I was on a quality management discussion forum the other day and stumbled upon an argument that made me wonder if I had lost my sanity

The gist of it was whether or not the management of “risk” had anything to do with quality management and whether an understanding of “risk” was necessarily a knowledge pre-requisite for a QMS auditor. The case for the defence cited that nowhere in ISO 19011 was there any specific reference to “risk”. And on that point, they were quite right – I checked

That really made me wonder whether the “quality fraternity” had actually lost the plot. Or, more to the point, whether they had ever had it in the first place

It started me on a bit of a quest to see if I could unravel any semblance of rationale from this apparent nonsense. After all, it could be just me. So I started by looking in ISO 9000:2005. I found this

“2.8.1 Evaluating processes within the quality management system

When evaluating quality management systems, there are four basic questions that should be asked in relation to every process being evaluated.
a) Is the process identified and appropriately defined?
b) Are responsibilities assigned?
c) Are the procedures implemented and maintained?”
d) Is the process effective in achieving the required results?”

On the face of it that doesn’t introduce much controversy. those are, after all, reasonable questions. But there is no mention of assessing how well risks are controlled, so should there be?

Well I’d have to say “yes” to that, and my reason for that is why should a quality management system be any different to any other management system? If we take the example of ANY other management system, financial, information security, environmental, occupational health & safety, the identification and control of risk is an absolute cornerstone. It is the inarguable starting point. No debate about that at all. So why is “quality” different? What is it about quality management that justifies developing the management system from a completely different starting point, with almost completely different priorities, and to somehow justify side-stepping the whole concept of risk management at every stage?

One question that it does leave unanswered (for me at least) is how this all sits with the inclusion of “quality” within an integrated management system?

So, what do you think? Am I right? Am I the one who has lost the plot? Am I missing something? Seriously, tell me

Post from: Capable People Blog

Quality risk

Too many people have no idea what “risk” actually means – let alone how risks can be mitigated or controlled. So let’s try and get to grips in this post with the fundamental principles

Too risky …

Risk is a combination of the harm or damage that an event may cause, and the likelihood that the event will occur. What that means is that the highest risk activities are those that are highly likely to happen and will cause a lot of harm when they do. The lowest risk activities are obviously the reverse of that, events that are unlikely to occur and would cause little harm even if they did

As an example to illustrate this I heard an interesting debate halfway through the year when scientists were preparing to fire up the Large Hadron Collider (LHC) under the Alps. Some people suggested that the event could get out of hand and create a black hole that would swallow the earth. This would be a highly inconvenient event for all of us should it happen. The scare stories were immediately tempered by many qualified scientists who were keen to point out just how minuscule the likelihood of that was. So in “risk” terms, we were talking about high harm versus tiny likelihood – giving an overall low risk score. However, one commentator asked how high the likelihood of planetary oblivion needed to be before the risk became unacceptable. In other words, is a very small chance we will wipe out civilization tolerable? A fair point you might think

But tolerable risk is a difficult concept over which to achieve universal agreement. Some years ago, the Health & Safety Commission published a document entitled “Taking a Sensible Approach to Risk”. This was seen by many at the time to be a reaction to some high profile inappropriate risk management strategies that had been adopted particularly by public sector bodies, especially schools. The problem with quantifying risk is that it is not an exact science. People have different perceptions of what might be the potential harm and particularly the likelihood of it transpiring. When we identify a risk, we have three broad choices for how we deal with it. We can;

• Accept it (decide we can live with it, or that we can’t do much about it anyway)
• Reduce the risk (implement controls that reduce the potential harm of the event, or reduce the likelihood, or both)
• Eliminate the risk completely (clearly, all things being equal, the most preferred option)

Take the example of school field trips and excursions as an example of an activity that carries some risk. At worst it may present a combination of circumstances that may end up with a fatality – it happens unfortunately. Because of this risk many school headmasters are minded to take the “most preferred option” of eliminating all risk associated with these activities …. by banning them. Is this the right thing to do or is it a disproportionate action? It’s a difficult call, but normally we have to find a way of getting on with our lives, doing things, but also finding ways of reducing our exposure to unnecessary risk. We can’t hide under the bed indefinitely. It might collapse on top of us and kill us

