Why Information Risk is a Board-level Issue

• Every organisation, whether public or private sector, handles information. This information must be appropriately controlled and protected against the threats, non-technical as well as technical, that can affect it

• Compromised information can cause enormous damage to an organisation’s operations and reputation. Information not appropriately protected can lead to serious compliance and legal failures

• Good Information Risk Management helps an organisation get the best out of its information and to move forward and develop, confident that its risks

Read more …

www.capablepeople.co.uk

Post from: Capable People Blog

Information Risk – It’s a Board Room Matter

A chance encounter

Let’s start the story at the beginning. Sometime in 2005 I was on my way back home on a Thai Air flight from Jakarta to Heathrow, via Bangkok. In Bangkok I was joined by a casually dressed, youngish Englishman. One look told me he had some money because his clothes and shoes looked expensive, as was his seat on the plane. After a while we got talking. I told him what I did, he told me what he did. Turned out he was a professional gambler living in Thailand. I was immediately captivated by the glamour of his chosen profession, he seemed keen to talk and while away the hours, I was keen to listen. So in the intervening 12 hours or so I got a pretty good insight into the life of a professional gambler

Well, surprise surprise, it’s not all glamour and it’s not all luck. That was lesson number one and two. The man was a statistician by education, a former mathematics teacher of all things, who had turned a knowledge of statistics to his advantage in the arena of sports betting. The trick to making a profit in the longer term was, apparently, to have an ability to identify when the bookies have got the odds wrong. That’s when you place your bets. They don’t all come off, but the odds start slanting your way as opposed to the way of the bookie. Being able to identify when the odds were wrong involved a working knowledge of statistics, and a better knowledge of the event than the bookie appeared to have, and that usually involved some very painstaking research. He was based in Thailand because the bookies in South East Asia get the odds wrong more often than they do elsewhere. Makes sense

So what were his strategies? Well, here are some that I can remember:

* Bet with a clear head. If you have a favourite team, leave it alone
* Avoid accumulator bets. With each accumulated event, the odds lurch further the way of the bookie
* Do your research. Pick, say, ten football teams a year and study them continually. Find out which games they tend to win, which they lose, which players appear to be key, injury situations etc. This will all give you a clear advantage over the lazier bookies
* Stick to sports you like and understand. You’ll have to study hard, but it will be easier for you if you happen to enjoy the game
* Steer clear of boxing

There were a few others, but that gives a feel for it

Get to the point, Sayers!

Very interesting, you may say, but what’s this all got to do with quality? Well there is a point to this tale, and here it is

Remember in the earlier post, Deming’s inconvenient truth, I suggested that Deming taught that management decisions should wherever possible be based on hard facts and evidence? But also that a lot of management information is both unknown and unknowable? Well that summarises in a nutshell that business is one big lottery. There are no certainties, and for every success there is a failure. If all management information was knowable there would be a scientific formula to remove all elements of risk from the decision making process. But it isn’t and there isn’t. That is a lot like the world of professional gambling. All bets carry an inherent risk, and professional gamblers accept risk and occasional failure as an unavoidable fact of life. HOWEVER the most successful gamblers use as much Management Information as they can get their hands on to slant the odds their way

That, I propose, is probably as close to an absolute definition of “Management Information”, its uses and limitations, that you’re ever likely to get

As definitions go, it is a bit on the long side. Sorry

Post from: Capable People Blog

Making sense of Quality

(With thanks to Chris Baker, Technical Director, Institute of Internal Auditors)

Changing risk profile

The head of internal audit needs to know whether anything has changed in the risk profile of the organisation to create the desire for the audit. Since management is responsible for managing risks, the head of internal audit will discuss with the management responsible for the information security risks their assessment of the effect of the recent events on the organisation’s risk profile

The considerations to take into account relate to the evaluation of the risks and of the responses that management believes are in place to address these risks. They include:

1. The size of a risk depends on the impact on the organisation if the risk event crystallises and the likelihood that it will crystallise. The evaluation of the size may therefore have changed because:

