Hello, everyone, and thanks for listening to The Quality Hub: Chatting with ISO Experts. I’m your host, Xavier Francis, and I’m here with Brian Smatko, consultant at CORE Business Solutions. So glad you could be with us today.
Thank you. Thanks for having me.
We’re excited to hear what you have to say. Today’s show is entitled Danger is My Middle Name, and we’ll be talking about common risks associated with your quality management system and some ways to handle them. But first, let’s learn a little bit more about Brian and his experience and journey. Could you tell us a little bit about yourself, Brian?
Sure. I spent five years in the Marine Corps. I then went to the Pennsylvania Department of Corrections, where I worked for 20 years. I retired from there in occupational health and safety when I retired from the prison. I then went back to school and became a CNC machinist, where I then became a CNC programmer. And then I worked my way into quality management and then operations management, and then I ended up with CORE.
Well, that’s great, Brian, thanks so much. First off, if you are a CORE Business Solutions customer, we’ll be using examples from the improvement plan and you can find it in your resource library in our CORE compliance software. If you’re not a CORE subscriber, please reach out to us at firstname.lastname@example.org and see how we can help you.
So Brian, let’s start with our first question. How do you identify risks that your company might be facing, both internal and external?
Well, the 2015 version of ISO 9001 emphasizes risk-based thinking in 0.3.3. Most companies don’t address risk until something has happened. Risk impacts every facet of a business and in most cases will affect your customers. Of course, I have identified some prepopulated risks with the use of something I like to call the risk matrix and it could also be based on the experience of that particular organization as well.
What are some of those internal and external risks that we’ve identified in our improvement plan?
Well, some of the internal risks may be quality performance, increasing costs, sales and marketing processes, technology needs and an aging workforce, or even succession planning. Some external risks may be industry trends, competition, employment, market or legal or regulatory compliance.
So internal is going to be something that is within your business that you can control. Probably a little bit easier than some of the external ones. Perhaps you can’t, you don’t know what regulations might come down from some governmental department. You know, we’re from the government and we’re here to help you. But you can do some of the internal ones; you have a little bit more control over them.
So what do you recommend our customers do when trying to, you know, they’ve determined what the internal and external risks might be? What’s the next step?
We recommend that our customers go through a risk analysis and identify specific risks and how they can impact your specific company so that you can make a more proactive approach rather than a reactive approach.
Yeah, I mean, that’s certainly something that 9001 wants you to do, be a little more proactive than reactive. So kind of plan what you might have going in. Once you’ve identified those risks that your company is facing, what process can you use to prioritize these risks?
Well, it makes sense to prioritize the risks you mitigate because you cannot work on all of them.
It’s difficult. How do you eat an elephant? One bite at a time.
The risk assessment for improvement plan allows you to first identify the risk, and then score it. We score it by using impact likelihood, which gives us an overall risk level. And we take that overall risk level to identify which risks are the most impactful to our company. We then take that risk level and we identify the options we have available. For example, we would identify the risk concern for that particular risk. We will identify how it affects our company and list out the issues that it could potentially cause for us.
So let’s say aging workforce, you would list out, Wow, if we have somebody get sick, we might have a key member out that is in control of a lot of things. Or maybe, if you’re machining, somebody who only knows how to run a certain lathe or certain piece of machinery, that would be that concern.
Absolutely. Aging workforce, you would want to put some type of plan together to identify where, first identify the risk. And then once you put the plan together, what you’re going to do to mitigate that risk or at least lessen the severity to your company. You may want to go out and start a proactive approach to recruitment, to get in some recruits for the kind of positions that you’re looking to fill or even maybe partner with a school or some type of trade school that can fill in some of those positions.
Right. So the concern would be there for aging, though, is that, you know, here’s what might happen if we lost somebody.
So you’ve done that. You said you can score your risks here.
Most commonly, you can score your risks by what the impact is on the business. We scored 0 to 3 on the form. So you could do a 0 to 3 or 0 to 5. Then, by scoring the likeliness that it can happen to your business, 0 to 3, 0 to 5, you multiply those two numbers to give you an overall risk level to your company.
So you’re prioritizing the risks and determining what you should focus on.
Absolutely. There’s got to be some methodology to prioritizing your risks because at the end of the day, like we said before, you can’t address everything at once. A company only has a certain amount of resources and you want to apply those resources to the most impactful risks to begin with. And then work your way down through the risk.
Okay. So we’ve looked at our risks, their impact, their likelihood, and we determine that risk level that we just talked about. And then you prioritize them.