Feeling Vulnerable? Learn How To Manage Risk With ISO 31000

Below is a full transcript of our Risk Management webinar that offers an overview of ISO 31000 and the financial rewards of a proactive approach to risk.

Webinar Topics

Process

Having a well established approach to ‘Root Cause Analysis’ (RCA) can be a great asset for any organization, large or small. Correcting problems in a way that prevents recurrence is a financially rewarding activity and reduces future non-conformances, a very expensive event.

In this webinar, we discuss an overview of ISO Root Cause Analysis and its benefits. This includes:

  • The hidden factors in typical ‘cost of quality’ calculations
  • How we miss the massive impact on profit of a non-conformance
  • Why ‘operator error’ indicates a weak Root Cause Analysis
  • Corrective Actions and why they can be ineffective
  • How to make Root Cause Analysis pay dividends – case studies
  • How to write nonconformance statements
  • How to use a variety of different RCA tools to improve root cause analysis process

Full Webinar Transcript

Rick:

The unwanted co-host.

Jim:

That’s sad, Rick. Go ahead.

Rick:

I know. Anyway, thanks for joining us today. Glad you all could make it. Why are we doing these sort of expanded ISO standards classes? If you notice, we’re doing beyond the standard , and so forth, and here’s the reason. Basically, organizations are being tasked now to reach beyond that profit motive into the sort of stakeholder service realm. You’ve probably seen a number of CEOs sign that pledge of stakeholder compliance.

Rick:

And these are things that are both inside and outside of ISO reform, but ISO itself has developed a set of standards that support this accountability idea, things like ISO 10004, customer satisfaction; 26000, guidance on social responsibility; 37101, the management system for sustainable development. All those types of things, and really, basically, there’s a gap between the traditional operating roles that people might have in a company, and really what they need to do.

Rick:

It’s interesting, because management system professionals like you guys, quality, safety, health, environmental, we’re in a unique position to fill that gap because of the skillsets we have. So, if you do this, by the way, it’s not only going to help value the organization, which it will, of course, but it values you all for your own profession. You can move on to other things if there’s a bigger and better world out there for you.

Rick:

So, with these webinars, our goal is just to give you the skills you need to do the job, so to speak, but also convince senior management to give you the resources and the authority to enter this new age of ISO standards, if you want to think of it that way.

Rick:

Okay, that’s the context for today, but let me introduce Jim. Most of you know who Jim is, but if you don’t, Jim Moran’s been working in the world of ISO systems for almost 30 years. He’s worked with all sizes of companies, as well as the federal governments of Canada and some in Africa. He sat on the ISO PC Rating Committee, which was responsible for developing ISO guidelines for management consultancy services, ISO 20700 and so forth, which was published in 2017 .

Rick:

He founded the Learning Alliance in 1987, and started Simplify ISO in 1999, and launched the International Management System Institute this year. So, I give you Jim Moran. Thank you.

Jim:

Thank you very much, Rick. Just talking about why managing risk, why with ISO 31000? Well, as you all know, ISO has thousands and thousands of standards. I think the last count that I remember hearing about was over 17000. If you need structure for anything, there’s something there for it. Risk management adds value for you by reducing nonconformances, increasing resilience, and helping you hit objectives.

Jim:

You can develop your own risk management approach, and for those of you who have, maybe taking a look at ISO 31000 will be a way for you to do a check-up, take your temperature, see what’s happening, give yourselves a pat on the back for doing a great job, and maybe find some things in here that can help you do things a little bit better. For the consultants out there, it’s a great way to work with your client to develop a really strong risk management program. There are others you can probably use too, FMEA.

Jim:

The definition of risk, some of you will know this, is the effect of uncertainty on objectives. Basically, if you’re ever 100% sure that you’ll hit an objective, if you’re in a very rare situation, but there’s always risk. It doesn’t matter what it is, what the situation is, where things are in your life. There are risks already. We just experienced one, and we didn’t have a contingency plan for not being able to do the polls.

Jim:

The other thing is, risk management, the phrase, is defined as coordinated activities to direct and control an organization. The managing risk is an activity or a thought or a concept, like saving the environment, creating quality, different things like that. But the actual risk management phrase talks about coordinating things to have processes in place. Iso has always been all about replacing “I hope it happens” with your fingers crossed with a structure, some way to reach things, some way to achieve something.