• The projected impact of losing personal data may now be thought to be higher than before because the damage to reputation could be greater given the publicity and public interest in the issue, and the potential sanction demanded by the data protection regulators may be higher than before
• It is possible that the likelihood of this happening might be changed – perhaps there will be increased interest of external parties in trying to force an incident or perhaps managers have decided immediately to follow the actions of HM Customs and Revenue, to remove the drive bays and connections ports and thus to terminate the possibility of moving any data onto digital media
• The actual effectiveness of existing responses to the risk may change – e.g staff may be more sensitive to the risk as a result of the publicity.
• The perceived effectiveness of responses to the risk may also change – managers may have been relying on technical access controls to protect access to confidential data, not taking into account the vulnerabilities related to transferring data outside the organisation

All of these may change the relative priority of data security issues and the appropriate treatment in the internal audit plan Source of assurance and skills available to internal audit. The internal audit plan will take into account not only the risk analysis but also those areas on which those responsible for governance want the independent and objective assurance that internal audit can offer as well as the skills available to internal audit to provide that assurance

Given the greater focus on data security issues, senior management and the board may feel a need for more independent and objective assurance. This would be a reason for including a new project in the internal audit plan

However, the head of internal audit may be able to minimise the work to be done by internal audit by reviewing the work being done by other assurance sources. Internal audit can assist the organisation by helping senior management and the audit committee to understand all the monitoring and assurance activities that the organisation undertakes and by providing a bridge between the data security specialists and the audit committee, if one is needed

Although in an ideal world, all internal audit activities will have the skills necessary to address data security issues, it may still be the case that some organisations do not have those skills available. The head of internal audit will have reported this to those responsible for governance and obtained their approval of the implications – that certain assurances could not be provided. Given the changes in the perceptions of data security issues, this may no longer be acceptable. In that case, the head of internal audit will be required to identify and source skilled resources from elsewhere

Post from: Capable People Blog

A risk-based approach to internal audit planning

Corporate Governance is a hot topic at the moment, so I think it is probably an opportune time to re-post this excellent article that was written for this blog some time ago by Chris Baker, Technical Director at the Institute of Internal Auditors.  I was reading some comments on a quality management chat forum recently where people were arguing that the apparent failures across the News Corp organisation was a failure of QUALITY management. Discussions like this make me wonder whether the concept of Corporate Governance is really understood. There are some that will argue that Quality Management encompasses all processes and disciplines, but in my opinion this is incorrect and simply displays an ignorance of the complexities that other processes, professions and disciplines

I could suggest that if the only tool you have in your tool box is a hammer, then it is perhaps understandable to see every problem as a nail. Anyway, for what its worth, here’s a summary of Corporate Governance principles

GOVERNANCE PRINCIPLES

The phrase “corporate governance” is prominent in both the business world and the public sector. This is due to the increasing pressure to protect shareholder value and public money following a number of high profile financial scandals, which have received media attention

Good governance is about the effective supervision of the company, and managing risk, so that business is done competently, with integrity and due regard for the interests of all stakeholders. It is the means by which organisations can achieve their objectives and sustain performance

Investors, including banks, place a growing emphasis on how well companies manage their affairs. Those organisations that can demonstrate that relationships are managed with probity are seen as presenting a lower risk to investment, and secure an obvious competitive advantage. It should be noted at this point that demonstrating probity is not the same as being presumed innocent until proved otherwise

The benefits to be gained from applying best practice in governance include:

• Confidence of investors – who may be more inclined to support development and growth
• Trust of employees – with the likelihood of increased commitment and retention
• Stakeholder & Customer confidence – leading to increased competitiveness in the market place
• Long-term sustainability – through achievement of aims and financial strength
• Resilience and adaptable to change – built upon a firm foundation of risk management and control

The key guidance on corporate governance is directed towards companies listed upon the stock exchange and is set out within the Combined Code, which was originally published in 1998 but has been revised in 2003 and 2006. The code is voluntary and is designed to strengthen and increase the effectiveness of the unitary Board system (one main board with a chairman and a CEO). The main principles of the code are as follows:

A. Every company should be headed by an effective board collectively responsible for the Company. Their duties should include:

o Setting the company’s strategic aims

o Providing the leadership to put strategies into effect

o Supervising the management of the business

o Reporting to shareholder on their stewardship

B. Levels of remuneration should be sufficient to attract, retain and motivate directors. There should also be a transparent policy for setting executive remuneration.

