Organizations can improve their quality management by using a planning approach called risk-based thinking. By employing risk prediction tools to detect and lower the potential for quality-related problems, together with a method that quantifies both success and failure, organizations can progressively improve their chances of good outcomes.
A risk-based quality management system is about foreseeing threats before they arrive, using objective information so that an organization can make targeted improvements in the design of its systems.
Risk-based thinking can help an organization:
- Improve quality management outcomes
- Assign probability and impact to specific risks
- Evaluate the best potential actions to prevent or respond to risk
- Prevent quality-based problems
The Process Behind Risk Based Quality Management
Risk-based thinking is already a part of any quality management process, whether or not an organization acknowledges it. The conscious adoption of risk-based thinking can ensure that this thinking is systemized and embedded throughout the quality management system.
Risk-based quality management seeks to implement a structured process to identify actions based on analyzing known or anticipated risks associated with each action. The approach considers all necessary or appropriate activities and evaluates all relevant information.
At its core, risk-based quality management uses objective information to assign a probability to uncertain events and ascribe the appropriate risk. The goal is to progressively increase an organization’s chance at success using a method that quantifies probability and impact.
To prevent risks successfully is to foresee both their consequences and probability.
How Risk-Based Thinking Improves Quality Management Outcomes
How, specifically, can risk-based thinking improve quality management outcomes?
- Risk-based thinking allows for more knowledge of risks and systemizes preparedness as part of quality management.
- Risk-based thinking makes achieving organizational objectives more probable.
- Risk-based thinking makes avoiding negative results more likely.
- Risk-based thinking embeds the habit of preventing risks throughout the organization.
Once an organization has experience with risk-based thinking and decision-making as a cultural habit and organizational necessity, it can improve its efficiency, lower costs, and innovate more.
Examples of specific risks
Supply risks
As recent years have shown, supply chains are vulnerable. A company may see material shortages, inadequate parts that don’t meet specifications or higher shipping costs.
With a risk-based thinking process, a company can use a supplier scorecard to evaluate specific risks with each supplier. For example, a supplier scorecard can rate suppliers based on how many will likely experience shortages or raise prices, or which supplier(s) are most prone to disrupted deliveries. The scorecard can be developed from elements such as past performance, market conditions, known interruptions such as weather, raw materials costs, and supplier audits.
Using Risk-Based Thinking to Predict Risk Probability and Impact
Risk-based thinking considers the probability and impact of specific risks, focusing on the impact. Consequence analysis is one method to prevent problems by foreseeing their likelihood of occurring and the probable severity. All possible scenarios are considered to measure risk impact and determine aggregate risk.
Operational Risk Example | Operational Risk Mitigation |
A worker can err through carelessness or distraction, leaving equipment broken or a product late for shipment. | Workers can receive initial and regular training and evaluation about responsibilities and the most frequent errors and risks. A company can also proactively engage its workers, requesting feedback and taking their concerns seriously. |
Equipment can break unexpectedly, with no qualified workers around to repair it or with vague instructions to allow other workers to address the failures. | Before equipment fails, an organization can have a regular maintenance schedule with specific workers trained and assigned to particular equipment. These workers can be regularly evaluated for their performance. Additionally, the organization can document every identifiable risk associated with each piece of equipment, outlining specific procedures to prevent each risk and repair the equipment should it fail. |
A network device can crash, stalling operations and preventing products from shipping. | If a company relies on a computer network for regular operations, it can ensure that the network has the most up-to-date hardware and software and is protected by the best affordable security. The organization can maintain regular communication with trusted IT specialists who identify common risks and non-experts on staff. |
Categorizing risk before predicting probability and impact
Identifying and classifying risks should never stop, as new threats are not easily identified or anticipated. While some risks are predictable, others take time and analysis to understand fully.
Below are several common quality-related areas of risk that should be identified and expanded depending on the organization’s objectives:
- Operational: The day-to-day operations can be disrupted by human error, inadequate processes, or broken equipment and technology.
- Health and safety: This category can include human health and safety, such as workplace safety and preventing injury or health problems. It can also include product or design safety, such as ensuring that products are non-hazardous and safe or that equipment is used correctly and regularly maintained.
- Legal and regulatory: Failure to comply with legal and regulatory requirements, such as environmental, health and safety, and quality-based specifications, can result in legal penalties and lost revenue.
- Costs: Higher material or component costs due to supply chain disruptions, or equipment failures, are clear risks. Other risks to revenue include lower prices from the competition, declining customer satisfaction, tariffs and trade barriers, or seasonal hazards such as inclement weather.
- Production schedule: Productions, even those that use forward-thinking time and cost estimates, are susceptible to unanticipated delays, costs, or disruptions.
- Reputation: A damaged reputation through unforced errors, lower than expected revenue, poor planning, or unsatisfactory customer service is incredibly risky to an organization.
