An overview of risk management | CQI | IRCA

An overview of risk management

Published: 12 Sep 2022

Bob Hughes CQP FCQI, Director of Temple QMS, highlights how proper risk management enhances the work of the quality profession, outlining the benefits of an effective risk review of a management system.

More than ever, it's important to manage the risks of not effectively meeting intended outcomes and quality goals. Between us in the quality profession, we need to innovate and re-emerge, and not be content with ‘the norm’.  

In the analysis of an organisation’s performance, risks and opportunities need to be effectively addressed and communicated – after all, the actions needed to make a change begin with the engagement of people.  

Approach to risk

There are always different approaches to risk. In the manufacturing and service sectors, we have a ‘non-conformance and corrective action log’, whereas in the construction sector, the terminology often used is a ‘lessons learnt log’.  

During introductory discussions with organisations, we always ask: “What are your biggest risks and challenges?” Various factors are then referenced; however, later in the day, when you look at the actions to address risk and opportunity in Clause 6.1 of ISO 9001:2015, there is no reference to the points identified earlier. The business impact is not being addressed in applicable parts of the quality management system.

For example, where product returns have occurred, there may be no mention of potential product recalls, customer complaints, internal identified non-conformance, rework/retro fits, or documentary evidence recorded or acted upon. Also not outlined may be processes that could be improved to define the approach to risk management, in addition to specific identified roles and responsibilities.  

What does the process say?

Clause 10.2 of ISO 9001 states: ‘When a nonconformity occurs, including any arising from complaints, the organisation shall…’ and follows up with a list of actions. The question that should be asked, however, is when was this list last audited line by line.   

With the emphasis on opportunity, are we actually and effectively identifying preventative actions? In the spirit of quality, we should be focusing on preventative action to eliminate potential nonconformities. In addition, we should analyse any nonconformities that do occur and take actions to prevent recurrence that are appropriate for the effects of the nonconformity. Furthermore, in terms of Clause 10.2.d, we should review the effectiveness of any corrective action taken. 

Risks and opportunities 

Working with various organisations, we have seen a number of key risk points, as well as the opportunity they offer that organisation, should it re-focus on a different approach to risk.  

Price increases 

Price variation is attributed to the cost of quality. Organisations should ask themselves when they last looked at their supplier selection criteria. A key question to ask is: ‘have we networked with our supplier base to gain information on what is happening in the markets and our influences and challenges?’ 

Product shortages and managing external providers of materials and outsourced processes 

A lack of process has been identified as a link to a lack of effective batch traceability – missing an interaction link to product release because the defined criteria were missed.

Risks for operational suppliers can include:   

  1. Environmental – such as natural disasters, pandemics or extreme weather.  
  2. Geographical – for instance, corruption, terrorism, political instability and trade restrictions.  
  3. Economic – price unpredictability, energy shortages and surging costs, delays at borders and currency fluctuations.

All of the above need their own risk-based thinking/action approach. 

Cost down demands 

As they strive to manage global competitiveness, some organisations are seen to demand cost down on some critical external providers – the purchasing department must meet their targets. 

This can create conflict in meeting the organisation’s supplier quality assurance manual (SQAM), putting aspects of quality at risk.  

Managing new starters 

The onboarding of new staff can provide a risk pinchpoint. If an induction is rushed to get new starters on the job, an opportunity is missed for the quality principle of engagement of people. Not referencing that the business has a quality system, or quality policy (in some cases done by staff who haven’t got the time to do it) can lead to a bad first day at work, creating a lost opportunity to inspire quality from day one.   

Changing build demands 

Build plan, schedule control and meeting customer orders and demands can be an ever-increasing challenge. Meeting customer order requirements with a parts shortage is seen as forcing organisations into successive production changes. This adds extra pressure on staff to meet on-time delivery performance targets, which is not easy to manage and impacts potential ‘right first time’ quality.

Managing design change 

The rush for a new product launch can lead to poor quality control of sampling, fit and function, and reliability, with approvals not done and suppliers not fully engaged. The customer bears the impact when a product does not effectively function after a short time, causing conflict and impacting key performance indicators (KPI).

New product introduction 

New product introduction is high on the list of business impacts associated with risk control. It can be a missed opportunity to control a new product from concept to production and eventual release to the customer. There are many risk-associated management points here, including roles and responsibilities for decision-making, ambiguity in process ownership, release authorisation and setting up training.  

Managing control of product release

ISO 9001 Clause 8.6 references ‘planned arrangements to verify product and service requirements have been met’. This has been seen as a tendency to layer inspection on top of inspection. Product release is often seen as not being linked to the skills matrix – a retrofit scenario is not captured. The parts released are possibly defective, which is linked to fit and function and the visual appearance of the parts.

Control of specifications

Organisations not fully referencing specification requirements on purchase orders can lead to materials being used not to specification, and organisations and suppliers working to different specifications. This has created a perception of quality not being fully fit for purpose when out in the field. Importantly, this can impact on statutory and regulatory requirements not being met. 

First-party and second-party audits not fully effective 

Internal audit programmes can show that all processes are equal, with the same amounts of audits within a cycle. This does not illustrate that audits link to the importance of risk processes.

Other key risk areas are the core basic competency of audits and checklists that don’t fully link to the audit criteria of specifications, processes and the Standard. The results of audits may not be effectively illustrated in a management review, meaning the real spirit and value of audits is missed. Internal auditor training is essential.

Improving business performances 

Many, if not all, organisations are affected in some way by the above criteria. This underlines that the spirit of a risk-based approach could be improved. We could better deploy management systems by using quality to improve business performance in planning a review and reaching continual improvement.  

ISO 9001:2015 does not have a separate clause for preventative action, under which we would determine and implement action(s) to eliminate the causes of potential nonconformities in order to prevent their occurrence. Instead, this is conveyed through a risk-based thinking approach.

We do need to have a look in more detail at Clause 6.1 to review our quality management systems, using an approach of interaction of processes in terms of context of organisation/stakeholder expectations. In some cases, we have seen it left to the quality manager to tick the boxes, but we could be more effective by working together, using quality, to manage our risks.  

Very often, organisations are unhappy with their quality, with poor performance meaning targets are not met. 

Let’s better manage our risks, carrying out a formal management review of our business management systems. If we also invigorate our engagement of people, we can head into the last quarter of the year with a positive approach – the glass is definitely half full. 