People’s perception of risk

The way that people view a risk is in turn affected by variables. There is, for example, the phenomenon of desensitization. That means that the more we are exposed to a risk without suffering harm, the less high we are likely to rate that risk. A good example of this might be the attitude of a dangerous driver. The more times he gets away with dangerous over-taking manoevres, the more cavalier his attitude to the inherent risk is likely to be. In this case the individual is underestimating the size of the risk by underestimating the “likelihood” side of the equation. Chances are he knows fine well that a head-on collision will do him no favours at all, he just believes it is unlikely to happen

Another thing that affects people’s attitude to risk is previous experience of or exposure to the harm. For example a person who has recently been bitten by a dog (or knows someone that has) is likely to see the event as more likely to occur than someone who has not. Maybe that’s where the old saying comes from …

In business terms we have to find a way to get things done and, as it is often very difficult to eliminate risk, it is usually inevitable that a certain amount of risk must be tolerated. It is difficult to quantify what “tolerable” actually is, however perhaps the best way to look at it might be to apply the old gambling adage

Never bet more than you can afford to lose

Click here to view the embedded video.

This clip actually provides a useful illustration on the concept of “desensitization” to risk. Despite the fact that the young lady comes within a second of being pulped, notice how quickly she recomposes herself and walks off as though this was the most normal of occurrences. If that had been me, I’d have been quivering on the platform for a good few minutes

Post from: Capable People Blog

What is “risk”?

This article reprises the themes raised by my earlier post Deming’s inconvenient truth, and makes an attempt to draw some additional sense from the apparent paradox. For this article I have Hilary Burrage to offer some credit to, for posing a question on the LinkedIn forum that got some pennies dropping

Let’s start the story at the beginning. Sometime in 2005 I was on my way back home on a Thai Air flight from Jakarta to Heathrow, via Bangkok. In Bangkok I was joined by a casually dressed, youngish Englishman. One look told me he had some money because his clothes and shoes looked expensive, as was his seat on the plane. After a while we got talking. I told him what I did, he told me what he did. Turned out he was a professional gambler living in Thailand. I was immediately captivated by the glamour of his chosen profession, he seemed keen to talk and while away the hours, I was keen to listen. So in the intervening 12 hours or so I got a pretty good insight into the life of a professional gambler

Well, surprise surprise, it’s not all glamour and it’s not all luck. That was lesson number one and two. The man was a statistician by education, a former mathematics teacher of all things, who had turned a knowledge of statistics to his advantage in the arena of sports betting. The trick to making a profit in the longer term was, apparently, to have an ability to identify when the bookies have got the odds wrong. That’s when you place your bets. They don’t all come off, but the odds start slanting your way as opposed to the way of the bookie. Being able to identify when the odds were wrong involved a working knowledge of statistics, and a better knowledge of the event than the bookie appeared to have, and that usually involved some very painstaking research. He was based in Thailand because the bookies in South East Asia get the odds wrong more often than they do elsewhere. Makes sense

So what were his strategies? Well, here are some that I can remember:

* Bet with a clear head. If you have a favourite team, leave it alone
* Avoid accumulator bets. With each accumulated event, the odds lurch further the way of the bookie
* Do your research. Pick, say, ten football teams a year and study them continually. Find out which games they tend to win, which they lose, which players appear to be key, injury situations etc. This will all give you a clear advantage over the lazier bookies
* Stick to sports you like and understand. You’ll have to study hard, but it will be easier for you if you happen to enjoy the game
* Steer clear of boxing

There were a few others, but that gives a feel for it

Very interesting, (you may say) but what’s this all got to do with Deming? This is (supposed to be) a quality improvement blog, is it not?