- Performance: Given how many things an organization is expected to do, the risks to performance are numerous. Products may not deliver the expected value to customers or fail to live up to specific expectations; customer service satisfaction can decline over time; a piece of technology, such as a tech product that promises increased efficiency, can fail due to unforeseen problems.
Predicting the probability of risks occurring
An organization can use a simple matrix like the one below to evaluate how likely certain risks are to occur.
Organizations can measure risk occurrence depending on what timeframe the organization works with:
- Near-term risks may occur between the present and one month into the future.
- Mid-term risks may occur within 2-6 months.
- Far-term risks may occur six months or beyond.
The most probable risks should be dealt with first, as risks with a high probability of occurring are often problems needing a solution now.
Predicting the probability of risk consequences and impact
An organization can evaluate the specific impact of risks in terms of their severity. A three-tiered matrix could assess the impact and effects in terms of the following:
- High: A critical risk
- Medium: A significant risk
- Low: A minor risk
To begin assigning a risk to one of the above categories, consider some of the following points to understand what penalties might result if the threat were to occur during normal operations:
- The amount by which costs could increase over a specific timeframe
- The amount by which revenue could decrease over a specific timeframe
- How long production could be delayed or scaled back
- Specific projects that may be at risk of missing deadlines
- How negatively product quality is affected
- How shipments and deliveries could be delayed or disrupted
- How the scope of a project has expanded or scaled back
- What costs arise from failing to meet legal or regulatory requirements
Combining risk probability and risk impact
For each risk event, assign it the probability of occurrence and the probability of impact/severity. An example chart for doing both appears below:
Working with external auditors
Many organizations have used risk-based thinking in connection to ISO 9001:2015, an international standard to govern and improve an organization’s quality management system. Within ISO 9001, organizations must show to an external auditor that their quality management system successfully reduces risks. Below is a list of actions that an organization can take to show how its risk-based management system is successful:
- Demonstrate the organization’s progress in reducing risks through audits, nonconformances, and management reviews.
- Establish records of how specific actions changed the risk landscape within the organization, showing how risks are taken into account in decision-making.
- Show that the organization’s knowledge and infrastructure have grown to address risks.
Bringing all stakeholders to the table
The failure to involve all stakeholders is a frequent contributor to poor risk management. Without formal procedures to guarantee two-way communication between stakeholders, success in risk-based quality management is unlikely.
When considering different risks and potential actions to prevent or reduce them, an organization should formalize its procedures to collect stakeholders’ perspectives within a predetermined timeframe so that schedules are not disrupted. Additionally, the timeframe should allow adequate participation of stakeholders with more significant expertise in reducing specific risks and of stakeholders whose perspectives have otherwise not been considered.
Preventing Quality Problems with Risk-Based Thinking and Decision-Making
Organizations can combine their evaluation of risk probability and impact with other factors to provide a complete picture of addressing specific risk events. These other factors can include:
- Recommended actions for the risk event
- The individual responsible for monitoring and responding to a risk event
An example spreadsheet combining these factors appears below:
Similar risk-based quality management tools focus on identifying root cause quality problems. One practical approach is a “failure mode effects analysis” (FMEA).
FMEA is a system used to identify how any step in a process can fail, and how to detect such failures, and specifically their causes, and prevent them from occurring.
Failure modes include errors, mistakes, or defects that could reasonably occur. Effects, or effects analysis, look at the consequences of failure, particularly on the client or customer.
Below is an example chart outlining a fundamental FMEA analysis.
Failure Mode Effects Analysis (FMEA) | |
Process | Explanation |
Process Function | What is the step to take? |
Potential Failure Mode | In what ways can this step go wrong? |
Potential Effect(s) of Failure | Impact on customer/client if the failure is not avoided or corrected |
Severity Level | How severe will the failure be, on a scale of 1 (least severe) to 10 (most severe)? |
Potential causes | What causes the step to fail? |
Occurrence/frequency (1-10 scale) | How frequently do the causes of the failure occur, on a scale of 1 (least frequent) to 10 (most frequent)? |
Current Process Controls | What existing procedures can prevent the failure from occurring or detect it if it occurs? |
Probable detection of failure (1-10 scale) | How probable is it that the failure or its cause will be detected, on a scale of 1 (least likely) to 10 (most likely)? |
Risk priority number | Severity level * Occurrence/frequency * Probable failure detection = Risk priority number |
Recommended actions | What actions can reduce occurrences of the cause or improve detection? |
Conclusion
Risk-based thinking and decision-making can assess and evaluate risks in a way that helps an organization use its strengths to achieve the most significant value. While it cannot reduce all risks as much as possible all the time, a risk-based quality management system can still foresee problems and lead to better solutions.