…in the end risk management is how organizational knowledge and knowledge are transformed into strategic ideas and strengths. ” – Harry Hertz, Director Emeritus Baldrige Performance Excellence Program
Although quality managers are commonly thought of as product managers who meet standards and processes that fail, what they care about is performance – helping people and machines work together to make things easier, better, faster, and less expensive.
Sometimes this means enforcing controls to prevent losses or carry out projects that reduce waste or increase efficiency. Other times, it means identifying and understanding opportunities for improvement and growth. Risk detection and management techniques are usually found in the quality toolbox.
Risk-based thinking is a “mindset that promotes confidence in achieving results using methods that address threats and opportunities” (Laqua, 2018). This mentality can be applied during work when designing a product or process while improving a product or process, or even when designing a strategy. Risk-based thinking can help you avoid losses, capture opportunities, and improve communication throughout your organization – so it is no surprise that it is a crucial component of many quality management systems, including ISO 9001. : 2015 and the Baldrige Performance Development Process.
How can you develop the underlying habits associated with risk management and evolve them at all levels of your body?
How can you leverage QMS software?
Risks and threats are sources of danger.
Risks, which are situations that are likely to cause injuries or damage that may be physical, chemical, biological, ergonomic, psychological, political, or social.
Risks can become threats if they are triggered. For example, a virus (computer or biological) can be a danger, but it is only a threat if one can be affected by it. The likelihood and severity of these effects on a particular person, place, or thing determine the risk.
The risk is consequently on who or what is affected. As a result, before you start, you need to develop an organizational profile (called the “organizational framework” in ISO 9001: 2015).
Most importantly, the organizational profile should describe the stakeholders and their needs. Stakeholders, according to the ISO 9001: 2015 standard, can be customers, suppliers, employees, members of the community or region where the organization or society, in general, is located. Governments are also stakeholders, especially for organizations that are highly dependent on them.
Organizations can identify, assess, and address risks at different levels of formulation and can narrow the scope to individual departments or facilities or extend it to the enterprise level. Systematic risk management follows a data-based approach (Plan-Do-Check-Act-PDCA) (IOSH UK, 2017) and characterized by the following activities:
- Defining policies for quality, environmental management, and/or health and safety
- Defining procedures, roles, and responsibilities
- Conduct risk assessments and establish controls
- Performance monitoring
- Carry out regular reviews
- Continuous improvement of policies, procedures, roles, responsibilities, and controls to improve the performance of the system as a whole
These steps can be considered as parallel processes when quality, environment, and health and safety systems are managed independently or can be combined for organizations that have integrated management systems (IMS).
WHY APPLY RISK ANALYSIS
Simply put, organizations adopt risk-based reasoning to make better decisions – especially when operating in a challenging, fast-paced, or otherwise uncertain environment. Although the return on investment (ROI) for risk-based thinking is difficult to characterize, most organizations report reports of (sometimes spectacular) failures and inefficiencies resulting from pretending that nothing unexpected will happen – or not investing time or resources are required to plan the contingencies.
According to Willumsen et al. (2017), this improved decision making can bring many benefits, such as:
- Reducing the frequency of losses
- Reducing the chance of loss
- Reduce the cost of losses
- Improve response time to unexpected events
- Reduce stress
- Improving communication
- Enhancing organizational learning
- Collection of new opportunities for development and improvement
Risk assessment and risk management take time, effort, and money.
Risk management is much more than an evaluation or management exercise. The time you spend planning, finding, and dealing with risks also helps you learn about your organizational processes with your colleagues. This process of shared learning helps to build and strengthen relationships and often improves communication. A better understanding of the organization and its processes leads to improved business results. (Kovach & Fredendall, 2013)
THE PROCESS
Risk management is a set of “systematic approaches to organizing the pros and cons of an alternative decision” that includes the following general steps: (Aven, 2016)
- Establishment of the framework. Define the purpose, objectives, and criteria governing risk management activities in the organization.
