Managing risk is fundamental to virtually every subdomain of management science. QMS is certainly no exception. In fact, the ISO 9001:2015 standard includes an increased focus on risk management, and many of the industry-specific standards incorporate risk as a key element of success as well. ISO 13485, for example, calls for medical device manufacturers to “apply a risk-based approach to the control of appropriate processes needed for the quality management system” (ISO 13485:2016, clause 4.1.2(b)).
Even in the absence of specific components in the quality standards to drive risk management, it still makes sense for organizations to assess potential pitfalls; understand the impact they might have on the company, its products, and its customers; and put measures in place to control and manage that risk. In this article, we’ll take a brief look at the fundamental building blocks of the risk management process and discuss some of the best techniques for managing risk in the context of QMS processes.
The risk management process
The overall risk management process can be broken down into eight fundamental steps:
1. Risk identification
Entails listing potential hazards that could exist in the QMS process. This may be based on historical data, as well as the opinions and concerns of key stakeholders. The key question that must be addressed at this stage is “What might possibly go wrong?” It also makes sense at this point to begin identifying possible consequences if those hazards actually come to pass. This will provide a foundation upon which all of the remaining steps in the quality system risk management process can be built.
2. Risk analysis
Establishes an understanding of the likelihood of a potential hazard occurring and the impact it will have if it does happen. Some low-probability events may have an enormous impact and should be addressed in a risk management plan, whereas the majority of risks to be addressed will fall toward the middle of the “high probability” end of the spectrum. Analysis should include some assessment as to the credibility of each threat. It is the combination of likelihood and impact that ultimately determines the priority with which risks must be addressed.
3. Risk control
Often involves a decision to accept certain levels of risk or to apply measures to reduce or eliminate existing risks. Consideration must be given to the costs of such measures, including monetary costs, soft costs, and opportunity costs. Care must also be taken that risk control measures do not introduce additional, net new risks, or if they do, that those new risks be managed as well.
4. Risk evaluation
Generally entails quantifying the potential hazard based on a combination of its likelihood and impact, as initially determined in the risk analysis phase and as modified in the risk control phase. In many respects, this step represents an iterative refinement of the risk analysis that was performed earlier.
5. Risk reduction
Focuses on measures that can be taken to reduce the likelihood or impact of remaining risks. Again, this serves as a kind of iterative approach to further reduce the potentially harmful effects of each risk on the organization and its stakeholders.
6. Risk acceptance
Serves as a formal recognition that the organization will take on certain risks that have been identified (and potentially mitigated to some extent) so that they can be communicated to stakeholders throughout the organization.
7. Risk communication
Provides an important step in aligning people throughout the company around the risks that exist, the likelihood of their occurrence, and the potential impact, and protecting the measures being taken to manage them. This step often includes the presentation of a formal risk management plan to executives within the organization, such that leaders in the business clearly understand the risks the organization faces, have an opportunity to review them along with the measures being taken to address them, and can give their formal approval.
8. Risk review
Companies should periodically review their risk management plan, identify any potential new risks that have emerged, and make revisions as necessary.
Although these steps describe the risk management process in general terms, there are some specific techniques that can be applied in a QMS context to guard against risks associated with breakdowns in quality management.
The four techniques
Risk management technique #1: supplier risk management
In today’s complex global economy, supplier relationships are more important than ever. Unfortunately, it’s a fact of life that suppliers can introduce risks that impact the quality of your product. Effective techniques for managing and mitigating that risk include rigorous receiving and inspection protocols, structured processes for rating and managing vendors, supplier certification on appropriate quality standards (e.g. ISO 9001 or corresponding industry-specific standards), and corrective action tracking. Companies that pay close attention to supplier performance, initiate feedback to track non-conformance and corrective action, and establish clear expectations will be one step ahead of the game.
Risk management technique #2: sharpen your corrective action processes
A good QMS system should be capable of collecting, storing, and analyzing a large body of data, providing important insights into the root causes of quality problems and potential trends that may indicate bigger-picture issues. Effective analysis helps companies to understand problems upfront, initiate corrective action, and assess the effectiveness of their CAPA programs.
A strong QMS system should have automated workflows to ensure nothing slips through the cracks. This is essential to this process because it guarantees a complete and accurate data set based on all available nonconformance data.
Risk management technique #3: focus on the design phase
As every quality manager knows, it’s substantially better to prevent problems from occurring in the first place than it is to intercept them downstream after they have occurred. By proactively zeroing in on the product design phase, managers can reduce the number of issues that occur in production or that show up when real-world customers are using the product.
Consider employing some of the well-established models for risk assessment. The bowtie method, for example, has been used successfully for many years in aerospace engineering and life sciences. Bowtie focuses on various high-impact events and explores them at a very granular level of detail. Failure Mode and Effects Analysis (FMEA) was pioneered by the US military in the early 1940s to identify all possible points of failure in a design and is also widely used to assess risk in this phase.
By engaging product designers, engineers, and other stakeholders in identifying potential risks during the design phase, you can not only defend against potential problems before they happen but also reinforce quality-oriented thinking throughout your organization.
Risk management technique #4: make the most of customer feedback
Finally, quality managers must listen to their customers closely and carefully. Customer feedback comes in many forms, from social media posts to phone calls with the help desk and complaints to field service personnel. Unfortunately, companies that are ineffective in collecting and collating that information are simply not in a position to use it wisely.
By creating systems through which everyone in the company can funnel customer feedback to a common system, quality managers can ensure that the voice of the customer is being heard. In doing so, they also reinforce the company’s commitment to quality. That gets through to customers and employees alike, fostering a positive attitude about your organization and its products and services.
If your company is seeking to level up its quality management game, Intellect would love to speak with you. Contact us today to tell us about your quality management programs and find out how Intellect can help you.