Well there is a point to this tale, and here it is

Remember in the earlier post, Deming’s inconvenient truth, I suggested that Deming taught that management decisions should wherever possible be based on hard facts and evidence? But also that a lot of management information is both unknown and unknowable? Well that summarises in a nutshell that business is one big lottery. There are no certainties, and for every success there is a failure. If all management information was knowable there would be a scientific formula to remove all elements of risk from the decision making process. But it isn’t and there isn’t. That is a lot like the world of professional gambling. All bets carry an inherent risk, and professional gamblers accept risk and occasional failure as an unavoidable fact of life. HOWEVER the most successful gamblers use as much Management Information as they can get their hands on to slant the odds their way

That, I propose, is probably as close to an absolute definition of “Management Information”, its uses and limitations, that you’re ever likely to get

As definitions go, it is a bit on the long side. Sorry

Post from: Capable People Blog

Making sense of Deming

SUPPORT (Sponsorship) from the Top

The implementation must be sponsored at board level and positively supported by all senior people within the organisation. There are a number of ways this can be done: presentations, devising a risk policy, inclusion on agendas

POLICY

Every organisation should have a risk management policy, whatever the approach by the organisation is to risk. Such a policy should be formal and set a framework within which an organisation has to implement its risk management responsibilities and processes. The policy should include:

• Objectives and the overall purpose of risk management for the organisation (statement of intent). There should be links to other policies, for example audit (internal and external), control, governance, conduct, insurance and so on
• Responsibility for risk management should be clearly set out at board, management and operating levels. This should be repeated in specific functionresponsibilities and job descriptions throughout the organisation.
• If there is an audit and/or risk committee in an organisation their responsibilities for risk management should be clearly stated in their terms of reference. This applies also to internal audit and any other internal or external assurance activity
• Risk appetite, the level of risk the board is prepared to accept to achieve its objectives, in specific circumstances or possible events. Indicating the levels of control that are needed to mitigate against specific risks
• An explanation of the key components that sets out the overall approach to risk management, including the commitment of resources (staff and information systems), training and development
• It is necessary for key risks to be considered on a regular basis and reported up the hierarchy as required. Designated managers at various levels report upwards (on either a quarterly of half yearly basis) on the work done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility.
• A common risk language, defining the terms to be used

STRATEGY

The organisation must develop a clear articulated and communicated strategy, explaining how risk management will operate according to an implementation plan (timetable). This will be consistent with specific responsibilities and roles set out within the policy

Risk management must be linked into other activities as a matter of routine, such as business plans, project plans, team meetings etc.

Risk management must be a high priority for everyone in the organisation and must be clearly built into both departmental and individual performance objectives.

STRUCTURE (STAFF)

Linked to strategy there needs to be in-house expertise and sufficient resources within the business in the form of an organisational structure

TRAINING & EDUCATION (SKILLS)

Training and education are needed to help people understand their role as well providing explanation and practice of the process. This helps to ensure consistency and should be based upon clear guidelines and a simple working method that is effective. The method for identifying and assessing risk must be easy to use and not be an end in itself

A good way of helping the process is to run risk workshops

If you’d like a full copy of Chris’ article, please request it using the contact form on the Capable People website

The McKinsey’s 7 S framework is a good basis for developing a risk culture

Post from: Capable People Blog

Embedding Risk Management

The phrase “corporate governance” is prominent in both the business world and the public sector. This is due to the increasing pressure to protect shareholder value and public money following a number of high profile financial scandals, which have received media attention

Good governance is about the effective supervision of the company, and managing risk, so that business is done competently, with integrity and due regard of the interests of all stakeholders. It is the means by which organisations can achieve their objectives and sustain their performance

Investors, including financial institutions and banks, have put a growing emphasis on how well companies manage themselves and their relationships with shareholders and stakeholders. Those organisations that can demonstrate that they act with honesty and probity are now seen as having a competitive advantage

The benefits to be gained from applying best practice in governance include:

Confidence of investors – who may be more inclined to support development and growth

Trust of employees – with the likelihood of increased commitment and retention

Stakeholder & Customer confidence – leading to increased competitiveness in the market place

