In Against the Gods: The Remarkable Story of Risk, the author says the mastery of risk is the foundation of modern life and is what divides modern from ancient times. By consciously or unconsciously calculating probabilities, auditors make intelligent decisions about business processes. First let’s look at a few definitions of risk.
There are several critical points to remember regarding these risk definitions:
As you read through the elements of most definitions of risk, you’ll start to see that they share common elements with ‘conformance’ and ‘value’ based definitions of quality. In other words, the essence of risk is variation, variance, or variability away from an objective, target, specification, or standard.
Let’s look at some risk and quality parallels:
Quality professionals understand variation. Variation is a state of nature, whether in business or organizational dynamics. Variation at the business objective, specification target, or process objective is the general condition of all systems. Variation outside of specification, business, or process control limits represents a risk event waiting to occur. In fact, variations outside of control limits or specification limits are risks or nonconformances already occurring. This is illustrated in the figure, ‘Higher Risk On Target with More Variation.’
Risk can be defined as a variance or distance from a business objective, metric, or standard, all of which indicate risk waiting to occur or already occurring. For example, quality that can be specified in terms of a dimensional tolerance or a surface finish is a variable that can be controlled and ensured. If a target product dimension can be kept in the middle of the specification spread and the variation of measurements is distributed inside the specification limits and process control limits, then the risk of a hazardous event or a nonconforming product can be controlled.
Reliability has always been considered a critical product quality attribute. Look at reliability metrics, such as mean time between failures and mean time to first failure. These are essentially probabilistic risk concepts.
Also, the Six Sigma methodology to define, measure, analyze, improve, and control (DMAIC) is fundamentally a risk management methodology.
Risk, like quality, can be managed. Let’s look at the following definitions of risk management:
As risk decision-making has increased, there is a growing realization that activity, process, or project-based risk mitigation does not work, much as fixing or correcting the symptom of a quality problem results in recurring problems. Many managers realize that the root cause solution to a chronic or systemic quality problem is through enterprise risk management (ERM). ERM in many ways is analogous to Total Quality Management (TQM).
Enterprise risk management (ERM) and total quality management (TQM) share some similarities.
The differences between the two are also compelling.
As you can see, the similarities between ERM and TQM are more pronounced than the differences.
The trend for good corporate governance is to focus on enterprise risk management. Internal controls and documentation will have to support the ERM system. The rationale for ERM is straightforward, which is to provide value for all stakeholders. The question then becomes how much risk can or should an organization assume?
The underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.
Benefits of ERM include:
Quality has fundamentally changed. Therefore, quality professionals must take a hard look at their role in this new business environment, assess their current skill set, determine what they need to learn to be relevant contributors of value, and decide where they will be in the near future. Here are but a few suggestions of what we need to do:
We all need to be career resilient and most importantly know how to add value. Quality has been very adaptable over the years. The body of knowledge has grown and the quality discipline has evolved from basic inspection to Six Sigma. The applications have expanded far beyond the manufacturing floor to providing quality in healthcare, education, and now homeland security. The contemporary business environment has morphed into one of greater expectations in the quality of corporate governance along with senior management personal accountability.
Risk and risk management are the next evolution in quality.
[i] Bernstein, Peter, Against the Gods: The Remarkable Story of Risk, John Wiley, 1996.
[ii] COSO, Enterprise Risk Management Framework, web, 2003.
[iii] FAA Programmatic Risk Management, 2002, p. 6.
[iv] Public Spending and Services, HM Treasury (UK) website, 2003.
[v] FAA Programmatic Risk Management, 2002, p. 6.
Greg Hutchins is a principal with Quality Plus Engineering in Portland, Oregon. Greg is the author of numerous books in process and supply management. This material is excerpted from Value Added Auditing, see www.ValueAddedAuditing.com for more information.