Definitions of Quality

Uploaded by

msalvante

Definitions of quality

Let’s look at common working definitions of quality: zero defects, customer satisfaction,
control of process variance, reliability, security, and fit for purpose. These are all objectives a
quality program is aimed at satisfying. ISO 9000:2005—“Fundamentals and vocabulary for
quality management systems” defines quality as the “degree to which a set of inherent
characteristics fulfills requirements.”

BusinessDictionary.com states this definition of quality: “In manufacturing, a measure of
excellence or a state of being free from defects, deficiencies, and significant variations,
brought about by the strict and consistent adherence to measurable and verifiable standards to
achieve uniformity of output that satisfies specific customer or user requirements.”

If we switch to a risk perspective, these common definitions of quality become: risk of defects,
risk of customer dissatisfaction, risk of uncontrolled process variance, risk of product
unreliability, risk of security breach, risk of lack of fitness. Or in other words, failure to
achieve objectives.

Thus in the risk domain, the focus is not on the objectives per se, but on the risk to achieving
the objectives. Risk management is applied to control the risks and enhance the likelihood of
achieving the objectives. Risk can be looked at as a two-sided coin: opportunity or danger.
Either way, the same approach can be used to manage risk.

Another parallel between quality and risk is their respective focus. Quality had its Deming and
his plan-do-check-act (PDCA) cycle. Greg Hutchins, an upcoming risk authority, identifies the
four Ps of risk: proactive-preventive-predictive-preemptive.

Quality management and risk management

Let’s look further at the link between quality management and risk management.

Quality management can be thought of as the process of designing and executing products and
services effectively, efficiently, and economically. In this context, effectiveness primarily
involves the ability of the products and services to meet or exceed customers’ expectations,
while efficiency involves the ability to provide products and services without wasting any
resources. Economics involves the ability to generate requisite revenues from the process so
that the organization can be sustained.

Risk management is the process of identifying, addressing, prioritizing, and eliminating potential
sources of failure to achieve objectives. Applying risk management means being proactive,
preventive, predictive, and preemptive. Risk asks the question, “What if?” and looks at likelihood
and consequences to determine which of the what-ifs are significant and need to be addressed.
If we look at process quality, we see that objective gaps imply higher deltas in the process,
which means higher risk: more variances, or higher variation, leads to less uniformity in product
or service. By reducing the risk of deltas, we reduce objective gaps and variation, and increase
process quality.

What is risk management?

Most definitions of risk management cover the entire enterprise. For example, the Committee
of Sponsoring Organizations (COSO) defines risk management as: “A process effected by an
entity’s board of directors, management, and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect the entity, and
manage risks to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.”

In ISO 31000:2009—“Risk management—Principles and guidelines on implementation,” risk is
defined as the “effect of uncertainty on objectives,” and risk management as something that
“aids decision making by taking account of uncertainty and its effect on achieving objectives
and assessing the need for any actions.”

For our purposes, we restrict risk to be in the operations domain and not the finance domain.
Financial risk management typically focuses on hedging costs, fluctuations in currencies, and
insurance.

There are three main types of operational risks:


• Enterprise risk—Risk related to the operation of a business, execution strategy, systemic
issues, and material issues
• Project risk—Risk related to the planning and delivery of a product or service, and of not being
able to meet project “triple constraints,” i.e., scope/quality, schedule, and cost, including
technology and other factors
• Process risk—Risk relating directly to planning and delivery of a product or service and of not
being able to meet process stability, process capability, and continuous improvement—meaning
the inability to achieve consistent outcomes

To ensure consistency of approach to risk management, standards and models have been and are
continuing to be developed. Standards provide the following benefits:
1. Reference for risk management processes
2. Define consensus and best practices
3. Define frameworks to guide and support risk decision process
4. Provide common vocabulary to discuss and compare risk processes
Some risk-based standards include: ISO 28000, which addresses supply chain security; ISO
27000, for IT security; ISO 22000 for food safety; the FAA Safety Management System, and
AS 9100 for aerospace.

The critical elements of risk management identified in ISO 31000 are:


• Risk identification—Identifies the sources of risk, risk events, and their potential
consequences
• Risk analysis—Analyzes the causes and source of the risks and the likelihood that they will
occur
• Risk evaluation—Determines whether risks need to be addressed and treated
• Risk treatment—Determines strategies and tactics to mitigate or control risks

Further, ISO states that risk management should “ensure that organizations have an
appropriate response to the risks affecting them.” Risk management should thus “help avoid
ineffective and inefficient responses to risk that can unnecessarily prevent legitimate activities
and/or distort resource allocation.” And, to be effective within an organization, risk
management should be “an integrated part of the organization’s overall governance,
management, reporting processes, policies, philosophy and culture.”

The ISO risk management process involves “applying logical and systematic methods” for:
• Communication and consultation throughout the process
• Establishing the context
• Identifying, analyzing, evaluating and treating risk associated with any activity, process,
function, project, product, service, or asset
• Monitoring and reviewing risk
• Recording and reporting the results appropriately

Why is risk proactive, preventive, predictive, and preemptive?

Risk assessment is proactive in that a formal analysis is undertaken to identify, rate, and
address risk. This involves risk identification (predicting and listing possible risks) then risk
analysis (rating them as to seriousness). Seriousness is determined by looking at the likelihood
of occurrence and the resulting consequences. There are several risk analysis techniques
available, but they fall into two camps: qualitative and quantitative.

Qualitative analysis relies on subject-matter experts who rate both likelihood and consequence
of potential risks using a gradated scale, e.g., 1–5, or high/medium/low, or using a “heat map.”
Likelihood and consequence are recorded in a two-dimensional grid.

Quantitative analysis relies on using numerical values or scores because this is felt to be a more
objective method. Historical or scientific data on the process or activity is used to determine
values. This method requires an understanding of probability and, for cases where data are
available, removes some uncertainty.

Using either approach, highly likely risks with high consequences obviously must be taken
seriously.

Once the serious risks are determined, they can be consciously dealt with. By applying
mitigation steps, the risks can be prevented, preempted, or reduced in impact. You can accept
risk, avoid risk (by stopping the risky activity), reduce risk (by reducing likelihood, consequence,
or both), or share risk (pool, outsource the activity, insure against the risk). A key point to note
is that this process represents a conscious effort, which by its nature must be visible to
management.

Summary

We have looked at the link between quality and risk and the basic elements of risk management
and operational risk. By changing your perspective to view quality as a risk function, you can
shift from a largely reactive approach of measuring and controlling variances, to proactively
identifying, addressing, prioritizing, and eliminating potential sources of failure.

https://www.qualitydigest.com/inside/quality-insider-column/linking-quality-management-and-risk-management.html