Long-term sustainability – through achievement of aims and financial strength

Resilience and adaptable to change – built upon a firm foundation of risk management and control

The key guidance on corporate governance is directed towards companies listed upon the stock exchange and is set out within the Combined Code, which was originally published in 1998 but has been revised in 2003 and 2006. The code is voluntary and is designed to strengthen and increase the effectiveness of the unitary Board system (one main board with a chairman and a CEO). The main principles of the code are as follows:

A. Every company should be headed by an effective board collectively responsible for the Company. Their duties should include:

o Setting the company’s strategic aims

o Providing the leadership to put strategies into effect

o Supervising the management of the business

o Reporting to shareholder on their stewardship

B. Levels of remuneration should be sufficient to attract, retain and motivate directors. There should also be a transparent policy for setting executive remuneration.

C. The Board should carry out a balanced and understandable assessment of the company’s position:

o The board should maintain a sound system of internal control to safeguard shareholder’s investment and the company’s assets

o The board should at least annually conduct a review of the effectiveness of the system of internal control and should report to shareholders that they have done so.

o The review should cover all material controls, including Financial, Operational and Compliance controls and Risk Management systems

D. Dialogue with shareholders based on objectives, including an AGM to encourage shareholder participation

Since the publication of the Combined Code and related guidance upon the nature of internal control issued in 1999 (Turnbull Report) there has been a great deal of debate and academic research upon what represents best practice with regard to corporate governance. There are differences of opinion but the following list, reported in Tottel’s Corporate Governance Handbook2005, is generally regarded as a useful summary

Principles of Corporate Governance, Tottel’s Handbook 2005.

1. Stakeholder involvement and control in the business
2. A strong, involved board of directors
3. Risk assessment and control
4. A strong, independent element on the board
5. A balanced board composition
6. Maximum and reliable public reporting
7. Avoidance of excessive power at the top of the business
8. Effective monitoring of management by the board
9. Competence and commitment
10. A strong audit process

While much of this may seem remote and of passing interest to small or medium size companies there are a several practical aspects that can be drawn from the detail that could provide a competitive advantage to small and medium size organisations. Consider the action you can take under the following categories to improve governance

Strategic

• Fully document and communicate your values and business objectives to stakeholders: employees, customers, investors. Seek feedback
• Set specific targets and objectives for the most senior managers and hold review meetings
• Establish a simple and effective system of risk management that will prevent things from going wrong. Encourage involvement is risk
• Find or appoint a critical friend(s) who is prepared to ask challenging questions about performance and direction of the business

Operational

• Look at how you receive assurance that the business complies with regulations and contractual conditions, such as the Companies Act, Inland Revenue, VAT, Data Protection, and Health & Safety etc
• Consider the need for audit processes to gain full assurance
• Create a simple set of measures (key performance indicators) that tell you how the business is performing. Include stakeholder measures to provide a balanced scorecard
• Set out standards of behaviour and customer expectations to emphasis the importance of customer care

Financial

• Prepare long-term financial plans, cash flow projections and annual budgets that link directly to your business plans and objectives
• Establish decision and authority levels for managers so that financial risks are understood and applied.
• Set credit limits for your key customers and carefully monitor and mange your debts.
• Ensure that there is reconciliation of your balance sheet figures to supporting records. Report and regularly review financial performance

If you would like to discuss corporate governance issues further or would like to implement risk management and audit processes within your business please contact Capable People

Chris Baker

Technical Development Manager for the Institute of Internal Auditors,

and critical friend of Capable People

Post from: Capable People Blog

Corporate Governance

Well there’s no doubting that some quality departments are so wrapped up with their own methods, tools, techniques, definitions and auditor requirements that there is a risk that the whole concept of “business” gets blurred, lost even. Maybe that is where Paul was coming from. But even then, is it right to re-focus just on process? We recall a quote attributed to Winston Churchill (that we can no longer locate, so we’ll have to paraphrase) that went something like “no matter how beautiful the process, we do have to keep an eye on the result”. Can’t argue with that surely. What with our obsession with elegant solutions, we do have to ensure that they are, fundamentally, solutions, don’t we?

