Saturday, April 15, 2006

Policy Governance & Risk - Quality Approach

Qualityworld

The risk factor

Corporate risk comes in many guises, from the smallest of pitfalls, which at worst might cause an organisation expense or embarrassment, to outright disasters, the results of which can be catastrophic. Mike Debenham, IQA professional affairs manager, and David Hutchins, chairman of David Hutchins International Ltd, explain what measures can be taken to reduce and manage risk.

When the word risk is used in an industrial context, it usually refers to the possible but uncertain and undesirable outcomes of business-related activities. The particular risk concerned may be either predictable and foreseeable or unpredictable and unforeseeable. In the case of the latter, by definition, there is little we can do but hope that they do not occur. However, some seemingly unforeseeable risks may actually be anticipated if sufficient time, thought and research are applied to the situation.

What's the risk?
Organisations that are confronted with high likelihood risks to life invariably have very high profile forms of hazard analysis, involving well-trained experts in the specific risks involved. Their activities involve risk identification, risk analysis and prevention and quick reaction when an incident occurs to limit the effect on life.
To many who are involved in this work, the term 'risk management' has a scope that relates to nuclear, chemical, explosive, poison and occupational health and safety type risks. While we must acknowledge the importance of these, we must not forget that there are other forms of risk that might not be life threatening but that can be catastrophic in other ways.

The Barings crash
The fate of Barings is one example. Who, other than possibly Nick Leeson himself, could have predicted only days before the facts became known that one of the world's most reputable financial institutions would crash so dramatically and without any warning?
And there are other types of risk. For example, industrial action, unwelcome legislation, currency value changes, insurrection, trade barriers, products liability, hostile take-over bids, aggressive competitors, new competitors, new products, the impact of the electronic calculator on the slide rule business - the list is endless. What is important in all of these cases is that action is taken:
to identify all of the possible risks confronting the organisation
to determine their probability of occurrence and the consequences of such an occurrence
to conclude what action should be taken for prevention or risk reduction
Underpinning all successful business processes is the effective management of risk. If risks are identified, categorised and proactive measures are implemented to manage them, there will be evidence on file to support the day-to-day business decisions made on behalf of management or shareholders. If the presence of risk is simply ignored then management will find itself exposed when risks, which could have been foreseen and planned for, occur with the associated financial penalties.
The management of risk can be viewed from two perspectives, first from the level of managing corporate risk and setting in place the necessary strategies and associated control measures, and second from the perspective of personnel who use the risk-based procedures for making day-to-day business decisions.
How to deal with risk

The corporate risk
Much has been written about the management of corporate risk and it is usually defined by something similar to the process shown in figure 1. A number of tools are available to control an organisation's exposure to risk:
formal systems management
partnering arrangements
insurance
risk tolerant work packages
prototype and product testing
provision of risk reduction resources
risk assessment and risk management
Figure 1. The effective management of risk
Formal systems management
The application of the basic principles of formal systems management may also form part of the package of risk control measures, based on a model such as the one detailed in figure 2.
The management of the organisation's exposure to external risk is addressed through the gap analysis between external requirements and the defined system requirements, while internal risk is addressed through the definition of system requirements, training in those requirements and measurement of evidence that the requirements have been executed.
Figure 2. A management system model (business systems management)

Partnering arrangements
Where items or materials are purchased on a regular basis, a customer may decide to develop a partnering arrangement to contract out the associated risks to the supplier. The customer will make a commitment to the supplier and in return, the supplier will take on some or all of the risks associated with late or non-compliant delivery. The customer may categorise items of equipment and materials as well as specify limits for financial penalties.
Alternatively, in the case of products liability risks where the customer has large resources, it is common for the customer to underwrite or take over the risks of its supplier. This is particularly the case in the automotive industry, where product recall is a high level risk with a high rate of occurrence. It also carries with it the threat of potential bankruptcy if products liability lawsuits are successful. The reason is that, in law, when a products liability case arises, it is in the interest of the claimant to sue everyone in the supply chain - initially from the retailer back - and then focus on the one most likely to be able to pay. Many suppliers to the large automotive companies would not trade if they were confronted with this level of risk. Partnering may also reduce the risk of unpredicted bankruptcy of a critical supplier.

Insurance
Where the use of partnering arrangements is impractical then the customer may identify those risks to be insured in-house and on the open market.

Risk tolerant work packages
To reduce the cost of insurance, either in-house or by a third party, the customer may develop risk tolerant work packages. The use of suppliers' standard items that have already been extensively tested in previous use, rather than custom-built, untried items of equipment, is an example of this type of package. Boeing, for example, has a policy that each new design of aircraft must contain at least 70 per cent components in use in earlier models. The adage 'innovate at your peril' is extremely apposite.

Prototype and product testing
To reduce the risk of recall and prosecution under the product liability laws, prototype and product testing and validation of service has been used as an effective form of risk control. There are two aspects to this approach:
risk prediction - this can be done using such tools as FMEA and fault tree analysis. These tools are quite similar to each other and involve such techniques as brainstorming, affinity diagrams and relationship digraphs to predict high likelihood risks and possible countermeasures. In the case of management and financial risk there is an adaptation of FMEA known as a process decision programme chart. It can be used very effectively for the prediction of management related problems, the identification of countermeasures, and the identification of problems caused by the countermeasures, on an iterative basis, until either achievement of the desired outcome can be reasonably assured or the mission is abandoned.
risk analysis - this involves life testing, accelerated life testing, environmental testing, Weibull and other forms of failure analysis. From the results of these tests preventive strategies can be developed. For example, it is known from the results of extensive product testing that sodium streetlights run for a fairly predictable 8,000 hours. Rather than replace each one individually on failure, it is more economic to replace all of the lights in the area whether they have actually failed or not. This is known as a block replacement policy and is extremely economical.
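To put a figure on the claim that block replacement is economical, the following script is an added illustration and not part of the original article. It fits a Weibull life model (a wear-out shape parameter and a scale chosen so that the mean life comes out close to the 8,000 hours quoted for sodium streetlights; both parameters are constructed), solves the renewal equation numerically to get the expected number of in-service failures per lamp position over a planned interval, and compares the long-run cost per lamp-hour of a replace-on-failure policy against block replacement at a range of intervals. The two cost figures (an unscheduled call-out versus a per-lamp cost within a planned bulk job) are hypothetical.

```python
"""Block replacement economics under a Weibull failure model.

Added illustration (not from the article). All numbers are constructed:
the Weibull parameters are chosen so that mean life is close to the
8,000-hour figure quoted for sodium streetlights, and the two cost
figures are hypothetical per-lamp costs.
"""
import math

# Constructed Weibull parameters (shape beta > 1 means wear-out failures).
BETA = 3.0
ETA = 8960.0          # scale, hours; gives a mean life of about 8,000 h

# Constructed per-lamp costs.
COST_FAILURE = 150.0  # unscheduled replacement of one failed lamp (call-out + lamp)
COST_BLOCK = 40.0     # per lamp when the whole area is replaced in one planned job

STEP = 50.0           # grid spacing in hours for the renewal equation


def weibull_cdf(t, beta=BETA, eta=ETA):
    """Probability that a lamp has failed by time t (hours)."""
    if t <= 0:
        return 0.0
    return 1.0 - math.exp(-((t / eta) ** beta))


def mean_life(beta=BETA, eta=ETA):
    """Mean time to failure of the Weibull distribution."""
    return eta * math.gamma(1.0 + 1.0 / beta)


def renewal_function(t_max, step=STEP):
    """Expected number of failures of one lamp position in [0, t] when every
    failure is replaced immediately by a new lamp.

    Solves the renewal equation M(t) = F(t) + int_0^t M(t - x) dF(x) on a grid
    of spacing `step`.  Returns a list m with m[k] approximating M(k * step).
    """
    n = int(t_max / step)
    cdf = [weibull_cdf(k * step) for k in range(n + 1)]
    m = [0.0] * (n + 1)
    for k in range(1, n + 1):
        total = cdf[k]
        for j in range(1, k + 1):
            total += (cdf[j] - cdf[j - 1]) * m[k - j]
        m[k] = total
    return m


def failure_only_cost_rate():
    """Long-run cost per lamp per hour when lamps are replaced only on failure."""
    return COST_FAILURE / mean_life()


def block_cost_rate(interval, renewals):
    """Long-run cost per lamp per hour for block replacement every `interval` hours.

    Every lamp is renewed at the planned interval whether it failed or not,
    and any failure inside the interval is still replaced individually.
    """
    k = int(interval / STEP)
    return (COST_BLOCK + COST_FAILURE * renewals[k]) / interval


def best_block_interval(candidates=range(1000, 12001, 500)):
    """Return (interval, cost_rate) for the cheapest block interval tried."""
    renewals = renewal_function(max(candidates))
    return min(((T, block_cost_rate(T, renewals)) for T in candidates),
               key=lambda pair: pair[1])


if __name__ == "__main__":
    print(f"mean life            : {mean_life():8.0f} h")
    print(f"replace-on-failure   : {failure_only_cost_rate():.5f} per lamp-hour")
    T, rate = best_block_interval()
    print(f"best block interval  : {T:8.0f} h -> {rate:.5f} per lamp-hour")
```

With these constructed costs the cheapest block interval falls well short of the mean life, and its cost per lamp-hour is roughly a third lower than replacing on failure. The design point is that block replacement only pays when the failure distribution is wear-out (shape greater than one) and the planned per-lamp cost is materially below the unscheduled one; changing either assumption shifts or removes the optimum, which is exactly the kind of sensitivity a risk assessment should record.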

Risk reduction resources
Risk reduction resources are generally provided in the form of inspection, expediting or auditing services, but may also include risk management planning resources. The extent to which inspection and the associated expediting activities are undertaken for any item of procured equipment will depend on the perceived risk of the item arriving at the site or the receiving warehouse either not in accordance with the specification requirements or not in accordance with the programme delivery requirements. It is therefore industry practice to carry out a risk assessment that addresses the consequences, in terms of cost, of either of these events occurring, i.e. non-conformance to quality requirements and late delivery.
Depending on the industry sector, this assessment will be carried out for all or only the major categories of procured equipment. A typical risk assessment will address the following topics:
criticality of the product based on the consequences of failure. A criticality rating will typically address the following factors:
  product safety implications
  design complexity and maturity
  complexity of production process
  product characteristics
  environment issues
  operation issues
direct and indirect economic consequences of failure
cost of rectifying defective items, if any
cost from consequential delay to programme in rectifying defective items
cost from delay to programme for late delivery of items
cost of inspection and expediting as a percentage of purchase price
whether a vendor quality plan is required

Once these costs have been assessed, it is necessary to decide which of the following are required:
pre-award audit of the supplier's QMS
pre-inspection meeting
intermediate inspection visits, if needed, how many and for what
final inspection visit
expediting visits, if needed, how many and for what aim

Risk assessment techniques
It is not the intention of this article to cover the various tools and techniques currently in use to manage and assess risk - hazard and operability studies (HAZOP) and FMEA to mention just two. These techniques have been covered in great detail elsewhere. The only exception is risk-based decision-making, which has received less exposure and is included here as an example of one of these techniques.
Most of the decisions made in the working environment will benefit from an analysis of the risks involved. In practice, there is usually too little time, and the actual process of risk analysis is perceived to be too lengthy for this course of action to be undertaken with the associated record being placed on file.
There is a clear need for a simplified system of identifying and analysing risk so the process can be applied on a more regular basis. In particular, those decisions classified as minor, but that can still materially affect the prosperity of a company or the success of a project, will benefit. Paradoxically however, it can also be argued that without risk analysis, an organisation remains vulnerable to all levels of risk and will be the least prepared to deal with them if any materialise. The process of risk-based decision-making is suited to these minor decisions and, under normal circumstances, it can be conducted in about one and a half hours, usually involving two or three people. The result is that for the investment of approximately three hours of time spent on analysis, a decision can be taken having considered and budgeted all risks involved and the related outcomes. Risk-based decision-making can also be applied to major decisions such as the selection of joint venture or alliance partners, but the time required to develop the analysis will be even greater. Risk-based decision-making is typically used for the following types of decisions:
review of invitations to tender
selection of contract agreement type
placing of subcontracts
equipment selection (the design process) and procurement
resolution of problems encountered on projects
development of plant maintenance philosophies
selection and employment of company personnel

Other business risk strategies
Scenario testing
In order to be prepared for any contingency, however unlikely, some organisations in high hazard level environments practise a technique known as scenario testing. A high level catastrophic risk is imagined to have occurred. Documents are prepared that graphically describe the situation in some detail. The scenario is then passed to various management teams who are expected to assume a real occurrence, to analyse the situation and produce recommendations for a solution - and to plan subsequent limitation and prevention should the scenario happen in reality. The technique can produce an extremely high level of risk awareness.

Risk management system testing
In this instance, the risk system is tested during normal operations partly to test effectiveness and also to ensure a high level of sensitivity to the risk. An example is the system used in airports where officials disguised as normal passengers attempt to pass through the security system with drugs or fake guns and explosives. The staff knows this will happen on average twice per day.

Alarm testing
This is something that we are all aware of. It is necessary but suffers from the possibility that people may be desensitised to potential real occurrences if the practices are too frequent and are scheduled into specific time slots. This is also often the case when alarms go off by accident, e.g. car and property alarms.

Further reading
Although there are numerous publications about risk management, it is recommended that one of the following publications is used as the basis of the method to identify and assess risk:
BS 6079.3:2000 - 'Guide to the management of business related project risk'
BS 8444.3:1996 - 'Guide to risk analysis of technological systems'
IEC 60300-3-9:1995 - 'Guide to risk analysis of technical systems'

Michael Debenham is the IQA professional affairs manager and as such, is the focal point for all professional and technical matters within IQA and in the exchange of ideas and issues with other stakeholders in the UK QA industry. He is a fellow of IQA and can be contacted on e: mdebenham@iqa.org.

David Hutchins is chairman of David Hutchins International Ltd and co-founder of the Central European Business Academy in Hungary, which is being developed to provide six sigma training for organisations in Europe, the Middle East and Asia. He is a fellow of IQA and can be contacted on e: hutchins@hutchins.co.uk.

Michael Debenham and David Hutchins are both senior consultants with the IQA management consultants register (MCR). This article was originally written for inclusion in the MCR manual of good practice.

The authors wish to acknowledge the extensive input from the various clients and colleagues (too numerous to mention) with whom they have worked over the years and to whom they are indebted for much of the material contained in this paper.