C. The Board should carry out a balanced and understandable assessment of the company’s position:

o The board should maintain a sound system of internal control to safeguard shareholder’s investment and the company’s assets

o The board should at least annually conduct a review of the effectiveness of the system of internal control and should report to shareholders that they have done so.

o The review should cover all material controls, including Financial, Operational and Compliance controls and Risk Management systems

D. Dialogue with shareholders based on objectives, including an AGM to encourage shareholder participation

Since the publication of the Combined Code and related guidance upon the nature of internal control issued in 1999 (Turnbull Report) there has been a great deal of debate and academic research upon what represents best practice with regard to corporate governance. There are differences of opinion but the following list, reported in Tottel’s Corporate Governance Handbook2005, is generally regarded as a useful summary

Principles of Corporate Governance, Tottel’s Handbook 2005.

1. Stakeholder involvement and control in the business
2. A strong, involved board of directors
3. Risk assessment and control
4. A strong, independent element on the board
5. A balanced board composition
6. Maximum and reliable public reporting
7. Avoidance of excessive power at the top of the business
8. Effective monitoring of management by the board
9. Competence and commitment
10. A strong audit process

While much of this may seem remote and of passing interest to small or medium size companies there are a several practical aspects that can be drawn from the detail that could provide a competitive advantage to small and medium size organisations. Consider the action you can take under the following categories to improve governance

Strategic

• Fully document and communicate your values and business objectives to stakeholders: employees, customers, investors. Seek feedback
• Set specific targets and objectives for the most senior managers and hold review meetings
• Establish a simple and effective system of risk management that will prevent things from going wrong. Encourage involvement is risk
• Find or appoint a critical friend(s) who is prepared to ask challenging questions about performance and direction of the business

Operational

• Look at how you receive assurance that the business complies with regulations and contractual conditions, such as the Companies Act, Inland Revenue, VAT, Data Protection, and Health & Safety etc
• Consider the need for audit processes to gain full assurance
• Create a simple set of measures (key performance indicators) that tell you how the business is performing. Include stakeholder measures to provide a balanced scorecard
• Set out standards of behaviour and customer expectations to emphasis the importance of customer care

Financial

• Prepare long-term financial plans, cash flow projections and annual budgets that link directly to your business plans and objectives
• Establish decision and authority levels for managers so that financial risks are understood and applied.
• Set credit limits for your key customers and carefully monitor and mange your debts.
• Ensure that there is reconciliation of your balance sheet figures to supporting records. Report and regularly review financial performance

If you would like to discuss corporate governance issues further or would like to implement risk management and audit processes within your business please contact Capable People

Chris Baker

Technical Development Manager for the Institute of Internal Auditors,

and critical friend of Capable People

Post from: Capable People Blog

Corporate Governance

Introduction

This short piece of guidance provides a summary and introduction to ‘adequate procedures’ a guidance document issued by the UK Ministry of Justice designed to help organisations prevent bribery and corruption. We set out the key principles of the guidance, procedures that organisations should be thinking about and the role that internal auditors can play in helping organisations to build and maintain these procedures.

Background

The UK Bribery Act, which came into force on 1 July 2011, introduces an offence of corporate failure to prevent bribery. The defence for a company against this liability is to prove that it had ‘adequate procedures’.

The Ministry of Justice has issued guidance and case studies to clarify the meaning of ‘adequate procedures’ following an extensive consultation process that began in September 2010. The guidance is high level, principles-based and non-prescriptive in character formulated around six “principles”:

• Proportionate procedures
• Top level commitment
• Risk assessment
• Due diligence
• Communication
• Monitoring and review

The objective of the Bribery Act is not to bring the full force of the criminal law to bear upon well run commercial organisations that experience an isolated incident of bribery. Organisations are encouraged to develop preventative procedures appropriate and proportionate to their circumstances taking into account their size, structure, complexity and risk exposure. This involves applying a risk-based approach to focus effort according to the organisation’s jurisdictions, business sectors, business partners and transactions.

