2015_risk_20161202_4asq-1

Management Quexx International Ltd. Vancouver, November 30, 2016 requirement, myth and reality

Upload: arek-rajtar

Post on 16-Apr-2017


Page 1: 2015_RISK_20161202_4ASQ-1

Management

Quexx International Ltd.

Vancouver, November 30, 2016

requirement, myth and reality

Page 2: 2015_RISK_20161202_4ASQ-1

© 1996-2016 Quexx International Ltd. 1-604-728 3373 Page: 2

QUEXX

Risk: Definition

Operational Excellence: Risk Management

“effect of uncertainty on objectives”

…where:

Effect = deviation from the expected

Uncertainty = the state of deficiency of information

Page 3: 2015_RISK_20161202_4ASQ-1

Uncertainty

“the state of deficiency of information”

Information:

- May not be available

- Is available but not accessible

- Accuracy is unknown

- Origin is fuzzy

- Differs with interpretations

- Depends on multiple factors

- Changes over time

Page 4: 2015_RISK_20161202_4ASQ-1

Risk and Business

Risk is intrinsic to doing business.

“… an integral part of all organizational processes” ISO 31000:2009 (3b)

Page 5: 2015_RISK_20161202_4ASQ-1

Risk and ISO 9001: 2015

ISO 9001: 2015 International Standard

“…employs the process approach… and risk-based thinking.” ISO 9001: 2015 0.1 General

…The concept of risk-based thinking has been implicit in previous editions of ISO 9001 (e.g. Planning, Review, Improvement, Preventive Action…) (ISO 9001:2015 A4)

49 references

Page 6: 2015_RISK_20161202_4ASQ-1

Risk in our business

The organization can only decide that a requirement is not applicable if its decision will not result in failure to achieve conformity of products and services… (ISO 9001:2015 A4)

Page 7: 2015_RISK_20161202_4ASQ-1

0.1 Risk-based Thinking

- determine the factors that could cause its processes and its quality management system to deviate from the planned results

- put in place preventive controls to minimize negative effects and

- make maximum use of opportunities as they arise (see Clause 4).

ISO 9001: 2015 - 0.1 General

Page 8: 2015_RISK_20161202_4ASQ-1

0.3.1 Process approach

The process approach …. with an overall focus on risk-based thinking (see 0.3.3) aimed at taking advantage of opportunities and preventing undesirable results.

Note:

Monitoring is process-specific and depends on the related risks.

Page 9: 2015_RISK_20161202_4ASQ-1

0.3.2 The PDCA Cycle

Plan: establish the objectives of the system and its component processes, and the resources needed to deliver results, …and identify and address risks and opportunities.

Do: implement what was planned.

Check: monitor and measure processes, and the resulting products and services against policies, objectives and requirements and planned activities, and report the results.

Act: take actions to improve performance, as necessary

Page 10: 2015_RISK_20161202_4ASQ-1

0.3.3 Risk and effective QMS

Risk-based thinking is essential for achieving an effective quality management system.

Addressing risks and opportunities leads to improved results…

Page 11: 2015_RISK_20161202_4ASQ-1

5.1.1 Leadership and risk-based thinking

Top management shall demonstrate leadership and commitment with respect to … (5.1.1) the quality management system by:

d) promoting the … risk-based thinking;

Page 12: 2015_RISK_20161202_4ASQ-1

5.1.2 Conformity of products and services

(5.1.2) …management commitment to customer focus by ensuring that:

b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;

Page 13: 2015_RISK_20161202_4ASQ-1

6.1.1 and 6.1.2 Actions to address risks and opportunities

6.1.1 … determine the risks and opportunities

6.1.2 …address these risks and opportunities

Options:

- Take risk

- Avoid risk

- Eliminate risk source

- Share or pass risk

- Retain risk

- Change risk likelihood or consequences

- Consider/develop alternative “business exit strategy”?

NOTE: action taken should be proportional to the potential impact of risks and opportunities

Page 14: 2015_RISK_20161202_4ASQ-1

6.1 Actions to address risks and opportunities

Although 6.1 specifies that the organization shall plan to address risks, there is no requirement for formal methods or a documented risk management process.

Page 15: 2015_RISK_20161202_4ASQ-1

9.1.3 Analysis and evaluation

The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement…

The output of analysis shall be used to evaluate:

e) the effectiveness of actions taken to address risks and opportunities

Page 16: 2015_RISK_20161202_4ASQ-1

9.3.2 Management review inputs

The management review shall…. take into consideration:

e) the effectiveness of actions taken to address risks and opportunities

Page 17: 2015_RISK_20161202_4ASQ-1

A.4 Risk-based thinking

Organization is expected:

- Identify risks

- Plan to address risks

- Focus on performance

- Align risks and objectives

- Risk management = process

- Apply to suit

- Consider evidence

No requirement for:

- formal method

- documented process

Page 18: 2015_RISK_20161202_4ASQ-1

A.5 Applicability

… an organization can review the applicability of requirements due to:

- the size of organization

- the complexity of organization

- the management model it adopts

- the organization’s activities

- the nature and magnitude of risks, and

- the nature and value of opportunities

Page 19: 2015_RISK_20161202_4ASQ-1

A.8 Control of externally provided processes, products and services

“The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes, products and services.”

Page 20: 2015_RISK_20161202_4ASQ-1


Risk: Context of the organization

RISK

Competition

Reputation

Partnerships

Human Factor

Disasters

Compliance

Financial

Economical

Legal

Market Share

Delivery

Cost

Page 21: 2015_RISK_20161202_4ASQ-1

Risk: Governance

GOVERNANCE: “coordinated activities to direct and control an organization”.

- Business environment

- Organization and relationships

- Authority and responsibility

- Objectives and goals

- Policy, strategies and tactics

- Decision-making pathways

- Legal requirements

RISK MANAGEMENT: “coordinated activities to direct and control an organization with regard to risk”.

Effective governance = effective risk management.

Page 22: 2015_RISK_20161202_4ASQ-1


Risks: Business Continuity

• Acts of Nature

• Sabotage

• Political stability

• Terrorism

• Legal and regulatory systems

• Electronic espionage

• Bio-threats

• Environmental

• Social

• other….

Page 23: 2015_RISK_20161202_4ASQ-1


Risks: Business Strategy

• Corporate image

• Market reputation

• Benefit of insurance versus value

• Cost of competitiveness

• Profit versus penalty

• Preventive maintenance

• Contingency

• Redundancy

• Diversification

Page 24: 2015_RISK_20161202_4ASQ-1

Risk: Competitiveness

… explosion of competitors

… challenging business growth

… poor visibility into sales trends

… inability to control product lifecycles

… expectations of moody customers

... environmental and social changes

… globalization of sourcing

… failure to forecast accurately

… volatile acquisition of customers

… shrinking retention rates

… and more…

Page 25: 2015_RISK_20161202_4ASQ-1


Risks: Engineering

• Poor planning and execution

• Inadequate time

• Insufficient resources

• Incompetent management and/or personnel

• Incomplete knowledge / information / research

• Wrong or excessive assumptions

• Non-competitive design

• Incorrect specification

• Lack of experience

• Inadequate QA

Page 26: 2015_RISK_20161202_4ASQ-1

Risk: Operations

Risk of losses:

a) resulting from inadequate:

- operational processes

- support activities

- QA and QC

- skills and experience

- systems

b) caused by:

- accidents and incidents

- deliberate actions

- external events

Page 27: 2015_RISK_20161202_4ASQ-1

Risk: Supply Chain

Poor forecasting

Lack of proper planning

- materials and media

- shop floor capacity

- engineering support

- subcontracted services

Unsanctioned purchasing

Error-prone inventory

Sub-optimal relationships

Unrealistic scheduling

Ineffective delivery

Increased costs

Business roadblocks

Financial and economic loss

Loss of reputation

Page 28: 2015_RISK_20161202_4ASQ-1

Risk: Communication

• Hardware and software

• Access

• Method

• Skills

• Language

Cultural:

… definitions

… misunderstandings

… interpretations

… religious barriers

… customs

… laws and regulations

Page 29: 2015_RISK_20161202_4ASQ-1


Risk Management: Integrated MS

Integration with other standards (e.g. OHSAS 18001: 2007 (health and safety), ISO 14001: 2015 (environment) or ISO 31000: 2009 (Risk management)) may increase risk magnitude, frequency, probability, etc.

Solution:

• Balance the integration effects and the risks

• Define “standard” processes

• Commonize terminology

• Always use PDCA

Page 30: 2015_RISK_20161202_4ASQ-1

Risk Management: Strategy

[Figure: risk strategy diagram. Axis labels: Magnitude, Probability, Uncertainty, Consequences, %, $. Regions: Mitigate (Probability = No.1, Magnitude = No.2); Accept; Transfer or avoid; Mitigate (Magnitude = No.1, Probability = No.2).]

General rule:

1) Resources mitigating risks << consequences of inaction

2) Risk Level = Probability x Magnitude

3) Risk Consequences = Risk Level x Time

Page 31: 2015_RISK_20161202_4ASQ-1


Risks Management: Essentials

Do we know the risks?

Do we have correct and reliable information?

Do we have the necessary knowledge?

Do we have the means to control them?

Do we know how to control risks?

