Handbook — Supporting a Quality Culture Across Your Business
etq.com
Risk-based thinking applies the concept of risk
to quality and EHS processes, so that there is
a common language and metrics for assessing
how those processes are meeting their goals
Foreword
The current challenge for businesses is how to maintain a strong level of compliance where there is greater uncertainty, complexity and ambiguity in both the internal operational context and the broader external environment. Businesses have begun to recognize that succeeding under these conditions will involve a company-wide commitment to realizing strategic goals, where there is a high degree of coordination and collaboration between functions, with quality as a common principle.

This is leading to a shift in mindset around quality and compliance. Quality is extending its scope from the development and delivery of products and services, and is addressing strategic objectives across the organization. A broader range of stakeholders now engages in quality management, and this is how quality has become a culture. This quality culture involves setting high bars for performance throughout the organization, whether that’s for quality, environmental performance or safety.

As a result, businesses need a systematic and objective way to measure themselves, not just within quality and compliance but across all operations. Risk-based thinking is establishing itself as the proven approach. Risk is a concept that is universal to most organizations – most people speak risk, even if they don’t speak quality or environmental performance.

Risk-based thinking applies the concept of risk to quality and EHS processes, so that there is a common language and metrics for assessing how those processes are meeting their goals. It allows a company to normalize how it communicates its measures of operational efficiency to more people within the organization.
So risk is no longer confined to Governance, Risk and Compliance (GRC) but instead is becoming embedded in all aspects of the business, as operational risk management. Quality, EHS and compliance are viewed through the lens of risk to improve the efficiency of their processes. There is greater visibility and more control, leading to better decisions. Businesses are able to translate what they do on an operational level to a risk-based paradigm.

The big challenge now for many businesses is how to implement risk. This guide will help you start your risk journey. We will provide an overview of the most critical risks businesses face today and show you how to apply risk-based thinking to your processes. We’ll look at a real life example and take you through the issues you need to address in order to develop the people, processes and systems essential to establishing a risk-based quality culture across your business.

Tim Lozier, Director of Product Strategy, EtQ
Reputational Risk

Damage to brand and reputation is the highest ranking concern globally, according to Aon’s 2017 Global Risk Management Survey.

Reputational risk has been greatly amplified by new technologies, such as social media, where a crisis could spread globally within a matter of hours, or even minutes.

New threats are emerging alongside the traditional threats of defective products, poor customer service, workplace accidents and the like. Damage to reputation can now occur because of an inappropriate tweet by an employee, or through social media posts complaining of poor workplace practices. As a growing number of people are choosing social media over traditional sources as their main source of news, fake news has emerged as a significant risk to reputation.

The speed with which damage to reputation escalates means that businesses are often forced to respond in real time. It is therefore critical that your business has a robust reputational risk strategy in place.
Regulatory Risk
Despite leaving the EU, UK companies will still be subject to these regulations if they do business with EU companies. Most likely, the UK will implement similar domestic laws in order to remain competitive, otherwise they may face restrictions on the transfer of data from the EU.

Both these measures will require businesses to take appropriate technical and organizational risk management measures, including measures to prevent and minimize the impact of incidents, as well as report serious incidents to national competent authorities.

Effective regulatory compliance management, especially in heavily regulated industries such as life sciences, has become a competitive advantage for today’s businesses. For this reason, regulatory risk should feature in the risk conversation as well as the formulation of business strategy.
Which risk assessment tool you use depends on the complexity of the
risk you are trying to measure and how much data you have to guide your
decision. The four main risk assessment tools are:
Risk Matrix
The Risk Matrix is designed to help you calculate risk across various
outcomes, which then gives you clear guidelines on whether that
risk is acceptable or unacceptable. It defines risk as the probability
of a hazard occurring, multiplied by its impact. It plots five levels of
severity against five levels of frequency in a color-coded chart to show
overall risk for different situations, like so:
FMEA enables you to identify risks early on in your design process. It is far more cost-efficient than finding adverse events post-market. It is particularly effective if you have a lot of moving parts in your supply chain.

