Spring 2008
Volume 34, Number 2
www.asq-qmd.org A Peer-Reviewed Publication of the Quality Management Division of the American Society for Quality
In recent years there has been a blending of the concepts underlying quality management, project management, and enterprise-wide risk management. As one examines the framework of enterprise risk management [1,2], it becomes apparent that quality and project management concepts play an integral role in how risks are identified, analyzed, evaluated, and managed. This article is the first in a series that illustrates pragmatic approaches to integrating quality management, project management, and risk management practices. We will build a foundation by explaining the bodies of knowledge necessary for such integration. From quality, project, and risk perspectives, businesses need managers who can think at the following four levels:

1. Enterprise-wide: Managers need to think about quality, projects, and risks from a generic perspective, with a focus on synthesizing scalable approaches to delivering value by reducing or eliminating variability in time, cost, and quality.
2. Portfolio/Program: Managers need an industry perspective on quality, projects, and risks, where groups of interrelated projects may share common problems or uncertainties.
3. Project: Managers need a company-specific perspective on quality, projects, and risks, using specific quality tools to eliminate or mitigate variability.
4. Process: Managers need to use quality tools to eliminate or mitigate risks; the relationship to projects is that this should be done at the work-package level, the lowest level of a project plan.
Quality Management
Quality management is defined as all activities that determine the quality policies, objectives, and responsibilities. These activities are implemented through quality planning, quality assurance/quality control, and quality improvement.

Quality planning: Actions that establish quality objectives and quality requirements.
Quality assurance and quality control: Actions performed to ensure the quality of a product, service, or process.
Quality improvement: Actions taken throughout the organization to increase the effectiveness and efficiency of processes in order to provide added benefits to both the organization and its customers.
(Merging the
Articles published in The Quality Management Forum may not be reproduced without consent of the author(s).
Chair's Message
By Heather McCain

It was great to see so many of you at the 20th Annual Quality Management Division Conference in Orlando! I always enjoy talking to members and meeting new people. There were excellent courses and presentations on proven approaches, valuable tools, and successful strategies, all related to attaining excellence. We heard from four great keynote speakers, including retired Marine Corps Lieutenant General Jefferson Davis Howell, Jr., Michael Dreikorn, who is the President of IPL Group, Dr. David Spong, who is a retired President of Aerospace Support for Boeing Integrated Defense Systems, and Britt Berrett, who is the President and CEO of Medical City in Dallas, Texas.

At the conference we recognized several hardworking QMD members:

Ron Bane received the Quality Management Division's most prestigious honor, the Howard L. Jones Leadership Award, for his dedication to the Division. Ron has held a variety of positions in the Division, including Vice Chair of People, Treasurer, Vice Chair of Marketing and Strategic Initiatives, and Vice Chair of Regional Activities. In 1999 he chaired the highly successful Quality Management Conference. Ron has always been willing to step in and help new Vice Chairs and fill in when positions have been open.

Art Trepanier received the Roger Berger Award, which is given in recognition of spirit and commitment by implementing significant projects of benefit to the Division. Art has worked tirelessly on the QMD conference for several years, and he is currently on the Technical Program Committee for the World Conference.

The Partners in Quality Award was presented to EMSI for that company's support of the Division and to Katrina Harris for her work with the Division's metrics and as Treasurer. The Partners in Quality Award is our highest organizational/individual honor and is given to recognize long-term support by an organization and individuals of that organization who have helped fulfill the Division's programs and goals. EMSI also supported Bill Denney's efforts over the years as Technical Committee Chair.

Outstanding Service Awards were presented to Carol Kurtz, Lois Cowden, and Bill Denney for their remarkable volunteer service. Carol coordinated the purchase of projectors and computers for the conference as well as all the other items necessary to use and transport the equipment. Lois Cowden has coordinated and updated the QMD booth for conferences. Bill Denney reestablished the Technical Committees and worked with committee members to get four new booklets published.

I would also like to thank the Conference Committee: David Little, Claud Russey, Bill Hackett, Gayle Norman, Dick Matthews, Milt Krivokuca, Sam Maloof, Art Trepanier, Bill Denney, Ron Bane, and Beth Harmon. We really appreciate their hard work and commitment to the conference. Last but not least, I would like to thank all the volunteers from the Florida sections who helped with various activities at the conference. You did a great job!

At the conference we unveiled our new QMD website: www.asq-qm.org. The new website gives us the flexibility to add podcasts and more content. Please visit the new site and click on Create an Account so you can access podcasts and other member-only information. You can also upload papers for the Quality Management Forum, presentations and course ideas for the 21st Annual conference, and additional content for the website.

Finally, I would like to encourage you to mark your calendar for the 21st Annual QMD Conference, which will be held in Irvine, California, March 5-6, 2009. We have three great keynote speakers confirmed, including Tom England of Tyco Electronics, JR McGee of Xtreamlean, and Shane Yount of Competitive Solutions. The theme is Results through People, Processes and Performance. Please submit papers and courses through the new website. I hope to see you there! Keep in touch and send any comments or suggestions to me at heatherMcC@aol.com
Project Management

According to the Project Management Body of Knowledge (PMBoK) [3], project management is the application of knowledge, skills, tools, and techniques to guide project activities to meet customer and stakeholder requirements. A project team manages the work on the project, and this typically involves:

- Identifying user requirements
- Establishing objectives
- Balancing the competing demands for cost, customer satisfaction, quality, risk, scope, and time
- Dealing with stakeholders who have different needs and expectations

A simple acronym commonly used to assist project team members with establishing objectives is SMART:

Specific: What objectives do you want to achieve?
Measurable: How will achievement of the objectives be measured?
Achievable: Are the objectives achievable?
Realistic: Are the objectives realistically attainable?
Time: When do you want to achieve the set objectives?

The project management knowledge areas as defined in the PMBoK [3] include:

Integration: The processes that ensure all project work packages are appropriately coordinated.
Scope: The processes that ensure the project comprises all the work required, and only the work necessary, to complete the project.
Time: The processes that ensure the timely completion of the project.
Cost: The processes that ensure the project is completed within the approved budget.
Quality: The processes that ensure the project will satisfy the requirements for which it was agreed to.
Human resources: The processes that make the most effective and efficient use of the people involved with the project.
Communications: The processes that ensure timely and proper generation, collection, storage, and dissemination of project knowledge.
Risk: The processes concerned with identifying, analyzing, and responding to project risks.
Procurement: The processes that acquire goods and services from outside the organization.
Enterprise Risk Management (ERM) is aimed at improving organizational performance through the coordinated and systematic identification and assessment of significant risks [4]. These risks are present at the enterprise, portfolio/program, project, and process levels across the organization. Specific tactics and strategies must be developed at all levels of the organization to minimize exposure to and the effects of these risks. Properly implemented ERM programs allow for significant improvements in overall organizational performance, along with targeted improvements in particular operating parameters.

Risk is inherent in almost any organizational activity and usually originates from divergent but sometimes interrelated factors. Risk is generally conceptualized in terms of impact (severity or magnitude) and likelihood of occurrence. As related to project or quality management, risk can be defined as any variance from the planned or desired outcome. More specifically, as defined in the PMBoK [3], risk management encompasses the processes of:

- Risk identification
- Risk assessment
- Response planning
- Strategy selection

As detailed by the Risk and Insurance Management Society (RIMS) [1], seven core capability (or maturity) levels evaluate how well enterprise risk management is accepted by the organization. The maturity level is determined by the weakest link, that is, the lowest level of acceptance and formal integration into the organization's processes and workflow. As one examines these links, it is important to acknowledge that, if organizations are not effectively integrating quality management and project management into their ERM efforts, they cannot progress on the RIMS ERM maturity scale. The following section discusses each of the seven maturity levels. In Level 1, the lowest level of maturity, managers are in the earliest stages of encouraging ERM approaches. By the time organizations achieve Level 7, ERM is fully integrated into all organizational processes.
Level 1: The degree of executive support exhibited for ERM within the corporate culture. This goes beyond regulatory compliance and crosses all business functions, processes, activities, tasks, and steps, and includes the integration, communication, and coordination of internal audits, information technologies, compliance, control, and risk management.

Level 2: The degree of ERM integration into business processes to identify, assess, evaluate, mitigate, and monitor risks. It also includes management's role in facilitating, coordinating, and communicating the use of qualitative and quantitative assessment tools.

Level 3: The degree of risk tolerance in the organization. These tolerance levels must be consistent, easily interpreted, and understood with regard to the business's risk-reward tradeoffs. Management's role is to provide guidance to address gaps between perceived and actual risk.

Level 4: The degree of discipline applied to determining and measuring a problem's root cause. The focus needs to be on eliminating risks at the business process level. At this level the organization begins to categorize or develop risk taxonomies to address enterprise-wide, program, project, and process risks at their points of origin.

Level 5: The degree to which management and employees use databases and other electronic files to assess interdependencies and correlate problems across the organization.

Level 6: The degree to which the organization monitors performance improvements. Does management integrate the execution of the organization's vision and strategy? What data are collected and analyzed from financial, customer, business process, and learning and growth perspectives? Are balanced scorecards in place?

Level 7: The degree to which ERM is integrated into operational planning. Examples include the level of analysis of supply chain and distribution dependencies, sources of supply chain disruptions, significant market pricing changes, cash flow volatility, and business liquidity.
Summary

Risk is inherent in almost any organizational activity and usually stems from many divergent but sometimes interrelated factors. While not all organizations implement the full complement of quality, project, and ERM management systems, or keep them in their original form, many of the core ideas are adopted. It is readily apparent that these three managerial approaches have a lot in common. In today's competitive environment, good managerial practices must focus on the continuous integration of quality, project, and risk management. By successfully integrating these three approaches, managers reduce risks, project teams receive better project visibility, and customers receive projects that are delivered on time, within budget, and at levels of quality that meet or exceed stakeholder expectations. Subsequent articles will build on the linkages and integration of quality, project, and risk management practices by providing practical examples and applications through using existing quality tools.

References

1. RIMS (2007). RIMS Risk Maturity Model for Enterprise Risk Management. Retrieved January 20, 2008, from http://www.rims.org/Content/NavigationMenu/ERM/Risk_Maturity_Model/RMM.htm
2. Guide to Enterprise Risk Management (2006). Montreal, Quebec, Canada: Protiviti, Inc.
3. PMBoK (2004). Project Management Body of Knowledge. Project Management Institute.
4. Young, Peter C., and Steven C. Tippins (2001). Managing Business Risk: An Organization-Wide Approach to Risk Management. New York: American Management Association.

Ron Meier is a Professor in the Department of Technology at Illinois State University. Ron leads the project, quality, and risk management curriculum and research initiatives in the Masters of Technology program. Ron is the Vice Chair of e-Based Initiatives for the Quality Management Division of the American Society of Quality. Ron can be reached at rlmeier@ilstu.edu.

Mike Williams is a Professor in the Department of Marketing at Illinois State University and the Director of the Professional Sales Institute. Mike is an avid researcher and educator in the areas of organizational performance, quality, and enterprise risk management and consults with organizations across a diverse assortment of industries. Mike can be reached at mrwilli@ilstu.edu.

Rodger Singley is a Professor in the Department of Marketing at Illinois State University. Rodger is involved with teaching and research in the areas of product quality and risk/liability issues, international marketing, and sales management. Rodger can be reached at rbsingl@ilstu.edu.
Summary

One of the first steps in developing a project plan is the identification of potential risks that may affect the project schedule, budget, or level of customer satisfaction. Risks are best identified through a process that uses all project team members' individual expertise to ensure a comprehensive listing of risks. Due to its integration of divergent and convergent thinking, affinity analysis has proven to be a highly effective tool for the development of project-risk taxonomies. Through affinity analysis, managers can organize and illustrate linkages among the various categories, subcategories, and individual risks specific to the project.

The goal of risk identification is to identify the significant loss exposures that projects or organizations face. Ideally, a project manager would use a systematic process for identifying risks that ensures comprehensive coverage. As shown below, a number of techniques are used to source and develop information inputs for the risk identification process:

Risk checklists: Checklists offer a convenient roadmap for identifying a project's risks and are available from sources such as consultancy firms, professional associations, and accountants. The benefits of a checklist are fairly self-evident; however, these commercial lists are not customized to a specific organization or project, and using them runs the chance of missing important risk exposures.

Document review: Documents such as audit reports, special studies, budgets, forecasts, and financial statements provide fact-based information on overall financial position and trends, detail the flow of resources, identify assets, and highlight material events that could affect a project.

Affinity analysis is one tool from quality management practice that has been effec-

edited for clarity, vetted for relevance and significance to the project, and then grouped into categories. A second phase of convergent thinking begins as the group considers each category, one at a time, and looks for possible gaps or missing risks, which, if found, are then added to the category. The result is a thorough and complete list of relevant program/project/process risks. The individual risk items comprising each category are synonymous with the idea of a checklist. However, unlike the generic, standardized risk checklists discussed above, this risk list offers the advantage of being generated for and customized to the specific project being managed. When it is formatted into its family of categories and macro-categories, the list provides the project manager with a comprehensive taxonomy of risks specific to the project.

To identify the risks relevant to a technology expansion project for a global financial services organization, seven individuals with expertise on different areas of the project were brought together for a facilitated workshop, with the project manager serving as moderator. Some participants were executives and managers, while others were support staff. Other members of the group were from outside the organization. After a short briefing on the project's goals and activities, participants were given several pads of sticky notes and felt-tip pens (notes should be large enough and pens dark enough to read written comments from a short distance). They were then instructed to write down all the risks they could think of that the project might face, one risk per sticky note. Participants then proceeded to generate as many items as possible in fifteen minutes; a total of 203 risks were recorded onto sticky notes. Participants placed their sticky notes on a large, open wall and provided an explanation of each risk as it was placed onto the wall. Duplicates and items deemed not relevant were eliminated at this phase of the process, producing 133 unique items. The next step of the process involved sorting the defined risks into related categories by grouping the sticky notes on the wall, which resulted in 22 categories. Each category was labeled with a descriptive name based on its content. Subsequent sorting and discussion yielded four macro-categories as family groupings of the original 22 categories. Table 1 illustrates the taxonomy, its four main categories of risk, and the respective 22 subcategories. The participants then examined the categories for additional risks. They provided a list of 21 additional risks and produced a final set of 154 risks identified as relevant to this project. Table 2 depicts some of the individual risks in the technology category.

(Using Affinity Analysis, continued on page 8)

Table 1. Risk taxonomy: the four macro-categories and their subcategories

External: Standards; Political/Legal; Regulatory
Internal: Business Partner; Business Operations; Business Environment; Organizational Change; Third-Party Contractors
Process: Communications; Work Prioritization; Portfolio/Program & Project Management; Component Management; Service Management; Resource Management; Process Inadequacy
Technology: System Architectures; Product Engineering & Development; Information & Data Security; Performance Analysis; Unit & Integration Testing; Implementation

Table 2. Technology risks

System Architectures: New Technologies; Technology Infrastructure; Application Architecture; Data Architecture
Product Engineering & Development: Application Design; Data Design; System Complexity; Development Environment; Documentation; Purchased Product Configuration & Customization
Information & Data Security: Confidentiality; Data Integrity; Information Availability
Performance Analysis: Usability; Response Time; Reliability/Availability; Capacity
Unit & Integration Testing: Testing Data; Testing Processing; Testing Environment; Testing Tools; Testing Coverage; Suspensions; Testing Personnel
Implementation: Hardware Installation; Software Installation; Procedure & Training Delivery; Transportation/Logistics

Ron Meier is a Professor in the Department of Technology at Illinois State University. Ron leads the project, quality, and risk management curriculum and research initiatives in the Masters of Technology program. Ron is the Vice Chair of e-Based Initiatives for the Quality Management Division of the American Society of Quality. Ron can be reached at rlmeier@ilstu.edu.

Mike Williams is a Professor in the Department of Marketing at Illinois State University and the Director of the Professional Sales Institute. Mike is an avid researcher and educator in the areas of organizational performance, quality, and enterprise risk management and consults with organizations across a diverse assortment of industries. Mike can be reached at mrwilli@ilstu.edu.

Rodger Singley is a Professor in the Department of Marketing at Illinois State University. Rodger is involved with teaching and research in the areas of product quality and risk/liability issues, international marketing, and sales management. Rodger can be reached at rbsingl@ilstu.edu.
An In-Depth Look at Quality Management Tools and Customer-Focused Organizations in the CMQ/OE Body of Knowledge
By Carol Kurtz, CMQ/OE, CQE, CQA, Vice Chair Operations

The previous issue of the Forum provided an in-depth review of Management Elements and Methods, the third major area of the CMQ/OE Body of Knowledge (BoK). This issue focuses on the fourth and fifth elements of the BoK: Quality Management Tools and Customer-Focused Organizations. The seven elements provide the foundation of our work as leaders and managers, and the last two elements will be reviewed in the next issue of the Forum. The elements are:

1. Leadership
2. Strategic Plan Development and Deployment
3. Management Elements and Methods
4. Quality Management Tools
5. Customer-Focused Organizations
6. Supply Chain Management
7. Training and Development

To improve products and processes, managers have a comprehensive quality toolbox from which to choose. The tools help to distinguish between cause and effect, symptom or problem, and root causes. Some tools also help to manage systems, changes, and improvements, while using measuring and monitoring tools to assess and evaluate. The certified manager is expected to correctly select, describe, interpret, and apply these tools. Three categories of Quality Management Tools are indicated in the BoK: problem-solving tools; process management techniques; and measurement, assessment, and metrics. There are 28 questions in the exam related to this area.

Problem-Solving Tools

The tools in this category provide visual information for evaluation, assessment, and analysis. Certified managers use these tools to systematically determine root causes and solutions, to explore ideas from multiple perspectives, and to communicate results in business terms, such as the cost of quality. The tools use data as a basis for fact-based decision making. The problem-solving tools specified in the body of knowledge are listed below.

The Seven Classic Quality Tools: Pareto charts, cause and effect diagrams, flowcharts, control charts, check sheets, scatter diagrams, and histograms.
Basic Management and Planning Tools: Affinity diagrams, tree diagrams, process decision program charts (PDPCs), matrix diagrams, interrelationship digraphs, prioritization matrices, and activity network diagrams.
Process Improvement Tools: Root cause analysis, PDCA, the Six Sigma DMAIC model, failure mode and effects analysis (FMEA), and statistical process control (SPC).
Innovation and Creativity Tools: Various techniques and exercises used by managers for creative decision making and problem solving, including brainstorming, mind mapping, lateral thinking, critical thinking, and design for Six Sigma (DFSS).
Cost of Quality (COQ): The certified manager can define and distinguish between the prevention, appraisal, internal failure, and external failure cost categories and the impact that changes in one category will have on the others.

Process Management

The Certified Manager of Quality/Organizational Excellence Handbook states: "Process Management is using a collection of practices, techniques, and tools to implement, sustain, and improve process effectiveness." Process Management includes planning and setting goals, establishing controls, monitoring and measuring performance, documenting, improving cycle time, eliminating waste, removing constraints, eliminating special causes of variation, maintaining gains, and continually improving. The CMQ/OE can describe how Process Goals are established through linking with strategic plans, measured through structured methods or defined metrics, and monitored for effects on product or service quality.

Process mapping, flowcharting, and other visual aids are tools used by the CMQ/OE to analyze a process and compare it to written procedures, work instructions, or other documents. Process Analysis is useful for comparing processes before and after changes, gaining a better understanding of processes, and identifying and diagnosing possible problems. Certified managers use Lean Tools, such as cycle-time reduction, 5S, just-in-time (JIT), kanban, and value streams, to improve productivity and process flows and to reduce waste. The CMQ/OE understands key concepts of the Theory of Constraints (TOC), including local vs. system optimization, physical vs. policy constraints, throughput, and more. He or she can classify various types of constraints, such as finite resources, increased expectations, and more.

Measurement: Assessment and Metrics

Data, abundant in most organizations, need to be collected, analyzed, and presented in ways that measure critical business indicators. The CMQ/OE applies appropriate techniques to determine what data are gathered and used. The techniques, methods, and tools used to transform data into information, as specified in the CMQ/OE BoK, are listed below.

Basic Statistical Use: The CMQ/OE uses the goal-question-metric (GQM) model and others to identify when, what, and how to measure projects and processes. He or she distinguishes how metrics, data gathering methods, and people affect each other.
Sampling: The certified manager understands basic sampling techniques, such as random and stratified sampling, and understands the risks of sampling and when sampling is appropriate.
Statistical Analysis: Basic statistical techniques, such as measures of central tendency, measures of dispersion, and types of distribution, are used by managers for analyzing data. These summaries are used to monitor processes and make data-based decisions.
Trend and Pattern Analysis: Certified managers assess data sets, graphs, charts, and other information to identify various trends, such as cyclical, seasonal, and environmental, and patterns such as shifts.
Theory of Variation: Managers distinguish between common and special causes of variation.
Process Capability: Managers determine the capability of a process in terms of Cp and Cpk indices.
Reliability and Validity: Managers use measurement theories of reliability and validity to develop survey instruments and to support inferences about the data gathered by them. They understand content-, construct-, and criterion-based measures.
Qualitative Assessment: By identifying subjective measures, such as verbatim comments from customers, observation records, and focus group output, managers determine how these differ from objective measures and determine when measurements should be made in categories rather than in terms of numeric value.
Survey Analysis and Use: Managers analyze survey results and ensure that they are interpreted and used correctly.
Customer-Focused Organizations
Sam Walton has been quoted as saying: "There is only one boss: the customer. And he [sic] can fire everybody in the company, the chairman on down, simply by spending his [sic] money somewhere else."
At
Customer Identification and Segmentation

It is important to identify different customer types in order to manage and improve processes, determine customer satisfaction, and perform and evaluate market research. Segmentation is an important methodology that organizations use to understand customer needs and wants, and then to create products and services to fulfill those needs and wants. The CMQ/OE BoK states the following requirements.

Internal Customers: The CMQ/OE defines and describes the impact an organization's treatment of internal customers will have on external customers and develops methods for energizing internal customers to improve products, processes, and services.
External Customers: By determining and describing external customers and their impact on products and services, and by developing strategies for working with them, the CMQ/OE can help the organization improve products, services, and internal processes.

Customer Relationship Management

Customer Relationship Management (CRM) focuses on the primary customers of an organization. CRM is a relatively new concept that supports the strategy to obtain an in-depth understanding of an organization's important customers to cultivate partnerships and alliances with them. Or, the objective may be to cultivate a strong customer preference toward the organization's products and services. The CMQ/OE BoK specifies the following.

Customer Needs: Using various tools and techniques, including the voice of the customer, house of quality, quality function deployment (QFD), focus groups, and customer surveys, the CMQ/OE identifies and prioritizes customer needs and expectations.
Customer Satisfaction and Loyalty: The CMQ/OE develops systems to capture customer perceptions and experiences by using a variety of feedback mechanisms, such as complaints, surveys, interviews, and guarantee/warranty data. Also used are customer value analysis and corrective actions to measure and improve satisfaction. The CMQ/OE understands how to measure the value of existing customers and the financial impact of losing customers.
Basic Customer Service Principles: Managers use principles such as courtesy, politeness, smiles, attention to detail, and rapid response.
Multiple and Diverse Customer Management: Certified managers establish and monitor priorities to avoid and resolve conflicting customer requirements and demands and to develop methods and systems for managing capacity and resources to meet the needs of multiple customers. They understand the effect that diverse customer groups can have on all aspects of product and service development and delivery.

The next Forum article in this series will focus on the last two categories: Supply Chain Management, and Training and Development. Additionally, the constructed response requirement of the exam will be reviewed. For more information on these topics, consult the CMQ/OE Body of Knowledge and The Certified Manager of Quality/Organizational Excellence Handbook, edited by Russell T. Westcott, which were used as references for this article.

Volunteer Opportunities

If you are currently a Certified Manager of Quality/Organizational Excellence and you are able to help as a Subject Matter Expert (SME), please e-mail your contact information to MMartin@aSQ.org. Two (2) CEU Credits are given for participation in our workshop sessions and can be used towards your certification renewal as a CMQ/OE. Travel expenses are reimbursed.

Carol Kurtz is a Quality Management Consultant in the Milwaukee, WI, area. A long-time ASQ member, Carol holds the following certifications: CMQ/OE, CQE, CQA, CQT, CQI. In July 2007, she began serving as QMD Vice Chair of Operations and in 2006 as CMQ/OE Exam Chair.
Types of Risk
There are four types of risk that concern an organization: strategic risk, organizational risk, compliance risk and operational risk.
Strategic risk. Strategic risk relates to the inability to achieve high-level goals. For strategic risk assessment, management should consider technology changes, creditors' demands, competitors' actions, economic conditions, political conditions, and customer needs.

Organizational risk. Organizational risk is based on the company's structure and is affected by external and internal factors. External factors include technology developments, competition, legislation, and the global environment. Internal factors include physical security, information system processing, and changes in management responsibilities.

Compliance risk. Compliance risk relates to legal and regulatory requirements. The focus is on legal, financial, health and safety, security, and environmental factors. Patent infringement is an example of a legal compliance risk. Environmental compliance risks include liquid spills, gaseous emissions, and solid waste. Compliance issues concern management because of the possibility of fines, shutdowns, or criminal prosecution.
Operational risk. [...] industrial espionage, and fraud. The new ISO/IEC 27001:2005 [2] specifies the requirements for an information security management system and, like ISO 9001, follows the plan-do-check-act model, so its controls can be managed alongside the quality controls described below.

Logistics risk. Logistics risks include transportation of raw materials and completed products, damage to shipped products, delays causing under-stocking of materials, and homeland security measures; searches for weapons of mass destruction, for example, may slow the shipping process.

Effects of natural disasters. Natural disasters include hurricanes, floods, fires, earthquakes, infrastructure failures, contamination, and epidemics. Organizations need disaster recovery and business continuity plans because of these risks.

Risk management methodology starts with the organization determining its risk appetite and risk tolerance so that personnel can understand the organization's risk philosophy. Risk appetite is the amount of risk an entity is willing to accept; risk tolerance is the amount of variation relative to the organization's objectives that the entity is willing to accept. In other words, risk appetite defines the boundary of acceptable risk, while risk tolerance defines how much deviation around that boundary management deems acceptable. It is the responsibility of top management and the board of directors to align risk appetite and risk tolerance with the organization's strategy.

One key tool for managing risk is the organization's set of controls. Financial auditors test controls as part of the Sarbanes-Oxley compliance process. Financial controls exist at two levels, the entity level and the activity level. Quality controls also exist at these levels and appear in ISO 9001 and ISO 14001 [3] as "shall" statements accompanied by requirements to maintain records. Such records are often used to identify impending risks. For example, ISO 9001, Clause 7.4.1 requires records of supplier evaluations; this control might identify a negative trend in one key supplier's capabilities. Examples of entity-level controls are HR policies, codes of conduct, accounting practices, management's risk assessment processes, organizational responsibilities, and contract review (ISO 9001:2000, Clause 7.2.2). Activity-level financial controls include reconciliations, data validation, and approval of paper-based information. Activity-level quality controls include identification of nonconforming product (ISO 9001:2000, Clause 8.3), design and development validation (ISO 9001:2000, Clause 7.3.6), corrective and preventive action (ISO 9001:2000, Clauses 8.5.2 and 8.5.3), and identification of significant environmental aspects (ISO 14001:2004, Clause 4.3.1).

Risk-Level Matrix
A key risk management tool is the risk-level matrix [4]. For each risk, the consequences and the likelihood of occurrence are estimated, and the pair is entered into the matrix below to read off the level of concern. Rows are likelihood, from most likely (top) to least likely (bottom); columns are consequences, from least to most severe.

Likelihood          Insignificant   Minor   Moderate   Major   Catastrophic
1 (most likely)           H           H        E         E          E
2                         M           H        H         E          E
3                         L           M        H         E          E
4                         L           L        M         H          E
5 (least likely)          L           L        M         H          H

The meanings of the entries in the risk-level matrix are as follows:

Symbol   Meaning
E        Extreme risk: immediate action; senior management involved
H        High risk: management responsibility should be specified
M        Moderate risk: manage by specific monitoring or responses
L        Low risk: manage by routine process

Once the level of concern is ascertained, preventive actions can be implemented for the extreme and high risks, using the ISO 9001 preventive and corrective action processes. Other risk management tools include ORCA [5], the ISO 9001:2000 improvement process, failure mode and effects analysis (FMEA), and the risk-control matrix.

ORCA [5] is an acronym that stands for:
   Operations: identify business and process operations
   Risks: identify operational and other risks
   Controls: define business or other controls
   Analyze and assure the effectiveness of the processes to satisfy objectives

Because ORCA is applied across the entire organization, it gives consistency to the organization's approach to risk management. The ISO 9001 improvement process consists of continually managing the quality policy, management system planning, objectives, audit results, data analysis, corrective and preventive actions, and management review. Data analysis identifies opportunities for corrective and preventive action, and changes are then made during management review to mitigate the risks to the management system.
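The matrix and legend above, as an added worked example that is not code from the article or from the cited Ozog paper: a small Python risk register that looks up each risk's level, orders the register so the extreme and high entries that need preventive action come out first, and checks that a matrix is monotone, i.e. that raising likelihood or consequence never lowers the level. That check is the one a practitioner should run before adopting a customised matrix, since a non-monotone matrix can rank a worse risk below a milder one. The likelihood levels are numbered 1 (most likely) to 5 (least likely) because the article does not name them, and the sample register is constructed for illustration.

```python
"""Risk-level matrix evaluator. Added example; not code from the article."""
from dataclasses import dataclass

# Consequence columns, least to most severe, as named in the article.
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Likelihood rows, most to least likely. The article does not name the
# likelihood levels, so they are numbered 1..5 here (assumption).
LIKELIHOODS = [1, 2, 3, 4, 5]

# The article's 5x5 matrix: row = likelihood (1 at top), column = consequence.
MATRIX = [
    "HHEEE",  # likelihood 1, most likely
    "MHHEE",
    "LMHEE",
    "LLMHE",
    "LLMHH",  # likelihood 5, least likely
]

# Legend from the article.
ACTION = {
    "E": "Extreme risk: immediate action; senior management involved",
    "H": "High risk: management responsibility should be specified",
    "M": "Moderate risk: manage by specific monitoring or responses",
    "L": "Low risk: manage by routine process",
}
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def risk_level(likelihood: int, consequence: str, matrix=MATRIX) -> str:
    """Return the E/H/M/L level for one likelihood/consequence pair."""
    row = LIKELIHOODS.index(likelihood)
    col = CONSEQUENCES.index(consequence)
    return matrix[row][col]


def matrix_is_monotone(matrix=MATRIX) -> bool:
    """Check that a matrix never lowers the level when likelihood or
    consequence increases. A violation means a worse risk could be
    ranked below a milder one, so run this before adopting a custom matrix."""
    rows, cols = len(matrix), len(matrix[0])
    for r in range(rows):
        for c in range(cols):
            here = RANK[matrix[r][c]]
            # Next column is a more severe consequence: level must not drop.
            if c + 1 < cols and RANK[matrix[r][c + 1]] < here:
                return False
            # Row above is a higher likelihood: level must not drop.
            if r > 0 and RANK[matrix[r - 1][c]] < here:
                return False
    return True


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (most likely) .. 5 (least likely)
    consequence: str  # one of CONSEQUENCES


def assess(register, matrix=MATRIX):
    """Return (name, level, action) tuples, highest level first; ties keep
    register order, so the E and H entries come out on top."""
    if not matrix_is_monotone(matrix):
        raise ValueError("risk matrix is not monotone; fix it before use")
    scored = [(r.name, risk_level(r.likelihood, r.consequence, matrix))
              for r in register]
    scored.sort(key=lambda item: RANK[item[1]], reverse=True)
    return [(name, level, ACTION[level]) for name, level in scored]


def needs_preventive_action(register, matrix=MATRIX):
    """Names of the extreme and high risks, the ones the article routes
    into the ISO 9001 preventive and corrective action processes."""
    return [name for name, level, _ in assess(register, matrix)
            if level in ("E", "H")]


# Constructed sample register for illustration (not from the article).
SAMPLE = [
    Risk("Key supplier loses capability", 2, "Major"),
    Risk("Patent infringement claim", 4, "Moderate"),
    Risk("Warehouse flood", 5, "Catastrophic"),
    Risk("Clerical error in approval record", 1, "Insignificant"),
    Risk("Shipping delay from border search", 3, "Minor"),
]

if __name__ == "__main__":
    for name, level, action in assess(SAMPLE):
        print(f"{level}  {name}: {action}")
```

Run stand-alone, the script prints the sample register with the extreme supplier risk first, then the two high risks (a rare catastrophic flood and a very likely but insignificant clerical error land on the same level, which is the matrix's point), then the moderate ones. The monotonicity check is cheap, so `assess` runs it every time rather than trusting that a matrix edited in a spreadsheet is still well-formed.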
FMEA [6] is a method that examines potential failures in products or processes and helps select remedial actions that reduce risk. It starts with a description of the parts of a system. Next, the consequences of each potential failure are determined. The risk-level matrix (see above) can be used to evaluate the level of concern for each failure. The ability of existing controls to detect each failure is also assessed. Actions are then identified that could eliminate or reduce the occurrence of a failure, or bring its residual risk to an acceptable level. Finally, changes are tracked to avoid potential problems.

A risk-control matrix [7] can be used to track risks and their associated controls. It contains the following information in tabular form: (1) the process, (2) the risk, (3) the control objective, (4) the controls, (5) the control owner, (6) the process narrative, (7) the control category, (8) the control type, (9) whether the control is primary or secondary, (10) the frequency of the control, and (11) the control design assessment.

Conclusions
Risk management in an organization must start by defining objectives. These should be measurable, as required by ISO 9001, Clause 5.4.1. Risks are obstacles that impede progress toward achieving the objectives. Organizations need to determine their risk appetite and risk tolerance so that staff have a consistent risk philosophy. The organization can determine risk levels by combining the likelihood of an event and its consequences in a risk-level matrix; the results are used to determine the appropriate management actions. The evaluation and mitigation of risks provide many opportunities to improve the quality management of the organization and to achieve its objectives.

References
1. COSO, Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, May 1994. See the COSO website: http://www.coso.org/
2. ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, International Organization for Standardization, Geneva, Switzerland, 2005.
3. ISO 14001:2004, Environmental management systems - Requirements with guidance for use, International Organization for Standardization, Geneva, Switzerland, 2004.
4. Mr. Ozog, IOMOSAIC Corporation, Designing an Effective Risk Matrix, www.IOMOSAIC.com.
5. Larry D. Hubbard, "Assigning Risk," The Internal Auditor, August 2002, 22-23.
6. Cliff Welborn, "Using FMEA to Assess Outsourcing Risk," Quality Progress, August 2007, 17-21.
7. Sandford Liebesman, "The Sarbanes-Oxley Law: QMS & EMS Can Reduce the Risk," Ellis Ott Conference, Newark, NJ, September 13, 2006. For a copy contact the author at sandfordl@msn.com.
Dr. Sandford Liebesman has over 35 years of experience in quality at Bell Laboratories, Lucent Technologies, Bellcore (Telcordia) and KEMA Registered Quality. He is an ISO 9000 subject matter expert and is author of the books TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications, 2nd Edition, and Using ISO 9000 to Improve Business Processes. He is president of Sandford Quality Consulting LLC and is leading the ASQ SOX Team in support of compliance with the Sarbanes-Oxley Law (SOX). He has presented seminars and published articles on QMS/EMS support of SOX and chaired the 2005 and 2006 ASQ SOX conferences. Dr. Liebesman has an engineering degree from the United States Naval Academy and MSEE and PhD (Operations Research) degrees from New York University. He taught statistics, quality control, quality management, and operations research at Rutgers University. He is Chair-Elect of the ASQ Electronics and Communications Division and was recently elected a Fellow of ASQ.
Call for Papers
This conference offers many opportunities for industry leaders, academicians, quality/organizational excellence experts, and other knowledgeable practitioners and researchers to present essential tools, techniques, and approaches supporting the conference theme. Presentations should be offered in a manner whereby attendees gain an understanding from practical examples and are able to apply the knowledge gained to immediately improve organizational performance. When submitting a paper or course proposal, please indicate the track category (People, Process, or Performance) that your proposal supports. Papers, abstracts, and other required information must be submitted by July 15, 2008. For more information on submitting a paper, visit www.asq.org/qm/conferences.
Heather McCain
CHAIR QMD AUDIT
Sam Maloof
Joan Alliger
VICE-CHAIR MEMBERSHIP VICE-CHAIR MARKETING
SECRETARY
Katrina Harris
VICE-CHAIR PRINT INITIATIVES VICE-CHAIR FACE-TO-FACE INITIATIVES
TREASURER
Jd Marhevko
VICE-CHAIR e-BASED INITIATIVES
CHAIR-ELECT
G. Dennis Beecroft
VICE-CHAIR OPERATIONS VICE-CHAIR TECHNICAL COMMITTEES
PAST-CHAIR
John Sharp
Awards Chair Member Data Analyst Member & Volunteer Support
Milt Krivokuca
Conference Marketing Chair
- Jim Pasquali
H. Fred Walker
Forum Editor
David Little
Conferences
Ron Meier
Webmaster
- OICGroup
Carol Kurtz
Operations Manual
- Jd Marhevko
Steve Babb
People & Systems
- Chair: (Open)
- Doug Wood - Pat Townsend
- Dan Zrymiak
- Bruce DeRuntz
- Wayne Paupst
Deputy Editor
- Rebecca Patrick
Web Development
- OICGroup
Editorial Review
- Denis Leonard
Speakers List
- Sam Maloof
- Carol Kurtz
- Virginia Carr
Examining
- Fred Hammond
- Russ Westcott
Arrangements
- Bill Hackett
By-Laws
- David Little
Program Management
- Chair: (Open)
QMD Officers
Chair
Heather McCain Garmin International 1200 East 151st Street Olathe, Kansas 66062 Office Phone: Cell: Fax: E-Mail:
Booth Management
- Lois Cowden - Chair: (Open)
Performance Improvement
Vice-Chair, Membership
Chair Elect
John Sharp Tyco Electronics Inc. Global Industrial & Commercial BU Mail Stop 018-11 2100 Paxton St. Harrisburg, PA 17105 Office Phone: (717) 810-3315 Fax: (717) 810-3400 E-Mail: jmsharp@tycoelectronics.com Milt Krivokuca 9 Olympus Irvine, CA 92603 Home Phone: Cell: E-Mail:
- Stephen Marsh - James Schlichting - Glenn Strausser - Brent Grazman - Jonathon Andell - (Liaison Stats Div)
Risk Management
Jd Marhevko SPX Corporation 40 Oak Hollow Ste. 265 Southfield MI 48034 Office Phone: Cell: E-Mail:
Vice-Chair, Marketing
(949) 854-5110 (219) 613-4574 milt619@cox.net
G. Dennis Beecroft G. Dennis Beecroft Inc. 254 Brookview Court Ancaster, Ontario, Canada L9G 1J8 Office Phone: (905) 304-3313 Home Phone: (905) 648-2146 Fax: (905) 304-4075 E-Mail: dennis@g-dennis-beecroft.ca
Past Chair
Secretary
H. Fred Walker Department of Technology 100 Mitchell Center University of Southern Maine Gorham, ME 04038 Office Phone: (207) 780-5425 Home Phone: (207) 926-5322 Office Fax: (207) 780-5129 E-Mail: hfwalker@usm.maine.edu
Joan H. Alliger 200 Thayer Road Fairport, NY 14450 Home Phone: E-Mail: Katrina Harris EMSI PO Box 2409 Hewitt, Texas 76643 Office Phone: Home Phone: Fax: E-mail:
Carol J. Kurtz CJ Kurtz & Associates 7615 S. North Cape Road Franklin, WI 53132 Office Phone: Fax: E-Mail:
Vice-Chair, Operations
Treasurer
David M. Little Tyco Electronics MS 18-11 PO Box 3608 Harrisburg, PA 17105-3608 Office Phone: (717) 810-3741 E-Mail: dmlittle@tycoelectronics.com
Steve Babb REAL Balanced Solutions, Inc. 9126 Maple Court Seminole , FL 33777 Office Phone: (727) 543-9513 Fax: (727) 392-6041 E-mail: sbabb@REALBalancedSolutions.com
To see a QMD organization chart and complete roster of QMD officers, committee chairs, and volunteers, go to the QMD Organization pages on the QMD Web site at www.asq-qmd.org.
H. Fred Walker
Quality Management Forum Editor
Suzanne Andrews, Metropolitan Life Insurance Company; Hank Campbell, University of Arkansas at Pine Bluff; Mark R. Chandler, Federal Highway Administration; Eleanor Chilson, Pylon Manufacturing; Mary Ellen Costello, University of Southern Maine; Deepak Dave, Bobcat Ingersoll Rand Company; William Denney, Quality Texas Foundation; Mac McGuire, McGuire & Associates Consulting; Pradip V. Mehta, Mehta Consulting LLC; Oz Rahman, Harley Davidson Motor Company; Matthew J. Roe, Eaton Corporation Truck Components; Mustafa Shraim, SQPS Ltd; Chad Vincent, Baxter Health Corporation.

The Quality Management Forum is a peer-reviewed publication of the Quality Management Division of the American Society for Quality. Published quarterly, it is QMD's primary channel for communicating quality management information and Division news to Quality Management Division members. The Quality Management Division of ASQ does not necessarily endorse opinions expressed in The Quality Management Forum. Articles, letters and advertisements are chosen for their general interest to Division members, but conclusions are those of the individual writers.

Address all communications regarding The Quality Management Forum, including article submissions, to: Bruce DeRuntz, PhD, College of Engineering, Southern Illinois University Carbondale, Carbondale, Illinois 62901-6603. Office: (618) 453-7829. E-Mail: bruce@siu.edu

Address all communications regarding the Quality Management Division of ASQ to: Heather McCain, Garmin International, 1200 East 151st Street, Olathe, Kansas 66062. Office Phone: (913) 440-2236. Cell: (913) 302-9350. Fax: (816) 274-4084. E-Mail: HeatherMcC@aol.com

Address all communications regarding QMD membership, including change of address, to: American Society for Quality, Customer Service Center, P.O. Box 3005, Milwaukee, WI 53201-3005. 1-800-248-1946 or (414) 272-8575.

For more information on how to submit articles or advertise in The Quality Management Forum, see the Quality Management Division Web site at www.asq-qmd.org. Articles must be received ten weeks prior to the publication date to be considered for that issue. Contact the ASQ Customer Service Center at 1-800-248-1946 or (414) 272-8575 to replace issues lost or damaged in the mail.
Advertise in
The Quality Management Forum
If you provide products or services to the quality profession, The Quality Management Forum will help you reach your target market. Every quarter, the Forum can convey your advertising message to nearly 20,000 Quality Management Division members. These members include many of ASQ's quality executives, managers, supervisors, and team and project managers. Most are decision makers or influencers for products and services such as consulting, training, publications, ISO registration, conferences, business shows, software, and more.
For information on advertising in the Forum, contact ProjectWest, 117 S. Spring St., Suite 201, Aspen, Colorado 81611 Phone 970.925.4234 x 17, Fax 970.925.4862 or E-mail info@projectwest.com.