
Managing Risks in Business Processes with PFMEA


Even though the term risk management sounds technical, it is something that
we all practice in our lives subconsciously, every day, in official and
personal decision making. Yet, it is a separate topic by itself in business and
project management. No wonder, the 2015 version of ISO 9001 has explicitly
brought out risk management as one of the requirements for organizations
aspiring to implement its tenets.

ISO 9001 has always had a risk management element in it, albeit coated as
preventive action and linked with potential nonconformance. In the 2008
version of the standard, risk management was hinted at, though it wasn't made
a requirement. It is, in fact, a blessing in disguise to all sincere quality
management professionals that risk management has been delinked from the
term preventive action and thereby dissociated from unnecessary
confusion with corrective action and nonconformances. The result is that
risks can be seen and identified in process designs upfront without having
to see them in connotation of product defects.

PFMEA

Process Failure Mode Effects Analysis (PFMEA for short) is a tool quite
familiar to designers, project managers, reliability engineers and quality
assurance professionals in the automotive and aerospace industries. It owes its
origins to the space program, where it is paramount that all the risks be
objectively evaluated before the design, and the processes to be established in
producing the design, are implemented. It is not surprising that the automotive
industry adopted it and made it mandatory for everyone in their supply chain.

However, PFMEA is typically seen in the context of manufacturing processes
established for production of products. It is seldom used to study and quantify
the severity of the risks and the capability of the controls to mitigate the risks
for business processes such as hiring, training, purchasing, bidding,
production planning, document control etc. The good news is, PFMEA can
be used as a very effective tool for such processes as well.

Documentation of risks and controls

A company that has established a quality management system in accordance
with ISO 9001:2000 or later versions should have identified its quality
management processes as per clause 4 of the standard. Even though there is
no requirement that the organization maintain written procedures for all of
these processes, depending on the size and complexity of their operations, most
organizations keep documented procedures for their processes and activities.
Some organizations choose to keep these procedures as flowcharts and some
as descriptive documents.

Irrespective of the form of such procedures, they provide a quick start to a
PFMEA. The procedures provide a flow of the process, and various controls
for expected issues in the process execution and results. The controls could
be independent review, approval or waiver by a certain individual,
inspections, surveillance, requirements for qualification and competence of
personnel, usage of specific equipment and so on. It is obvious that the
organization put those controls in there as mitigation against some risk it
foresaw, like oversight by the people doing the task, inconsistency in the
capability of the equipment used, and so on.

Problem with typical procedures in risk management

The problem with typical documentation as described in the previous section
is that it does not objectively quantify the impact of the risks determined and
hence either underestimates the effectiveness of the controls or retains
redundant controls even after the risk has vanished or been reduced.

For example, an organization would have made it mandatory for its supplier
quality engineer to audit all the subcontractors annually at a time when the
industries in its area did not have an expected quality level. Over a period of
time, the subcontractors would have matured and improved their quality
levels, making the annual audit a redundant activity. Because there is no
objective reevaluation of the controls established in its procedures, it would
end up carrying out annual audits on suppliers who have improved their
product quality.

PFMEA as a tool for business processes

There are good resources on the internet with general guidance and templates
for PFMEA, including one by ASQ. An organization with well-defined
procedures for its business activities is halfway into effective risk
management using PFMEA.

In order to start using the tool, the organization needs to take each step from its
procedure and list out all the potential risks arising out of that activity. This
goes into the potential risks column of the PFMEA. The next column should
list the effects of the risks. Each effect needs to be objectively evaluated on a
scale of 1 to 10, with 10 being very severe. (AITF FMEA manual provides
very good guidance with respect to an automobile, but one should be able to
use it to adapt the idea to any business.)

For example, the activity "create a PO" could have a risk that the information in
the PO could be different from the material requisition. The effect would be
buying the wrong material or service. The effect could be rated 5 if the material
could be easily exchanged when detected, or 8-9 if not so.

The next column would be the likelihood of occurrence of such risks.

The controls are most likely documented in the procedure. Say, a review of
the PO by a third party could be one control. Or, having the items carried over
from the material requisition to the PO automatically through a software system
could be another. The next column quantifies the effectiveness of these
controls in mitigating the risk. Again, on a scale of 1 to 10 with 10 being the
least effective, independent review of the PO would likely score somewhere
at 5 and the software integration at about 2.

The final task is quantification of the risk, typically called RPN or Risk
Priority Number, which is the product of the severity of the risk, the occurrence
rating and the effectiveness rating of the control. The organization should
determine its risk appetite in terms of a critical RPN. An RPN above the risk
appetite warrants a re-look into the controls to make them effective, or a change
in the process to totally avoid the risk.
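The worksheet described above, as an added Python example that is not part of the original article: it scores the "create a PO" risk under both controls and flags rows whose RPN exceeds the critical RPN. The severity and control ratings follow the article; the occurrence rating of 4, the critical RPN of 100 and all names in the code are assumptions made for illustration.

```python
from dataclasses import dataclass

CRITICAL_RPN = 100  # assumed risk appetite; each organization sets its own


@dataclass(frozen=True)
class PfmeaRow:
    step: str
    risk: str
    control: str
    severity: int     # 1-10, 10 = very severe
    occurrence: int   # 1-10, 10 = most likely
    control_eff: int  # 1-10, 10 = least effective control

    def __post_init__(self):
        # Reject ratings outside the 1-10 scale so a typo cannot skew the RPN.
        for name in ("severity", "occurrence", "control_eff"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer 1-10, got {value!r}")

    @property
    def rpn(self) -> int:
        # RPN = severity x occurrence x control effectiveness rating
        return self.severity * self.occurrence * self.control_eff


def review(rows, critical_rpn=CRITICAL_RPN):
    """Return (row, rpn, needs_action) tuples, highest RPN first."""
    ranked = sorted(rows, key=lambda r: r.rpn, reverse=True)
    return [(r, r.rpn, r.rpn > critical_rpn) for r in ranked]


RISK = "PO differs from material requisition"
# Constructed worksheet: severity 5 and 8 and control ratings 5 and 2 follow
# the article; the occurrence rating of 4 is an assumed value.
WORKSHEET = [
    PfmeaRow("Create a PO", RISK, "Independent review", 5, 4, 5),
    PfmeaRow("Create a PO", RISK, "Independent review", 8, 4, 5),
    PfmeaRow("Create a PO", RISK, "Requisition-to-PO software integration", 8, 4, 2),
]

if __name__ == "__main__":
    for row, rpn, needs_action in review(WORKSHEET):
        flag = "RE-LOOK" if needs_action else "ok"
        print(f"{rpn:4d} {flag:8s} sev={row.severity} {row.control}")
```

With these ratings, only the hard-to-exchange material covered by independent review alone exceeds the critical RPN; the same risk under software integration falls well below it.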

Periodic Review of the Procedure and PFMEA

In order to ensure that no new risk has crept into the business process, and
also to ensure that controls that have become redundant are modified, the
organization would need to do a periodic review of the PFMEA, just as
companies that do PFMEA for their manufacturing processes do. This review
will result in better controls in its procedures and also make it easier for
people to appreciate and follow them.

I believe that if PFMEA is used as a tool, instead of other namesake tools done
to satisfy the intent and not the spirit of the requirements of ISO
9001:2015, organizations stand to benefit by managing risks effectively.