There was a great thread on learn sigma (14th November) that demonstrated how some people can get all hot under the collar as soon as a particular methodology is mentioned. So much so that the whole issue of context is completely ignored. Quality guys, eh? So where does that take us? Well somewhere along the line we need to raise the sites up a bit above all our ISO/EFQM/Lean/Sigma and remember what the business is trying to achieve and the fundamental dynamics of it all. The 7th November thread on Rachel Elnaugh’s blog brings us back to risk and reputation management. So are we about to propose that we actually need to adopt a business approach to managing quality? Worth thinking about. We’ve had a great article (an as yet undiscovered gem to most) on the high level concepts of risk and assurance posted in our main site members’ area for a little while now, we may as well share it with you. Take a look at it. It’s great sense, the foundation of a quality strategy you could say. But after reading it ask yourself the question “by the time we get to the operational implementation of quality, do we still remember where it all came from and why we’re doing it?”

In other words “do we adopt business approach to managing quality or a quality approach to managing quality?”

Dare we suggest that if the QA department was as fastidious with the calibration and periodic re-calibration of its strategy as it is with the re-calibration of its measuring instruments, that we’d all be a bit better off?

“poking the eye of quality … just to see what happens”

Post from: Capable People Blog

Risk and assurance – A business approach to managing quality

Certain things shouldn’t happen, true enough, but if they can happen they will do In risk management terms we must assume that anything that can happen, sooner or later, will. The only question worth asking is whether the risk is worth managing, or whether we are prepared to accept the risk and live with the consequences The recent problems concerning the contamination of baby milk, and confectionery with the harmful chemical melamine, demonstrate the potential consequences of poor management of risk.

But let’s not dress this up as anything it is not. This is not a case where incompetence, weak process control or contaminated materials have allowed out of specification product to be inadvertently produced and shipped. In each of these cases it was a deliberate act by the manufacturer concerned. The melamine was supposed to be there, the products were designed to be poisonous. The consequences for the consumer being of secondary importance to the manipulation of test results to show a higher than actual protein content (something that melamine does), and therefore to command a higher sale price So what lessons can be learned from these recent events?

Well, if nothing else, that there is no such thing in life as a free lunch. The low cost of Chinese produced goods has been attractive to many western firms over the past half decade or so, but we do need to proceed with our eyes wide open. Certain risks are increased and, let’s face it, if children’s sweets and baby milk are not off-limits for dangerous and fraudulent activity, nothing is. Melamine even poisons primates

The European Commission has “acted swiftly” to suspend the import of all Chinese baby food that contains traces of milk to the EU. Given China’s recent record it beggars belief that anyone would contemplate importing baby milk from that location just now under almost any circumstances Everything comes at a cost, and with low production costs often that means corners are cut.

incredible

www.capablepeople.co.uk

Post from: Capable People Blog

Understanding your risks – the key to quality control

• Compromised information can cause enormous damage to an organisation’s operations and reputation. Information not appropriately protected can lead to serious compliance and legal failures

• Good Information Risk Management helps an organisation get the best out of its information and to move forward and develop, confident that its risks

Read more …

www.capablepeople.co.uk

Post from: Capable People Blog

Information Risk – It’s a Board Room Matter

A student approaches his economics professor to challenge a low mark that he has been given on a recent assignment

“I can’t understand the low mark you’ve given me – I got the same question last year and you yourself gave me an A-grade” wails the student

“Yes I did” responds the professor “but this year the correct answer is different”

We are living in a continually changing world with few stable and absolute truths, consequently the future is at best difficult to predict. On any given day we can listen to countless economics experts debating the state of the global economy and what even the short-term future is likely to mean to nations, sectors and economies. There are dozens of different points of view and, no doubt, in two years time, somebody or other will be able to proclaim that they were right. Thing is, though, statistically, provided there are enough differing points of view, someone has to be right. But let’s not get too carried away with ourselves. No-one is always right because if such a person existed we would all know his name, because he would be king of the world. We actually live in a world of uncertainties. Deming knew this, and we’ve written on the subject a couple of times in the past. He knew that not all management information was known or even knowable, and that planning was merely an exercise in trying to shorten the odds on success – but it was no guarantee

