A Publication of WTVP

Do you know where your risks are hiding?

Every few years, the International Organization for Standardization (ISO) reviews and updates the guidance standards used in manufacturing. From ISO 9001 to ISO/TS-16949, the aim of ISO is to ensure that “products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors and increasing productivity.”

This article will review the coming changes to ISO 9001 and how the 2015 revision will impact registered companies throughout central Illinois. With an aim to reduce end-user risk, the new standard revision will focus heavily on assessing and managing risk throughout the product/service delivery process. The goal here is not to address the revision change as a whole, but to review risk management expectations within the pending release, scheduled for fall 2015.

What is Risk?
Merriam-Webster’s dictionary defines risk as “the possibility that something bad or unpleasant (such as an injury or a loss) will happen.” How would injuries or losses impact your organization? Risk transferred into service or product quality that reaches your customer carries a heavy burden on the organization.

As the Cost of Poor Quality Analysis teaches us, the further away from preventive cost management we get, the higher the cost to the organization. External costs—such as warranties, liabilities, lost sales, customer complaints or recalls—play an integral role in the sustainability of organizations. Risk encompasses those activities that yield process variation, which leads to less uniformity in product or service. Reducing risk, or process variation, reduces the chance that products or services will escape to the end user.

According to the Detroit Free Press in October of 2014, “with more than two months left (in the year), automakers have recalled a record 56 million-plus vehicles… and a surprising number of them have been for relatively basic technology—ignition switches, alternators or hood latches.” Simple risk mitigation processes could have saved these automakers millions of green dollars, as well as customer loyalty (lost sales), a near-impossible statistic to accurately quantify. The new ISO 9001 revision will require organizations to establish processes to plan and implement appropriate actions to address the risks and opportunities.

What is Risk-Based Thinking?
Foundationally, risk-based thinking is applying a preventive risk assessment plan or tool for those required processes the organization establishes to achieve company goals. Risk asks the question, “What if?” Risk management practices are applied to reduce risks and enhance the likelihood of the organization achieving production and quality objectives.

Creating processes with the Plan-Do-Check-Act cycle in mind is the first step to effective risk-based planning. The risk concepts have always been implicit in ISO 9001, but the new revision builds the requirement throughout all the company quality processes. Risk-based thinking makes preventive action part of the fabric of the company’s entire quality management system (QMS).

The more critical processes require a greater rigor of risk-based thinking. For example, the automotive sector has been using Potential Failure Mode and Effects Analysis (PFMEA) tools to quantify the magnitudes of potential risks in design and production. Created by the Automotive Industry Action Group (AIAG), the tool reviews potential failures for each process requirement, then adopts action plans to remove or minimize the identified risks. As you can see from the 2014 recall statistics, actions have to follow once the risks are identified. Sourced products or services needs to follow the same level of risk-based thinking, as if the products or services were delivered directly from the organization. The risk approach needs to become how companies conduct business.

Business processes, whether in a factory, office, hospital or service organization, are the starting point to baseline current levels of risk. Applying the Plan-Do-Check-Act methodology can prove useful in improving business processes.

– What to do?
– How to do it?
– When to do it?
– Who does it?
– Where is it done?
• Do:
– What was planned.
• Check:
– Measure performance.
– Objectives met?
• Act:
– Corrective actions…
– How to improve?

The company’s quality objectives defined for the ISO 9001 QMS can be a good starting point for identifying risk opportunities. Ask the “What if?” question to determine what variances would cause you to miss targets. Of course, missing targets means customer expectations may not be met. The aim for risk-based thinking in ISO 9001 is to translate customer requirements into products or services that lead to customer satisfaction—and repeat business.

Risk-based thinking can be applied to every process step, from defining customer expectations to delivery. It is equally important to look at how risks from one process pose risks to adjoining processes. Inputs and outputs can be affected by unmanaged risks. Applying the Plan-Do-Check-Act methodology and measuring performance of the process will identify risk improvement opportunities.

Striving Toward Tomorrow
So how do we move forward with implementing a risk-based thinking program? One company may decide to adopt the AIAG PFMEA approach regardless of whether they supply products or services to the automotive sector, as the tools are universal and can be applied to any process. Other companies may create their own risk model tools to track and update risks and opportunities.

Creating records of identified risks and mitigation actions will continue as ISO 9001’s Control of Records requirement is not going away. The risk model records can be used for a “lessons learned” archive to ensure companies do not fall back into the same risky behaviors. One recommendation is to start with the most critical processes and work back through all management system processes until the company has documented and is aware of all potential risks.

Not knowing where your risk hides is the riskiest business decision a company can make. One failure can reap catastrophic consequences on the longevity of the organization. Do you know where your risks are hiding? iBi

Scott Tillison, CMQ/OE, CQE, CQA, CQPA is chief quality officer of OQInternational, LLC (OQI) in Morton. For more information, visit