Risk-Based Thinking In Quality Management Systems

Risk-Based Thinking in QualityManagement Systems:How to Incorporate Risk into Your ProcessesTim Lozier, Verse SolutionsCONFIDENTIAL: This document contains information that is confidential and proprietary to EtQ, Inc. Disclosure, copying, distributionor use without the express permission of EtQ is prohibited. Copyright 2012 EtQ, Inc. All rights reserved.Tim Loziertlozier@versesolutions.com

Agenda Understanding Operational Risk ManagementHow Risk Management processes drive new ways of lookingat compliance in operationsISO 9000:2015 and Risk ManagementCommon tools for leveraging risk in compliancewww.versesolutions.com

Increasing Rate of Changewww.versesolutions.com

There is an Increasing Rate of Change We are more complex– Global Scale of Production, Design, Sourcing– More Mergers, Acquisitions– Growing Supply-Chain There is more competition– Competition leads to shorter product lifecycles– Increases in product complexity– More variety of goods in more areas Companies need to maintaincompliance AND keep up with thepace of business!www.versesolutions.com

Time to shift our mindset? How compliance keeps up with change– Automation of compliance processes– Integration with business systems– Harmonization of compliance processes Cost of compliance is skyrocketing– Cost of systems, people and time– Cost of holding back operations– Cost of holding back inventory Quality and Compliance need to expand!– We must think beyond Quality silo– From audit results to risk assessments– Risk is a more efficient measure ofcompliancewww.versesolutions.com

Risk Management: Hazard vs Risk The terms "hazard" and "risk" are often usedinterchangeably. However, in terms of risk assessment,these are two very distinct terms.HAZARDwww.versesolutions.comRISK

Risk Management: Hazard 1.Insurance: Condition or situation that creates orincreases chance of loss in an insured risk, separatedinto two kinds (1) Physical hazard: physicalenvironment which could increase or decrease theprobability or severity of a loss. It can be managedthrough risk-improvement, insurance policy terms,and premium rates. (2) Moral hazard: attitude andethical conduct of the insured. It cannot be managedbut can be avoided by declining to insure the risk.2.Workplace safety: Dangerous event or situationthat may lead to an emergency or disaster. It couldalso be a biological, chemical, or physical agent in (ora property of) an environment that may have anadverse health effect, or may cause injury or loss. Assuch, a hazard is a potential and not an actualpossibility.Read hazard.html#ixzz3miUj2jq1www.versesolutions.com

Risk Management: Risk Risk is defined as the probability that exposure to ahazard will lead to a negative consequence, or moresimply:Probability ofRisk Hazard x Exposure Thus, a hazard poses no risk if there is no exposure tothat hazard.www.versesolutions.com

Risk Management: Hazard vs RiskConsider the following example from David Okrent's 1980 article, "Comment on Societal Risk":300 in a ship3 in a boatThree people crossing theAtlantic in a rowboat face ahazard of drowning.Three hundred people crossingthe Atlantic in an ocean linerface the same hazard ofdrowningwww.versesolutions.com

Risk Management: Hazard vs RiskConsider the following example from David Okrent's 1980 article, "Comment on Societal Risk":The risk to each individual per crossing is given by the probability of theoccurrence of an accident in which he or she drownsRISK probability of accident occurring x hazardHigh Probability equipment, #of people, environmentLow Probability equipment, #of people, environmentwww.versesolutions.com

Risk Management: Hazard vs RiskConsider the following example from David Okrent's 1980 article, "Comment on Societal Risk":The hazard [drowning] is the same for each individual, but the risk[probability of drowning] is greater for the individuals in the rowboat thanin the ocean linerHazard HazardProbability ProbabilityLESS RISKMORE RISKwww.versesolutions.com

Risk Management: the Process Risk Management is a broad standard (ISO 31000)Identify all relevant risks (e.g.,hazard analysis)Risk IdentificationQuantify the risk (e.g., probabilityand severity)Risk EvaluationDevelopment and evaluation ofrisk assessment methodsRisk management decisionsImplemented solutionImplement a processUse objective and proven toolsAccept (worth it), reduce (mitigate),compensate (insure), transfer(partner), avoid (stop)Change management to introduce orimprove controlswww.versesolutions.com

Risk Management: Areas of Coveragewww.versesolutions.com

Risk Management: Rationale for RiskRepeatableand objectivemethodsA way toevaluate risk inan operationalcontextEasy tounderstand forthe uninitiatedDrives shortterm and longterm changeRiskManagementis the CoreMethodologywww.versesolutions.comBeware a falsesense ofsecurity

ISO 9000:2015 .it’s not just requirements,It’s a company mindshare of Quality.There should be a company-wide commitment/leadership around Qualitywww.versesolutions.com

ISO 9000:2015 view on riskSection 5: LeadershipProvide leadership by encouraging afocus on qualityPromote the use of risk‐based thinking.Section 6: PlanningConsider risks and opportunities whenyou plan your QMSPlan how you’re going to manage risksand opportunitiesDISCLAIMER: The ISO view on risk is SIMPLY STATED. “Use Risk‐based thinking” to manage andplan . But what does that really mean? Broad, and simple – lots of interpretation!www.versesolutions.com

