The Risk Oversight chapter is meant to lay the foundation for the entire risk management section.
We will start by answering the question: what is Risk?
Then we will look at the different types of Quality Risks to be aware of.
We will follow that up with a review of the Risk Management process and how risk management should be integrated into the Quality System (QS).
We will then dive into the relationship between Risk Management & Quality Management; and how risk management can be integrated into each of the various topics within the CQE Body of Knowledge.
What is Risk (Severity & Likelihood)
From a very generic perspective, Risk can be thought of as the effect of uncertainty on our desired goal. Within the world of Quality, our desired goal is generally described as “high quality” or “customer delight” or “conforming product”.
It’s important to remember though that uncertainty can work both ways. It can have either a negative or a positive impact on our goals.
You can have good luck or bad luck.
Most often however, especially in the world of quality, we generally think of the consequences being a negative event.
This is essentially because our product should work correctly every time, and there generally isn’t any room for any additional positive events when it comes to our products.
So in Quality Risk Management we tend to focus on how uncertainty can result in a negative impact on our product.
Therefore, the definition of risk as it relates to Quality Management has been more narrowly defined as the combination of the probability of occurrence (likelihood) of a negative event and the severity of that event.
Quality Risk = Severity X Occurrence
That negative event can be as small as a non-obvious cosmetic issue or as severe as death or serious injury to your customer.
Below is a Risk Ranking Matrix that shows the relationship between the calculated Risk value (the numbers in the matrix), the Severity (Y-Axis) and the Likelihood of Occurrence (X-Axis). As either increases, Risk increases.
This matrix assumes that the scales of your Risk Analysis for both Severity & Occurrence are 10-point scales from 1 to 10, with 1 being the least severe or least likely value and 10 being the highest; however, this scale is arbitrary.
Types of Quality Risks to Manage
As we talk about integrating risk management into the quality system, it’s important for you to know the different types of risks that you’ll need to consider.
Essentially, for every area of business or life, there is risk.
That is to say, there is some uncertainty that we won’t achieve our goals.
From a quality perspective, we have to manage the risks that might prevent us from achieving our goal of a high quality product or customer delight.
Hence the name Quality Risk.
A Review of the Quality Risk Management Process
So now that we understand risk, it’s time to talk about Risk Management.
Risk Management is defined as the systematic application of management policies, procedures & practices to the tasks of assessing, controlling, monitoring, communicating & reviewing risk throughout the lifecycle of a product or service.
These activities are the key (identifying, assessing, controlling, monitoring, communicating and reviewing risk), and they are reflected in the risk management flow diagram below.
Keep these activities (identifying, assessing, controlling, mitigating, communicating & reviewing risk) in mind as we discuss the integration of risk management into the Quality System.
What you should begin to see is how many of the various quality processes & systems significantly contribute to these activities within risk management.
So when we’re managing risk, we’re inherently improving quality, and vice versa.
Integration of Risk Management into the Quality Management System
OK, now we’re ready to talk about how Risk Management can be integrated into the various elements of the Quality System.
Before we start, I want to quote ISO 31000:2009 (Risk Management) – “Risk Management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective & efficient.”
The standard goes on to further say that “The success of risk management will depend on the effectiveness of the management framework providing the foundation and arrangements that will embed it throughout the organization at all levels.”
The reason that we want Risk Management embedded into our quality system is that Risk can occur or be introduced at any point throughout the lifecycle of your product or service.
Therefore we must ensure that Risk Management is embedded into each element of the Quality System and covers your product’s entire lifecycle.
Below are the 6 other pillars of the CQE Body of Knowledge that represent the entire product or service lifecycle.
Risk Management and Management & Leadership
Within the Management & Leadership pillar of the CQE Body of Knowledge, there are three key topics that are interrelated with risk management.
These include supplier management, communication & top management’s responsibilities, especially in the area of policy development.
Top Management Responsibilities
One of the most important responsibilities of Top Management is the creation of a Risk Policy.
Top management is responsible for establishing this policy which defines the acceptable level of risk associated with your products or services.
These risk acceptability criteria will be utilized during the Risk Evaluation phase of the Risk Assessment process to determine if your identified risks & their associated risk levels are acceptable or not.
This determination of risk acceptability should occur before you design a product or perform a risk assessment.
This level of risk acceptability essentially defines your organization’s appetite for risk.
That is, how much risk you’re willing to accept, or how much risk you’re willing to subject your customers to before you take action & reduce risk.
Supplier Management
Our suppliers can be a major source of risk that should be managed.
When suppliers provide us with non-conforming parts, those components can result in a product failure or unsafe condition for our end user.
This is where our supplier management program can improve quality and reduce risk at the same time.
You can find elements of risk management within the Supplier Management Process already.
For example the supplier evaluation & selection process is meant to determine which supplier is the most capable of providing high quality, low risk components.
Then, the idea of supplier monitoring & improvement is all about managing & controlling the risks associated with your suppliers & their supplied components.
A risk based approach to quality can also be found within the supplier scorecard tool.
The entire idea of a supplier scorecard is similar to the risk assessment process meant to determine your highest risk suppliers that require auditing or corrective action.
Communication
The next important topic we need to discuss is the best practices surrounding Risk Management & Communication.
If you look back at the overall risk management process, there are multiple points where communication is recommended or required.
This communication & reporting is beneficial in that it ensures that all of your key internal stakeholders have the appropriate level of awareness of the ongoing risk management process.
Communication also encourages more accountability & ownership of the risk management process and the resulting level of risk associated with your product.
Good communication also opens up a dialogue between the risk management team and the internal stakeholders that might have relevant input or be able to provide consultation on the overall product or process.
Risk Management & The Quality System
Within the Quality System pillar there are many different topics that are intertwined with the risk management process.
For example, documentation & quality training are two of the primary tools used within the quality system that contribute to risk management.
As we create documentation (Procedures or Work Instructions) for our processes, we’re mitigating the risk that our process will be performed incorrectly, which could potentially result in product that doesn’t meet our customers’ needs.
This is where training comes into play.
Once we’ve documented how our processes should be executed, it’s important to train our employees on the procedure to ensure that they are knowledgeable & capable of fulfilling all of the requirements within the procedure.
You could also utilize a risk-based approach to determine the proper level of initial & on-going training required for your employees.
This same thought process could be applied to the identification of required experience, qualification, education & training level for particular roles within the organization.
For example, it would be extremely important to train your employees on how to apply the risk management techniques that we’re able to discuss so that they’re capable of using them properly.
Without the proper training, critical elements of the risk management process might be overlooked, resulting in the incorrect assessment of risk and the potential exposure of your customers to an unacceptable level of risk.
The Design Process & Risk Management
Risk Management is HUGE in the Product & Process Design stage of your product’s lifecycle.
One of the most important steps in the design process is to perform a Risk Assessment for your new product or service to identify hazards and feed the analysis back into your design process to achieve “Quality or Safety by Design”.
Your design efforts could also include a Design FMEA to identify & mitigate any high risk failure modes associated with your product.
Your design efforts should also include the identification of CTQs (Critical to Quality), or CQAs (Critical Quality Attributes). These are features of your product that, if they were to fail, would result in a serious impact to the end user.
As such these attributes have an element of risk to them and should then be monitored & controlled as part of your risk mitigation strategy.
Your technical drawings are similar to process documentation discussed earlier. By accurately defining your design using technical drawings you’re creating a tool that can be used to ensure product quality throughout the lifecycle of your product.
This will ultimately reduce the probability of a failure of your product and help mitigate the risk associated with those failures.
The design process is also when you would first perform a Process FMEA.
This Process FMEA would help you assess the risk associated with your process and identify any areas of unacceptable risk that require mitigation.
Your Design V&V process is also meant to be one last checkpoint to ensure that your product functions per your specifications, meets your customer’s needs and does not result in an unacceptable level of risk to your customer.
Process Validation is very similar here too. By validating your process you’re confirming with objective evidence that your process performs as intended and results in product that meets your specifications.
The success of your Design V&V & Process Validation work should culminate in the creation of a process control plan that defines all of the necessary testing, inspection & sampling steps to ensure that your process is in a state of statistical process control and is capable of producing conforming parts.
Product & Process Control & Risk Management
Once you’ve designed a product that is low risk, you now must go through the process of ensuring that same level of low risk throughout the lifecycle of the product.
This is achieved through Product & Process Control.
By controlling & monitoring your various manufacturing processes and ensuring that they’re operating within a validated state, you’re ensuring that you’re producing parts that meet your customer’s needs and requirements.
This includes all of the topics within this pillar: your control plan, your control of non-conforming material, your testing & sampling plans, and your measurement & calibration (metrology) program.
For example, we calibrate equipment to ensure it is accurate and capable of discerning good products from bad, thus reducing or eliminating the risk of accepting bad product. This is also true when we’re determining the capability of our measurement system.
Similarly, we control non-conforming material to prevent it from being distributed to our customers to mitigate any risk there.
Risk Management & Continuous Improvement
The biggest relationship between risk management & continuous improvement can be found in CAPA.
When a non-conformance occurs, you’ve essentially identified a potential risk. If it’s a new & never before seen non-conformance, you can perform a risk assessment to determine if the risk associated with that event is acceptable or not.
Regardless of your risk assessment, your corrective action & the CAPA process is one of the biggest tools for Risk Reduction within the Quality toolbox.
Another strong relationship exists between the risk management tools like the FTA & PFMEA and a handful of the Quality Control Tools.
For example, the Flow Diagram, Cause & Effect Diagram and Check Sheet are common tools that facilitate the risk assessment process.
Control Charts are another Continuous Improvement tool that is meant to monitor your process to mitigate the risk of non-conforming product being produced and ultimately distributed to your customer.
The last comment I’ll make is about the continuous improvement tools like lean & six sigma.
Most of the time these projects are meant to improve your process and reduce risk; especially in the world of six sigma where the goal is to reduce your process variation and thus improve process capability and eliminate defects.
However, some improvement projects and other various changes to your process can introduce new sources of risk.
So I would strongly caution that you perform a risk assessment when planning your changes to ensure that you’re not introducing any new sources or opportunities for risk.
Risk Management & the Quantitative Methods & Tools
Alright, on to the last pillar of the CQE Body of Knowledge: Quantitative Tools & Methods, otherwise known as Statistics.
Within this pillar there are two key tools that are related to Risk Management: Process Capability & Statistical Process Control.
We’ve already touched on the concept of a Control Chart and its relationship with the Risk Management process.
So we will focus here on the idea of process capability and its relationship with risk; specifically, the “likelihood” element of risk.
When process capability is poor, the likelihood for non-conforming material increases, thus risk increases.
As you can see below, if the tails of your distribution drift past the specification limit, that portion of your population is non-conforming and thus has an element of risk to it.
If that product is 100% inspected and scrapped during your manufacturing process, then you’ve introduced business risk. The financial performance of your company has decreased due to your poor process capability.
If that product is not 100% inspected and it is distributed to your customer, then you’ve potentially introduced User Risk or Product/Reliability Risk.
Lastly, when a non-conformance reaches your customer, it introduces business risk in the form of lost goodwill or brand reputation.
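The link between process capability and the likelihood element of risk can be made concrete with a short calculation. The following is an added example, not part of the original chapter; it assumes a stable, normally distributed process, and the specification limits and the three scenarios are constructed for illustration.

```python
import math

def tail_prob(distance, sigma):
    """P(X lies beyond a limit that is `distance` away from the mean), normal model."""
    return 0.5 * math.erfc(distance / (sigma * math.sqrt(2.0)))

def capability(mean, sigma, lsl, usl):
    """Cp, Cpk and expected nonconforming fraction for a normal, stable process."""
    if sigma <= 0 or usl <= lsl:
        raise ValueError("need sigma > 0 and usl > lsl")
    cp = (usl - lsl) / (6.0 * sigma)                    # potential capability
    cpk = min(usl - mean, mean - lsl) / (3.0 * sigma)   # actual capability (accounts for centering)
    below = tail_prob(mean - lsl, sigma)                # portion of the lower tail past the LSL
    above = tail_prob(usl - mean, sigma)                # portion of the upper tail past the USL
    return {"cp": cp, "cpk": cpk, "below_lsl": below,
            "above_usl": above, "ppm": (below + above) * 1e6}

# Constructed scenarios: (label, process mean, process sigma)
SCENARIOS = [
    ("centered, sigma 0.10", 10.00, 0.10),
    ("mean drifted to 10.15", 10.15, 0.10),
    ("sigma grown to 0.15", 10.00, 0.15),
]

def compare(lsl=9.70, usl=10.30):
    """Evaluate every scenario against the same (constructed) spec limits."""
    return [(label, capability(mean, sigma, lsl, usl))
            for label, mean, sigma in SCENARIOS]

if __name__ == "__main__":
    for label, r in compare():
        print(f"{label:24s} Cp={r['cp']:.2f} Cpk={r['cpk']:.2f} "
              f"below LSL={r['below_lsl']:.6f} above USL={r['above_usl']:.6f} "
              f"nonconforming={r['ppm']:.0f} ppm")
```

Both a drift of the mean and an increase in variation push more of the distribution past a specification limit, so either one raises the likelihood of non-conforming product even though severity is unchanged.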
Conclusion
Alright, time for a quick recap!
The purpose of this chapter was to introduce the concept of risk and discuss the different types of Quality Risks.
Additionally, we wanted to discuss the process & framework for the entire risk management pillar, and how risk management should be integrated into the Quality System (QS).
To do this, we introduced the concept of Risk as the combination of the probability of occurrence of a negative event, and the severity of that negative event.
We then moved on to discuss the different types of Quality Risk; those being User Safety Risk, Product/Reliability Risk & Compliance/Regulatory Risk.
We then moved on to the concept of risk management which is defined as the systematic application of management policies, procedures & practices to the tasks of assessing, controlling, monitoring, communicating & reviewing risk throughout the lifecycle of a product or service.
From there we discussed the relationship between Risk Management & Quality Management; and how risk management can be integrated into each of the various topics within the CQE Body of Knowledge.
This is where we went in-depth and discussed how risk management is related to or integrated into each of the various topics within the CQE Body of Knowledge.