Offences

The Bribery Act contains two general offences (under section 1 and 2) covering the offering, promising or giving of a bribe (active bribery) and the requesting, agreeing to receive or accepting of a bribe (passive bribery). It also sets out two further offences which specifically address commercial bribery related to bribing foreign officials (section 6) and failing to prevent bribery (section 7).

To be liable under section 7 a commercial organisation must have failed to prevent conduct that would amount to the commission of an offence under sections 1, 2 or 6. Where the prosecution can not prove that an offence has been committed the section 7 offence will not be triggered. The precise nature of what is an offence and what is not is quite complex so further reading of the detailed explanations and case studies within the government’s guidance is recommended (these can be found on pages 8 to 19).

Provided the organisation is incorporated or formed in the UK, or that the organisation carries on a business or part of a business in the UK (wherever in the world it may be incorporated or formed) then UK courts will have jurisdiction.

More information?

We have a detailed fact sheet that supports the Bribery Act available to anyone who is interested. It’s a bit long to blog, but if you email us, we’ll be happy to send you a copy

Post from: Capable People Blog

Bribery Act

Let’s start with a joke

There is a well-known joke in economics circles that goes something like this:

A student approaches his economics professor to challenge a low mark that he has been given on a recent assignment

“I can’t understand the low mark you’ve given me – I got the same question last year and you yourself gave me an A-grade” wails the student

“Yes I did” responds the professor “but this year the correct answer is different”

Of course somebody will get it right …

We are living in a continually changing world with few stable and absolute truths, consequently the future is at best difficult to predict. On any given day we can listen to countless economics experts debating the state of the global economy and what even the short-term future is likely to mean to nations, sectors and economies. There are dozens of different points of view and, no doubt, in two years time, somebody or other will be able to proclaim that they were right. Thing is, though, statistically, provided there are enough differing points of view, someone has to be right. But let’s not get too carried away with ourselves. No-one is always right because if such a person existed we would all know his name, because he would be king of the world. We actually live in a world of uncertainties. Deming knew this, and we’ve written on the subject a couple of times in the past. He knew that not all management information was known or even knowable, and that planning was merely an exercise in trying to shorten the odds on success – but it was no guarantee

Evolution, some rules

A while ago Channel 4 broadcast Richard Dawkins’ series “The Genius of Darwin”. During the course of the series a few striking and maybe unexpected parallels between the natural world and the business world have, well, evolved. They may be direct parallels, they may be metaphors, they may only be coincidental, but at worst they offer a new way of looking at things, which is usually a good thing in itself

Let’s start by taking a look at evolution (even if you don’t believe in it, try and stay with the argument, it’s imprtant). There are a few general truths about evolution that you need to understand before you can get your head around the way it works

1. Evolution has no goals. It just happens. Some species survive, others die out, but there is no end-game as such

2. The more successful species in the short term are those that can successfully exploit the status quo

3. The more specialised and “niche” a species is, the more vulnerable it is to environmental change

4. The more successful species in the longer term (especially in times of change) are those that can exploit a changing set of circumstances (i.e. they can learn and/or adapt)

Business is business

What does that have to do with goal-driven long-term business planning and how does that even suggest it may be a waste of time?

