#8 – FMEA OR “FACT MAY ERASE APPROACHES” – UMBERTO TUNESI

I am no fan of FMEA-like risk prevention approaches: I am more and more convinced that they are neither effective nor reliable.

WHY DON’T I LIKE FMEA?
For a number of reasons:

One: True human consensus is pure utopia. In any risk assessment team – from its apparently simplest form, a family, to the most complex company or organization board – when one member says “white”, for some inexplicable reason all the others will say – or at least think of – a different color. Even “a whiter shade of white”.

Two: If this opposition compulsion holds true when determining whether anything is risky or not, it will end up in real personal battles when determining “how” risky it is. The SRA (Society for Risk Analysis) showed in one of its papers that men and women perceive risk differently. And that’s “only” sex: what about age, nationality, culture? Who would ever live with a six-foot-long snake at home? Only a very, very few, in the western world.

Three: Rating “how much” risk there is will end up destroying the most robust friendships and partnerships. Is it a 7 or a 6? Will it really endanger the end user, or put the process performance at stake?

SWOT = SIGNIFICANT WASTE OF TIME
Therefore, just as a US writer commented that SWOT stands for “Significant Waste Of Time”, any FMEA-like approach is just a formality, as formal as the complex forms that have to be filled in.

Years of third-party automotive audits demonstrate that every tier supplier works like this: first, the work instructions; second, the control plan; third, the process flow chart; last – and least – the Design and/or Process FMEA.

Risk assessment? Maybe a gammon, which in backgammon is a victory reached before the loser has managed to remove a single piece!

On the other side of the river there are the tepid ones, for whom maybe even waking up in the morning is a risky activity. So they fill their FMEAs with 8’s, 9’s and 10’s, even for process operations with the highest Cp / Cpk, or the most robust design feature.

In a word, I feel that any formal FMEA-like exercise is a “Significant Waste Of Time”.

EFFECTIVE RISK ASSESSMENTS
How, then, do you come up with effective risk assessments?

Thinking of the three key drawbacks of any FMEA-like approach mentioned above, I would suggest that ONE technician, skilled enough in product and/or process design, drafts a list of risks and simply prioritizes them: what has to be done first, in other words. Then he or she submits this list to the Risk Assessment & Prevention Team (RAPT, otherwise named the Risk Management Team) and waits for the battle between the team members to end.

Here is a piece of advice to the list drafter, a lesson to be learned: in John Steinbeck’s novel “The Short Reign of Pippin IV”, the king-to-be wins over his adversaries because he keeps silent.

Once the team members have slaughtered each other, he – or she – who stays out of the carnage, wins.

It is no joke: what is highly risky for a daily jogger is routine to the high-mountain climber; what is routine to the supersonic fighter pilot is an enormous risk to the car-driving commuter; and so on, and so on.

SOUND RISK APPROACH
The only sound approach I can think of when assessing risk is based on two key inputs:

One: Use your experience, learn from facts;

Two: Use your imagination, think as if you were not an expert, put on naive clothes.

Not drying your wet cat in a microwave oven … And not abandoning your dog on a motorway because he or she barks and pisses …

You see: there are also risks connected with bad use of good technology, with ignorance, too, and with excessive wishful thinking: “It will never be like anything else!”


#8 – “I’M OUTTA HERE” – QUALITY AUDITOR – BILL WALKER

“I’m outta here,” said an AS9100 auditor to me recently. What’s going on? Read on:

Let’s look at what is happening with AS9100, which is titled Quality Management Systems (QMS) – Requirements for Aviation, Space and Defense Organizations. This Standard is being used in place of MIL-Q-9858A (Quality Program) and MIL-I-45208 (Inspection and Test), both of which were canceled in 1996 by the US government.

So what QMS requirement do you see on your customer’s contracts?

#9 – ERM INTEGRATED FRAMEWORK FOR AUDITORS – GREG HUTCHINS

Today’s quality auditors need to move from detection to analytical auditing. Quality auditors need to know how to evaluate internal and external controls that manage enterprise risks that result from changing competitive environments, shifting customer requirements, restructuring for growth, and managing the supply chain.

ERM controls, commonly called internal controls, are now the hallmark of good corporate governance because they offer the following benefits:

  • Promote operational efficiency and effectiveness.
  • Manage surprises.
  • Ensure reliability of financial statements.
  • Ensure compliance with regulations and laws.

Quality auditors must be able to evaluate the effectiveness of an enterprise risk management system consisting of the following eight interrelated components:

  • Internal environment.
  • Objective setting.
  • Event identification.
  • Risk assessment.
  • Risk response.
  • Control activities.
  • Information and communication.
  • Monitoring.[i]

Internal Environment
The control environment is basically the culture of the organization. The environment establishes the ethic of the organization. Senior management sets the ‘tone at the top,’ which permeates the organization; guides, role models, and reinforces behaviors; and influences the control ethic of all stakeholders. The control environment is the foundation of all elements of the control system.

The control environment includes:

  • Core values.
  • Oversight by the board of directors.
  • Credibility of the board of directors and senior management.
  • Integrity of the organization.
  • Ethical values.
  • Senior management’s operating style and philosophy.
  • Management deployment of authority and responsibility.

Objective Setting
In quality land, we are very familiar with how quality strategies, plans, tactics, and objectives are deployed down the organization. In much the same way, risk strategies, plans, tactics, and objectives are developed and deployed. Mission-critical business objectives carry associated risks, namely the risk of not being able to identify, mitigate, and manage them. Risk events are occurrences that can prevent deployment of risk strategies, plans, tactics, and objectives.

Event Identification
The second law of thermodynamics says that entropy, chaos, and risk tend to increase. This is the natural state of physical systems as well as organizational systems. Senior management and key process stakeholders must be able to separate the ‘critical few’ variables or events from the ‘insignificant many’ variables or events. The critical few variables are those that have significant risks.

Events can be identified based on:

  • Historical analysis.
  • Process analysis.
  • Interviews with critical stakeholders and subject matter experts.
  • Upper- and lower-limit real-time triggers.

Risk Assessment
Risk is the key filter for senior management decision-making. An organization faces risk from many sources, both within and outside the organization. How it identifies, monitors, controls, mitigates, and ultimately manages overall risk determines how successful and profitable it will be.

All organizations have mission-critical strategies, objectives, tactics, and plans, which are deployed down the organization and into the supply chain. One definition of risk is the ability to meet these objectives consistently. In other words, the ability to assess and ultimately manage risks reflects on the ability of an organization to meet its business objectives.

Risk assessment includes:

  • Determining critical business objectives.
  • Identifying risks that impact the ability to meet objectives.
  • Developing a system to manage the risks.
  • Developing mechanisms for managing change.

Risk Response
The risk response is based on the likelihood and magnitude of the event. High-dollar exposure, health/safety/environment exposure, or few internal controls require higher levels of assurance and control. A cost-benefit decision is then made, based on these and other criteria, to bring risk within the tolerance or acceptance range of the organization.

Risk response usually involves one or a mixture of the following:

  • Risk reduction.
  • Risk sharing.
  • Risk avoidance.
  • Risk acceptance.

Control Activities
All organizations today face uncertainty and risks. The solution is to develop internal controls that mitigate uncertainty and manage risk. These controls are:

“…any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur).”[ii]

Control activities occur throughout the organization and into the supply chain. There are basically two types of controls: 1. soft controls and 2. hard controls. Soft controls deal with the messages and reinforcers that the board of directors and senior management want to communicate. This is sometimes called ‘tone at the top.’ Hard controls include policies, procedures, and work instructions that detail how management directives are carried out and how work is performed. These help ensure that the necessary actions are anticipated and taken to address the risks of not meeting an organization’s objectives.

Information and Communication
Reliable data and accurate information are required to control processes and activities. Without them, there is no control. So critical control information must be identified, captured, and communicated to the right parties so that it is relevant for informed decision making and external reporting. The information must also be in a form and timeframe that lets process owners meet their responsibilities.

Information should be captured based on critical needs of the organization. Risk points are identified throughout the organizational value chain and externally into the supply chain. Communication is also reported externally to customers, suppliers, regulators, and shareholders. Risk points become organizational points of control. Information from these points, nodes, or areas may be communicated up, across and down the organization.

Monitoring
Once processes are stable, capable, and improving, these processes must be monitored. Monitoring may mean first-party assessments; real-time monitoring; second-party evaluations such as internal auditing; or third-party audits such as those by regulatory authorities.

Monitoring ensures that critical system, process, and product performance improves over time. Management should apply Pareto analysis (the 80 – 20 rule) to critical risk-control points within the organization. The scope and frequency of monitoring depends on the evaluation of how effectively the controls manage critical risks. Control deficiencies are then reported to process owners, senior management, or the board of directors, depending on the risk, materiality, or exposure to the organization.[iii]

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books, available on all platforms, are shown below:


[i] COSO Enterprise Risk Management Framework (draft), 2003.

[ii] IIA Redbook.

[iii] “Executive Summary of the Integrated Framework,” www.COSO.com, p. 3, 2003.

#9 – ISO 9001 RISK CHALLENGES – SANDFORD LIEBESMAN

The global economy has provided organizations with many opportunities that didn’t exist even ten years ago. But it also presents organizations with many risks because of the flattening of the Earth via the Internet and extensive outsourcing to countries such as China, Mexico and other nations. The designers of COSO, the guidance commonly used for compliance support of the Sarbanes-Oxley Law (SOX), recognized as early as 1992 the importance of risk management by including it as one element of the system of internal control. And now ISO 9001 developers are including risk in the 2015 revision.

#9 – WHY DO COMPANIES COLLAPSE? – JIM KLINE

Why do companies collapse?

Risk can be defined in many ways. The most relevant and difficult definition is “The probability of an undesired outcome.” (Chicken, 1996) The most obvious undesired outcome is going out of business. The history of business shows many examples of bad strategic decisions, some brought about by hubris and some by the inability to accurately judge the impact of disruptive technology. Two more subtle problems are the subjects of three books: Producing Prosperity (Pisano and Shih, 2012), Restoring The Innovative Edge (Hage, 2011), and Inventing the Electronic Century (Chandler, 2001).
