper delivery of goods, and overall viability as a partner. Building risk elements into this process can help organizations decide which suppliers to use. Tools such as the risk matrix shown in figure 2 can weigh out several factors and build a risk picture of the suppliers. High-risk suppliers are identified early, and low-risk suppliers are favored. Furthermore, creating a level of transparency in this process can help suppliers mitigate their own risks to remain competitive. Suppliers can see how they rank in terms of risk and take corrective action to reduce their risk level to the organization to which they supply.

Figure 2: The risk matrix

Risk in post-market: Assessing adverse events and fostering continuous improvement
Although organizations do all they can to mitigate risk prior to release, there will be adverse events in the post-market release. This is where typical quality management processes take effect. Nonconformance, customer complaints, auditing, and similar functions uncover potential adverse events that may have affect quality and compliance. Some quality functions are critical to the business; others may not be as critical. Companies must ask themselves, “How do we discern the high-risk events from the low-risk ones?”

Without a way to filter and prioritize these adverse events, you face a conundrum; what metric would you typically use to determine how to address adverse events? Companies used to do this by most overdue, or date of first identification. This is flawed simply because a critical event could enter your system today, but you have literally a pile of existing events you must address, so that critical issue becomes lost in the pile. The key is to filter the adverse events so that those most critical to the business rise to the top. This is where risk assessment comes into play.

 

By conducting a risk assessment on every adverse event, you are able to prioritize by severity of risk. High-risk events are handled first, followed by those with a lesser risk ranking. This way, you are able to effectively address adverse events in a way that puts risk at the forefront of the quality management process.

Not only is risk assessment beneficial in identifying the criticality of adverse events, it will also help ensure that the actions taken to correct them are mitigating the risk of recurrence. Corrective actions are the heart of any good quality management system. It provides a systematic method of determining the actions needed to ensure adverse events are corrected properly. Part of the corrective action process is verification and effectiveness, in which you ensure that the corrective action actually fixes the systematic issue. Although you may be correcting these issues, is that corrective action reducing the risk of recurrence to within acceptable risk limits? By building risk methods into the corrective action process, you can conduct a verification risk assessment to ensure not only that the corrective action is effective, but also that is within an acceptable level of risk.

Taking an enterprise approach to risk management

Perhaps one of the reasons risk management is a leading benchmarking method in compliance within the market is that it is a universal language in many respects. In an organization, people may not always “speak” quality, they may not “speak” safety, but everyone speaks risk. This is especially true when you get to higher levels within the organization. Executives make decisions every day that affect the organization, and they must be informed of various levels of compliance to make those decisions. Risk management and risk reporting are the core methods employed to make enterprise-level decisions.

 

Enterprise risk management (ERM) takes the concept of risk to a level that breaks down all the various operational areas within an organization—such as quality, safety, finance, human resources, security, operations, corporate governance, and others—and creates a risk report for each one. Because risk can be universal, the various risks within these areas can be benchmarked in a systematic and standardized fashion. By standardizing compliance using a risk-based approach, executive stakeholders can make more informed decisions throughout the organization.

Essentially, ERM translates compliance into a common denominator that everyone can identify with, and this level of understanding can help the decision-making process be more efficient.

Conclusion

Is 100-percent compliance truly attainable within an organization? The answer is not really. There will always be some opportunity for improvement within any process. Is 100-percent compliance the “right” objective? Perhaps it’s more realistic to say that companies must seek ways to systematically reduce the risks that threaten their compliance goals. By implementing processes that build risk mitigation strategies into every aspect of their business, they are able to continually benchmark their compliance at all levels, and take steps to mitigate those risks. Risk management can function as a series of “checkpoints” that help ensure the highest degree of compliance throughout the enterprise.

About The Author