WIXLIB

Quality Revolution EvolutionHow to Apply Risk to yourQuality Management System:Defining and Building a Risk Management Strategy forQuality and Compliance Management SystemsTom Barlow, EtQ, Inc.tbarlow@etq.comASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Agenda Objectiveso How to measure compliance in the complexity of business todayo How Risk Management processes drive new ways of looking atcomplianceo Understand the relationship between Risk Management and RiskAssessmentASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Increasing Rate of Change ASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Increasing Rate of Change More complex organizationso Design and production facilities are worldwideo Mergers and acquisitions introduce cultural differenceso Suppliers are providing more of the product More intense competitionooooCompetition leads to shorter product lifecyclesNew technology increases product complexityGlobalization introduces local differencesBetter marketing data expands product selection Companies need to maintaincompliance AND keep upwith the pace of business!ASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

makes ComplianceMore Difficult How compliance keeps up with changeo Software automation of compliance processeso Integration with business systemso Harmonization of compliance processes Cost of compliance is skyrocketingo Cost of systems, people and timeo Cost of holding back operationso Cost of holding back inventory Time for compliance objectives to change?o From 100% to Acceptableo From audit results to risk assessmentso Risk is a more efficient measure of complianceASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Compliance Standards areCatching OnISO 31000ISO 14000Guidance for riskmanagement inany organizationsISO9000:2008(environment) &OHSAS18000 (safety)Identify andassess every riskTitleISO13485/14969No directreference, but staytuned for 2015!Meeting thestandards ofcompliance(medical device),ICH Q10/Q9(pharma)Explicit referenceto riskmanagement14 CFR Part5ISO 27000(informationsecurity)Primary focus is risk,taking intoaccount threats,vulnerabilities andimpacts(air transportation)Primary focus is riskassessment, controland overallmanagementASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Management ProcessRisk Analysis Risk Management is a broad standard (ISO 31000)Risk IdentificationRisk EvaluationDevelopment and evaluation ofrisk assessment methodsRisk management decisionsIdentify all relevant risks (e.g.,hazard analysis)Quantify the risk (e.g.,probability and severity)Implement a processUse objective and proven toolsAccept (worth it), reduce(mitigate), compensate (insure),transfer (partner), avoid (stop)Change management tointroduce or improve controlsImplemented solutionASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

HazardRisk ManagementTerminologyo A situation that poses a level of threat to life, health, property orenvironment (an undesired event) Risk– The potential that achosen action oractivity will lead to anundesirable event Control– A method of evaluatingpotential losses and takingaction to reduce or eliminatethe potential for an undesiredeventASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

alityRisk Management, ManyApplicationsASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Challenges with RiskManagementFrom “A Transformational Approach to Safety Risk Management” Bob Dodd, Aloft Lots of Focus on Process, but Content is Keyo How to manage unidentified hazards?o How to calibrate risk levels? Understand the Limitations of the Processo We are not good at assessing risk We don't expect the unexpected We reconstruct instead of replay We see patterns in random events We confuse understanding with knowledge We group thinko Prediction is hard (experts are no better)o Dealing with very small sample sets (single occurrence) Use a Structured Approach: Risk Models Collect Lots of Datao Roll out models everywhereo Monitor near misses in addition to recording critical eventsASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Assessment is theCore MethodologyEasy tounderstand forthe uninitiatedRepeatable andobjectivemethodsA way toevaluate risk inan operationalcontextDrives shortterm and longterm changeRiskAssessment isthe CoreMethodologyBeware a falsesense ofsecurityASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Where to Assess (Operational) RiskProduct and Process Design Change Management Production Part Approval Process (PPAP) Failure Mode Effects Analysis (FMEA) Job Safety AnalysisManufacturing and Delivery Nonconforming Reports and PlannedDeviations Incident and Accident ReportingPost-Production Complaints Handling Supplier Performance Rating Internal Audits Corrective /Preventive Actions (CAPA)ASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

How to Assess Risk (onlya sample) Risk MatrixFailure Modes and Effects AnalysisDecision TreeHACCPBowtieRisk RegisterASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk MatrixQuick, easy, colorfulQuantifies the risk level usingtested assumptionsASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Matrix Example Identify potential adverse eventsooooMedical device manufacturerCustomer complaints routed for investigationSubject matter experts perform risk assessment (meeting)Risk levels drive decisions for recalls, notifications, CAPA Monitor occupational injurieso Global facilities management companyo Incident reports submitted by safety professionalso Perform initial risk assessment on submission, using detailedguidelines (over 30 options divided into 5 categories)o Risk levels drive alerts, immediate actions and trend reportsASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Matrix Example Survey of known and unknown threatso Services organizationo Periodic survey to all business functionso Managers re-calculate risk levels for known threats and suggestnew threatso Prioritization of compiled risk levels drives strategic risk mitigationinitiatives (managed through CAPA process) Identify job hazardsooooPower utility serving 7 countriesAnalysis performed for every job position, periodically reviewedInitial risk assessment of each job stepMitigate risk through protective equipment and process changeuntil residual risk is acceptableASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Failure Modes and Effect AnalysisFor design of products and processesASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

FMEA ProcessPlanning StageAnalysis StageReview StageImplementation Stage41Develop andExecuteFMEAStrategicPlan2Develop FMEAs5FMEAQualityAudit6SupplierFMEAsTest andField Failures7ExecuteActions toReduce orEliminateRisk8Linkage toLinkage toOtherLinkage toOtherProcessesLinkage toOtherProcessesOtherProcessesProcesses9ASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Sample FMEA FormASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

FMEA Example Demonstrate acceptable quality to customerooooGlobal engineering companyUses PPAP to coordinate design changes with parts suppliersFMEA submitted by supplier and evaluated by engineersRisk Priority Number (RPN) drives remedial actions and generalacceptabilityASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Decision TreesEasy to integrate with everyday processesASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Decision Tree Example When to report to the FDAooooMedical device manufacturer (a different one)Reporting decision embedded in complaint handling processFilled out by analysts for every potential adverse eventDrives decision to report (Yes/No) and acceptable delay (when?)ASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Hazard Analysis (HACCP)Preventive approach to ssmentCCP3.1B: BiologicalC Chemical:PathogensP:Steps taken tomitigate hazardStandardProceduresrelated GMPQ1Q2Q3Q4No-3.2B: BiologicalC Chemical:PathogensP:Steps taken tomitigate hazardStandardProceduresrelated GMPQ1Q2Q3Q4No-3.3B: BiologicalC Chemical:PathogensP:Steps taken tomitigate hazardStandardProceduresrelated GMPQ1Q2Q3Q4YesYesYesASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Hazard Analysis(HACCP) Example Determine inspection level for incomingmaterialso Large food manufacturero HACCP created to identify CCPs in manufacturing process,including incoming food products from vendorso HACCP used by control manufacturing and inspection stepso Dictates amount of monitoring required for each step and productASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Bowtie ModelFor low-occurrence events that are redEvent(Hazard)SeverityASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

BowtieFor low-occurrence events that are catastrophicASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Bowtie Example Analyze flight safety reportso Worldwide commercial airlineo Safety reports submitted by any of the 60,000 employees andsubcontractorso Safety analysts use Bowtie model consisting of thousands ofthreats and controls, with only 9 possible consequenceso Automatic calculation of risk level for each threat based onhistorical frequency data, and estimated likelihood and severityo Risk levels drive alerts, immediate actions and trend reportsASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Register Monitors risk levels over timeo Library of hazards (typically know for each industry)o Collects risk assessment data from many processeso Provides visibility into critical events and data for trend reportingRiskRegisterASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Register is the New CenterASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Register Example Promote high risk events across theorganizationooooWorldwide commercial airline (a different one)Events from flight crew, ground crew, airport security, auditorsUses 4 different risk matrices, but harmonized risk levelsAutomatically displays highest risk events on employee portalASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ

Risk Technology fromStart to FinishASQ 22nd Audit Division Conference October 10-11, 2013 Hilton el Conquistador Resort, Tucson, AZ