This tool looks into the design of a product to determine potential failure points and then outlines steps to mitigate the effects of these failure points. FMEA is used to foresee failure and allows an organization to take action before the product is even produced. It approaches risk from every possible angle of product design, considering each and every element and asking – where are the potential failure points of the component? It then looks into how these failures can be avoided. The end result is a product that has been analyzed to the core, with the risk assessed at each possible point of failure.

Analyzing risk in design helps to anticipate failures, serving as a proactive approach to risk.
Incident Reporting
Corrective Action (CAPA)

Applying a risk-based methodology to the CAPA process ensures that the CAPA has been truly effective, thereby lowering the likelihood of the problem persisting or recurring. According to this method, once an intolerable risk has been treated via the CAPA process, a second risk assessment is carried out to measure risk mitigation as a result of the corrective action. The Risk Matrix is applied to the Corrective Action (CAPA) to measure its severity and frequency in order to determine whether it has reduced risk to within acceptable risk tolerances.

If so, then the event is considered to be corrected. If not, then it is sent back to the beginning of the CAPA process and reworked until it is corrected within the business’s risk tolerance and quality standards. This concept of risk mitigation provides objective evidence that the event was corrected effectively and within acceptable risk levels.

The risk mitigation history is automatically displayed throughout the lifecycle of the complaint, so that any risks associated with the complaint are traceable and reportable.
Risk Register

The effectiveness of your people’s ability to manage risk rests on the quality of the data available to them. As the business measures risks and takes actions, it is building its own risk history. It should draw data from all its operational areas to see the full picture, and record all types of data, including near misses, not just the critical ones. This data should then be stored in a centralized location – the Risk Register – to provide visibility into risk within the whole organization.

The Risk Register is literally a library of hazards that takes risk data from all events, such as Job Safety Analyses, incidents and adverse events. As a centralized hub, it will give you visibility into risks within all operations. Events with similar risks can be handled in the same manner, meaning that problems can be handled more efficiently.

Your Risk Team will use this historical data to help fine-tune its risk picture and ensure accurate results. They can examine how risk management has evolved over time, spot trends, analyze high risk areas and determine those areas needing more oversight. The Risk Register helps the business refine its operations, informed by its risk history.
It recognizes that risk is not just limited to quality management or EHS, but is pervasive throughout the organization.

With concepts and language already widely understood and systematic, repeatable processes, it is possible to manage risk from an enterprise perspective and implement controls on a strategic level to mitigate it.

Risk management grants the business control over its processes to drive improvements and the visibility needed to make better decisions. It drives operational excellence by promoting efficiency and consistent execution of operations through:

• Standardization of systems to increase reliability
• Generating actionable data from key performance indicators (KPIs)
• Collaboration among cross-functional teams
Standard in Focus
ISO 31000 Risk Management
ISO 31000:2009, Risk Management – Principles and Guidelines, provides
the principles, a framework and a process for managing risk.
Case Study
Maple Leaf Farms Selects EtQ Reliance
to Standardize Enterprise-Wide
customize, a Web-based
portal, mobility and
extended software uses
beyond the initial model.
Innovation Trend
The Risk Register
The Risk Register automatically gathers this risk data from all operational areas and stores it in a central repository. Not all areas will assess risk in the same way, but when data is stored in a common location, businesses can see how risk management has evolved over time and analyze trends to identify high risks that would otherwise remain hidden. With greater visibility, the business can improve operations using risk as a benchmark for overall compliance.

The second function of the Risk Register is to provide a library of hazards. This is a centralized reference for all the known hazards in different areas of the business. It provides a useful collection of information for using hazards to identify risks. The Risk Register helps the business make better decisions faster. As more and more events, incidents or complaints enter the system, a risk history is building – a growing knowledge base of events with similar risk levels. This becomes a crucial reference point for building a quality culture. Any event with a similar risk can be handled in a similar fashion, standardizing and streamlining the process. By referring to the knowledge base, the business can take action much more quickly, and handle problems more efficiently.
What is a quality culture?

A quality culture is one that pursues continuous improvement across all the organization’s activities through a program of operational excellence. Operational excellence is about executing the business’s strategy more efficiently, consistently and reliably than its competitors.

What role does risk-based thinking play in a quality culture?

