
Risk Management

How to Define a Risk Management Strategy for Quality and Compliance Management Systems

Change is the only constant in business. Evolving products, processes and regulations are all driving one another towards faster rates of change, making quality and compliance management more and more complex.

Simultaneously, many organizations are increasing their global footprint, adding new locations and growing through mergers and acquisitions. And as companies expand in size and geographic location, regulatory requirements and compliance practices both tend to proliferate.

Organizations must address quality, safety and compliance, but these efforts can become disorganized with added business complexity. The question becomes, how can companies deliver on mission-critical responsibilities in the face of accelerating change?

© Copyright 2019 www.etq.com | +1 800-354-4476



Introduction

In this paper, we look at risk management as a tool for driving compliance, exploring topics such as:

• The basics of risk management
• The role of technology in risk management
• How and when to use common risk assessment methods

Keeping Pace with Compliance

Technology and automation of essential compliance processes can help a company adapt to increasing complexity and change. Industry 4.0 is here, and with it companies are implementing technology to streamline and connect business processes through automation.

Goals of automating processes and best practices to maintain compliance include:

• Integrating more areas of the company to break down information silos
• Improving visibility into operations
• Harmonizing processes with consistent workflows

Of course, implementing compliance systems requires a significant investment in time and resources. Quality systems reporting, adhering to new regulations, reworking production processes—all of these go into the total cost of compliance.

In this context, risk management is emerging as a strategic tool for mitigating costs while streamlining compliance in an objective and systematic way.

Risk Management as a Key Compliance Tool

Many people think risk management is equivalent to risk assessment, when the reality is that risk assessment is just one part of a holistic risk management strategy. Ultimately, a comprehensive set of risk management processes is essential to making compliance streamlined and efficient.

More and more, global management standards for benchmarking compliance are incorporating risk into their requirements, including standards like:

• ISO 9001 for quality management
• ISO 13485 for medical devices
• ISO 31000 for risk management

This evolution is a response to the market by the framers of ISO standards, recognizing the role that risk plays in business operations and process excellence.

Risk Management Basics

Risk management is a cyclical process that broadly aligns with the plan-do-check-act approach:

[Figure: Plan, Do, Check, Act cycle with the stages Hazard Identification, Risk Assessment, Decision-Making, Continued Monitoring and Adjustment]

• Hazard identification: Start by defining relevant risks in your business operations.
• Risk assessment: Systematically and objectively measure risk, which is typically defined as severity multiplied by probability or likelihood.
• Applying decision-making criteria: Implement a standardized process for evaluating risk assessment results and taking action.
• Reevaluating risk: Monitor and measure whether your actions effectively reduce risk over time.
• Make adjustments: When risk is still unacceptably high, start the process again from the beginning.


As for how you decide to handle the risk, you have several options:

• Acceptance: Decide that it’s worth the risk
• Reduction: Take steps to mitigate risk
• Compensation: Find ways to insure against the risk
• Transfer: Outsource risk to a partner or supplier with a better management process
• Avoidance: Stop the process altogether if the risk is too high

It’s important to note that risk management isn’t something you can do in a vacuum. You’ll need to assemble a team to formalize your company’s approach to evaluating risk and how you’ll use that information to guide decisions.

The Risk Umbrella

Risk management doesn’t just affect one area of the business. Risk is pervasive in all areas of an organization, from quality to environmental, health and safety (EHS) to finance and supply chain.

[Figure: Enterprise Risk Management umbrella covering Quality, Safety, Regulatory, Financial, Environmental and Commercial risk]

That’s what makes risk management so powerful, providing a universal methodology for benchmarking compliance. And while we typically think of risk assessment tools from a tactical perspective, it’s the strategic process behind them that ensures ongoing hazard identification and risk reduction.

After all, having a risk management tool is helpful, but it won’t necessarily spot new or unknown hazards. The tool is a fixed point for risk assessment, while the risk management process looks at operational context to ensure you adapt to emerging risks.

The Trouble with Humans

As humans, we’re not always good at assessing risk or anticipating unexpected events. And when we do encounter hazards, our ability to objectively reconstruct them is often flawed.

Why is this?

• We tend to see patterns in random events: We look for order where it doesn’t exist, leading us to a subjective evaluation.
• We think we have deep knowledge of processes: We often bring only a basic understanding to the question, resulting in biased conclusions.
• We tend to group-think: When everyone comes to a similar consensus, we think it must be the right decision.

The point is that without a structured process, tools alone lead to subjective errors. It’s essential to realize that prediction is hard, and even experts aren’t always right.

Too Much or Too Little Data?

A common conundrum many organizations face is having either too little data or having so much data they can’t effectively anticipate risks.

If you don’t record enough risk items, you won’t have a large enough data set for making good decisions. Conversely, recording too many minor events often means people ignore all of them—even when taken together they could pack a huge punch.

Consider the following normal circumstances:

• Operating at max production
• Performing routine fire safety maintenance
• Starting up a new production line

On their own, each of these events may present a low risk. If they all happen on the same day, however, safety risk jumps significantly. Organizations need to adjust to this way of thinking, using risk technologies to make sense of data and transform insight into action.


The Value of a Risk Assessment Tool Within Risk Management Processes

A robust risk management program minimizes subjectivity while maximizing the effectiveness of risk assessment tools in the overall process. Organizations need to collect lots of data to see the bigger picture, going beyond a single operational area to roll out risk management enterprise-wide.

What’s more, they need to record not just critical data, but also near-miss data—when hazardous events are narrowly avoided—in order to be truly proactive. What makes risk assessment tools so powerful is that they:

• Are objective and repeatable
• Replace a “gut feeling” approach with standard decision-making criteria
• Make it easy for non-experts to make risk-based decisions

Risk assessment tools drive both short-term and long-term change, but it’s worth repeating that they aren’t solutions in and of themselves. Companies must be careful to avoid the false sense of security that comes from relying on tools alone.

It’s important to continuously test and reevaluate risk assessment protocols based on data and make adjustments to your tools based on that data. Your team should also regularly vet tools and processes to monitor results and make necessary changes as new data, operations and risks emerge.

Uncovering Operational Risk in Quality, EHS and Compliance

Looking at the landscape of business operations, companies typically find risk assessment a useful tool in areas such as:

• Production planning: Incorporating risk management into planning ensures compliance benchmarking throughout the process. Risk can strengthen procedures like change management, production part approval process (PPAP) and failure modes and effects analysis (FMEA).
• From a safety perspective, you can incorporate risk into activities like job safety analysis (JSA) and industrial hygiene tracking.
• Manufacturing: As you collect data on non-conformances and deviations, you can use risk information to spot trends and gauge the severity of defects. Risk assessment tools can also help filter critical events and provide guidance for more informed decisions.
• Internal audits: Building risk management into the auditing process can improve effectiveness in assessing operational compliance. More specifically, you want to flag audit non-conformance findings by risk, so you can pinpoint high-risk gaps for priority follow-up.
• Corrective and preventive action: Corrective action enables you to identify and correct systemic issues. Conducting a risk assessment before closing out a corrective action also lets you see whether it was actually effective. If risk is still unacceptably high, you need to take further action.
• Post-production: Building risk management into continuous improvement initiatives lets you mitigate hazardous events and capitalize on new opportunities. Best practices include filtering complaints by risk to ensure events don’t fall through the cracks, as well as benchmarking suppliers by risk.

Common Tools for Assessing Risk

Organizations use a number of risk-based tools to meet their specific needs. Below we discuss some of the most common risk tools in use today.

Risk Register

The risk register is a comprehensive library of hazards that compiles risk data from all events, including information from:

• Safety incidents and injuries
• Adverse events
• Complaints
• Corrective actions
• JSA and behavior-based safety (BBS)
• Industrial hygiene monitoring

A risk register provides a centralized location for building and viewing a risk history from all operational areas, allowing you to analyze and report on trends. In this sense, the risk register data gives you a big-picture view of compliance so you can adjust operations based on risk history.

Risk Matrix

A risk matrix is a grid that’s quick and easy to use, color-coded to provide a clear view of acceptable vs. unacceptable risks. A risk matrix typically plots severity against frequency (or probability), allowing for fast calculation of risk level for a given hazard or event.


Within the risk matrix, the resulting values will fall into one of three ranges:

• Green: Low or generally acceptable (GA) risk
• Red: High or generally unacceptable (GU) risk
• Yellow: Moderate risk

Some risk matrices will use more colors depending on the complexity of the results. Once you’ve defined your risk levels, you need to add decision-making guidance based on the calculated value. Obviously, the yellow region is the biggest question mark, so it may make sense to have a specific cutoff value above which you require new controls.

It’s also crucial to periodically vet your risk matrix with real-world examples and historical data. This means plugging past events into your risk matrix to verify whether it delivers the correct result. If the calculated risk falls into the green region but resulted in an adverse event, you need to revisit your decision-making criteria.

Decision Tree

A decision tree is a flow chart that uses yes or no questions to help people make decisions based on pre-defined company policies. For example, you might use a decision tree to help determine:

• Whether to record a workplace injury
• How to respond to a hazardous material spill
• When to open a corrective action for an adverse event
• The impact of process changes in a change management context

What makes decision trees so useful is that you can embed them directly into operational processes, helping standardize decision-making without mathematical calculations.

Bowtie Risk Assessment

The bowtie model is useful for rare events without much historical data, but whose impacts are so catastrophic that you can’t afford to ignore the hazard. This model helps visualize complex risks, building out scenarios in which the event could occur to identify controls.

The oil and gas industry was one of the first to adopt bowtie risk assessment, using it to better understand and prevent catastrophic events like wellhead explosions.

Since then, it has spread to many other industries. The aviation industry uses the model to address risks around loss of aircraft control, while pharmaceutical and food companies use it to mitigate risk of contamination events.

At the center of the bowtie is the undesired event. On the left are threats and preventive controls to block those threats and reduce the risk of occurrence. On the right are potential consequences and recovery controls to minimize impact if the event were to occur.

[Figure: bowtie diagram with Threats and Preventive Controls on the left, the Undesired Event (Hazard) at the center, and Recovery Controls and Consequences on the right]

A good way to understand bowtie risk assessment is to think about driving. One undesired event would be loss of control of the vehicle. Your bowtie assessment might include:

• Threats: Rain, poor visibility, driving too fast, bad tires
• Preventive controls: Windshield wipers, headlights, following the speed limit, routine tire replacement
• Consequences: Accident, injury, loss of life
• Recovery controls: Seatbelts, airbags, guard rails, crash barrels
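
The matrix-vetting step described in the risk matrix discussion, worked as an added example that is not part of the original paper: it scores events as severity multiplied by likelihood, assigns the green/yellow/red band, and lists past events rated green that still turned out adverse. The 1-5 scales, band limits, cutoff and event history are assumptions constructed for illustration, since the paper gives no numeric values.

```python
from dataclasses import dataclass

# Assumed 1-5 scales and band limits; the paper gives no numeric values.
GREEN_MAX = 5        # score <= 5  -> green (generally acceptable)
RED_MIN = 15         # score >= 15 -> red (generally unacceptable)
YELLOW_CUTOFF = 10   # scores above this cutoff require new controls

@dataclass
class Event:
    name: str
    severity: int      # 1 (negligible) .. 5 (catastrophic)
    likelihood: int    # 1 (rare) .. 5 (frequent)
    adverse: bool      # did the recorded event actually cause harm?

def score(e: Event) -> int:
    """Risk = severity multiplied by probability/likelihood."""
    if not (1 <= e.severity <= 5 and 1 <= e.likelihood <= 5):
        raise ValueError(f"{e.name}: rating outside the 1-5 scale")
    return e.severity * e.likelihood

def band(s: int) -> str:
    if s <= GREEN_MAX:
        return "green"
    return "red" if s >= RED_MIN else "yellow"

def needs_new_controls(s: int) -> bool:
    """True for upper-yellow and red scores (cutoff sits inside yellow)."""
    return s > YELLOW_CUTOFF

def backtest(history: list[Event]) -> list[str]:
    """Return past events the matrix rated green that were adverse anyway."""
    return [e.name for e in history if e.adverse and band(score(e)) == "green"]

# Constructed sample history, not real incident data.
HISTORY = [
    Event("forklift near miss", 4, 1, False),
    Event("solvent spill", 2, 2, True),       # scores 4: green, yet adverse
    Event("press guard failure", 5, 3, True),
    Event("label misprint", 2, 4, False),
    Event("conveyor jam", 3, 4, True),
]

if __name__ == "__main__":
    for e in HISTORY:
        s = score(e)
        print(f"{e.name:22} {s:2} {band(s):6} new controls: {needs_new_controls(s)}")
    print("revisit criteria for:", backtest(HISTORY))
```

Any name returned by `backtest` is a case where the decision-making criteria, or the ratings given to that event, need to be revisited.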


Key Takeaways
Incorporating risk management into operational processes is quickly becoming a best practice for benchmarking and streamlining quality efforts.

However, using risk technology doesn’t automatically guarantee compliance. Risk assessment methods such as risk matrices, decision trees and bowtie analysis don’t replace people—they’re just tools to inform choices and best practices. While these tools help minimize subjectivity, decisions ultimately rest on individuals transforming that insight into action.

Process excellence requires assembling a risk team to guide decision-making, using historical data to fine-tune operations and a big-picture view of risk. Risk applies to every operational area, making it a universal language companies can use to:

• Filter and prioritize adverse events
• Break down departmental silos
• Improve the speed and quality of decision-making

Ultimately, risk terminology provides a common reference point for understanding complex operational issues, allowing for easy interpretation at all organizational levels. Once you learn to “speak” risk, you drastically improve your ability to improve compliance, uncover new opportunities and energize the business as a whole.

About ETQ

ETQ is the leading provider of quality, EHS and compliance management software, trusted by the world’s strongest brands, like Kimberly-Clark, Novartis, Herman Miller and Chobani. More than 500 global companies, spanning industries including automotive, biotech, food and beverage, manufacturing and medical devices, use ETQ to secure positive brand reputations, deliver higher levels of customer loyalty and enhance profitability. ETQ Reliance offers built-in best practices and powerful flexibility to drive business excellence through quality. Only ETQ lets customers configure industry-proven quality processes to their unique needs and business vision. ETQ was founded in 1992 and has main offices located in the U.S. and Europe.

To learn more about ETQ and its product offerings, visit www.ETQ.com.
