Tim Lozier


Risk Management Outside Your Four Walls

Implementing risk strategies for the supply chain

Published: Thursday, April 21, 2016 - 08:10

When we look at business dynamics, regardless of industry, we see an increasing rate of change in products, processes, and regulations. One process affects the next, and with a growing focus on regulations and standards, complexity becomes an ever-expanding theme, whether related to quality management or general compliance.

The consequence is that organizations are becoming more complex. Businesses are increasing their global footprint. Couple that with the addition of mergers and acquisitions, and you begin to see disparate trends in quality and compliance. As we get more complex, our organizational cultures change.

A more complex world means that the level of regulation shifts. Whether a company operates solely in the domestic arena or worldwide, it is faced with regulations from the local to the international. These vary by country and region, and shift constantly to meet complex requirements. Organizations must ensure that quality and compliance are achieved as they continue to roll out new processes and products, and employees need adequate training to keep quality and safety considerations in line with these new complexities.

Increased complexity is seen specifically in the supply chain. Companies are outsourcing more and more, and with this come inherent risks. We need to make sure that our suppliers are factoring in the same level of quality that we expect internally.

With all these factors weighing on an organization, coupled with the need to maintain compliance at the ever-faster pace of business, how can companies keep up? This article will review how an organization’s quality management system (QMS) can help support its partners and thereby extend quality throughout the supply chain.

The role of the quality management system in the supply chain

From a quality management perspective, a few things need to be done. The first is to figure out how to effectively extend quality to the supply chain. This means that companies need to find the current quality gaps (which tend to be manual) and fill them with automation. To do so requires making changes to specifications, better performance tracking, and faster response to adverse events, such as out-of-spec, nonconformities, complaints, and more. You then need to make sure that any corrective actions taken that involve suppliers are factored into the process, that any deviations and specifications are aligned with the business, and that you build in tools to make everything run seamlessly.

Companies also need to consider this issue from a broader perspective. What is the commitment to quality, and what are the areas needed to ensure compliance? It is critically important to identify culture, communicate processes, manage the quality system, and understand the deeper levels of the supply chain. Knowing who you are (and making sure that the suppliers know who you are) comes into play to ensure efficiency and consistency in your level of quality.

Finally, companies take all these factors and apply a risk assessment to them. Risk management is a process that involves systematically reviewing, assessing, treating, and controlling our risks. This can be done internally, and many of the standards are approaching this level of operation, but it needs to extend to the supply chain as well.

The risk management process

Risk management, like most everything else, is a process. If you can define the steps and logically apply them, you’ll be able to build a strategy that not only doesn’t impede your existing processes, but actually enhances them. Take, for example, the ISO 31000 standard for risk management. It’s a broad standard, and not one you would use to adhere to business operations. Rather, it should be used as a general interpretation of how the risk management process is defined. It’s a good starting point, and a great way to get started on the risk journey.

Risk management starts by looking at your operations, determining where the hazards are, and what the risk of those hazards might be. This is not done in a vacuum; you should assemble a team to help identify these risks throughout your operations.

Next, consider your known risks and determine a way to quantify them. Look for ways to measure a risk in a systematic and objective way. A common approach is to use scales, such as severity and probability. Then implement a process for evaluating and assessing the risk. This is where “risk assessment” plays its part in the overall risk management process.

The key point of risk management is the ability to come to a decision as a result of your assessment. You can use tools to help you quantify and filter the risk, but ultimately you need to make a decision on how to handle the risk. There are many factors, but you can:
• Accept it (it’s worth the risk)
• Reduce it (take steps to mitigate risk)
• Use compensation (find ways to insure yourself against the risk)
• Transfer risk (source out risk to a partner/supplier with a better management process)
• Avoid (just stop the process altogether)

Once you’ve made a decision, you then need to implement that decision. This can be done by managing changes to processes or operations, implementing controls to mitigate or reduce the risk, or starting improvement activities that can ultimately support your decision. That’s risk management at a high level.

Common tools for risk management treatment

This is just a sample of some of the ways you can go about assessing risk in your organization. Below are some risk tools that are commonly used in organizations:
• Decision tree analysis. Many will use this method, perhaps without even knowing it’s a tool for risk assessment. In a decision tree, you are given an input (i.e., an adverse event) and you use the decision tree to help determine the outcome of that event. Decision trees can be built in such a way that will provide guidance and help you come to the right decision. This is an effective way to assess risks, especially because it allows the user to follow a path, usually through question-and-answer trees (e.g., “If this, then this; if yes, then this”). Because they have no mathematical context such as a risk matrix, you can build decision trees directly into the system as part of the process. This is especially good when assessing the effect of a supplier material on a finished product, reviewing inspections, or determining whether to issue a supplier corrective action or approve a deviation.
• Risk matrix. Perhaps the most common risk-assessment tool in many industries is the risk matrix. This is a grid that is quick, easy, and colorful—it’s designed to make the risk level evident to all people in the operation as well as your suppliers. A risk matrix plots two (sometimes three) levels on a graph. These are usually severity and probability (or likelihood). Each risk level is assigned a number, and within the graph you plot a formula to calculate where the two numbers intersect (usually this is done by multiplication). Then, you assign a color to the level of risk, such as red, yellow, or green (some will use more colors depending on the complexity of the result). The goal is to define a risk level based on two factors and build guidance into the results to help foster a decision based on the calculation. However, be careful to vet your risk matrix; sometimes you may get results that are mathematically sound but do not fit in the context of your operations. To mitigate this, you need to vet the matrix using real-world examples (i.e., historical data), to ensure that your results are actually proper and correct. Some tweaking may be required, but once you have vetted the graph, the risk matrix is a powerful risk assessment tool.
• Bowtie model. You may tell yourself, “We don’t have that many critical events, so we really don’t have a history of risk.” If so, then the bowtie model is a great method for assessing risk in low-occurrence events. In some cases you may have few data on potential critical events, but the undesired effect of these events is so catastrophic that you can’t afford to sit and wait for them to happen. Unlike the previous tools, the bowtie is considered a proactive risk assessment tool in that it seeks to mitigate risk before it happens. This model really looks at the undesired effect (which is usually something bad, like loss of life), and builds out controls as “barriers” to prevent that event from occurring. Here’s how it works: You have an undesired event in the center, and you analyze the effect of that event. You are effectively building out a scenario in which that event might occur and putting preventive controls in place to mitigate the risk of it actually happening. Similarly, you also want to build out recovery controls to minimize the effect if the event does in fact occur.
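The risk matrix and its vetting step described above, as an added example that is not part of the original article: severity and probability are multiplied, the product is mapped to a color, and the result is checked against past events whose correct handling is known. The 1-to-5 scales, the band thresholds, the override mechanism, and the supplier event records are all assumptions constructed for illustration.

```python
"""Risk matrix with a vetting pass against historical events (illustrative)."""

# Assumed 1-5 scales; the article names the two axes but not their range.
SCALE = range(1, 6)

# Assumed band thresholds on the severity x probability product.
BANDS = [(15, "red"), (6, "yellow"), (0, "green")]


def score(severity, probability):
    if severity not in SCALE or probability not in SCALE:
        raise ValueError("severity and probability must be 1..5")
    return severity * probability


def band(severity, probability, overrides=None):
    """Return the color for a cell; overrides patch cells the formula gets wrong."""
    overrides = overrides or {}
    if (severity, probability) in overrides:
        return overrides[(severity, probability)]
    s = score(severity, probability)
    return next(color for floor, color in BANDS if s >= floor)


def vet(history, overrides=None):
    """List events where the computed band differs from the band judged correct."""
    mismatches = []
    for ev in history:
        got = band(ev["severity"], ev["probability"], overrides)
        if got != ev["actual"]:
            mismatches.append((ev["event"], got, ev["actual"]))
    return mismatches


# Constructed sample history: supplier events with the band judged correct afterwards.
HISTORY = [
    {"event": "late shipment, no line stop", "severity": 2, "probability": 4, "actual": "yellow"},
    {"event": "cosmetic defect on packaging", "severity": 1, "probability": 3, "actual": "green"},
    {"event": "contaminated raw material lot", "severity": 5, "probability": 1, "actual": "red"},
    {"event": "out-of-spec dimension, reworked", "severity": 3, "probability": 3, "actual": "yellow"},
]

if __name__ == "__main__":
    print("before tuning:", vet(HISTORY))
    # Tweak: any severity-5 cell is red regardless of probability.
    fix = {(5, p): "red" for p in SCALE}
    print("after tuning: ", vet(HISTORY, fix))
```

The first pass flags the rare but catastrophic event that plain multiplication rates green, which is the "mathematically sound but does not fit" case the article warns about; the override is one possible tweak.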


The supply chain is becoming more complex. Industry is just now catching up to the tools needed to achieve the necessary visibility and control over outsourced processes. Furthermore, there are inherent risks associated with the supply chain, and we need to find ways to mitigate these risks.

Many of the challenges around supply chain risk concern having a more traceable, visible way of communicating key processes, and receiving timely responses from suppliers. The concept of a supplier network isn’t new, but creating and maintaining this network can be elusive. Solutions exist to help us mitigate risk. Most notably, achieving supply-chain operational excellence means implementing an aspect of a production system that is separate from the internal systems, but is linked so that it’s possible to send information to suppliers, showing them only the elements they need to see. Such a system, built with risk mitigation in mind, becomes a cornerstone of creating excellence.

Some of the risk management elements are available to us, and we just need to recognize that risk management in itself is a process, one that if inserted and followed in our daily operations can uncover a great deal of data, decision-making capabilities, and insights into redefining our supplier relationships. With these tools in place, we can effectively take our compliance and quality operations outside of our four walls and extend them to a larger supply-chain network.

For more information on this topic, be sure to register for the webinar, “Risk Management Outside Your Four Walls: Implementing Risk Strategies for the Supply Chain,” on Thursday, April 28, 2016, at 2 p.m. Eastern, 11 a.m. Pacific.


About The Author

Tim Lozier

Tim Lozier is the director of product strategy for EtQ, in Farmingdale, New York. He has extensive experience in the software industry, and has been involved in the creation of leading-edge technologies in user-interface design and development. He began his career in digital marketing before taking a turn into software design and marketing at Quark Inc. Since then, he’s never looked back—helping to foster the development (and blog about) leading quality management software solutions.