Quality Risk Management and Business Continuity

There is no overarching ISO standard for quality risk management (QRM). There are guidance documents and industry specific regulatory requirements, various standards for quality, various standards for product/service risk management and a number of standards for enterprise risk management. QRM is understood to lie between these, and it evolves in a non-standardised way for every industry sector and organisation. But none of this matters.

As Covid-19 has shown us, business survival depends upon operational agility, foresight and resilience. The questions is, how does QRM fit into that? Isn’t quality about fitness for use and conformance to requirements? Doesn’t our job stop at that? Think again.

A plant in 1998 produced the highest quality ‘​3 1⁄2-inch floppy discs’ and yet it still closed down due to market cannibalisation of compact discs (CD-ROM). In his book, Out of Crisis, quality guru W Edwards Deming says ‘quality is responsibility of the management’ and that quality should be focused on the consumer needs, present and future. He also says quality begins with intent, which is fixed by the management. The ‘quality’ intent covers enterprise strategy to operational realities since it all contributes to the fulfilment of the intent in quality product or service.

Systematic quality

To truly understand systemic ‘quality’, we need to understand the enterprise system of the organisation. Quality envelops the entire production, distribution and supply chain from incoming material to consumer to redesign and innovation of products and services.

With this perspective, think again about what quality risks are and what QRM means. Most of the time, quality exists within the system in specialised but disconnected siloes. It must become part of the enterprise and strategic decision-making process. This can be achieved by using a systems approach and recognising QRM as a part of Enterprise Risk Management (ERM). Russell Ackoff – another ‘systems’ guru – tells us that systems can be understood by viewing and analysing them from different perspectives.

A systems approach to risk management involves awareness of the position of ‘quality’ within the organisational ‘system’. Risks to quality need to be identified, analysed and evaluated first and then treated, monitored and communicated for every step within a systemic risk governance framework.

A system’s risk thinker will realise that:

• There are multiple variables, which operate within a complex organisational system. Most of them affect quality.
• The processes within the system may appear independent but are causally related. Input and output quality at various upstream processes will determine the quality of input/output of downstream processes.
• The system and process input-output mechanism is cyclical and uses some form of feedback to align itself with the changing environment. Quality is a major component in this feedback.
• The system’s output may have overall positive and negative consequences (two tailed risk).
• A system will produce both intended and unintended consequences; short and long term. This speaks to need for risk readiness, risk response and risk resilience.

Once the management starts thinking of QRM from a system’s standpoint, avenues will open up for it to be aligned with ISO 31000 and ISO 22301. ISO 9001:2015 has already taken the first step by embracing the definition of risk from ISO 31000:2018, which focuses on its positive (opportunity) and negative (threat) aspects. Systems and systemic quality risks need to be understood and managed to make the system risk-resilient, thereby optimising its sustained output. A risk response strategy that skips quality risk will be incomplete and bound to fail.

Vaccine manufacturers, for example, have displayed great agility by adapting their organisations from an enterprise, strategic and operational standpoint to produce Covid-19 vaccines. To ensure that the vaccines are successful, the systemic risks to quality must be addressed proactively from day one. If the vaccine does not work, it’s not the scientists or the researcher’s fault; it’s the management’s fault because, as Deming said it best, management is responsible for quality. In corollary, management is responsible for risks to quality.

Systems approach to risk management involves an open mind to view QRM as an integral part of an enterprise risk management system. Risk management, at its core, involves decision making, and in an organisation there are several layers of decision making to be had. To stay relevant, QRM needs to be focused on adding value, and this can be accomplished by its alignment with other risk management systems in an organisation, which includes ERM.

Attribute to original publisher/ publishing organization: Jayet Moon, CQP MCQI, Quality Engineering Lead at Terumo Medical Corporation, US, and Veronica Cavendish-Stephens, https://www.quality.org/knowledge/the-evolving-role-of-quality-risk-management