Introduction

In this paper, we look at risk management as a tool for driving compliance, exploring topics such as:

• The basics of risk management
• The role of technology in risk management
• How and when to use common risk assessment methods

Keeping Pace with Compliance

Technology and automation of essential compliance processes can help a company adapt to increasing complexity and change. Industry 4.0 is here, and with it companies are implementing technology to streamline and connect business processes through automation.

Goals of automating processes and best practices to maintain compliance include:

• Integrating more areas of the company to break down information silos
• Improving visibility into operations
• Harmonizing processes with consistent workflows

Of course, implementing compliance systems requires a significant investment in time and resources. Quality systems reporting, adhering to new regulations, reworking production processes—all of these go into the total cost of compliance.

In this context, risk management is emerging as a strategic tool for mitigating costs while streamlining compliance in an objective and systematic way.

Risk Management as a Key Compliance Tool

Many people think risk management is equivalent to risk assessment, when the reality is that risk assessment is just one part of a holistic risk management strategy. Ultimately, a comprehensive set of risk management processes is essential to making compliance streamlined and efficient.

More and more, global management standards for benchmarking compliance are incorporating risk into their requirements, including standards like:

• ISO 9001 for quality management
• ISO 13485 for medical devices
• ISO 31000 for risk management

This evolution is the framers of the ISO standards responding to the market, recognizing the role that risk plays in business operations and process excellence.

Risk Management Basics

Risk management is a cyclical process that broadly aligns with the plan-do-check-act approach:

[Figure: the plan-do-check-act cycle mapped onto the risk management steps: hazard identification, risk assessment, decision-making, continued monitoring and adjustment]

• Hazard identification: Start by defining relevant risks in your business operations.
• Risk assessment: Systematically and objectively measure risk, which is typically defined as severity multiplied by probability or likelihood.
• Applying decision-making criteria: Implement a standardized process for evaluating risk assessment results and taking action.
• Reevaluating risk: Monitor and measure whether your actions effectively reduce risk over time.
• Making adjustments: When risk is still unacceptably high, start the process again from the beginning.
How to Define a Risk Management Strategy for Quality & Compliance Management Systems
© Copyright 2019
As for how you decide to handle the risk, you have several options:

• Acceptance: Decide that it's worth the risk
• Reduction: Take steps to mitigate risk
• Compensation: Find ways to insure against the risk

[Figure: The Risk Umbrella. Enterprise Risk Management as an umbrella spanning quality, safety, regulatory, financial, environmental and commercial risk]

That's what makes risk management so powerful: it provides a universal methodology for benchmarking compliance. And while we typically think of risk assessment tools from a tactical perspective, it's the strategic process behind them that ensures ongoing hazard identification and risk reduction.

After all, having a risk management tool is helpful, but it won't necessarily spot new or unknown hazards. The tool is a fixed point for risk assessment, while the risk management process looks at operational context to ensure you adapt to emerging risks.

The Trouble with Humans

As humans, we're not always good at assessing risk or anticipating unexpected events. And when we do encounter hazards, our ability to objectively reconstruct them is often flawed.

Too Much or Too Little Data?

A common conundrum many organizations face is having either too little data or so much data that they can't effectively anticipate risks.

If you don't record enough risk items, you won't have a large enough data set for making good decisions. Conversely, recording too many minor events often means people ignore all of them—even when taken together they could pack a huge punch.

Consider the following normal circumstances:

• Operating at max production
• Performing routine fire safety maintenance
• Starting up a new production line

On their own, each of these events may present a low risk. If they all happen on the same day, however, safety risk jumps significantly. Organizations need to adjust to this way of thinking, using risk technologies to make sense of data and transform insight into action.
The Value of a Risk Assessment Tool Within Risk Management Processes

A robust risk management program minimizes subjectivity while maximizing the effectiveness of risk assessment tools in the overall process. Organizations need to collect lots of data to see the bigger picture, going beyond a single operational area to roll out risk management enterprise-wide.

What's more, they need to record not just critical data, but also near-miss data—when hazardous events are narrowly avoided—in order to be truly proactive. What makes risk assessment tools so powerful is that they:

• Are objective and repeatable
• Replace a "gut feeling" approach with standard decision-making criteria
• Make it easy for non-experts to make risk-based decisions

Risk assessment tools drive both short-term and long-term change, but it's worth repeating that they aren't solutions in and of themselves. Companies must be careful to avoid the false sense of security that comes from relying on tools alone.

Risk assessment adds the most value when it is built into the quality processes you already run:

• Internal audits: Building risk management into the auditing process can improve effectiveness in assessing operational compliance. More specifically, you want to flag audit non-conformance findings by risk, so you can pinpoint high-risk gaps for priority follow-up.
• Corrective and preventive action: Corrective action enables you to identify and correct systemic issues. Conducting a risk assessment before closing out a corrective action also lets you see whether it was actually effective. If risk is still unacceptably high, you need to take further action.
• Post-production: Building risk management into continuous improvement initiatives lets you mitigate hazardous events and capitalize on new opportunities. Best practices include filtering complaints by risk to ensure events don't fall through the cracks, as well as benchmarking suppliers by risk.

Common Tools for Assessing Risk

Organizations use a number of risk-based tools to meet their specific needs. Below we discuss some of the most common risk tools in use today.
Risk Matrix

Within the risk matrix, the resulting values will fall into one of three ranges:

• Green: Low or generally acceptable (GA) risk
• Yellow: Moderate risk
• Red: High or generally unacceptable (GU) risk

Some risk matrices will use more colors depending on the complexity of the results. Once you've defined your risk levels, you need to add decision-making guidance based on the calculated value. Obviously, the yellow region is the biggest question mark, so it may make sense to have a specific cutoff value above which you require new controls.

It's also crucial to periodically vet your risk matrix with real-world examples and historical data. This means plugging past events into your risk matrix to verify whether it delivers the correct result. If the calculated risk falls into the green region but the event resulted in an adverse outcome, you need to revisit your decision-making criteria.

Decision Tree

A decision tree is a flow chart that uses yes or no questions to help people make decisions based on pre-defined company policies. For example, you might use a decision tree to help determine:

• Whether to record a workplace injury
• How to respond to a hazardous material spill
• When to open a corrective action for an adverse event
• The impact of process changes in a change management context

What makes decision trees so useful is that you can embed them directly into operational processes, helping standardize decision-making without mathematical calculations.

Bowtie Risk Assessment

The oil and gas industry was one of the first to adopt bowtie risk assessment, using it to better understand and prevent catastrophic events like wellhead explosions.

Since then, it has spread to many other industries. The aviation industry uses the model to address risks around loss of aircraft control, while pharmaceutical and food companies use it to mitigate the risk of contamination events.

At the center of the bowtie is the undesired event. On the left are threats and preventive controls to block those threats and reduce the risk of occurrence. On the right are potential consequences and recovery controls to minimize impact if the event were to occur.

[Figure: bowtie diagram. Threats on the left, each passing through preventive controls to the undesired event (hazard) at the center; consequences on the right, each mitigated by recovery controls]

A good way to understand bowtie risk assessment is to think about driving. One undesired event would be loss of control of the vehicle. Your bowtie assessment might include:

• Threats: Rain, poor visibility, driving too fast, bad tires
• Preventive controls: Windshield wipers, headlights, following the speed limit, routine tire replacement
• Consequences: Accident, injury, loss of life
• Recovery controls: Seatbelts, airbags, guard rails, crash barrels
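The risk-matrix regions and decision criteria described above, the vetting of a matrix against historical events, and the same-day compounding of individually low-risk activities from the earlier sidebar, brought together in one added worked example. This is illustrative code written for this page, not ETQ's software or any tool the paper describes. The 5x5 severity and likelihood scales, the green/red cutoffs, the yellow cutoff above which new controls are required, the choice to sum same-day scores, and the sample events and history are all constructed assumptions:

```python
"""Risk matrix with decision criteria, same-day aggregation and historical vetting.

Added example for illustration only; scales, thresholds and sample data are
assumptions, not values from any standard or product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed ordinal 1..5 scales; risk = severity x likelihood, range 1..25.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

GREEN_MAX = 4           # score <= 4  -> green, generally acceptable (GA)
RED_MIN = 15            # score >= 15 -> red, generally unacceptable (GU)
YELLOW_ACTION_MIN = 10  # yellow scores at or above this require new controls


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: str
    likelihood: str
    day: date


def risk_score(severity: str, likelihood: str) -> int:
    """Severity multiplied by likelihood on the assumed 1..5 scales."""
    return SEVERITY[severity] * LIKELIHOOD[likelihood]


def risk_level(score: int) -> str:
    """Map a score onto the three matrix regions."""
    if score <= GREEN_MAX:
        return "green"
    if score >= RED_MIN:
        return "red"
    return "yellow"


def decision(score: int) -> str:
    """Standardised decision criterion attached to each region, with a
    specific cutoff inside yellow above which new controls are required."""
    level = risk_level(score)
    if level == "green":
        return "accept"
    if level == "red":
        return "unacceptable: reduce or compensate before proceeding"
    if score >= YELLOW_ACTION_MIN:
        return "open corrective action: new controls required"
    return "monitor: record and reevaluate"


def daily_exposure(hazards):
    """Sum the scores of all hazards falling on the same day.

    Summing is a constructed heuristic for this example: concurrent low-risk
    activities add up to an exposure none of them shows on its own.
    Returns {day: (combined_score, level)}.
    """
    per_day = defaultdict(int)
    for h in hazards:
        per_day[h.day] += risk_score(h.severity, h.likelihood)
    return {day: (score, risk_level(score)) for day, score in per_day.items()}


def vet_matrix(history):
    """Plug past events into the matrix and return the names of those that
    scored green yet ended in an adverse event. Any hit means the
    decision-making criteria need revisiting.
    `history` holds (name, severity, likelihood, adverse) tuples."""
    return [name for name, sev, lik, adverse in history
            if adverse and risk_level(risk_score(sev, lik)) == "green"]


# Constructed sample data: the three "normal circumstances" from the paper,
# each rated green on its own, all landing on the same day.
SAME_DAY = date(2019, 6, 3)
ROUTINE = [
    Hazard("operating at max production", "moderate", "rare", SAME_DAY),
    Hazard("routine fire safety maintenance", "major", "rare", SAME_DAY),
    Hazard("new production line start-up", "minor", "unlikely", SAME_DAY),
]

# Constructed history for vetting: one green-rated event had an adverse outcome.
HISTORY = [
    ("forklift near-miss, aisle 4", "major", "rare", False),
    ("solvent spill, line 2", "minor", "unlikely", True),
    ("press guard failure", "catastrophic", "possible", True),
]


if __name__ == "__main__":
    for h in ROUTINE:
        s = risk_score(h.severity, h.likelihood)
        print(f"{h.name:34} score={s:2} {risk_level(s):6} -> {decision(s)}")
    for day, (score, level) in daily_exposure(ROUTINE).items():
        print(f"{day}: combined score={score} {level} -> {decision(score)}")
    print("green-rated events with adverse outcomes:", vet_matrix(HISTORY))
```

Each routine activity scores 3 or 4 and is accepted on its own, but the combined same-day score of 11 lands in yellow above the action cutoff, so the criteria call for new controls. The vetting step flags the solvent spill: it scored green yet produced an adverse event, which is exactly the signal to revisit the thresholds.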
Key Takeaways
Incorporating risk management into operational processes
is quickly becoming a best practice for benchmarking and
streamlining quality efforts.
About ETQ
ETQ is the leading provider of quality, EHS and compliance management software, trusted by the world's strongest brands, like Kimberly-Clark, Novartis, Herman Miller and Chobani. More than 500 global companies, spanning industries including automotive, biotech, food and beverage, manufacturing and medical devices, use ETQ to secure positive brand reputations, deliver higher levels of customer loyalty and enhance profitability. ETQ Reliance offers built-in best practices and powerful flexibility to drive business excellence through quality. Only ETQ lets customers configure industry-proven quality processes to their unique needs and business vision. ETQ was founded in 1992 and has main offices located in the U.S. and Europe.

Call +1 800-354-4476