Planning your QMS with risk in mindIdentifyRisks EvaluateRisksTreatmentof RisksTakeActionIdentify risks and opportunities to influence QMSperformanceDetermine how you’re going to measure those risksBuild risk treatment optionsDefine actions to address these riskswww.versesolutions.com

Planning your QMS with risk mindIdentifyRisks EvaluateRisksTreatmentof RisksHow to start Identifying risks?– Survey your operations– Audit, Survey, collect, analyzewww.versesolutions.comTakeAction

Planning your QMS with risk in mindIdentifyRisks EvaluateRisksTreatmentof RisksEvaluate How to handle the riskRisk Assessment– Should be repeatable, objective– Should be backed by REAL-WORLD DATAQuantitative means to build a risk assessmentwww.versesolutions.comTakeAction

Planning your QMS with risk in mindIdentifyRisks EvaluateRisksTreatmentof RisksTakeActionWe know the risk .how do we handle it?Acceptance: “Worth it”Reduction: “Mitigation”Compensation: “Insurance”Transference: “Move it”Avoidance: “Stop it”www.versesolutions.com

Planning your QMS with risk in mindIdentifyRisks EvaluateRisksTreatmentof RisksTakeActionTake Action: Create Visibility and Control the Riskwww.versesolutions.com

Planning your QMS with risk in mindIdentifyRisksEvaluateRisksTreatmentof RisksTakeActionDOCUMENT YOUR ACTIVITIESHow?Audit FindingsSurvey ResultsReport onFindings DocumentyourEvaluation:Control yourmethods,tools,processesDocument thetreatment, theoveralldecisionfactorsLinkAssessmentsto Actionstaken,improvementsmadeDocument the process in order to have traceability.www.versesolutions.com

Planning your QMS with risk in mindIdentifyRisksEvaluateRisksTreatmentof RisksTakeActionProactive Continuous ImprovementPotential butnot realizedHazards:Surveyimprovementareas How can wedetermine theimpact ofpotentialevents?Where can wemeasureimpact provements, Etc.It’s not all for just the Risks! Identify Opportunitiestoo!www.versesolutions.com

Common Tools for Risk Management Treatment(a sample) Decision Tree Risk Matrix Risk Registerwww.versesolutions.com

Decision Tree AnalysisEasy to integrate with everyday processeswww.versesolutions.com

Decision Tree Example When to report to the FDA– Medical device manufacturer– Reporting decision embedded in complaint handlingprocess– Filled out by analysts for every potential adverseevent– Drives decision to report (Yes/No) and acceptabledelay (when?)Prioritize internal notification– Global Utilities company– Automated determination of who needs to benotified of incidents based on risk level– Immediate initial risk assessment determines risklevel– Risk level determines email distribution list,including SMS (text) alerts for highest level– Follow up risk assessment performed afterinvestigation is completed (for long term trendanalysis)– Take immediate action on critical issues, andimplement long term improvements onunacceptable trendswww.versesolutions.com

Risk MatrixQuick, easy, colorfulQuantifies the risk level usingtested assumptionswww.versesolutions.com

Risk Matrix Example Identify potential adverse events– Medical device manufacturer(a different one)– Customer complaints routed for investigation– Subject matter experts perform riskassessment (meeting)– Risk levels drive decisions for recalls,notifications, CAPA Survey of known and unknown threats– Services organization– Periodic survey to all business functions– Managers re-calculate risk levels for knownthreats and suggest new threats– Prioritization of compiled risk levels drivesstrategic risk mitigation initiatives (managedthrough CAPA process)www.versesolutions.com

Risk Register Monitors risk levels over time– Library of hazards (typically known for each industry)– Collects risk assessment data from many processes– Provides visibility into critical events and data fortrend reportingPDCA Cyclewww.versesolutions.com

Summary Complexity and scale breeds the need for changeRisk is a universal compliance constantISO 9000:2015 is about enrolling everyone in QualityRisk in ISO 9000:2015 is simply stated, but maps wellto the risk methodologyFigure out your path to risk, and leverage tools toexpand to a risk-based QMSThere are tools to help ease this transition!www.versesolutions.com

Thank you!Questions?Designed for smallworkgroups in Quality, EHSand Compliance looking totrack events, issue actionitems and launch correctiveactions.Designed especially for SMBcompanies that are lookingfor full functionality in anaffordable SaaS solution.Designed for global, multi‐site deployments, with theneed to integrate complianceacross the enterprise.Free DownloadTake a Free TrialRequest a q.comwww.versesolutions.com

Risk Management: the Process Risk Management is a broad standard (ISO 31000) Risk Identification Risk Evaluation Development and evaluation of risk assessment methods Risk management decisions Implemented solution Identify all relevant risks (e.g., hazard analysis) Quantify the risk (e.g., probability and severity) Implement a process