Over past few weeks, Channel 4 has been showing Richard Dawkins’ excellent series “The Genius of Darwin”. During the course of the series a few striking and maybe unexpected parallels between the natural world and the business world have, well, evolved. They may be direct parallels, they may be metaphors, they may only be coincidental, but at worst they offer a new way of looking at things, which is usually a good thing in itself

Let’s start by taking a look at evolution (assuming you believe in it, if you seriously think the world is only a few thousand years old, this article is definitely not for you). There are a few general truths about evolution that you need to understand before you can get your head around the way it works

1. Evolution has no goals. It just happens. Some species survive, others die out, but there is no end-game as such

2. The more successful species in the short term are those that can successfully exploit the status quo

3. The more specialised and “niche” a species is, the more vulnerable it is to environmental change

4. The more successful species in the longer term (especially in times of change) are those that can exploit a changing set of circumstances (i.e. they can learn and/or adapt)

Right, what does that have to do with goal-driven long-term business planning and how does that even suggest it may be a waste of time?

Well, first we must make a distinction between making provision for the future (which is eminently sensible) and trying to predict what the future may look like and then identify what will be our specific niche in that unknown
future-world. It is the latter that we propose may largely be a waste of time – simply because there are far too many unknowable variables to make any sort of rational specific predictions worthwhile. We can aim to make the most of today, certainly, as there are fewer unknowns. We can make reasonably specific short-term plans as the volume of variables in the short-term will be lower. However the longer our time horizon, the less likely it is that we will be able to plan accurately, because we are likely to get more than a few things wrong

So why do people bother with long-term, goal driven planning (because they do)? Well, maybe because it is a comfort. Like the idea of an after-life, it’s nice to think that we can develop and execute long-term plans, because the alternative may be an uncomfortable thought. Maybe

Returning to the evolutionary metaphor, if we really want to survive (and even thrive) in the longer term, and we would prefer to have some influence over our chances, it may be more practical to concentrate on developing our inherent capabilities, rather than goal or outcome driven strategies. In planning terms we may find it difficult to identify what volume of widgets we will be selling in what market and at what margin in 5 years time – although we can easily wish for it. What we can do more easily, however, is to adopt a policy of re-investment with capability driven outcomes, and to place our faith in the general statistical rule that it is the more capable that survive, grow stronger etc.

Now, some people may counter this view with an argument along the lines of

“Well I bought this book in an airport last week written by this millionaire tycoon chappy, and he quite graphically describes how he built his empire up based on a long-term strategic vision. He may not have predicted the future, but he certainly anticipated the future AND he was right – you can get his book yourself if you don’t believe me”

OK yes, we do have our tycoons and, yes, many of them do claim to have some sort of gift of foresight. Some may even claim you can learn it (usually after reading their $19.99 book). However for every startling success there are numerous abject failures about whom no books are written. It’s like if we put 100 would-be tycoons in a room and asked them to flip a coin over and over. If we wait long enough someone will flip 20 consecutive heads. We may actually find that when we speak to our expert coin-tosser that he attributes his success to technique rather than pure chance. Maybe he too would put all that it in a book. You see statistically there has to be some successes, but some factors will be completely incidental to that success, even though in hind-sight we may be able to weave an alternative and plausible yarn. Be entertained by it by all means, but don’t be fooled

Anyway, the gist of this article is to suggest that far too much time and effort is wasted on planning for a future that never arrives, at the expense of continual and relentless investment in capability. The future contains too many unknowns

Carpe Diem

www.capablepeople.co.uk

Post from: Capable People Blog

Is long-term, goal driven planning a waste of time?

… and then some light relief

Post from: Capable People Blog

BS 31100 – a new code of practice for risk management