Well, first we must make a distinction between making provision for the future (which is eminently sensible) and trying to predict what the future may look like and then identify what will be our specific niche in that unknown
future-world. It is the latter that we propose may largely be a waste of time – simply because there are far too many unknowable variables to make any sort of rational specific predictions worthwhile. We can aim to make the most of today, certainly, as there are fewer unknowns. We can make reasonably specific short-term plans as the volume of variables in the short-term will be lower. However the longer our time horizon, the less likely it is that we will be able to plan accurately, because we are likely to get more than a few things wrong

So why do people bother with long-term, goal driven planning (because they do)? Well, maybe because it is a comfort. Like the idea of an after-life, it’s nice to think that we can develop and execute long-term plans, because the alternative may be an uncomfortable thought. Maybe

Returning to the evolutionary metaphor, if we really want to survive (and even thrive) in the longer term, and we would prefer to have some influence over our chances, it may be more practical to concentrate on developing our inherent capabilities, rather than goal or outcome driven strategies. In planning terms we may find it difficult to identify what volume of widgets we will be selling in what market and at what margin in 5 years time – although we can easily wish for it. What we can do more easily, however, is to adopt a policy of re-investment with capability driven outcomes, and to place our faith in the general statistical rule that it is the more capable that survive, grow stronger etc.

Dragons schmagons

Now, some people may counter this view with an argument along the lines of

“Well I bought this book in an airport last week written by this millionaire tycoon fellow, and he quite graphically describes how he built his empire up based on a long-term strategic vision. He may not have predicted the future, but he certainly anticipated the future AND he was right – you can get his book yourself if you don’t believe me”

OK yes, we do have our tycoons and, yes, many of them do claim to have some sort of gift of foresight. Some may even claim you can learn it (usually after reading their $19.99 book). However for every startling success there are numerous abject failures about whom no books are written. It’s like if we put 100 would-be tycoons in a room and asked them to flip a coin over and over. If we wait long enough someone will flip 20 consecutive heads. We may actually find that when we speak to our expert coin-tosser that he attributes his success to technique rather than pure chance. Maybe he too would put all that it in a book. You see statistically there has to be some successes, but some factors will be completely incidental to that success, even though in hind-sight we may be able to weave an alternative and plausible yarn. Be entertained by it by all means, but don’t be fooled

Anyway, the gist of this article is to suggest that far too much time and effort is wasted on planning for a future that never arrives, at the expense of continual and relentless investment in capability. The future contains too many unknowns

Post from: Capable People Blog

Is long-term planning a waste of time?

Too many people have no idea what “risk” actually means – let alone how risks can be mitigated or controlled. So let’s try and get to grips in this post with the fundamental principles

Too risky …

Risk is a combination of the harm or damage that an event may cause, and the likelihood that the event will occur. What that means is that the highest risk activities are those that are highly likely to happen and will cause a lot of harm when they do. The lowest risk activities are obviously the reverse of that, events that are unlikely to occur and would cause little harm even if they did

As an example to illustrate this I heard an interesting debate halfway through the year when scientists were preparing to fire up the Large Hadron Collider (LHC) under the Alps. Some people suggested that the event could get out of hand and create a black hole that would swallow the earth. This would be a highly inconvenient event for all of us should it happen. The scare stories were immediately tempered by many qualified scientists who were keen to point out just how minuscule the likelihood of that was. So in “risk” terms, we were talking about high harm versus tiny likelihood – giving an overall low risk score. However, one commentator asked how high the likelihood of planetary oblivion needed to be before the risk became unacceptable. In other words, is a very small chance we will wipe out civilization tolerable? A fair point you might think

But tolerable risk is a difficult concept over which to achieve universal agreement. Some years ago, the Health & Safety Commission published a document entitled “Taking a Sensible Approach to Risk”. This was seen by many at the time to be a reaction to some high profile inappropriate risk management strategies that had been adopted particularly by public sector bodies, especially schools. The problem with quantifying risk is that it is not an exact science. People have different perceptions of what might be the potential harm and particularly the likelihood of it transpiring. When we identify a risk, we have three broad choices for how we deal with it. We can;

• Accept it (decide we can live with it, or that we can’t do much about it anyway)
• Reduce the risk (implement controls that reduce the potential harm of the event, or reduce the likelihood, or both)
• Eliminate the risk completely (clearly, all things being equal, the most preferred option)

