10 July, 2013 Greg Hutchins, Principal Engineer, Quality + Engineering (Q+E)
Reprinted with permission©CERM Academy
Note: The views expressed in this article are those of the author and do not necessarily represent those of his or her employer, GxP Lifeline, its editor or MasterControl Inc.
In Against the Gods: The Remarkable Story of Risk, the author says the mastery of risk is the foundation of modern life and is what divides modern from ancient times. By consciously or unconsciously calculating probabilities, auditors make intelligent decisions about business processes. First let’s look at a few definitions of risk.
- Risk – The possibility that an event will occur and adversely affect the achievement of objectives.[ii]
- Risk – A situation or circumstance, which creates uncertainties about achieving program objectives.[iii]
- Risk - Uncertainty of outcome, whether a positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance of a positive and negative event, which may involve a hazard, improvement, or new opportunity.[iv]
There are a several critical points to remember regarding these risk definitions:
The essence of risk is variation, variance, or variability away from an objective, target, specification, or standard.
- Risk represents an upside of capitalizing on an opportunity and a downside of an unwanted event.
- Risk has two critical elements, magnitude and likelihood.
- Risk is all about uncertainty, chaos, instability, out of control, and unusual.
- Risk is tied to not meeting business objectives.
RISK AND QUALITY
As you read the previous elements of most definitions of risk, you’ll start seeing there are common elements with ‘conformance’ and ‘value’ based definitions of quality. In other words, the essence of risk is variation, variance, or variability away from an objective, target, specification, or standard.
Let’s look at some risk and quality parallels:
Quality professionals understand variation. Variation a state of nature, whether in business or organizational dynamics. Variation at the business objective, specification target, or process objective is the general condition of all systems. Variation outside of specification, business, or process controls limits represents a risk event waiting to occur. In fact, variations outside of control limits or specification limits are risks or nonconformances already occurring. This is illustrated in the figure, ‘Higher Risk On Target with More Variation.’
Risk can be defined as a variance or distance from a business objective, metric, or standard, all of which indicate risk waiting to occur or already occurring. For example, quality that can be specified in terms of a dimensional tolerance or a surface finish is a variable that can be controlled and ensured. If a target product dimension can be kept in the middle of the specification spread and the variation of measurements are distributed inside the specification limits and process control limits, then the risk of a hazardous event or a nonconforming product can be controlled.
Reliability has always been considered a critical product quality attribute. Look at reliability metrics, such as mean time between failures and mean time to first failure. These are essentially probabilistic risk concepts.
Also, the Six Sigma methodology to define, measure, analyze, improve, and control (DMAIC) is fundamentally a risk management methodology.
WHAT IS RISK MANAGEMENT?
Risk, like quality, can be managed. Let’s look at the following definitions of risk management:
- Risk Management – An organized, systematic, decision-support process that identifies risk, assesses or analyses risks, and effectively mitigates or eliminates risks to achieving the program objectives.[v]
- Risk management - All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
As risk decision-making has increased, there is now a sense of realization that activity, process, or project-based risk mitigation does not work, much like fixing or correcting the symptom of a quality problem results in recurring problems. Many managers realize that the root cause solution to a chronic or systemic quality problem is through enterprise risk management (ERM). Enterprise risk management (ERM) in many ways is analogous to Total Quality Management (TQM).
ERM AND TQM SIMILARITIES
Enterprise risk management (ERM) and total quality management (TQM) share some similarities.
- Both grew to prominence as a result of policy circumstances, quality as a result of Japanese competitiveness and risk as a result of financial excesses in corporate America and homeland security
- Both share common concepts and techniques, but use different words for them
- Both have similar methodologies
- Both follow a similar deployment mechanism
- Both follow a capability maturity model (CMM) curve
- Both rely on the board of directors and senior management to set the example and lead the initiatives
- Both focus on variance from targets or objectives
- Both emphasize that ultimate responsibility for quality and risk rest with process owners
- Both are company-wide initiatives
- Both focus on achieving business objectives
- Both are process based
- Both have a hard technical side and soft people side.
ERM AND TQM DIFFERENCES
The differences between the two are also compelling.
- Risk management is relatively in its infancy, while quality is a mature technology
- Quality, even Six Sigma, has tactical focus, largely emphasizing execution and metrics.
- Risk management is a board level, CEO, and CFO concern
- Risk management is largely driven by financial regulatory and statutory compliance concerns
As you can see the similarities between ERM and TQM are more pronounced than the differences.
LEVEL OF RISK AND ASSURANCE
The trend for good corporate governance is to focus on enterprise risk management. Internal controls and documentation will have to support the ERM system. The rationale for ERM is straightforward, which is to provide value for all stakeholders. The question then becomes how much risk can or should an organizational assume?
The underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.
What Do Quality Professionals Need To Do And Know?
Benefits of ERM include:
- Develops integrated and aligned internal control structure
- Provides a rational template for determining which opportunities should be seized
- Aligns risk sensitivity with enterprise strategy
- Controls processes and projects
- Results in fewer surprises and less uncertainty
Quality has fundamentally changed. Therefore quality professionals must take a hard look at their role in this new business environment, assess their current skill set, determine what they need to learn to be relevant contributors of value, and make a decision of where they will be in the near future. Here are but a few suggestions of what we need to do:
- Become career resilient and learn enterprise risk management
- Understand Sarbanes/Oxley Act, which incorporates new accounting and reporting requirements
- Understand enterprise risk management methodologies
- Understand how to conduct risk assessments or audits
- Lean how to establish a risk control structure or system
We all need to be career resilient and most importantly know how to add value. Quality has been very adaptable over the years. The body of knowledge has grown and the quality discipline has evolved from basic inspection to Six Sigma. The applications have expanded far beyond the manufacturing floor to providing quality in healthcare, education, and now homeland security. The contemporary business environment has morphed into one of greater expectations in the quality of corporate governance along with senior management personal accountability.
Risk and risk management are the next evolution in quality.
[i] Bernstein, Peter, Against the Odds: The Remarkable Story of Risk, John Wiley, 1996.
[ii] COSO, Enterprise Risk Management Framework, web, 2003.
[iii] “FAA Programmatic Risk Management, 2002, p. 6.
[iv] “Public Spending and Services, HM Treasury (UK) website, 2003.
[v] “FAA Programmatic Risk Management, 2002, p. 6.
Greg Hutchins is a principal with Quality Plus Engineering in Portland, Oregon. Greg is the author of numerous books in process and supply management. This material is excerpted from Value Added Auditing, see www.ValueAddedAuditing.com for more information.