Greg Hutchins

Risk Management

Must-Know Risk Facts for Quality Professionals

Intelligent business decisions result when you calculate probabilities

Published: Tuesday, May 14, 2013 - 10:22

In Against the Gods: The Remarkable Story of Risk (Wiley, 1998), Peter Bernstein says the mastery of risk is the foundation of modern life and is what divides modern from ancient times. By consciously or unconsciously calculating probabilities, quality professionals make intelligent decisions about business processes.

First let’s look at a few definitions of risk from various sources:
• The possibility that an event will occur and adversely affect the achievement of objectives —Committee of Sponsoring Organizations (COSO)
• A situation or circumstance which creates uncertainties about achieving program objectives —Federal Aviation Administration (FAA)
• Uncertainty of outcome, whether a positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance of a positive or negative event, which may involve a hazard, improvement, or new opportunity. —United Kingdom’s HM Treasury
• Effect of uncertainty on objectives —ISO 31000

There are several critical points to remember regarding these risk definitions:
• Risk represents an upside of capitalizing on an opportunity and a downside of an unwanted event.
• Risk has two critical elements: magnitude and likelihood.
• Risk is all about uncertainty, chaos, instability, being out of control, and the unusual (beyond the norm).
• Risk is tied to not meeting business objectives.

Risk and quality

As you read the above elements of most definitions of risk, you’ll start seeing parallels with conformance and value-based definitions of quality. In other words, the essence of risk is variation, variance, or variability away from an objective, target, specification, or standard.

Let’s look at some risk and quality parallels.

Quality professionals understand variation. Variation is a state of nature in business and in economic behavior. Variation around a business objective, specification target, or process objective is the general condition of all systems. Variation outside of specification, business, or process control limits represents a risk event waiting to occur. In fact, variations outside of control limits or specification limits are risks or nonconformances already occurring. This is illustrated in figure 1.

Figure 1: Higher risk—on target with more variation

Quality and risk parallels

Statistical process control (SPC) is an example of how risk can be detected, measured, and controlled. Risk can be defined as a variance or distance from a business objective, metric, or standard, all of which indicate risk waiting to occur or already occurring. For example, quality attributes that can be specified in terms of a dimensional tolerance or a surface finish are variables that can be controlled and ensured. If a target product dimension can be kept in the middle of the specification spread and the variation of measurements is distributed inside the specification limits and process control limits, then the risk of a hazardous event or a nonconforming product can be controlled.
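The following is an added example, not code from the article or from the CERM Academy. It turns the point made in figure 1 and in the paragraph above into numbers: the same target with more variation means a higher probability of landing outside the specification limits, and a point beyond the control limits is risk already occurring. The specification (10.00 mm ± 0.06 mm) and the three runs of measurements are constructed for illustration; the control limits come from an individuals chart with sigma estimated from the average moving range (d2 = 1.128 for subgroups of two), and the nonconformance estimate assumes the process is normally distributed.

```python
"""Added example: SPC-style risk check for one characteristic.

Data and specification limits are constructed, not taken from the article.
"""
import statistics
from statistics import NormalDist

D2_N2 = 1.128  # control-chart constant d2 for moving ranges of size 2

# Assumed specification: shaft diameter 10.00 mm, tolerance +/- 0.06 mm.
TARGET, LSL, USL = 10.00, 9.94, 10.06

# Constructed deviations from target in thousandths of a millimetre.
_DEV = [5, -8, 12, -3, 0, 7, -11, 4, -6, 9, -2, 3, -9, 6, -4, 10, -7, 1, -5, 8]
LOW_VAR = [round(TARGET + d / 1000, 3) for d in _DEV]        # on target, tight
HIGH_VAR = [round(TARGET + 3 * d / 1000, 3) for d in _DEV]   # on target, 3x spread
SPIKE = LOW_VAR[:12] + [10.070] + LOW_VAR[13:]              # one point out of spec


def spc_risk(measurements, lsl, usl, sigma_mult=3.0):
    """Assess one run of measurements against spec and control limits.

    Returns the process mean, the within-process sigma estimated from the
    average moving range, the control limits, Cpk, the estimated
    nonconformance rate in parts per million (normal assumption), and the
    indices of points outside the control limits or the spec limits.
    """
    if len(measurements) < 2:
        raise ValueError("need at least two measurements")
    mean = statistics.fmean(measurements)
    moving_ranges = [abs(b - a) for a, b in zip(measurements, measurements[1:])]
    sigma = statistics.fmean(moving_ranges) / D2_N2
    if sigma == 0:
        raise ValueError("no variation in the data; control limits are undefined")
    ucl = mean + sigma_mult * sigma
    lcl = mean - sigma_mult * sigma
    # Cpk: distance from the mean to the nearer spec limit, in units of 3 sigma.
    cpk = min(usl - mean, mean - lsl) / (3 * sigma)
    # Likelihood side of risk: probability of a unit falling outside spec.
    dist = NormalDist(mean, sigma)
    p_nonconforming = dist.cdf(lsl) + (1.0 - dist.cdf(usl))
    return {
        "mean": mean,
        "sigma": sigma,
        "ucl": ucl,
        "lcl": lcl,
        "cpk": cpk,
        "ppm": p_nonconforming * 1e6,
        "out_of_control": [i for i, x in enumerate(measurements) if not lcl <= x <= ucl],
        "out_of_spec": [i for i, x in enumerate(measurements) if not lsl <= x <= usl],
    }


def summarize(name, measurements):
    """One-line report for a run, for running the file directly."""
    r = spc_risk(measurements, LSL, USL)
    return (f"{name:9s} mean={r['mean']:.4f} sigma={r['sigma']:.4f} "
            f"Cpk={r['cpk']:.2f} est={r['ppm']:.0f} ppm "
            f"out_of_control={r['out_of_control']} out_of_spec={r['out_of_spec']}")


if __name__ == "__main__":
    for name, run in (("low_var", LOW_VAR), ("high_var", HIGH_VAR), ("spike", SPIKE)):
        print(summarize(name, run))
```

The low-variation and high-variation runs share the same mean, so a "percent in spec" check on either would pass; only the sigma-based view separates them, with Cpk above 1.33 for the first and below 1.0 for the second, and an estimated nonconformance rate orders of magnitude higher. The spike run shows the other case the paragraph describes: one measurement that is both out of specification and beyond the upper control limit, flagged by index. Real SPC deployments use rational subgroups and check the normality assumption before trusting the ppm figure; the function accepts any numeric series, so the same check applies to a surface-finish reading or any other monitored metric.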

Reliability has always been considered a critical product quality attribute. Look at reliability metrics, such as mean time between failures and mean time to first failure. These are essentially probabilistic risk concepts.

Also, one method for reducing defects that has become a key factor in successful Six Sigma projects—define, measure, analyze, improve, and control (DMAIC)—is fundamentally a risk management methodology.

What is risk management?

Like quality, risk can be managed. Let’s look at a few definitions of risk management:
• An organized, systematic, decision-support process that identifies risks, assesses or analyses risks, and effectively mitigates or eliminates risks to achieving the program objectives
• All the processes involved in identifying, assessing, and judging risks; assigning ownership; taking actions to mitigate or anticipate them; and monitoring and reviewing progress
• Coordinated activities to direct and control an organization with regard to risk —ISO 31000

As risk decision-making has increased, people are realizing that activity-, process-, or project-based risk mitigation does not work. It’s similar to when you correct only the symptom of a quality problem, but recurring problems aren’t addressed. Many managers realize that the root-cause solution to a chronic or systemic quality problem is through enterprise risk management (ERM), which in many ways is analogous to total quality management (TQM).

ERM and TQM similarities

ERM and TQM share some similarities.
• Both grew to prominence as a result of policy circumstances: quality as a result of Japanese competitiveness, and risk as a result of financial excesses in corporate America and the need for homeland security.
• Both share common concepts and techniques but use different words for them.
• Both have similar methodologies.
• Both follow a similar deployment mechanism.
• Both follow a capability maturity model curve.
• Both rely on the board of directors and senior management to set the example and lead the initiatives.
• Both focus on variance from targets or objectives.
• Both emphasize that ultimate responsibility for quality and risk rest with process owners.
• Both are companywide initiatives.
• Both focus on achieving business objectives.
• Both are process-based.
• Both have a hard, technical side and a soft, people side.

ERM and TQM differences

The differences between the two are also compelling.
• Risk management is still relatively in its infancy, while quality is a mature technology.
• Quality, including Six Sigma, has a tactical focus, largely emphasizing execution and metrics.
• Risk management is a board-level, CEO, and CFO concern.
• Risk management is largely driven by financial-regulatory and statutory-compliance concerns.

As you can see, the similarities between ERM and TQM are more pronounced than the differences.

Level of risk and assurance

The trend for good corporate governance is to focus on enterprise risk management. Internal controls and documentation will have to support the ERM system. The rationale for ERM is straightforward, which is to provide value for all stakeholders. The question then becomes how much risk can or should an organization assume?

The underlying premise of enterprise risk management is that every entity, whether for profit, not for profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty, associated risk, and opportunity, and thereby enhance the capacity to build value.

What do quality professionals need to do and know?

Benefits of ERM include:
• Develops integrated and aligned internal control structure
• Provides a rational template for determining which opportunities should be seized
• Aligns risk sensitivity with enterprise strategy
• Controls processes and projects
• Results in fewer surprises and less uncertainty

Quality has fundamentally changed. Therefore, quality professionals must take a hard look at their roles in this new business environment, assess their current skill set, determine what they need to learn to be relevant contributors of value, and make a decision about where they will be in the near future.

Here are but a few suggestions of what we need to do:
• Become career-resilient and learn enterprise risk management
• Understand the Sarbanes-Oxley Act, which incorporates new accounting and reporting requirements
• Understand ERM methodologies
• Understand how to conduct risk assessments or audits
• Learn how to establish a risk-control structure or system

We all need to be career-resilient and, most important, know how to add value. Quality has been very adaptable over the years. The body of knowledge has grown, and the quality discipline has evolved from basic inspection to Six Sigma. Applications have expanded far beyond the manufacturing floor to providing quality in healthcare, education, and now homeland security. The contemporary business environment has morphed into one of greater expectations in the quality of corporate governance along with senior management’s personal accountability.

Risk and risk management are the next evolution in quality.

Used with permission of the CERM Academy.


About The Author

Greg Hutchins

Greg Hutchins is an engineer, certified enterprise risk manager, and the founder of the Certified Enterprise Risk Management Academy, Made in the U.S.A., WorkingIt.com, and Quality + Engineering.


Nice charting

Hi Greg, well said. However, a certain Mr. Taguchi developed a quality function loss theory that seems more exhaustive to me when interpreting quality risks. As a quality professional myself, I'm well aware that quality professionals' vision is warped by conformity, instead of focusing on risk - though, as living creatures, we are much more concerned with risk than with quality. I do really wish the upcoming ISO 9001 will put aside the sin-tasting concept of conformity and be more practical on risk factors. Thank you.