Take the example of school field trips and excursions as an example of an activity that carries some risk. At worst it may present a combination of circumstances that may end up with a fatality – it happens unfortunately. Because of this risk many school headmasters are minded to take the “most preferred option” of eliminating all risk associated with these activities …. by banning them. Is this the right thing to do or is it a disproportionate action? It’s a difficult call, but normally we have to find a way of getting on with our lives, doing things, but also finding ways of reducing our exposure to unnecessary risk. We can’t hide under the bed indefinitely. It might collapse on top of us and kill us

People’s perception of risk

The way that people view a risk is in turn affected by variables. There is, for example, the phenomenon of desensitization. That means that the more we are exposed to a risk without suffering harm, the less high we are likely to rate that risk. A good example of this might be the attitude of a dangerous driver. The more times he gets away with dangerous over-taking manoevres, the more cavalier his attitude to the inherent risk is likely to be. In this case the individual is underestimating the size of the risk by underestimating the “likelihood” side of the equation. Chances are he knows fine well that a head-on collision will do him no favours at all, he just believes it is unlikely to happen

Another thing that affects people’s attitude to risk is previous experience of or exposure to the harm. For example a person who has recently been bitten by a dog (or knows someone that has) is likely to see the event as more likely to occur than someone who has not. Maybe that’s where the old saying comes from …

In business terms we have to find a way to get things done and, as it is often very difficult to eliminate risk, it is usually inevitable that a certain amount of risk must be tolerated. It is difficult to quantify what “tolerable” actually is, however perhaps the best way to look at it might be to apply the old gambling adage

Never bet more than you can afford to lose

Click here to view the embedded video.

This clip actually provides a useful illustration on the concept of “desensitization” to risk. Despite the fact that the young lady comes within a second of being pulped, notice how quickly she recomposes herself and walks off as though this was the most normal of occurrences. If that had been me, I’d have been quivering on the platform for a good few minutes

Post from: Capable People Blog

What is “risk”?

I was on a quality management discussion forum the other day and stumbled upon an argument that made me wonder if I had lost my sanity

The gist of it was whether or not the management of “risk” had anything to do with quality management and whether an understanding of “risk” was necessarily a knowledge pre-requisite for a QMS auditor. The case for the defence cited that nowhere in ISO 19011 was there any specific reference to “risk”. And on that point, they were quite right – I checked

That really made me wonder whether the “quality fraternity” had actually lost the plot. Or, more to the point, whether they had ever had it in the first place

It started me on a bit of a quest to see if I could unravel any semblance of rationale from this apparent nonsense. After all, it could be just me. So I started by looking in ISO 9000:2005. I found this

“2.8.1 Evaluating processes within the quality management system

When evaluating quality management systems, there are four basic questions that should be asked in relation to every process being evaluated.
a) Is the process identified and appropriately defined?
b) Are responsibilities assigned?
c) Are the procedures implemented and maintained?”
d) Is the process effective in achieving the required results?”

On the face of it that doesn’t introduce much controversy. those are, after all, reasonable questions. But there is no mention of assessing how well risks are controlled, so should there be?

Well I’d have to say “yes” to that, and my reason for that is why should a quality management system be any different to any other management system? If we take the example of ANY other management system, financial, information security, environmental, occupational health & safety, the identification and control of risk is an absolute cornerstone. It is the inarguable starting point. No debate about that at all. So why is “quality” different? What is it about quality management that justifies developing the management system from a completely different starting point, with almost completely different priorities, and to somehow justify side-stepping the whole concept of risk management at every stage?

One question that it does leave unanswered (for me at least) is how this all sits with the inclusion of “quality” within an integrated management system?

