The Risk and Compliance Paradigm: Risk Management's Impact on QMS
Last week was EtQ's annual User Conference, where users of EtQ software come from all over the world to learn about technology, trends and topics in the Quality Management and EHS Management industry. One of those topics was on Risk and Compliance. See, we continue to write about and develop solutions centered around Risk Management Software, and I think for many, Risk remains this enigmatic and elusive concept. The perception is that they are so concerned with operational issues, that conducting risk, while strategically significant, seems way off in the future for them. This is far from the reality - in fact many companies are already doing risk in some way or another, and not even knowing it.
In fact, I was so sure of this Risk Management paradigm, I went out and put myself on the Quality Digest Live program to sweat under the hot lights and talk about Risk and Compliance:
(I can also be booked for private parties and special events - If requested I can talk about risk while making balloon animals and paying the harmonica. Call me, maybe.)
So all kidding aside, let's drive home my original point - Risk Management is everywhere, and is not some lofty strategic element that is limited to top floor suits making enterprise-wide decisions. Risk is just another tool in the quiver of the compliance process; it is a method for streamlining your business, like any other compliance process. The ISO group has seen this for many years, and is looking to push Risk into its various standards.
|ISO Standard||Risk Management Elements|
–Guidance for risk management in any organizations
–Not industry specific; applies to any risk; not intended for certification
|ISO 14971||–Guidance for risk management in Medical Devices|
|ISO 14001 & OHSAS 18001||
–Identify and assess every risk
–Mitigate significant risks and control minor risks
|ISO 13485 & ICH Q10/Q9||
–Med Device and Pharma: Explicit reference to risk management
–Primary focus is risk, taking into account threats, vulnerabilities and impacts
–No direct reference, but stay tuned -2015 revision has extensive RM elements planned
Risk Management is becoming an integral part of the compliance process. Like anything else, Risk Management is simply a process. It's a means of looking at potential hazards, assigning a weight to those hazards, and taking steps to control those hazards. Below is an example of the Risk Management process flow:
Identify all relevant risks (e.g., hazard analysis)
Quantify the risk (e.g., probability and severity)
Measure and monitor risk with objective, proven tools
Assessment: Accept (worth it), reduce (mitigate), compensate (insure), transfer (partner), avoid (stop)
Change management to introduce or improve controls
It's a fairly straightforward method for conducting analysis and mitigating hazards. There are many ways to look at Risk, and each industry has developed different risk based tools to suit their specific business needs. Here's just a sample set of some risk tools:
Risk Matrix: A useful (and colorful) matrix that takes typically two metrics - severity and probability, and ranks them in a grid to determine either a number or color.
Failure Modes and Effects Analysis (FMEA): Is a design or process method that breaks down a product or process to its individual components and conducts a "what if" scenario to identify failure points and control these potential failures at the most base level. Once the product of process is rolled back up, the risks are identified and mitigated.
Decision Tree Analysis: This is another method that outlines a "what if" scenario. By answering a series of questions of conditions, you can follow the tree through logical examples, and come to a decision on the overall risk.
Hazard Analysis and Critical Control Points (HACCP): Commonly used in the food industry, HACCP breaks a process into steps and conducts a hazard analysis on each step; "what could go wrong, and how can we control it?" For each hazard, a control is implemented and a risk is mitigated.
Bowtie Risk Methodology: This is a risk method designed to assess low-occurrence events, but when the occurrence is often very serious. Airlines use bow-tie very frequently, because the emphasis is not on the risk of an occurrence, it is more on the measurement of how effective the control is. What's attractive is that it is easy to read and translates well to all areas of the organization.
Risk Register: The Risk Register is like a library of historical risks and their outcomes. For every event with a risk associated with it, the risk register collects the data and is used to create a visibility into the risk timeline of an organization. This helps to provide trending and analysis on future events based on the past risk of similar events.
People ask, "Why risk"? Quality Management and EHS processes work just fine, and we report on CAPAs and incidents, and Job Safety well enough. Well, reporting at the operational level works, but when you want to report across industries, it becomes necessary to normalize the data for making aggregate decisions. Risk is that universal language - some final thoughts:
Risk Management is not automatic; It requires people: All these tools and technologies will only help you with Risk. The real Risk Management process happens with the people making the decision. Assemble a Risk Team, a cross-functional group that can sit and review the different risks, and weigh them using risk tools to come to a decision.
Risk is Universal in terms of the enterprise focus: Not all people speak Quality; not all people speak Safety; everyone speaks risk. When rolling data up to the enterprise level, normalizing operational processes in terms of risk help to create a universal language that decision makers can use to make better decisions.
And that's why Risk Management is continuing its charge through the Compliance industry - the tools outlined above and other tools (Fault Tree, HazOps, and so forth) are prime examples of how Compliance processes, whether Quality Management, EHS Management or others, are utilizing risk as a core benchmarking metric for decision-making in the enterprise.