At Bob’s Machine Shop, we recognize risk as being a combination of probability and consequences. We weigh the probability of impactful events occurring in an uncertain world and the severity of their consequences. Accordingly, we determine if risk is acceptable or if mitigating actions are needed to bring risk to an acceptable level.
Because customer dissatisfaction is a consequence of providing discrepant or untimely product to customers, this is the risk the QMS focuses upon. Negative consequences of poor quality may arise due to one event, or they may arise as the result of several contributing factors.
Risk is managed here in two ways: risk associated with accepting particular customer orders, and risk associated with operating the quality management system and its processes.
RISKY ORDERS
When a potential order is particularly risky (per criteria defined below), a Risk Analysis (RA) checklist is completed specifically for the potential order. RA checklists are circulated to affected departmental management personnel for assessment from a departmental perspective. Once an RA checklist is initiated, the potential order will not be pursued further unless risk is found to be acceptable.
Sales personnel consider orders risky enough to warrant RA checklists if any of the following circumstances pertain. We consider each of the following to be equally risky:
- Short lead times involving non-standard material
- Linear tolerances less than .0005”
- Radial tolerances less than .001” in arc segments representing less than 33% of a circular surface
- Exotic material requirements and availability
- Non-standard thread requirements
- Excessive set-up or processing time (consult Production)
Product dimensions exceeding 4’ x 3’ x 2’ exceed Bob’s machining capability. Likewise, processing requirements involving class 1,000 or cleaner clean-room requirements cannot be performed at Bob’s. Risk associated with potential orders containing such requirements is unacceptable without mitigating actions. (However, as the RA checklist will show, outsourcing these operations to qualified suppliers brings risk to an acceptable level.)
Sales personnel generate RA checklists as needed and assign responsibilities for their completion (including those with bearing on the issue at hand). As appropriate, Sales personnel highlight the specific sources of risk for that particular order on the RA checklist, or add specific sources of risk to the checklist. Once RA checklists have been reviewed and found to be complete and correct, Sales personnel distribute them to designated management personnel for completion.
Assigned management personnel consider each risk, determining severity, likelihood, and acceptability. If risk is not acceptable, mitigating actions are determined, as are post-mitigation severity, likelihood, and acceptability. Results are recorded on RA checklists, which are submitted to the General Manager once complete. While approval or disapproval of departmental management is evidenced upon completed RA checklists, the General Manager must finally approve RA checklists and accept the risk for the organization.
RISKY BUSINESS
Risk pertaining to the QMS in general, to processes and their activities, is also addressed using RA checklists. During Management Review meetings, and more frequently as circumstances dictate, the General Manager (top management) assesses risk to the QMS in general and risk to QMS processes. Risk associated with processing within each department is assessed by, or with input from, departmental management. While the RA Checklist itself may be adjusted during management review, the most current copy is maintained with Management Review minutes.
Likelihood: event probability estimation
Failure Event Likelihood | Definition of Likelihood (probability of occurrence) |
Highly likely | Potentially unavoidable or almost certain failure (≥80% chance of occurrence) |
Likely | Failure is moderately certain (between 20% and 80%) |
Somewhat likely | Failure is less than moderately certain (3%-20%) |
Not likely | Failure is possible but not probable (≤3% chance) |
Never | Existing provisions preclude failure event |
Severity: impact of consequences estimation
Severity Level | Definition of Severity Levels |
Critical | Event results in late delivery or delivery of discrepant product causing delays to customers’ processing and/or causing loss of confidence in our abilities as a supplier |
Major | Customer discovered discrepancies in timeliness or product quality (not caught by us or communicated to the customer) |
Minor | Customer accepted late or discrepant product under concession arranged before shipment |
No impact | Event results in no impact |
RISK ANALYSIS AND RISK ACCEPTABILITY
Risk is considered as being in one of three categories of acceptability:
- Acceptable (no further action is needed)
- Actionable (minor action is needed, or action is required for a particular order, or in a certain circumstance, to bring risk to acceptable levels)
- Unacceptable (major action, attention, or outsourcing is required to accept risk)
Likelihood / Severity | No Impact | Minor | Major | Critical |
Never | acceptable | acceptable | acceptable | acceptable |
Not likely | acceptable | acceptable | actionable | actionable |
Somewhat likely | acceptable | actionable | actionable | unacceptable |
Likely | acceptable | actionable | unacceptable | unacceptable |
Highly Likely | acceptable | actionable | unacceptable | unacceptable |
CONTROLLING RISK
The following checklist is used to identify risks and risk events, estimate their likelihood of occurrence, the severity of their consequences, any mitigating actions, and the acceptability of risk after mitigation. Consider potential risks to process effectiveness and product conformity.
The following is a page from Bob’s RA checklist. It’s the page devoted to quoting activities within the Sales process:
Process | Risk | Severity | Likelihood | Acceptability | Mitigating Action(s) | Severity after mitigation | Likelihood after mitigation | Acceptability after mitigation |
Sales: quoting | Production Capability: Linear tolerances less than .0005”; Radial tolerances less than .001” in arc segments representing less than 33% of a circular surface; Exotic material requirements and availability; Non-standard thread requirements | Major | Somewhat likely | Actionable | Procedural control, RA checklist | Minor | Not likely | Acceptable |
Sales: quoting | Production Capability: Product dimensions exceeding 4’ x 3’ x 2’ | Critical | Highly likely | Unacceptable | Outsource (see Purchasing) | Minor | Not likely | Acceptable |
Sales: quoting | Production Capability: Processing requirements involving class 1,000 or cleaner clean-room | Critical | Highly likely | Unacceptable | Outsource (see Purchasing) | Minor | Not likely | Acceptable |
Sales: quoting | Production Capacity: Production forecast | Critical | Not likely | Actionable | Procedural control, responsibility assigned | Minor | Not likely | Acceptable |
Sales: quoting | Production Capacity: Excessive set-up or processing time required | Major | Somewhat likely | Actionable | Procedural control, RA checklist | Minor | Not likely | Acceptable |
Sales: quoting | Production Capacity: Short lead times non-standard material | Major | Somewhat likely | Actionable | Procedural control, RA checklist | Minor | Not likely | Acceptable |
Sales: quoting | Production Capacity: Outsource unavailability | Critical | Not likely | Actionable | Procedural control (see Purchasing) | Minor | Not likely | Acceptable |
Sales: quoting | Inspection capability | Critical | Not likely | Actionable | Procedural control (see tolerance capabilities chart) | Minor | Not likely | Acceptable |
Notice in the above table that the risk of, say, Sales personnel being too aggressive and making promises exceeding capacity is controlled via a procedural provision and an assignment of responsibility. The procedural provision might require Sales personnel to consult the production capacity forecast before quoting orders, for example. Thus, Sales personnel are responsible for implementing this risk-mitigating action during the quote phase of the Sales process.
As far as use of the table goes, if the risk level is acceptable prior to mitigation, then N/A would be entered into the check-boxes pertaining to mitigation and post-mitigation action/analysis. (Or a line could be drawn through them to indicate N/A.)
As far as auditing is concerned, it seems an auditor should treat the risk requirements like any other requirements. During document review, an auditor should find that the above complies with the risk requirements of ISO 9001:2015. During stage two, the auditor verifies that what is stated above has been effectively implemented.
For example, during document review, an auditor can see that the mitigating action associated with exceeding production capacity during the quote phase is a procedural control. The auditor can look through the procedure to ensure the control is present. Then at stage 2, the auditor checks to see if Sales personnel consistently consult the Production capacity forecast before quoting orders. Auditors should also ask for records of completed RA checklists. At Bob’s, records of RA checklists arising in connection with management reviews are maintained with management review records. Records of RA checklists associated with particular risky orders are maintained in the associated quote/order files.
The explanation of how Bob’s handles risk is contained in the Quality Manual and in the Management procedure (which contains the management review routine as well as the risk assessment routine). In Bob’s case, no separate “Risk Management” procedure has been raised.
Bio:
T. D. (“Dan”) Nelson is a quality management consultant, author, and trainer
specializing in the process approach, ISO 9001, and related sector schemes.
Dan has roughly 20 years of experience with ISO 9000 and over 15 years’
experience with the process approach. Dan holds an MA in Business
Administration from the University of Iowa. Dan can be reached at:
dan@tdnelson.com
720.412.7994