Every year between the 8th and 12th of November quality professionals around the world celebrate their teams’ achievements and the contributions that quality management makes to delivering business excellence.
“Managing quality means constantly pursuing excellence: making sure that what your organisation does is fit for purpose, and not only stays that way, but keeps improving”, explains The Chartered Quality Institute. In other words, quality management is an essential element of success and growth, and any good business strategy will utilise one or more of its components: planning, assurance, control and improvement.
On the other hand, as the Harvard Business Review points out, “managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the ‘can do’ culture most leadership teams try to foster when implementing strategy”.
So why are we, a risk management company, talking about quality? What is the connection between risk management and the pursuit of excellence if they seem to be focused on different things? The simplest approach to explaining the powerful relationship between risk and quality management involves looking at a core component of both: controls.
Risk management and quality management are complementary
When it comes to managing risks, the work of identifying, assessing and preparing for threats to the business produces a risk management plan. Where the decision is to mitigate a risk (as opposed to tolerate, transfer or avoid it), specific controls will be required to reduce the risk of disruption to your business activity.
And for quality management, controls are also essential to a job well done: Quality Control (QC) is “the set of activities that control the quality of product being developed by identifying any bugs that might be present”, which contributes to Quality Assurance (QA) – “the implementation of processes, methodologies and standards that ensure that the product developed will be up to the required quality standards”.
Furthermore, as a recent British Standards Institution (BSI) paper on the importance of risk in quality management points out, “In the context of ISO 9001” – the international standard for Quality Management Systems (QMS) – “the concept of ‘risk’ relates to the uncertainty of achieving the objectives of the system, which is to provide products and services that conform to customers’ requirements.”
“By understanding those risks and exploring ways in which the risks can be mitigated, the organization will also have an opportunity to drive change and improvement.”
Clearly, the relationship between risk management and quality management is not one of opposition but rather a complementary approach to achieving the same objective: continual business improvement and ultimately excellence in providing products and services that deliver customer value. Quality thrives in a business environment that manages risk effectively.
A risk-based approach to quality management: key steps towards business excellence
Maximising the opportunity from a risk-based quality management strategy starts with a very important question: What are the risks to my business that my quality controls are trying to mitigate? From there, you can determine your priorities according to your risk tolerance, which has a variety of benefits, including: “improving management system performance and resilience” and “enabling organizations to respond to change effectively and protect their business as they grow” (BSI).
Ultimately, a risk-based approach to quality helps organisations prioritise risk remediation efforts to maximise return on investment (ROI) and perform better, while also complying with standards such as ISO 9001 for quality and ISO 27001 for information security.
In our experts’ experience, the following features of a risk-based approach to quality management are essential to achieving business excellence:
- Assess the controls
STREAM provides flexible and configurable schemes to assess and quantify the effectiveness of controls.
- Determine relevance
Make sure that the controls are effective as applied to business assets, including people, processes, technology and vendors.
- Continuously monitor
Automatically import assessments and metrics data from third-party applications for continuous controls monitoring.
- Generate reports on demand
You can generate compliance reporting with pre-configured content and mappings for frameworks such as ISO 27001, GDPR, PCI-DSS and NIST.
- Accumulate evidence
Continually gather evidence to demonstrate your diligent, risk-based approach to compliance, to minimise regulatory fines and reputational damage following a breach.
- Establish accountability
Detail accountability for controls assurance and compliance with scheduling, tracking and workflow to address any control weaknesses.
- Integrate controls assurance with other risk applications
Seamlessly integrate controls assurance and compliance with other applications – ineffective controls can signal higher risks while incidents can signal controls failures.
- Plan controls investments based on ROI
Use ROI-based analysis and risk-based prioritisation for controls investments and improvements.