Part 3 in a series of articles from Sr. BRC Consultant Michael Haycock…
Sometime ago (years) I wrote an article that aside from doing Registration audits, I also was the marketing, sales and training manager for one of the major registrars. One of the responsibilities that I quite liked was going to an organization when requested – and presenting their registration certificate or plaque. Often the organization would have a BBQ if in the summer but in some manner the event was celebrated. Registration was a “big deal” or at least seemed so.
This was particularly appropriate because (I believe) it represented recognition by management of the effort made by all employees and the overt communication this was important to the organization. This was a BIG deal. The most senior management in the organization was typically present and management from different parts of the organization, including from other countries, would be present. Where has this gone??
I am not wishing for the “good old days”. What is a concern is that the system value is still there – but it is often not recognized as such or communicated as such – within the organization. My opinion – the recognition of value is still necessary.
During the holidays I read a fairly long study and evaluation of Risk Management within a group of large organizations (nothing like some easy reading). This included the value and need for risk management (98% agreed there was a need and that it provided value), some analytical models and risk analytics. A common complaint from senior management was that there was a shortage of resources – people – who could understand and deal with Risk Management. The perceived shortage of risk resources was both surprising – and not surprising. The Quality Management System that you have in place and for which there is an ongoing need for maintenance, change, improvement of effectiveness and efficiency is IN FACT a tool for Risk Management.
Just to back up for a second. “Risk” is the effect of uncertainty on objectives. By having a QMS you address a great deal of uncertainty:
- The structure addresses the complete organization (or should).
- Determining processes should provide the understanding of how the organization operates.
- Documentation provides communication and evidence (records).
- Management is supposed to provide direction.
- Competent resources allow the organization to produce as expected.
- Product realization addresses planning, contracts, design, suppliers, production – nor service provision.
- Measuring analysis and improvement provide the means to understand where and how to accomplish what is important, and the measurements to confirm or deny this is being done.
Now, the article had a strong risk emphasis on legislation. OK – I understand that. Regardless, the organization does not exist to “address legislation” – it exists to provide a product or service. My point is that while there was a clear need for integration of Risk Management throughout the organization, there was no comment – “NONE” – about the organizations’ Quality Management System (QMS) as a tool or means to address this integration. In fact, the words “Quality Management System” were not used anywhere in the article. While I suspect that most of you do not use the word “risk” on a day to day basis – you are in fact the front line for much of the RISK the organization faces.
Again, let me go back to a previous article – “Quality is a Given”. Much or most of Quality is seen at a middle management level. That participation by senior management I referred to early in this article is mostly gone. I do understand everyone is busy – I get it.
Does management reinforce the “Quality Policy Statement”? Do they even know what it is?
When you do your internal audits – do you audit all of Management Responsibility – or just the Management Review section with the Management Representative?
Do you have any members of senior management present when you do you audit open/closing meetings?
Does management make a point of communicating the importance of the work that each employee is doing?
All of the above are specifically identified in section 5.1 Management Commitment”. We are not finding fault – hopefully we are finding opportunity. Management can be delegated – leadership cannot.
While carrying out training on-site at an organization, the frequent comment – sometimes open and sometimes subtle – is, “Why isn’t management present for this training?” OR ‘What training related to the QMS has senior management actually received?”. The reality is – very little! Some years ago we were doing training for military logistics. All training starts with a round of introductions. There were civilians, Warrant Officers and a couple Captains present. During the introductions one of the participants stood up and introduced himself as a “ Lt. Colonel XXX”. I paused for a moment and asked, knowing others present would be carrying out his instructions, what brought him to the training. His response has stuck with me. To paraphrase he said – when he asked people to do something important – it was essential for HIM to know what he was asking them to do.
And all of this to say – “so, what’s your point”.
Always we emphasize benefit, with value, and improvement. To use the effort that has already been made – in more than one way.
Hopefully this is seen as a positive effort. To bring to the attention of our management that the tools for management of risk (which is clearly important) are at their (our) fingertips. Based on the study information and expectation – the means to manage “risk” is to a large extent already in place – it’s called the “Quality Management System.” While there are certainly speciality areas for “Risk Management”, YOU are the instrument for what is most necessary and valuable. Let the speciality (often legal) people deal with something like Sarbanes-Oxley (if in the U.S.). My concern would be did we produce properly, inspect properly, and then get the proper units in the proper quantity in the correct container to be shipped. (That’s the type of risk most of you deal with day to day.)
Quality is not the Quality Control or Quality Assurance of past years. While Control/Assurance will not go away, a Quality Management System is the structure to ensure all the other tools are identified and used and improved – with an overall system approach for the organization.
In the previously mentioned article, risk is seen to be responsibility of management at the most senior levels, and the means for dealing with risk need to be determined. If there were an understanding of the QMS, there would be recognition that much of what is necessary, is already in place. Which could mean, (I know I’m stretching) there could be additional support and resources available for the work you need to carry out. It would also mean that you would be present at their meetings and they in all likelihood would be present at some of your meetings.
While most of you will never be the “Chief Risk Officer” you will continue to be the “instrument” by which the organization will deal with “risk” issues on a practical basis.
We will provide additional detail, in future articles, on training that would allow the best perspective on risk, simple tools for managing risk, and ways that risk will add value to the organization. The concept of “RISK” can be made very complicated. (As in the case of actuaries – trying to figure the cost for insurance policies, based on the expected life span for most of us – yes it is.) Simple is better – if we don’t understand something – we are unlikely to use it – or use it badly.
Just a quick executive overview of the rest of this section of the system:
Customer Focus – While it must be clear there is a leader to direct us to ensure the customers’ needs are clear and met, is it also clear that everyone is responsible to participate?
Quality Policy Statement – Is this a simple explicit statement that can be known, understood and believed by all? (You could randomly select 5 employees from the organization – to say what you want to say – or to restate what has already been said. (Supposed to be a periodic review.)
Objectives – Are people clear about what success looks like – for them and the organization?
Management Representative – Only one specific person is identified within the organization. Would it not be important that “all” know who this is?
Management Review – At least once a year (typically) a compilation or evidence is expected that confirms these simple requirements are covered. Have you ever included employees at all levels to bring their issues, concerns, and communication to this event? You don’t have to but this could be an event that is then communicated to the organization? While there may be some sensitive information that could be excluded, my experience is that the organization – in some way – will always benefit from the efforts to communicate.
While the new QMS standard is in the works, it will not be issued for some time. You can, however, take credit for the strength you already have and with a little creativity be able to address what will be required in the future – and with confidence – support your senior management team and the organization.
And what about our lion and antelope. Our lion realizes the risk of starving is actually quite low. Our antelope understands the risk of it being eaten is actually quite low. What we should all understand is while likelihood is low – consequence is high. While there is no absolute – the best way to manage this responsibility and risk – is to be running.