Risk is a concept that is universal to most organizations – most people speak risk, even if they don’t speak quality or environmental performance. Risk-based thinking provides a systematic and objective methodology for measuring performance, not just within quality and compliance but across all operations.

What are the core benefits of the risk-based approach?

Risk provides metrics and a common language for assessing your business’s processes. It allows a company to normalize how it communicates its measures of operational efficiency to more people within the organization. Risk management delivers greater visibility and more control, leading to better decisions.

What’s the difference between a hazard and a risk?

The terms hazard and risk are often used interchangeably, but they mean different things. A hazard is a condition or situation that creates the opportunity for a problem to occur – a potential, but not a possibility. Risk is the likelihood that the hazard will lead to that negative consequence. Some hazards pose no risk, if there is no probability of exposure to that hazard. Risk management is knowing what those hazards are and estimating the probability of each one manifesting itself.

What is the risk conversation?

This is a collaboration between key risk people from across your organization, including your supply chain, to identify risks and use objective and systematic means of measuring them. Its purpose is to cut across functional boundaries to understand how various risks interrelate, in order to develop a system to identify, assess and judge the collective effect they have on the organization’s overall level of risk.

What are currently the three most critical risks that every business should address?

Reputational risk, compliance risk and EHS risks.
What are the most effective risk assessment tools?

Decision Tree, Risk Matrix, Bowtie Model and Failure Modes and Assessment Analysis (FMEA). Hazard Analysis (HACCP) is also widely used in the food and drink industry.

After performing a risk assessment, can I consider my risk effectively managed?

No. Risk tools alone will not solve your risk problem. You need people to interpret the results. Assemble a risk team, drawn from across the functions of your organization, to review the different risk outcomes, build risk treatment options and define actions to treat those risks. Treatment of risk should be a combination of people, process and tools.

How can I make my risk management team more effective?

Provide them with a high level of visibility and control with automated tools and best practices, such as incident reporting that includes near-misses, a centralized Risk Register and a CAPA process that includes risk-based verification to ensure the risk has been effectively managed.

Are there published guidelines for adopting a risk-based approach?

Yes, the ISO 31000 standard provides a high-level set of principles and guidelines on how to implement risk management. By aligning risk management with the standard, your business will increase the likelihood of achieving your objectives, improve your identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

What process should I use to implement a risk-based approach?

Use the Plan-Do-Check-Act (PDCA) protocol central to operational excellence programs. It is an iterative process which you can keep reapplying to your risk management practices to continuously improve your approach to risk.
Implementing risk-based thinking across your business may seem like a daunting task. However, by breaking down the process into four basic stages using the Plan-Do-Check-Act (PDCA) methodology that makes operational excellence programs so effective, you can make meaningful progress. What’s more, PDCA is an iterative process – you can keep reapplying it to your risk management practices
Encourage open communication. Employees should be

Include near-misses. Collecting and analyzing near-miss data helps you find patterns and trends

problems.

Analyze your Risk Register to identify high-risk areas, trends and correlations.
4. Act

• Avoidance – Stop the process altogether

Take immediate action on critical issues through your Corrective Action (CAPA) process.

Document your treatment of risk into your Risk Register, so risks with a similar profile can be identified and prevented.

Implement long-term improvements on unacceptable trends.
Takeaways
• Risk-based thinking is a systematic and objective way to measure performance across the organization, not just regarding quality and compliance.
• Too many subjective judgments and internal silos relating to multiple risks can leave businesses exposed.
• Risk management provides a unified understanding and universal methodology for addressing numerous risk factors.
• Risk assessment tools will allow you to identify and reduce potential risks.
• The Risk Register automatically gathers and stores data from all operational areas, allowing businesses to analyze trends to identify high risks that would otherwise remain hidden.
About EtQ
EtQ is the leading Quality, EHS, Operational Risk and Compliance management software provider for identifying, mitigating and preventing
high-risk events through integration, automation and collaboration. At the core of EtQ’s framework is a compliance management platform that
enables organizations to implement best-in-class compliance processes configured to meet their existing processes, create new compliance
processes and automate and control their compliance ecosystem. EtQ was founded in 1992 and has main offices located in the U.S. and
Europe. To learn more about EtQ and its various product offerings, visit www.etq.com or blog.etq.com.