- Risk assessment, which includes:
- Risk identification
- Risk analysis
- Risk assessment
- Risk management. Address the risks and monitor the effectiveness of the treatments.
This process is summarized in Figure 1, from ISO 31000: 2018, Risk Management – Guidelines:
The risk-taking step requires more than just locating a control and putting it into operation because there are several different ways in which your body can respond to risk.
If you do not detect or manage risks, your default choice is to ignore all risks. Applying controls (in the design, in the production process, or after the sale) helps to reduce the risks and sometimes eliminates them.
An organization may share risks with partners or customers (for example, by developing collaborative new products or features) or it may transfer risks to other places, such as insurers.
Finally, an organization can avoid risks by adapting its business model, influencing the competitive environment, or transforming the business to change the nature of the risks.
The Excellence Performance Baldrige program (a quality system that shares the core concepts of ISO 9001: 2015, but applies them more holistically and flexibly) presents some ideas on how to use the organizational profile to investigate risks.
Baldrige promotes smart risk-taking to find transformation paths:
- Point 1.1 – How do senior leaders create an environment for innovation and intelligent risk-taking, strategic goal achievement, and organizational flexibility?
- Point 2.1 – How do you decide which strategic opportunities are intelligent risks?
- Section 5.2 – How (performance management system) enhances smart risk-taking to achieve innovation, strengthen customer and business focus and enhance the implementation of your action plans?
- Section 6.2-How do you pursue strategic opportunities that you identify are intelligent risks? Risk-based thinking may not solve all your problems, but it will make you think more strategically about how to deal with the unexpected.
Risk-based thinking may not solve all your problems, but it will make you think more strategically about how to deal with the unexpected.
RISK-BASED ANALYSIS IN ISO 9001: 2015
The latest revision of the ISO 9001 standard puts risk-based thinking at the forefront. Although risk was a significant part of previous ISO 9001 revisions, these changes encourage companies to adopt a more cautious and anticipated mindset. The risk appears in all the main paragraphs of the ISO 9001: 2015 standard (Hoyle, 2017)
Finally, the Plan-Do-Check-Act approach is maintained, but the risk now plays a central role in defining the organizational framework, establishing structures for quality management, and evaluating QMS performance, always concerning customer satisfaction and analysis of other business results.
Reference:
- Baldrige Outstanding Performance Program (BPEP). (2018). Excellence Baldrige Framework. Available at https://www.nist.gov/baldrige/publications/baldrige-excellence-framework/businessnonprofit
- Aven, T. (2016). Risk assessment and risk management: A review of recent progress in their establishment. European Journal of Operational Research, 253 (1), 1-13.
- Hertz, H. (2016, Summer) Business Risk Management Requires Systems Perspective. Baldrige Blog. Available at https://www.nist.gov/baldrige/enterprise-risk-management-requires-systems-perspective
- Hoyle, D. (2017). ISO 9000 quality system manual – updated to the ISO 9001: 2015 standard: Increasing the quality of an organization’s results. Routledge.
- Illés, BC, Szuda, C., & Dunay, A. (2017). Quality and management – Tools for continuous and systematic process improvement. Occupational Safety and Health Institute (IOSH UK) (2017). Combined work – introduction to integrated management systems.
- Kendall, K. (2017). The growing importance of risk management in an uncertain world. The Journal of Quality and Participation, 40 (1), 4.
- Kovach, JV & Fredendall, LD (2013). The Impact of Continuous Improvement Practices on Learning: An Empirical Study. Journal of Quality Management, 20 (4), 6-20.
- Laqua, Raimond. (2018, August 23). Avoiding danger. Intelex Community Webinar. Available at https://community.intelex.com/library/peer-resources/demystifying-risk
- Willumsen, P., Oehmen, J., Rossi, M., & Welo, T. (2017). Applying flexible thinking to risk management in product development. In Proc. 21st Intl. Conf. in Engr. Design (ICED 17), Vancouver, 269-278.
Source: https://www.qualitymag.com/articles/95239-risk-based-thinking-creating-opportunities-from-strategic-insights