So, what do you think? Am I right? Am I the one who has lost the plot? Am I missing something? Seriously, tell me

Post from: Capable People Blog

Quality risk

Risk management needs to become part of the way business is conducted. Embedding risk management in the regular, daily affairs of the organisation is not an easy task and requires continuous effort. To achieve this measure of acceptance may take some time; however, a number of steps can be taken to help the process

SUPPORT (Sponsorship) from the Top

The implementation must be sponsored at board level and positively supported by all senior people within the organisation. There are a number of ways this can be done: presentations, devising a risk policy, inclusion on agendas

POLICY

Every organisation should have a risk management policy, whatever the approach by the organisation is to risk. Such a policy should be formal and set a framework within which an organisation has to implement its risk management responsibilities and processes. The policy should include:

• Objectives and the overall purpose of risk management for the organisation (statement of intent). There should be links to other policies, for example audit (internal and external), control, governance, conduct, insurance and so on
• Responsibility for risk management should be clearly set out at board, management and operating levels. This should be repeated in specific functionresponsibilities and job descriptions throughout the organisation.
• If there is an audit and/or risk committee in an organisation their responsibilities for risk management should be clearly stated in their terms of reference. This applies also to internal audit and any other internal or external assurance activity
• Risk appetite, the level of risk the board is prepared to accept to achieve its objectives, in specific circumstances or possible events. Indicating the levels of control that are needed to mitigate against specific risks
• An explanation of the key components that sets out the overall approach to risk management, including the commitment of resources (staff and information systems), training and development
• It is necessary for key risks to be considered on a regular basis and reported up the hierarchy as required. Designated managers at various levels report upwards (on either a quarterly of half yearly basis) on the work done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility.
• A common risk language, defining the terms to be used

STRATEGY

The organisation must develop a clear articulated and communicated strategy, explaining how risk management will operate according to an implementation plan (timetable). This will be consistent with specific responsibilities and roles set out within the policy

Risk management must be linked into other activities as a matter of routine, such as business plans, project plans, team meetings etc.

Risk management must be a high priority for everyone in the organisation and must be clearly built into both departmental and individual performance objectives.

STRUCTURE (STAFF)

Linked to strategy there needs to be in-house expertise and sufficient resources within the business in the form of an organisational structure

TRAINING & EDUCATION (SKILLS)

Training and education are needed to help people understand their role as well providing explanation and practice of the process. This helps to ensure consistency and should be based upon clear guidelines and a simple working method that is effective. The method for identifying and assessing risk must be easy to use and not be an end in itself

A good way of helping the process is to run risk workshops

If you’d like a full copy of Chris’ article, please request it using the contact form on the Capable People website

The McKinsey’s 7 S framework is a good basis for developing a risk culture

Post from: Capable People Blog

Embedding Risk Management

Well there’s no doubting that some quality departments are so wrapped up with their own methods, tools, techniques, definitions and auditor requirements that there is a risk that the whole concept of “business” gets blurred, lost even. Maybe that is where Paul was coming from. But even then, is it right to re-focus just on process? We recall a quote attributed to Winston Churchill (that we can no longer locate, so we’ll have to paraphrase) that went something like “no matter how beautiful the process, we do have to keep an eye on the result”. Can’t argue with that surely. What with our obsession with elegant solutions, we do have to ensure that they are, fundamentally, solutions, don’t we?

There was a great thread on learn sigma (14th November) that demonstrated how some people can get all hot under the collar as soon as a particular methodology is mentioned. So much so that the whole issue of context is completely ignored. Quality guys, eh? So where does that take us? Well somewhere along the line we need to raise the sites up a bit above all our ISO/EFQM/Lean/Sigma and remember what the business is trying to achieve and the fundamental dynamics of it all. The 7th November thread on Rachel Elnaugh’s blog brings us back to risk and reputation management. So are we about to propose that we actually need to adopt a business approach to managing quality? Worth thinking about. We’ve had a great article (an as yet undiscovered gem to most) on the high level concepts of risk and assurance posted in our main site members’ area for a little while now, we may as well share it with you. Take a look at it. It’s great sense, the foundation of a quality strategy you could say. But after reading it ask yourself the question “by the time we get to the operational implementation of quality, do we still remember where it all came from and why we’re doing it?”

In other words “do we adopt business approach to managing quality or a quality approach to managing quality?”

Dare we suggest that if the QA department was as fastidious with the calibration and periodic re-calibration of its strategy as it is with the re-calibration of its measuring instruments, that we’d all be a bit better off?

“poking the eye of quality … just to see what happens”

Post from: Capable People Blog

Risk and assurance – A business approach to managing quality