Jim:

ISO 31000 is a neat tool. It’s big, but there could be bits and pieces here and there out of it that you can find helpful for your clients, if you’re consulting for yourself, if you’re working. You’ll sleep better when you use ISO 31000 because it will help you create coordinated activities, this idea, sort of a framework process. But we’re going to start with up here, if you can see my pointer at the top. We’re going to look at the principles first, then we’re going to move on to the framework, we’ll have a few slides on the framework, and then we’ll finish up with the actual process.

Jim:

We’ll set the stage here with just the principles. It starts up here with integrated. Make risk-based thinking part of your fabric, as opposed to have a risk exercise, let’s go out and see how our risks are doing today. Make risk-based thinking part of your fabric. Make it part of, just like health and safety, just like quality. Create a risk-based thinking environment. You all know in clause 5.1.1 of ISO 9001, one of the top managing requirements is to promote the use of risk-based thinking and the process approach. They just go hand in hand so beautifully.

Jim:

We’ve got then create a structure. We’ve got making it part of your thinking, then create a structure for consistency, and so you can compare results in one quarter for risk management to another. That will always help. We make good business judgments, and then we have down in here, customize. I’ve seen a few templates … I’m actually going to show you a link to some templates that you could get for free on risk management and other things, as well.

Jim:

But the important thing here is to make sure that your risk management process is tailored to the context that you’re in, your internal conditions, your external conditions, your interested parties, and of course, you want to make sure that you’re designing your risk program in order to help you meet your objectives, quality objectives, health and safety objectives, environment objectives, energy management objectives. Anything at all. Cyber protection objectives. Anything at all that is going to help you hit the targets that you’re after is going to be a good addition to your risk management activity.

Jim:

Inclusive. You have lots of people in your organization, with lots of knowledge and lots of skills. And of course, each individual person in your organization has a perception of what’s going on at your place. And your stakeholders, that could be your actual shareholders, it could be some regulatory bodies. They’re all interested to know how well you’re managing risk. Ministry of Labor, different things like that. If you use the knowledge, skills and perception of your stakeholders, everybody’s awareness about what the issues are with risk is going to improve.

Jim:

Next, keep it dynamic. The last thing you need is a 38-page manual on how to manage risk. You want it flexible. We’re going to see some examples of flowcharts. That helps keep it dynamic. Make sure that your detection tools are going to make you aware of when something is happening, like what the World Health Organization did with COVID detection tools .

Jim:

Then, acknowledgement. Some countries acknowledged it, some countries didn’t. So, detection is one thing, but you have to acknowledge it and then figure out how to respond to it. Excuse me. And like rust, risk never sleeps. It’s always there. It’s always everywhere. Thank goodness there’s risk when we maybe don’t have a pulse anymore.

Jim:

Next thing, you won’t ever have all the information, but you want to have the best available information that you can. You can use history, current conditions. If you have anticipated the future and you’ve got some way to record that. This could be part of management review. This could be part of a quarterly review.

Jim:

That’s the other thing you need to decide in your program: how long do you want to wait between risk reviews? But if you have it integrated into your organization, and you’re actually using this phrase called risk-based thinking, then it’s not really a specific point in time, it’s more always ongoing, almost layered process, auditing away.

Jim:

All these things impact risk management, and you need to make it timely, you need to make it clear, and this is a really important word here, available. It needs to be available to people. Of course, systems don’t manage risk, people do, so you need to design the risk management program, or design your risk management processes to be used by the folks in your organization.

Jim:

And finally, you can apply the same analysis and improvement methodologies that you use for all of your processes. It’s no different, and you want to be looking at how well risk is being managed during internal audits. Of course, we’re going to talk a little bit about that later. We’ve got a sample of an internal audit checklist that you could consider using to match up with your internal audit activities, match the checklist up to the flowcharts, that kind of thing.

Jim:

All right, I’ll just ask Rick for a second, are there any notes in the chat box I should be looking at?

Rick:

No, Jim. We haven’t actually asked for any, but by people, feel free if you want to ask for clarification.

Jim:

Yeah, good. Thanks.

Rick:

If you want to add something to the discussion, type them in.

Jim:

Good. Have a look at this list of principles that we just covered. Which of the principles need attention in your organization? And if you wouldn’t mind typing those into the chat box for us, that would be great. Anything coming into the chat box?

Rick:

Yes. Steven mentioning his organization, integrated and dynamic. Barbara says that her organization is structured and human cultural. Diana says most of them. Linda says integration, especially at top management level. That’s a key thing we keep hearing over and over again.

Jim:

Yes.

Rick:

Kind of why we’re doing this. Paul says human and cultural inclusive. If everybody can … I don’t know if you want to go over those again, Jim, or not.

Jim:

Oh, yeah, definitely. Linda’s point about top management commitment. Rick and I have been talking with some organizations about this program, advancing the position of the people looking at the management systems in organizations, and this was one of the very first things that came out, was the idea of convincing top management that there’s more to ISO than a certificate. I guess I hadn’t thought of quite phrasing it that way, but that’s really what we’re talking about here.

Jim:

How can you use ISO to make better profits? How can you use the whole concept of a management system to strengthen your organization? I guess you could say increase profits, hopefully make things run more smoothly. Especially in the area of nonconformances. If top management would shift their thinking from who screwed up when nonconformance happens, to where was the weakness in the system that allowed this to happen, then top management might start to see the value of doing something like risk management to anticipate nonconformances a little more easily.

Jim:

In clause 10.2, in corrective actions, you’ll also see a requirement to review your risk activities, and you’re kind of asking the question at that point, if we had done a better risk analysis, could we have avoided this nonconformance? So, top management needs to give people time and skills to be able to do a good risk assessment, in order to avoid nonconformances. We’re going to make a financial case for how expensive nonconformances are, and how much extra revenue you have to pay for an error.

Jim:

Anything else in the chat box?

Rick:

Sayed also mentioned structure, human and cultural factors, improvement, and as I look back through the responses, human and cultural comes up three out of six times or so, so it obviously is going to require people and attitudes that must change.

Jim:

Yep, and changing an attitude, it’s not an easy task. Many of you know that if you’ve ever had to change the attitude of somebody near and dear to you. All right, thanks very much. Thanks for your participation, folks.

Jim:

And so, we’ve moved from the framework. We’re now going to take a … Moved to framework. We’ve moved from the principles to the framework. So, we’ll take a look at what kind of things could make up the framework, and then the last part, we’ll do after the framework another poll, and then we’ll head into the actual process.

Jim:

In the framework, there’s that word, integration, again. We want to make sure that risk is managed in every corner, everyone is responsible for risk, just like health and safety. In most of your organizations, if I were to ask some of your employees who’s responsible for health and safety, most of them would say, “I am.” If we asked them who’s responsible for quality, they’d say, “John is,” or “Linda is.” Sometimes, depending on the organization, how enlightened management is.

Jim:

But with risk, it could be the same way. “Oh, yeah, we’ve got a team that goes around and looks for risks.” As opposed to saying, “I’ve got my process. I know how to do it. I manage risk in my area.” Once you get to that point in your organization, then you know you’re on the way to better integration.

Jim:

The design includes context, of course. Starting with your context, you need to know what’s going on in your organization. We can take a look at the workflow. Most organizations have a workflow, something like this, where you’re starting with the customer, or you’re figuring out requirements, you’re accepting the order, doing design. Some of you design. Most of you will do some kind of purchasing. Produce the product or service.

Jim:

At each of these stages, there are risks inherent. You don’t understand completely what the customer wants. Missing something in the customer requirement that you have to provide later. That can impact profits, of course. Then, even accepting the order, deciding whether or not you have the capability to do it. So, if you at least follow a workflow, that’s going to give you a pretty good start on how to take care of yourselves.

Jim:

Then, you want to reverse engineer the Ishikawa fishbone. If you haven’t had any chance at all to understand how to build an approach to risk management, one simple way is to start with the Ishikawa fishbone. We’ve put this into our management system platform, and you can see from our Ishikawa perspective, here’s opportunities related to people. Then you see down here, risks related to people. Opportunities related to processes, and then risks related to processes. Work environment, you’ll notice all those things, and you can grab … the form actually looks like this, and you fill it in. It’s on our system.

Jim:

We’ve got risk and opportunities here. We’ve got infrastructure risks and opportunities, customers, suppliers. And then, in order to see them, you just take a look at the flowchart, or the review page, and then, of course, the page shows up here, and the information you’ve decided on for that. You can review this daily, weekly, monthly, quarterly, whatever, and then they just edit from the front end.

Jim:

I’m just going to head back to … get this out of the way. So, anything you can create for yourselves to quickly and easily track these things will help. So, reverse engineering the Ishikawa fishbone can be one way to do it. Again, any fishbone that you use, any version of the Ishikawa fishbone will be helpful, and you can make different categories up. But this gives you something visual to start with, as well, so that when you’re reviewing the effectiveness, especially when you’re doing root cause analysis, you can see if there was something in here you missed.

Jim:

Assign responsibilities. It’s like anything else. It’s important that everybody is really clear on what their role is in the identifying of risk areas, and mitigating the risk areas. We’ve been using the word risk a lot, but you’ll find that, I’ll give you an example in a minute of how making the improvement can actually bring out the opportunity side.

Jim:

We’re working down our way to the design part, and then we need to allocate resources. These things don’t happen on their own out of thin air. It’s important that management understands that this requires some resources. It could be time. It could be people. It could be money. All three. There could be some physical things you might need from time to time, like a small example of the tiny physical thing you needed.

Jim:

And then, of course, collaboration. No one of us knows as much as all of us. So, the more you can get people in your organization who can contribute to the effect of managing risk, collaborate with them. Communication is a synonym for life. Make sure that you take every advantage that we can.

Jim:

And if we think of the plan-do-check-act model, design has a lot of planning to it, as well. But when you implement, this is where you need the stakeholders really involved, so they can all contribute their share of their knowledge and their skills and experience to create a risk-based thinking culture.

Jim:

Then we take a look at the evaluation, plan-do-check-act. Measure against the purpose. One of the things you need to do in the planning stage is determine the purpose. And you need to do this with any process that you create. You need to understand that if you want to make it, you want to build a process, create the process for a purpose, and then the measurement. And this is true of all the measurements that you take. Any KPIs or anything that you do, make sure that everybody understands the purpose, and first, why is the process there, but secondly, why are we measuring?

Jim:

And then, of course, acting to make some improvement to the activity, some improvement to your risk-based activity. This will also be a clue to you when you look at nonconformances. When you think about nonconformances, look at nonconformances, look at the data, you’ll find perhaps that there were things you could have done a little bit better in the risk management activity to give yourselves a better chance of avoiding the problem.

Jim:

If you could just take a look at the slides, here. Which parts of the framework need attention in your organization? Just give us a little bit of an idea of which ones apply, and if you could just keep an eye on the chat box there for us, Rick. Anything going on in there?

Rick:

Not yet, but we’ll get there.

Jim:

All right. And feel free to ask any questions while we’re there, as well. Don’t wait for the end. You can certainly ask questions as we’re going along. Not a problem.

Rick:

I have a question. When you say integrating risk management with operations, can you give any examples of that?

Jim:

There could be, for example, an inspection and test plan. That might be an example of integrating with operations. Let’s see. It could be go/no-go gates for physical production. There could be, if you have a form you’re filling in in a personnel agency, you would maybe make some of the fields mandatory, like we did on our form, actually, where the mandatory … you wouldn’t have noticed it, probably, filling the form in, but you get a little asterisk in some of the fields, and those fields, you can’t submit the form if you don’t have them filled in. So, there’s ways to reduce the risk of not gathering the right type of information, perhaps.

Jim:

There’s a couple of things, lots of different arguments around peer evaluation. That could be an example of getting some into the actual process, creating a way for people to make sure our dimensions are correct. Once again, there’s lots of things you can automate with today. I’ve got one little example, too, when we get back into the next part, that you may find interesting, as well.

Rick:

The results are coming here.

Jim:

Oh, great.

Rick:

I’ll just talk through them. Barbara says all are appropriate, which makes sense. John is saying integration. Chris is saying integrated risk management with operations and executive leadership. There’s that executive part again.

Jim:

Yeah.

Rick:

says everything, but especially evaluation, which makes sense.

 

Jim:

Excellent.

Rick:

Steve also says evaluation and improvement.

Jim:

Oh, good.

Rick:

Linda says evaluation of risk management and risk exposure, which is kind of an interesting subtopic. Sayed says implementation and improvement, and Diana says implementation and evaluation. Mohammed says evaluation and improvement. Sandy says implement and evaluation. So, it looks to me like the evaluation component is very important, and obviously the idea of risk exposure is kind of neat, too.

Jim:

Yeah. The challenge we face in any organization with those, with the evaluation piece in particular, since it seemed to come up more than some of the others, is that when you have three people looking at a situation and trying to determine the level of risk, high, medium, or low, you’ll get three different perceptions of how well or not so well the risk is being managed. It’s personal, it’s perception, and people who, even a lot of times a person, it’s just simply their personality can impact how they feel about how risky something is. And someone mentioned, of course, the evaluation of how they approach that.

Jim:

It’s really important that you constantly try to find ways to evaluate risk exposure and risk management objectively. I wouldn’t say always quantitatively, but if there’s some way you can give it a score. We’ll show you how we apply a score to risk management with our internal audit.

Rick:

I don’t want to get off course here, but I think Chris has made a comment that’s very poignant. He says most of this is lip service. It’s about the ticket versus the effort to actually do effective risk management. That’s the perceptions and difficult to shift mindset in culture. I think that’s, I’m not trying to talk over that, but I mean, that’s the whole point of some of this stuff, where we totally hear this over and over and over again, that the sheer frustration from the management system professional and not being heard.

Rick:

I think that’s what we’re talking about this whole series. Not only just giving the tools, but changing the way the language speaks, and I think you’re going to talk about this later, in terms of quantifying and putting all these topics, in terms of the dollars and cents, ROI argument that you can make to senior management, which is the only, quite frankly the only argument that they’re going to listen to in any case. Would you agree?

Jim:

Yes, yes. We’ve got a couple of tiny, little examples of ROI at the end, return on investment, and it’s possible that it could trigger something in some of your worlds to help you get some ideas together. It might even just be an idea of a direction to go. Thanks very much. That was Chris, you said.

Jim:

All right, we’ve looked at the principles, we’ve looked at the framework, so let’s get right down to the process. What could this actually look like?

Jim:

We start up here with helping stakeholders understand what risk is, and of course, one of the stakeholders we’ve already talked about is management. Needless to say, if they’re made aware of the implications of not managing risk, which we are seeing quite clearly now in this unusual time. If everybody can understand what risk is, it can make a big improvement in their involvement.

Jim:

I know myself, a lot of times, if I’m facing something that I’m not too sure about, I tend to hang back, not be too involved, and so on, and it’s important that you figure out what is the best way to communication. And also, you can see this word up here, consultation. The communication and consultation side is critical. Again, the more the merrier. The more cross-functional your team is, the better result you’ll get.

Jim:

And you know, I just realized something, Rick, I didn’t mention at the beginning. This is the diagram in ISO 31000. I’m hoping it was assumed, but I’ll make that absolutely clear. ISO 31000. It’s available from ISO.org.

Jim:

Anyway, sorry. Starting with the stakeholders, getting them to understand what risk is and how it impacts them, as well. It’s pretty easy to get lots of good examples.

Jim:

Then you can determine the scope, just like you do with an actual audit, objective scoping criteria. Scope, context, and criteria. You want to design the process to meet your objectives. You want to make sure that all the activities in the organization are lining up so that you can very easily tell whether or not you’ll be able to make your objectives meet. Quality objectives, environmental objectives, health and safety objectives, energy objectives, cybersecurity objectives. Any objectives you have, 1345, quality objectives for medical, anything that you need to achieve, you want to make sure that the risk areas and the risk management activities will help you meet those objectives.

Jim:

We’ve got this again. It’s planning, communication and consultation, part of the planning process. Scope, context, criteria, part of the planning. Now we get into actually performing a risk assessment. You can see that there’s three parts to performing the risk assessment: risk identification, risk analysis, and then risk evaluation.

Jim:

Every organization I’ve seen has taken a unique approach to this based on what they have to do, and it’s important that you again try to avoid the temptation to use a cookie cutter approach, and make sure that you take the time to do something that’s going to be helpful for you.

Jim:

In this particular case, you can see that they’ve discovered some, put a little R in a circle, and we felt that by having it pop out of the corner of the box, that it might be a little more obvious. This is a fab shop in Ingersoll. They make custom parts, and they have some RASTM, so they have an extra few steps to reduce the risk that they won’t hit that quality.

Jim:

This particular group makes the nickel hydroxide, and they not only put in the quality risk areas, over here, they actually added a … I’ll go back … they added a tree for it, to identify the environmental. I have one other client that actually put some little miniature hard hats on the boxes where there were dangers to health and safety. So, there are a lot of ways to make it visual.

Jim:

The other thing is that, with a flowchart like this, you can show that by having a nonconformance happen here, or a risk that you’re not managing in one area, it impacts other areas, as well, and that can certainly help management see that they need to be aware that the impact of missing one risk can have.

Jim:

Then, you need to select options, implement the plan, making sure that you have decided what risk treatment makes sense, not only from just simply managing the risk aspect, but also from a financial aspect. It’s just like correcting nonconformances. You need to make the risk treatment match the potential effects of the risk being realized.

Jim:

Then, finally, assess the effectiveness of the risk management program, just like you would assess the effectiveness of any other process that you have.

Jim:

And then, down here, communicating the outcomes, and making this communication concise and clear. Using graphs, maybe. Getting case studies built in your organization, perhaps. And there’s probably nothing wrong with using nonconformances as the root, since everybody’s tracking nonconformances anyway. You could show the nonconformance effect, and we’re going to talk about the cost of quality in a minute. Bu you can show the nonconformance effect and demonstrate how a better risk program could have helped you perhaps avoid them.

Jim:

That’s an example here of a report. You can see up here, there’s risk acceptance criteria. That’s one. I’m just going to go back to this one. Sorry, this guy here. This is from, you can see it at the bottom there, bust80037rmf.com, kind of a catchy name. They have some pretty interesting stuff there, if you want to head over there sometime. You can see the confidentiality. Tolerable risk level is seven. Integrity, seven.

Jim:

These are just arbitrary areas they’ve chosen, but you can see on this report, they’ve put a little bit of explanation in it. So, if you think this style of report would help your folks understand the impact of their inputs to risk, then that would certainly be something you could consider using.

Jim:

And there’s also this traditional risk. On this side, you see the likelihood: rare, unlikely, moderate. On this side, you see the consequence. So, you have very low, no injuries, no financial losses, and very rare. You have this particular square. There’s lots and lots of examples online about how to approach this.

Jim:

You can see here, the areas where you need to be paying attention. Excessive consequence is in here, but still rare, but it needs some attention. Excessive consequence but unlikely needs more attention. Excessive consequence but moderate. So, you need to give yourself some kind of way to determine you can’t manage everything. This is one technique for prioritizing.

Jim:

You can see this address here, this name is a little easier to understand. Sampletemplates.com, and there’s lots of them. These happen to be the risk analysis templates, but there are other templates there, as well. That’s their site there. They have sample risk analysis templates, and there’s business analysis templates. There’s all kinds of stuff there, so feel free to pop by there.

Jim:

Communicate the outcomes. We talked about that. Provide information for decision-making. There’s another line that’s popped up there. Improve your risk management activities. And finally, improve interaction with stakeholders. I think there’s one more.

Jim:

By good risk management, by having a good process in place, by making sure that you’re including as many people as you can, just involving the stakeholders in the risk assessment activity can improve your interaction with the stakeholders. The more you can improve the interaction with stakeholders, the more you can improve everybody working together, the more value you’re going to get out of this activity.

Jim:

Rick, we have another poll. What do you need for your next step along your risk management journey? Feel free to use the chat box, if you wouldn’t mind typing in.

Rick:

Yeah.

Jim:

Go ahead, yeah.

Rick:

In the meantime, Linda has made a comment. She says any clearly quantified customer parameters for all risk-related processes, which are all processes. She’s saying without them, risk analysis is not objective, even though subjectivity will never be completely removed. I think that cuts to the core of just about any quality function, is subjective versus objective data collection. From just my work in the survey land, you do need both. You do need the subjective phase, and in our world, it was sort of like focus groups. You get ideas and so forth, broadly. Then you need to subject them to some sort of quantification, how that works in the quality realm.

Jim:

Exactly the same way it works in the survey. If you don’t have enough sample points, your information is skewed or suspect, anything like that. Thanks. Anything else coming into the chat box?

Rick:

Yeah. Vance also says, peer group collaboration and case studies. I’d like to, when we get to the and there, we were going to make an offer about almost making a case history or something, and letting groups collaborate on that, but I think that’s an option for people. I’m glad people are interested in that, helping each other, in effect.

Jim:

Yeah.

Rick:

Linda also says examples are always helpful, which you and I have talked about that a number of times.

Jim:

Yep. It’s always great if the example has some direct connection to your situation, your world, but sometimes examples … I hope myself that a lot of times, examples can be, what’s the word we’re looking for? Examples can be assimilated. That’s it. Assimilated to other situations.

Rick:

Right, and I think you bring up a good point. It’s really hard to compare very disparate or different industries, so there’s a possibility that a group might have to be structured around a particular type of industry or problem.

Jim:

That’s a good point. There will always be certain key things at the heart of any, whether it’s an aircraft manufacturer or a personnel agency. Communication is going to always be an issue. There’s always the risk of people not understanding what the president has said, or what the project manager has said. So, communication is probably one thing, I think, anyway, Rick, that could cut across all areas, especially people communicating what they feel the risks are in their area, and even the risk management project leader explaining to people how to identify risks in their area. Even that kind of communication can impact the effectiveness and impact the outcomes of the risk.

Rick:

And one last comment. Chris also mentions, often, many times, the culture does not align, leading to high and increased costs associated with poor risk management culture. I mean, culture is an issue that comes up a lot. Obviously it’s a top management-driven thing. I still think that everybody has, like you said, everybody has a role for safety. Everybody also has a role for getting management’s attention on key things. And sometimes it happens and sometimes it doesn’t. I think that making that process more efficient, effective is part of what our mission is, so we’ll see.

Jim:

Yep, that’s for sure. And once again, the idea of creating the culture and balancing between we want to make great quality and we want to make profit. There’s no need to think that you have to have one at the expense of the other. Many people today, John, Linda, Paul, they’re all involved with getting waste out of processes, so you can improve the quality, sometimes with spending less money, the risk around the customers. You saw on that one page we looked at on our website tool.

Jim:

You can have all kinds of other areas included, but basically, make sure, as far as risk goes, make sure you’re communicating well enough with the customer to know what they really want. It’s tragic when I see organizations skipping that section, considering their customers as a stakeholder. They don’t always spend the time they need to with the customers to find out what they really like.

Jim:

And don’t forget internal customers, as well. In the case of risk, that can be even a higher priority, finding out what the next person in the process flow needs from you, or they need from each other, and where things could go wrong. Thanks. Anything else in there?

Rick:

Nope, I think we’re good.

Jim:

Well, all right. By creating a little map here, I’m hoping to leave everybody with something, as well. Make sure to begin shaping the process … well, after you’ve decided on the objective, and really, everybody’s clear on why you’re doing risk management. Get your flowcharts together. Look for weaknesses end-to-end. This kind of sounds like Lean. A great place for guidance on this is Taiichi Ohno, in his Toyota Production System book. It’s a great tool for looking end-to-end.

Jim:

He was still working when he was 82. Maybe I’ll be, as well. But someone asked him what he was doing that day at the shop, at 82, and he said, “I’m trying to find ways to shorten the distance, or shorten the time, between when the customer calls and when the money for that order goes into the bank.” So, that’s what you can think about and see where the risks are along the way that could extend that time.

Jim:

Another thing, mark the danger points. You saw some of those examples, the one with the tree, the little Q for quality. Put some hardhats on there if you want, or any other. You could put a picture of a little computer, or a little electrical sign, what’s that stuff, a little electricity sign for the IT function, or just put the letters IT. And of course, these days, it’s certainly all the way through all of your activities.

Jim:

Assess risk management during internal audits, and I will show you, this is our sheet, our internal audit sheet. This is the organization’s management system. You put the location here. This is whatever ISO standard you’re auditing to. Then, you put the first box of the flowchart in here, and of course, if any of you have read the IRCA paper called “Next Generation Auditing,” we’re trying to get auditors to focus on the results, as opposed to were people just simply following the procedure. Great, if it’s a well-written procedure. Not so great if it’s a poorly-written procedure. So, if you get the focus.

Jim:

And then, for each process, have a look at risk. Are the risks associated with this process being managed well? On this particular scale, I call a one or a two a nonconformance, a three or a four an opportunity for improvement, and five is okay. As with any traditional checklist, you put your evidence in here, mark it off here.

Jim:

I tend to cover off all these things. People, that’s 7.1.2 and 7.2. Infrastructure, 7.1.3. Work environment, 7.1.4. Awareness, 7.3. Communication, 7.4, and document control. You can see these things constantly, so then you don’t actually have to go back out. This reduces the risk that in your audit, you might miss some parts of this. And again, if you go out and just audit these as a separate unit, it may not be as effective, time-wise.

Jim:

So, there’s one way where you can build a risk culture, help thinking about risk get into, I won’t say everything, because you don’t do audits every day. Layered process auditing. You could definitely continually check risk, and that would reinforce this thing called the risk-based thinking, and enhance the risk culture.

Jim:

And then, finally, improve your risk management activities. Assess it, and then improve it.

Jim:

Rick mentioned this a little while ago. How can we make top management realize that they are accountable for risk? And it’s not easy. Sometimes top management is very aware of things. Sometimes they aren’t. One thing you can definitely do is to show them, in clause 5.1.1 in ISO 9001, that they’re accountable for the effectiveness of the management system, and of course, that would include managing risk.

Jim:

But a lot of people aren’t particularly interested in doing stuff that isn’t directly related to their immediate condition, so you might be able to just quantify this, meaning their return on investment refers to risk opportunities. When you mitigate risk, you’re improving a process.

Jim:

This was a story from an organization I was doing some training at that made rebar, and they had these long ladders for the crane operators to work from, and a lot of times they’d be up there for a long enough time that they wanted to take something up to eat. So, they had their lunch pail in one hand, and there were a number of near misses, where they’d slip and fall. With the lunch pail in one hand, they couldn’t maintain three- and four-point contact.

Jim:

So, they spent $7.85 and put a strap around their shoulder, and clipped the lunch pail to the strap, and they could now use both hands and both feet to climb the ladder. So, by mitigating the risk, they improved the process of them getting up to the area.

Jim:

Speak the language of finance. If you have a $1,000 mistake in your organization because you didn’t manage risks well enough, and if your organization has a 2% net profit, you have to have $50,000 in revenue to have $1,000 left over if you have a 2% net profit. So, by speaking the language of finance, you might be able to catch people’s attention.

Jim:

And then, in the risk management activities, return on investment will help you set directions and meet objectives. This is really important, making informed decisions, especially in areas where you feel you’re managing risk well and you want to make some changes, then you know you can go on ahead. Move ahead safely, move ahead with confidence.

Jim:

By all means, look into this thing called the cost of quality. Many, many, many areas of information. Lots of information on the web, and if you’re interested more in the cost of quality calculator, Rick can direct you to those, as well. But managing risk will definitely reduce errors.

Jim:

Improves profits. That’s always one good way to think about attracting management’s attention, profits. We all know that nobody here is in business as a charity, and we’ve got to make some money, so by taking care of risks, you can sometimes enhance that possibility.

Jim:

Here’s the Simplify ISO website. Hop over there any time. We can schedule you a demo. This tool of ours that we’ve had now for some time, going on eight years, is the perfect tool for virtual audits, if any of you are thinking about it. If you feel you can save the travel expense with your registrar by having virtual audits, it’s a full documentation, document management program, and then we have a built-in nonconformance and corrective action tool, as well.

Jim:

This is what the page looks like. This is your first page, your company quality policy, here. It’s very, very simple to use. No training is required for your employees, because it looks just like a webpage and behaves the same way.

Jim:

And the next webinar is going to be on July 27th. We’ll definitely send you all some information on it before then, of course. Over the next three weeks, I’ll be doing weekly mail outs on root cause analysis, as well. We did a survey last Wednesday, asking people what they would like to see in the future, and three-quarters of the respondents said root cause analysis.

Jim:

Over to you, Rick.

Rick:

Well, thanks, Jim. It was a really good webinar for everybody. Just wanted to throw a couple of things at you. We talked a lot about collaboration during this presentation. Not necessarily the whole point of what Jim’s doing. It’s not just to talk at you, but we would like to establish simply a working group, and people could come together and take an actual, real world problem, dissect it, give each other help on it, and you end up with something that you can actually present to management, back to that idea of influencing management.

Rick:

And some of the things that might come out of that, we’ve been hearing a lot about, as Kirk mentioned, a lot of less skepticism, in effect, from top management. So, how do we get through to them? Well, we speak their language. They don’t speak the quality or safety language in that sense, but they do speak financial language.

Rick:

One of the ideas we’re tossing around is creating a risk management calculator, taking some of the quality and management system, the KPIs, and translating them into essentially a financial ROI type of impact. So, that’s one idea.

Rick:

Peer group, I just mentioned, but the idea could be, we could all agree on a topic or problem, or somebody could offer up a particular problem, if the group felt they wanted to use the resources for that particular problem, or a class or a type of problem, that would be something very valuable. Essentially, we’d be consulting for and with each other.

Rick:

And then, out of that, we’re hoping that we can develop use cases or methodologies that would help, in a sense, present our case to top management with some real solutions. We’ve also been talking to some software companies about increasing real-time data collection and monitoring. There’s some new tools out on the market that’s going to, we hope, drastically reduce the cost of this type of thing.

Rick:

I guess, the bottom line is, we’re sending out emails to you guys to say, hey, can we talk, Jim, you, and I, one-on-one, and see what this might look for you, what you might like to have out of this? Just give us some input as to how we can from these sort of help groups up. So, you’ll see that email coming to you. If you could, if you have the time to spend an hour with us, to understand what you would need and where you would like the group to go, that would be tremendously helpful. Next slide, Jim.

Jim:

Yes, thank you. I was just checking the … If any of you is interested, I have nine spots left in July for a complementary lunch and learn. You can use one of our topics. If there’s a topic you’ve seen from joining us for these webinars, I’d be happy to redo one of those, customize it for you, of course. Or if there’s something that you want your management to hear, or even employees, just send me a note. You can see my email address here, Jim@SimplifyISO.com. Just tell me what the topic, give me some contact information, I’ll give you a call, and we can set it up.