Do we have a risk management process which defines:

- What should be done

- Who has to address risks

- Where it should be done

- When it should be done

- How it should be done

Page 32: 2015_RISK_20161202_4ASQ-1


Risk Management: Application of FRACAS

Application:

- risk reduction

- process control

- incident / problem / non-conformance reporting

- Continuous Improvement

Page 33: 2015_RISK_20161202_4ASQ-1

Risk Management: Workplace / Project Hazards

Major causes:

People

Equipment and Tools

Materials

Worksite

Hazard factors:

Condition

Practices

Behaviours

Page 34: 2015_RISK_20161202_4ASQ-1

Risk Management: Health and Safety

Page 35: 2015_RISK_20161202_4ASQ-1

Risk Management: Hazard Assessment

Process:

- Stop

- Think

- Act: Identify

Assess

Control

Resume

Page 37: 2015_RISK_20161202_4ASQ-1


Risk Management: Project Risks at Kick-Off

Page 38: 2015_RISK_20161202_4ASQ-1

Risk Management: DOE

DOE steps:

- Plan experiments

- Develop predictive models

- Conduct experiments

- Analyse outcomes

- Optimize processes and products

- Solve problems with multiple variables

DOE = impact of variability in controllable and uncontrollable factors on important responses. DOE uses mathematical models to optimize process and product performance and identify variables and their interactions which may affect key outcomes.

Page 39: 2015_RISK_20161202_4ASQ-1

Risk Management: FMEA

S = Severity

O = Occurrence

D = Detection

C = Criticality (S x O)

RPN = Risk Priority Number

RPN = C x D

S = Severity

O = Occurrence

D = Detection

RPN = Risk Priority Number

RPN = S x O x D

Page 40: 2015_RISK_20161202_4ASQ-1


Risk Management: General recommendations

Decision base: 80% facts, 20% assumptions, 0% gossip

Regulatory, statutory and contractual reqt’s = a “must”

Soft landing for the worst case scenario

Redundancy of systems, hardware and software

Serviceability and service support

Post-Mortems and Lessons Learned

What goes up… How to keep it “up”?!

Page 41: 2015_RISK_20161202_4ASQ-1


Risk Management Framework: Key components (ISO 31000: 2009 Section 4.1)

Organization and its context

Risk Management Policy

Accountability

Integration

Resources

Communication and reporting (internal and external)

Continual Improvement

Organization

Monitoring and review

Implementation

Page 42: 2015_RISK_20161202_4ASQ-1


Risk Management process: Integration

Based on ISO 31000: 2009 Section 4.1

Communication and Consultation

Establishing Context

Risk Assessment:

- Risk Identification

- Risk Analysis

- Risk Evaluation

Risk Treatment

Monitoring and Review

Management System(s)

Risk Management System

Page 43: 2015_RISK_20161202_4ASQ-1


Risk Management process: Real-life CAPA

Report Incident

Immediate CAPA

Initiate CAPA

Investigate and Analyse Risk

Final CAPA

Verify Final CAPA

Immediate Evidence-based CAPA

Initiate Follow-up CAPA

Immediate CAPA Follow-up

Page 44: 2015_RISK_20161202_4ASQ-1


Risk Management process: Design

Business Model:

- Profile

- Process

- Compatibilities

- Inter-dependencies

RM Process:

- Integral

- Embedded

- Tailored

RM Factors:

- Prioritization

- Support Systems

- Efficiency

- Effectiveness

RM Outcome:

- Benchmarks

- Objectives

- Strategy

- Policy

Page 45: 2015_RISK_20161202_4ASQ-1


Risk Management: Evolution

Past: Risk Management = ‘risk avoidance’.

Present: Risk Management = business protection and regulatory compliance.

Future: Risk Management = business growth based on risk intelligence which unlocks opportunities and stimulates business evolution.

Risk = …

Page 46: 2015_RISK_20161202_4ASQ-1


Risk Management: Outcomes

Risk = positive and negative outcomes

“… any uncertainty can have positive and negative effects.” ISO 9001: 2015 0.3.3 “Risk-based thinking”

1) Plan for the outcomes

2) Eliminate or reduce negative

3) Learn from positive and negative

4) Turn negative into positive

Page 47: 2015_RISK_20161202_4ASQ-1


Risk Management: Outcomes

Turn negative into positive…

Page 48: 2015_RISK_20161202_4ASQ-1


Risk Management Benefit: Improved business performance

• Dynamic business model

• Improved business controls

• Fact-based decision-making

• Effective operations, achieved objectives

• Regulatory and statutory compliance

• Sound governance and reporting

• Adequate RM resources

• Effective incident management

• Enhanced visibility of opportunities

• Proactive loss prevention

• Resilience to potential threats

• Stakeholder confidence and trust

• … and more

Page 49: 2015_RISK_20161202_4ASQ-1


Risk Management Benefits: Summary

Businesses with a properly implemented risk management strategy are more likely to be successful.

Page 50: 2015_RISK_20161202_4ASQ-1

This presentation was delivered by…

QUEXX International Ltd.

Quality Management Support Services

Quality Management Systems

LEAN Quality Management

Project Quality Assurance

Supplier / Contractor QA

Ph.: (604) 469 6002 Fax.: (604) 469 6070 Cel.: (778) 628 6807

(604) 728 3373

E-mail: [email protected]

[email protected]