All About Risk

By Peter Sanderson, November 21, 2016

Quality management is more than a living for me, it is my life’s work. I got my start working with quality standards during the military boom of the nineteen eighties, working in the defence, nuclear, and aerospace industries. Throughout my career, I have seen quality methods and processes in manufacturing and services come and go. I began my own total quality business in 1989 when ISO 9001, ISO 9002, and ISO 9003 became popular in North America. Back then organizations had to have multiple quality manuals, one for each certification or auditing agency. It was not uncommon to hear announcements on the company public address system telling employees which customer was auditing that day so that the appropriate quality manual would be used to respond to the audit.

Luckily things have changed dramatically. Today it is most often possible to work with a single quality system incorporating all customers’ requirements. These unified systems are usually centered around ISO 9001 and AS 9100. Back in the 1980s we focused on statistical process control using x̅ and R charts and fish-bone problem solving techniques. Those basic approaches are returning today in the guise of what we now refer to as Risk Analysis.

If I walk into a company today and ask personnel what x̅ and R charts or fish-bone diagrams are, they have no clue. But they are all familiar with ISO 9001, quality policies, metrics, and now Risk Analysis.

This evolution has me thinking about how much the 1980s have in common with the methods we use today in process management. In some ways, it’s as if we had the cart in front of the horse back then. Today the horse is where it belonged in the first place. That’s progress.

Quality Control - 1980

In the 1980s we focused on problem solving and corrective action. We focused on determining the root causes that led to quality concerns. We used measurement methods to isolate problems and used corrective action to fine-tune processes in the hope of avoiding future problems. Measurement consisted of x̅ and R charts, inspections while production was in process, final inspections, and, of course, customer product rejections. The premise was that if we continued to address the root causes within our processes, we would continually approach perfection. We believed that having a full understanding of our process would yield predictability of the process’s output. I suppose that the 1980s approach would have been the last word on quality management if:

  1. We had sufficient funding to absorb the cost of all the failures and rejections while we fine tuned our processes using problem solving and corrective action techniques, and
  2. We had sufficient time to solve the quality problems before we lost our customers, and if
  3. The production processes weren’t constantly changing.

I suppose that in the 1980s we all believed that life would not be changing quite so quickly. Yet here we are thirty-five years later. Today we have smart phones, internet access, wireless networks, tablet computers, the manufacturing base is shifting to developing countries, and many high-end processes are performed by robots. Somewhat paradoxically, we still struggle with quality.

What we have learned since the 1980s is that processes evolve as they adapt to meet the customer’s challenges with new technology whether in their products or in their manufacturing equipment.

The approach we take today is to attack the production line proactively at its inception rather than measuring instances of failure and working backwards searching for causes. That is what I mean when I say that in the 1980s we had the cart before the horse. So today we finally have the horse where it belongs. We call this new approach Risk Analysis. In keeping with the new approach we changed the term “quality control” to “quality management”. One consequence of this evolution is that, rather than having a small quality control department, we now have many more organizational tools with which to manage the overall performance of the organization, which yields better results in the end quality of our products and services.

Risk Analysis is the hot topic since the release of the new ISO 9001:2015 standard.

Organizations in all industry sectors are struggling with this new requirement. The change is so fundamental that “risk management” could well be the new term for “quality management”. I appreciate that these are just words and that we are still faced with the challenge of implementing Risk Analysis in our organizations so that we can conform to the current ISO 9001:2015 standard and our customers’ expectations.

What if some of the tools we used in the 1980s could be applied to help us with today’s approach to quality management? What would that look like? Is that something we should be considering?

To measure risk and to mitigate it, we need to understand our processes, identify each of the risk factors, and assign meaningful metrics to them so that we can assess and monitor them in real time, and make more informed process decisions that reliably yield the quality we seek.

In other words, we need a system, like the homeland security alert levels, in which processes are assessed as green, orange or red, where green is good, red is bad, and orange is work in progress. To achieve such metrics, we need mathematical formulas consistently based on an in-depth analysis of each process. Unfortunately this is definitely not a case of one size fits all. I believe the key is to design effective controls based on appropriate metrics, and to apply those controls consistently throughout all processes. Whether we choose to measure miles per gallon or liters per 100 kilometers doesn’t matter; we just need to pick one approach and use it consistently when the objective is to measure the fuel efficiency of a vehicle.

Identification, analysis, and assessment are the keys to good risk management. Once risks are identified and the right metrics are applied, we can use existing corrective action and root cause analysis techniques to reduce, in a meaningful and measurable way, the potential failures that we identified in applying the Risk Analysis method.

Let me bring you back in time to the fish-bone diagram and combine that with an internal process auditing technique that together will identify, analyze and assess the risks present in each process. I believe that this technique can be driven by software ranging from a simple spreadsheet, to an MS Access database, or ultimately an integrated quality management system such as the one we offer in CIS Continuous Improvement Software.

Fish Bone Diagram


If we create an internal process audit program based on a fish-bone diagram and apply two simple metrics to the results, we can derive an overall risk management rating for the organization and for each individual process.

The first metric to be applied is the failure severity of the process. For example, if the product or service fails its final inspection, the severity factor will be very high, whereas the failure of a picking process that is followed by an in-process inspection will score much lower. Similarly, a process failure where the product can be reworked will be scored as less severe than one where the materials are destroyed.

The second metric is the actual risk of failure present in each process.

Can you see it now? If you audit each process using a fish bone diagram methodology, then you can:

  1. Identify and analyze potential problems (RISK) and assign a number, and
  2. Identify the severity of the failure, if it occurs and assign it a number, and
  3. Combine those numbers to achieve an overall risk factor rating.

Depending on the type of processes in the organization or the type of business we can create a standard set of auditing questions based on:

  1. Measurements used in the process and the effectiveness of such measurements,
  2. Environmental impacts of or to the process,
  3. Materials consumed and their impact in the process,
  4. Methods and procedures used and their effectiveness,
  5. Personnel and their competence and training,
  6. Machines and equipment.

Defining the questions in your internal process audit program is the first challenge. Questions such as the following, grouped by the six categories above, may be considered as part of your internal process audits:

Measurements

  • Is there a metric used in the process?
  • Are instruments used to measure?
  • Are these instruments calibrated?
  • Is the calibration system effective?
  • Are these instruments suitable for the measurement accuracy?
  • Was there more than one nonconformity reported in the last year?
  • ...

Environment

  • Does dirt, dust or air quality affect the process?
  • If yes, is it controlled?
  • Are the controls effective?
  • Does weather, humidity, temperature affect the process?
  • If yes, is it controlled?
  • Are the controls effective?

Materials

  • Are materials used in the process inspected to meet specifications?
  • Are there systems in place to identify and segregate defective materials?
  • Are the inspections effective?
  • Are there better materials available that could be used?
  • …

Methods

  • Are the process methods used consistently and are they understood by all personnel?
  • Do the training materials or process procedures accurately reflect the process?
  • Do all personnel understand the process methods and are they all consistent?
  • Are the methods current and effective?
  • Are safety requirements defined?

Personnel

  • Are all personnel trained?
  • Does the process have competency requirements and do all personnel meet these requirements?
  • Is there a high turnover of personnel in the process on a regular basis?
  • Are all safety guidelines followed by all personnel?

Machines

  • Are the machines and instruments regularly serviced?
  • Is the maintenance program effective?
  • Are the machines and instruments in excellent operating order?
  • Can the machines and instruments maintain the specified accuracy or performance throughout the process?

If we have a set of questions that are standard for each process, we can then assign a number or metric. What we seek is not a magic number or perfect metric, but rather a simple number that is more than adequate to serve the purpose for the process in question.

For example, if we create ten questions for each of the fish-bone categories then we end up with sixty questions in total. A simple yes or no answer will suffice for each question, and then we can either add a number for each “yes” or subtract a number for each “no” from the maximum (either approach will yield the same result).

Example, if we add 1 for each yes:

60 Questions Total

45 Yes Answers

15 No Answers

Metric for the process risk rating = 45

The next step is determining the severity of a failure of the process and assigning a measurement to it. To simplify the mathematics, if the audit questions total a possible score of sixty when no risk is present, then the balance when subtracted from one hundred is forty. Therefore, why not make the severity a simple measurement on that remaining scale, such as:


Now we have some numbers or metrics that we can apply to a simple Risk Analysis measurement in the following manner.


The last metric to determine for our organization is an overall organizational risk key measurement, such as:


The above is only a suggestion, but consider the following mathematical challenges. If the severity score of a process is 0, meaning that a failure results in a customer return, customer failure or failure in use, which is the worst-case scenario, then the process’s audit score should be the full 60 to prevent that failure from happening.

But if the severity is 20 then an audit score of 40 out of 60 could achieve an acceptable risk. Again, this is subject to the type of products and services and each organization’s overall objectives. I think the most important part of the equation is to apply the measurement consistently across all processes.

It is also important to note that the organization’s current risk is not a static measurement; it could change daily or weekly. For example, if we audit a process and identify possible risks based on the audit questions, corrective action may follow, and a follow-up audit would then change that process’s risk measurement, hopefully for the better. That change would in turn have a slight impact on the organization’s current risk rating.
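As an added illustration of the scoring described above (this is example code written for this page, not code from the article or from CIS Continuous Improvement Software), the Python below scores a 60-question fish-bone audit, adds a severity score on the remaining 0 to 40 scale, and rolls the per-process ratings up to an organizational figure with a green, orange or red status. The article leaves the exact formulas open, so three things here are assumptions: the combined rating is simply audit score plus severity score (0 to 100, higher meaning lower risk); the organizational rating is the mean of the process ratings; and the traffic-light thresholds are 80 for green and 60 for orange (60 matches the article’s “severity 20 plus 40 out of 60” acceptable case). The three audited processes and their answer counts are constructed sample data.

```python
"""Scoring a fish-bone based internal process audit (added example, not the article's own code)."""
from statistics import mean

# The six fish-bone categories the audit questions are grouped under.
CATEGORIES = ("measurements", "environment", "materials", "methods", "personnel", "machines")
QUESTIONS_PER_CATEGORY = 10                                   # ten yes/no questions each
MAX_AUDIT_SCORE = QUESTIONS_PER_CATEGORY * len(CATEGORIES)    # 60, one point per "yes"
MAX_SEVERITY_SCORE = 100 - MAX_AUDIT_SCORE                    # 40, the balance up to 100
# Traffic-light thresholds on the combined 0..100 rating. Assumed values; the article
# only states that severity 20 plus an audit score of 40 out of 60 is acceptable.
GREEN_AT = 80
ORANGE_AT = 60


def audit_score(answers):
    """Sum the "yes" answers over all six categories, giving 0..60.

    answers maps each category to a list of ten booleans (True = "yes").
    """
    if set(answers) != set(CATEGORIES):
        raise ValueError("answers must cover exactly the six fish-bone categories")
    for category, replies in answers.items():
        if len(replies) != QUESTIONS_PER_CATEGORY:
            raise ValueError("%s: expected %d answers, got %d"
                             % (category, QUESTIONS_PER_CATEGORY, len(replies)))
    return sum(sum(1 for reply in replies if reply) for replies in answers.values())


def no_answers_by_category(answers):
    """Count of "no" answers per category: which fish-bone branch is driving the risk."""
    return {c: QUESTIONS_PER_CATEGORY - sum(1 for reply in answers[c] if reply)
            for c in CATEGORIES}


def process_risk_rating(answers, severity_score):
    """Combine the audit score (0..60) with a severity score (0..40) into a 0..100 rating.

    Assumed scale, following the article's arithmetic: severity 0 is the worst case (the
    failure reaches the customer) and 40 is a failure caught early and reworked, so a
    higher rating means lower risk.
    """
    if not 0 <= severity_score <= MAX_SEVERITY_SCORE:
        raise ValueError("severity score must be between 0 and %d" % MAX_SEVERITY_SCORE)
    return audit_score(answers) + severity_score


def traffic_light(rating):
    """Map a 0..100 rating onto the green / orange / red display (assumed thresholds)."""
    if rating >= GREEN_AT:
        return "green"
    if rating >= ORANGE_AT:
        return "orange"
    return "red"


def organization_rating(process_ratings):
    """Roll per-process ratings up to one organizational figure (assumed: the mean)."""
    if not process_ratings:
        raise ValueError("no processes rated")
    return round(mean(process_ratings.values()), 1)


def answers_from_yes_counts(yes_per_category):
    """Build an answer sheet from a "yes" count per category (used for constructed samples)."""
    return {c: [i < yes_per_category[c] for i in range(QUESTIONS_PER_CATEGORY)]
            for c in CATEGORIES}


# Constructed sample audits; the numbers are made up for the illustration.
FINAL_INSPECTION = answers_from_yes_counts(   # 45 "yes", the article's worked figure
    {"measurements": 9, "environment": 8, "materials": 7,
     "methods": 8, "personnel": 6, "machines": 7})
PICKING = answers_from_yes_counts(            # 55 "yes"
    {"measurements": 10, "environment": 9, "materials": 9,
     "methods": 9, "personnel": 9, "machines": 9})
MIXING = answers_from_yes_counts(             # 40 "yes"
    {"measurements": 7, "environment": 7, "materials": 7,
     "methods": 7, "personnel": 6, "machines": 6})


def sample_report():
    """Rate three constructed processes and roll them up to the organization."""
    ratings = {
        "final inspection": process_risk_rating(FINAL_INSPECTION, 0),   # failure reaches customer
        "picking": process_risk_rating(PICKING, 30),                    # caught at in-process inspection
        "mixing": process_risk_rating(MIXING, 20),                      # the article's severity-20 case
    }
    org = organization_rating(ratings)
    return {
        "processes": {name: (r, traffic_light(r)) for name, r in ratings.items()},
        "organization": (org, traffic_light(org)),
    }


if __name__ == "__main__":
    report = sample_report()
    for name, (rating, colour) in report["processes"].items():
        print("%-17s %3d %s" % (name, rating, colour))
    print("organization      %5.1f %s" % report["organization"])
    print("final inspection 'no' answers:", no_answers_by_category(FINAL_INSPECTION))
```

Running it gives the worked figure from the text: final inspection scores 45 with severity 0 and shows red, mixing scores 40 plus 20 and sits exactly on the orange line, picking scores 85 and shows green, and the organization as a whole averages 63.3, orange. The per-category “no” count is what tells the auditor which branch of the fish-bone (here personnel, with four “no” answers) to aim corrective action at, and a follow-up audit simply replaces that process’s answer sheet and recomputes the roll-up.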

In conclusion, we can use simple tools such as an internal process audit program and the famous fish‑bone diagram to satisfy the risk management requirements of ISO 9001:2015 and AS 9100. I hasten to add that the measurements and real-time calculations are best left to a software system designed to display current measurements. One such system is the one we have implemented in CIS Continuous Improvement Software, where the header is red, orange, or green depending on the overall current risk rating for the organization.

The End

Questions on this paper may be addressed to