#9 – NISO AND NICE RISK ANALYSIS – JIM LAMPRECHT

Why would an international standard require companies to perform risk analysis?

The same question was asked a few years ago of the ISO 9000 series of standards, but there at least one could supposedly claim that a quality system would, in theory, improve the overall quality of a product. Still, one could ask the same question: why make it a requirement for doing business? After all, for centuries the “market” has been, and continues to be, a semi-efficient process whereby inefficient and/or below-average performing companies are eventually eliminated.

#8 – DISAGREEMENT ON BELIEFS – JOHN BLAKINGER & GREG RANSTROM

Philosopher Charles Bernard Renouvier said, “There is no certainty, only people who are certain.” And when it comes to contested issues, people tend to project absolute certainty in their opposing beliefs.


When You’re in the Box, You Can’t See the Box

I like disruptive technologies. They change things. They make things fun. They create opportunities to make money or find a new job.

The problem is that they can be changing things all around you and you can’t see the changes. Why? Think of it as the Hutchins POV (Point of View) principle.


It’s a Bird … It’s a Plane … No, It’s a Meteor Attack

I saw the meteor crash into Russia yesterday. I heard and felt the sonic boom from the YouTube videos. It was hugely scary.

If the Soviets had seen this 20 years or more ago, they would probably have thought it was a preemptive nuclear strike. The Soviets would have retaliated, and that would have been the end of the world as we know it.

Could this be the beginning of a new type of space warfare against incoming huge meteors? Speculation. Not really. A few years ago, there was a movie made on this very topic. A huge meteor was going to hit the planet. A strike force was sent up to destroy the comet, which they did successfully.

It’s strange how other-worldly risk events, such as meteors, can take our focus away from the day-to-day concerns.

7A – WHAT DO QUALITY AUDITORS NEED TO KNOW? – GREG HUTCHINS

There is a shift, and some would even say a paradigm shift, occurring in business that impacts quality auditing. We, as quality professionals and quality auditors, must be aware of the drivers of change and adjust accordingly. We must also adapt to add value, including being able to conduct assurance and analytical assessments that provide senior management and the board of directors with peace of mind.

Specifically, we need to know how to conduct analytical risk assessments, such as:

  • Corporate governance assessments
  • Risk based internal audits
  • Homeland security assessments
  • Customer-supplier assessments
  • ‘Effectiveness’ audits

MOVING FROM DETECTION TO ANALYTICAL ASSESSMENTS
What struck you when you read the definition of internal auditing? While ISO 9000 stresses process and ‘effectiveness’ auditing, ISO registrars and most companies still seem to conduct systems or compliance audits. This is a problem in today’s business environment, where senior management and board of directors’ audit committees want more forward-looking, analytical risk assessments.

By its nature, compliance auditing is ‘after the fact’: it is done after a quality system has been deployed, a product has been produced or a service has been delivered. It is also document intensive. So some call compliance auditing a form of detection or inspection, and companies are asking: ‘Where’s the value in a compliance audit?’

Analytical risk assessments are now the key element of today’s corporate governance in both publicly held and governmental organizations. Auditors or assessors must be able to evaluate the effectiveness of the internal controls that manage risks. The Securities and Exchange Commission, as well as other regulatory agencies, is moving to a risk-based model such as COSO, an acronym for the ‘Committee of Sponsoring Organizations’ (of the Treadway Commission).

ENTERPRISE RISK MANAGEMENT AND CONTROLS
The COSO model has been used for more than a decade to evaluate internal financial controls. Now this model is being used to evaluate internal operational controls and even regulatory controls. Compliance audits are fine for checking the letter of regulatory and statutory standards, but the governance bar is now much higher: companies must meet the intent or spirit of the requirement. Quality auditors must be able to conduct ‘analytical’ assessments that evaluate the effectiveness, efficiency and economics of operations.

It all comes down to being able to evaluate the effectiveness of risk management. COSO defines enterprise risk management (ERM) as:

“…a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

There are critical takeaways in the above definition. Specifically, ERM:

  • Is a process. It’s a means to an end, not an end in itself
  • Is applied across the enterprise and at every level
  • Is designed to identify risk events
  • Manages risks so that they stay within the organization’s risk appetite
  • Provides ‘reasonable assurance’ to the organization’s board of directors and senior management
  • Focuses on achieving the organization’s mission-critical objectives
  • Is a continual process of assurance, risk identification, and control effectiveness
  • Is managed by process owners throughout the organization
  • Is applied in strategy development and deployment

ENTERPRISE RISK MANAGEMENT INTEGRATED FRAMEWORK
Today’s quality auditors need to move from detection to analytical auditing. They need to know how to evaluate the internal and external controls that manage enterprise risks arising from changing competitive environments, shifting customer requirements, restructuring for growth, and managing the supply chain.

ERM controls, commonly called internal controls, are now the hallmark of good corporate governance because they offer the following benefits:

  • Promote operational efficiency and effectiveness
  • Manage surprises
  • Ensure reliability of financial statements
  • Ensure compliance with regulations and laws.

Quality auditors must be able to evaluate the effectiveness of an enterprise risk management framework consisting of the following eight interrelated components (the COSO ERM Integrated Framework):

  • Internal environment
  • Objective setting
  • Event identification
  • Risk assessment
  • Risk response
  • Control activities
  • Information and communication
  • Monitoring

Bottom Line: It’s a new normal for all quality auditors. What are you going to do?

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com

WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books, available on all platforms, are shown below: