#1 – FUTURE OF QUALITY: RISK MANAGEMENT! WHO SAYS? GOOGLE – GREG HUTCHINS

Greg Hutchins pixI’ve been a quality professional for years.  I’ve written some of the best selling books on quality.  But, over the last 10 years, I’ve noticed that quality professionals are endangered professionals.

Well remember the quality guru’s that said; “Everyone is responsible for quality.”  Well they were prescient.  What is the job of the quality professional, when everyone is responsible for quality?  Good question. They may be endangered based on the following data points:

Continue reading

#1 – SIX THINGS RECRUITERS WILL NEVER TELL YOU – ELIZABETH LIONS – CAREERS@ RISK™

Elizabeth Lions PixEarly in my career as a recruiter, I was treated poorly by a job seeker and couldn’t understand why.

After several conversations that felt more like a heated sparring match rather than professional dialogue, I mustered the courage to ask him why he was so curt. Clearly, he was upset and didn’t want to have the conversation.

Continue reading

#2 – RISK MANAGEMENT AND LEAN SIX SIGMA – ADINA SUCIU/G. HUTCHINS – SIX SIGMA@RISK™

By Adina Suciu & Greg Hutchins
adina@adavconsulting.com 206.234.8014

We are living in a VUCA world.

VUCA is an acronym for ‘volatility, uncertainty, complexity, and ambiguity:

  • Volatility is the accelerating rate of change around competition, business, employment, career, and job challenges.
  • Uncertainty may be our biggest challenge and is our inability to cope with volatility.  Things are changing so fast and in so many unexpected ways that it’s overwhelming our ability to cope and to understand what’s going on.
  • Complexity entails all the issues and the chaos that surrounds us, that lead to confusion in making smart decisions in what we call the ‘fog of reality.’
  • Ambiguity is the difficulty and inability to solve complex problems and make clear decisions because of the ‘fog of reality.’  There doesn’t seem to be a linear cause-and-effect relationship between problems and solutions.  This can result in misreads, poor decisions, or more often no decisions.

RESPONDING INSTEAD OF REACTING
VUCA is increasing the dimensions of risk the organizations are facing in today’s competitive environment. One solution is to understand that VUCA is presenting new opportunities to capitalize.  When the answer to VUCA is responding and not reacting, there is the benefit of the innovation opportunities that VUCA is fostering. Responding and reframing VUCA can lead to the following[1]:

  • Volatility yields to Vision:  Vision implies there is a clear understanding of the desired future state.
  • Uncertainty yields to Understanding:  Understanding is the critical acceptance of the short and long term factors that can affect one’s career, work, and personal life.
  • Complexity yields to Clarity:  Clarity is the basis for understanding how to deliver personal value through staying flexible, keeping current with technology, learning new value adding skills, being able to innovate, and being able to deliver increasing value.
  • Ambiguity yields to Agility:  Agility is the ability to be nimble by responding to new situations with new ideas, new approaches, and new skills.

STRENGHENING BUSINESS SUSTAINABILITY
Building the mechanisms to responding to VUCA strengthen business sustainability. Organizational agility encompasses a number of elements including the ability to innovate, collaborate, and manage risks.  In other words, the VUCA responsive organization is an agile organization. An agile organization has mechanisms in place to assess and continuously improve its performance. The Baldrige Criteria for performance excellence defines the following types of performance:

  1. Product performance refers to performance relative to measures and indicators of product and service characteristics important to customers. Examples include product reliability, on-time delivery, customer-experience defect levels, and service response time.
  2. Customer-focus performance refers to performance relative to measures and indicators of customers perceptions, reactions and behaviors.
  3. Operational performance refers to workforce, leadership, organizational, and ethical performance relative to effectiveness, efficiency, and accountability measures and indicators. Examples include cycle time, productivity, waste reduction, compliance, fiscal accountability, strategy accomplishment, and community involvement. Operational performance might be measured at the work level, key work process level, and organizational level.
  4. Financial and marketplace performance refers to performance relative to measures of cost, revenue, and market position, including asset utilization, asset growth, and market share.

ENTERPRISE RISK MANAGER SOLUTIONS
Managing performance includes managing risk at enterprise level. There are many Enterprise Risk Frameworks. For example, the COSO ERM:

As we can see, it has all the dimensions of managing performance and addressing VUCA. Managing performance implies managing risk and it is more efficient if they are done together, as part of the value stream. Performance management is effective when processes are well defined and managed. Using Lean Six Sigma methodology and tools proved to be key in ensuring high performance levels.

One best practice in Lean Six Sigma Methodology is to clearly define the quality requirements for inputs and outputs along the value stream. When we also define the assumptions on the inputs and outputs, we have the risks exposed and an opportunity to assess, mitigate and control. We also want to discuss the regulatory and compliance requirements and the response to emergency and business continuity requirements and assumptions along the end to end processes. With this approach, operations incorporate not only quality, but also risk.

Another critical component of agility is collaboration, the bases of a learning organization.  Collaboration or teamwork can foster innovation and product development.  Team work is essential: everybody in the organization, all the process participants, directly involved in day-to-day operations, are the people in the best position to innovate. Looking at risks, will trigger other opportunities for innovation. The leaders’ responsibility is to allow and foster a culture of organizational learning. This means the employees are empowered to continuously improve and make the right risk based decisions.  The above characteristics of an agile organization are also characteristics of a high performing organization.

QUALITY AND SIX SIGMA
Quality does not specifically address VUCA.  But it is much easier to start to manage VUCA (build or strengthen the Enterprise Risk Management) when quality systems and processes are  in place; in other words, when processes are stable and capability is ensured by managing the risk-controls. By building on an effective quality deployment, organizations can get an early jump by incorporating risk management into their strategic planning and operational processes. External and internal risk factors will be identified, addressed and continuously monitored to be minimized. In this way, organizations will be better prepared to handle rapid changes and unexpected challenging events.

Addressing risk, organizations will strengthen not only operations, but also the product and service offerings because the potential harm to the environment and society (communities, customer, employees) of their offerings will also be identified as another type of risk and it will be managed and minimized. In doing so, organizations ensure their long-term survival in a VUCA world.

Quality offers the ideal platform for risk management. Quality tools assist in risk management and the quality professionals are well positioned to expand their skills to risk management. Systemic thinking and process thinking along with ability to use tools like SWOT analysis, FMEA, Capability Studies, QFD, Statistical Process Controls, etc, are a strong foundation for VUCA management.

For  engineers involved with quality, it is a natural evolution to incorporate risk management in their work. There is an increased awareness regarding risk management: even if the quality compliance is very high, one gap in risk management could have dramatic impacts. Any process has to be effective, efficient, well measured and monitored for key performance indicators and key risk indicators. All the interdependencies between processes within work systems have to be assessed and the risk mitigated.

The shift from quality to risk management is a “must” in this VUCA world. The engineers who recognize this fact and expand their skills to incorporate risk management will be very well positioned in the job market for many years to come.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com

WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books available on all platform are shown below:

#2 – ASSESSING THE RISKS OF RISK ANALYSIS – UMBERTO TUNESI – QUALITY@RISK™

By Umberto Tunesi
Management System Auditor
© 2012 Quality Digest, All Rights Reserved

Just a few reminders to start with: In the automotive supply chain, process failure mode and effects analysis (FMEA) must be based on—or at least must take into consideration—design FMEA. This is the case whether a given supplier is responsible for the design or not.

During an FMEA, severity (S) is ranked from 1 to 10, depending on the severity of an effect on a product, customer, manufacturing process, or operator.

Occurrence (O) is ranked from 1 to 10, based on the number of incidents per items per vehicles. It’s interesting to note that a rank of 1 (i.e., very low) is based on the criterion “failure is eliminated through preventive control.”

Detection (D) is also ranked from 1 to 10. A rank of 1 is based on error prevention, but a rank of 10 is assessed as “no current process control.” Curiously enough, ISO/TS 16949:2009 cites “error prevention” in the notes to clauses 7.1 and 7.3, but then switches to “error-proofing” in the note to clause 7.3.2.2 (“Manufacturing process design input”: mark it!), as well as for clauses 7.3.3.1, 7.3.3.2 (“Manufacturing process design output”), 8.5.2.2, and Annex A, Section A.2d.

Now, if detection is ranked as 1 when errors are prevented, should it be ranked zero when error-proofing methods are in place?

There is something more to this. ISO/TS 16949 clause 7.6.1 states, “This requirement shall apply to measurement systems referenced in the control plan.” Since these systems shall be developed from the process FMEA, and clause 7.5.2.1 requires that “all process for production and service provision” be revalidated, doesn’t this mean that the process FMEA must be subjected to measurement system analysis and revalidation?

It may sound a bit crazy, yet it isn’t really so when we consider the reality behind FMEA and observe how S, O, and, D rankings are personality-driven. As happens elsewhere in human interactions, the person who shouts the loudest, looks the fiercest, or whose fist hits the table first, is the “winner who takes all.”

Let’s look at a typical production process. In the beginning, there’s a customer’s request for a quote, along with the usual deadline for submittal “yesterday.” Then the supplier’s top management—under time and budget constraints—comes up with a quote based on the criteria, “Let’s put the order in the box, then we’ll see; this widget is similar to what we’ve been doing for years.”

The drawing comes in and is read as such, not as the design record that it actually is. There are also tests and their specifications, and these reference further standards, specifications, and customer-specific requirements.

A production part approval process (PPAP) package is hastily put together and submitted to the customer, together with an initial sampling. The customer’s quality manager, under similar time constraints as the supplier, signs the parts submission warrant, and there we are.

We then move to the ramp-up and mass production, where the only documentation is the setup and work instructions from the similar widget the company has already produced, and the drawing of the new one. But what about the records? Well, let’s not waste time making the line operators write down the measurements that they read; they take more measurements than what’s required, so an OK or a tick is more than enough. Plus there’s quality control at the end of the line; they will do offline controls with a CMM and all sorts of expensive devices.

Sooner or later, though, there’s a mess, a catch, be it an 8D or similar request, a CSL1 or CSL2, a new business hold (NBH), a customer audit, or the periodic registrar’s audit.

And the mess, whatever it is, highlights that the PPAP package is mostly comprised of counterfeits: process flowcharting, process FMEA, control plan, work instructions, measurement system analysis, training records, feasibility commitment, and so on.

Therefore—and now we’re back to time constraints—the business is at stake. The poor quality manager, who may have sounded the alarm well in advance of the quote and the PSW submittal, now bears all the weight on his shoulders.

Of course, this is a worst case scenario, yet many similarities are found in real cases, where control plans come after work instructions, FMEAs come after control plans, process flowcharting comes after PPAP—just the opposite of any golden rule for prevention.

It’s true the automotive supply chain is under a lot of pressure to save both money and meet deadlines. And I have no financial title to back my opinions about costing issues, yet I believe suppliers could and should do better, in terms of risk assessment, feasibility analysis, and prevention.

For one thing, it’s the suppliers that own the knowledge of the machinery, materials, personnel, products, and processes. It’s useless to start a process FMEA at the same time as the incoming inspection, especially when incoming materials are inspected only for quantity and external appearance. The same holds true for sampling plans, both in-line and at the end of the line: The usual answer to the question, “Why every hour and not every four?” is, “We’ve always done it this way.”

Process flows are charted with the same level of detail as the history of humankind, beginning with Adam and Eve. These charts don’t focus on risks and often are too generic to pinpoint what can—and will—make the process go wrong.

Process FMEAs often suffer the same problem: All sorts of potential failure modes are listed, along with issues that have little to do with the operation in question, based on the criterion that “one never knows what can happen.” The redundancy is built in just to err on the safe side. (“Let’s see, belt and suspenders, what else? Fasteners on the waist?”)

No wonder that “severities” are seldom ranked below 7. Is this effective risk analysis?

The process of determining potential effect(s) of failure is based on the same criteria, but it’s made worse when FMEA-makers confuse product failure—and therefore design failure—with process operation failure.

To quantify these situations, Mr. Pareto would need to revise his famous 80-20 rule—where 80 percent of the effects come from 20 percent of the causes—to say that 99 percent of the effects of process failure are “human error”—i.e., humans who erred when they wrote the process FMEA, and humans who erred by endorsing it. This can extend even to high-severity rankings when no corrective action is determined. It seems these people adhere to the principle that “to err is human,” but forget that “to persist is the devil’s work.”

Control plans, which should in principle originate from process FMEAs, often are mish-mashes of input from the FMEA, previous experience of the same or similar process, and a constraint to produce either stamp-sized or a monster-sized documents—in either case useless except for documentation purposes.

But there’s no need to drift into a Hamlet-type soliloquy here: It’s not a question of “to FMEA or not to FMEA.” Rather, how should we effectively assess risk, using FMEA or alternative methods? I find hazard analysis and critical control points (HACCP) a great, simple, and effective way. It’s still used chiefly in the food and cosmetic business, although its key principles pop up elsewhere occasionally. HACCP is based on FMEA, and in its simplest form states that, given any potential failure, if the downstream process will take care of it, then it’s not critical, or a risk, anymore.

This is the closest to error-prevention I can think of—and to error-proofing, too, for that matter. The product-realization process can be so designed and engineered that it can take risks for various reasons (e.g., cost, cycle-time, tolerance, machinery age, shop-floor layout, operators’ skills), but there will always be an operation, or a device, that will correct or scrap the defect.

Those of you who are familiar with AIAG’s APQP manual may share my interest in it. I find it very valuable. The supplements J and K, and A-1 through A-8, pose stimulating, though sometimes redundant, questions. I particularly like the following from the A-7 Process FMEA checklist:

  • Do the effects consider the customer in terms of the subsequent operation assembly, and product?
  • Have the causes been described in terms of something that can be corrected or controlled?
  • Have provisions been made to control the cause of the failure mode prior to the subsequent or the next operation?

And the A-8 Control Plan checklist:  Are sample sizes based upon industry standards, statistical sampling plan tables, or other statistical process control methods or techniques?

ISO 31000:2009—“Risk Management—Principles and guidelines” is surely worth at least reading. Sections 4.3—“Design of framework for managing risk”; 4.4—“Implementing risk magement”; and 4.5—“Monitoring and review of the framework” demonstrate that risk assessment and analysis, as part of risk management, is itself a process, and therefore worth investigating for stability, variability, and revalidation.

#1 – I’M MAD AS HELL AND I’M NOT GOING TO FACEBOOK ANYMORE – CAROLYN TURBYFILL – LIFE@RISK™

By Carolyn Turbyfill, Ph.D.
cturbyfill@me.com

For those of you who have never seen the movie “Network”, (http://www.imdb.com/title/tt0074958/), I am paraphrasing the character Howard Beale, the “mad prophet of the airwaves”, who strikes a chord with his TV audience when he tells them to turn off their TV’s, go to the window, and shout “I’m mad as hell and I’m not going to take it anymore.”

What are we giving up as we merrily update our status?  Potential passwords:  birthdays, anniversaries, graduation dates, names of pets, children and friends?  Vacation and other travel plans so burglars know when your home will be vacant?  Work information: conferences, co-workers, work locations? Phone numbers, email addresses?  Lots of pictures that someone can use to add verisimilitude to your supposed acquaintance?   Social networking sites are a gold mine for spammers, identity theft, spear phishing, whaling and advanced persistent threats.  Companies are even jumping on the Facebook bandwagon, creating Facebook groups for employees.  But these groups, private or not, are still hosted by Facebook and can provide another target for attackers (insiders and outsiders).

Service providers and their partner websites plant cookies galore on your computer, track your browsing and even upload your address book.  Even when a service provider has a clear privacy policy that you can live with, the policy almost always has a disclaimer stating that you may link to web sites from the service provider that does not apply the same privacy policy.  Vendors may also change their policies so you can’t assume that the policy you agreed to is still extant.

I recently cancelled my Facebook, LinkedIn and Plaxo accounts for several reasons.  First, I was getting way too much spam, which has been greatly reduced.  Second, I was getting too many invitations from people I didn’t know or didn’t want to add to my network.  The last straw on LinkedIn was an alleged bio-weapons expert from Afghanistan.  Third, I am thinking less is more.   I don’t want to live my life like I am on a TV reality show.    I have a few friends who know me well.  Every acquaintance is not a friend.  When I have something to contribute, I can provide content to a blog or a website.

So think about not being one of the 800 million notches in Facebook’s belt and fattening the pockets of people who sell your information. Form some exclusive mailing lists – like people who are really friends or family.  Use some great privacy and anonymity services and even pay for them:

http://www.guard-privacy-and-online-security.com/international-anonymizers.html

http://filesharefreak.com/2008/11/29/the-10-best-free-web-proxies-for-anonymous-surfing/

Better yet, write a letter on real paper. A handwritten note may do more to get someone’s attention than one of many emails.