With the adoption of ISO 9001.2015 and the Office of Management and Budget’s (OMB) revision of Circular A-123, management of both the private sector and federal government must now pay formal attention to risk across their enterprise. In addition, the Government Accountability Office (GAO) has updated the “Standards for Internal Control in the Federal Government”, the Green Book, to better accommodate risk assessment.

One of the major changes is the incorporation of major Committee of Sponsoring Organizations (COSO) elements. This is the first time the Green Book has been linked to COSO guidelines. This is significant because COSO provides the guidelines for private sector Internal Audits.

CERM BOOTCAMP
With ISO certified organizations in the United States accounting for only a small portion worldwide, around 2.2% in 2010, any significant movement away from a strict focus on quality could impact the profession in the United States and ASQ significantly. Further,

Greg Hutchins and Ed Perkins, the instructors of a week-long Enterprise Risk Management workshop, made four points which are particularly germane to this discussion.

The first is that risk analysis should be adjusted based on the organization’s maturity level. The levels can be defined as Product/Transactional, Program/Project and Enterprise. At the first level, the standard ISO audit process can be used along with a risk assessment methodology. At the second level, ISO 31000 guidelines and a risk assessment methodology are applicable. However, at the Enterprise Level, it is recommended that COSO guidelines and a risk assessment methodology be used.

Second, since risk is now to be examined across the whole spectrum of the organization, more than just SPC techniques are necessary.

Third, because the COSO guidelines are what Internal Auditors use, their professional associations believes they should conduct Risk Based Auditing. Finally, ISO 9001.2015 and OMB both require the CEO and Board of Directors be involved in the risk analysis process. This places the issue of risk management at the highest levels of an organization.

CHALLENGES TO THE QUALITY PROFESSION
These points indicate the possibility of three key challenges to the Quality Profession and ASQ. The first is that the emphasis on risk and the involvement of CEOs and the Board of Directors could result in quality being relegated to a minor role within the organization. Second, in order to stay relevant quality auditors, particularly those specializing in ISO Certification Audits, will have to upgrade their skill set. They will need familiarity with COSO guidelines and risk analysis methodologies.

Lastly, as companies begin to seek ISO 9001.2015 certification, auditors with risk based methodology skill sets will take primacy over those without such skills. Consequently, unless ASQ upgrades it auditing courses, members will obtain this training elsewhere. A sustained movement away from ASQ training and certification could mean a substantial loss in membership, revenue and influence.

While I have used could and possible in my challenges, this is not totally speculative. Let me provide three examples. First, the book ISO: Risk Based Thinking, a book in ASQ’s book store, has been selling better overseas than in the United States. Second, the FAA’s settlement with Boeing Commercial Airplanes requires Boeing to use risk based criteria in identifying areas for internal audits.

Lastly, in the Enterprise Risk Management workshop I attended, several participants are ISO Certified Auditors.  They are adding ERM to their portfolio of services.

Bio:

James J. Kline is a Senior Member of ASQ. He has over ten year’s supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local government and non-profit organizations. He has also published numerous articles related to quality in government.