The Quality Hub Podcast

Listen Below. Learn More.

Spotify-The Quality Hub Podcast

Episode 17 – Your QMS and Risk Management

Your QMS and Risk Management

In this episode of The Quality Hub, expert Brian Smatko joins host Xavier Francis to discuss effective risk management strategies. They explore the identification of internal and external risks, prioritization methods, and the importance of proactive risk analysis. Drawing from Brian’s experience, they highlight the significance of documenting actions and showcasing a commitment to continuous improvement.

Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.


Episode 17 Your QMS and Risk Management Key Content

Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, Xavier Francis, and I’m here with Brian Smatko, consultant at CORE Business Solutions. So glad you could be with us today.

Thank you. Thanks for having me.

We’re excited to hear what you have to say. Today’s show is entitled Danger is My Middle Name, and we’ll be talking about common risks associated with your quality management system and some ways to handle them. But first, let’s learn a little bit more about Brian and his experience and journey. Could you tell us a little bit about yourself, Brian?

Sure. I spent five years in the Marine Corps. I then went to the Pennsylvania Department of Corrections, where I worked for 20 years. I retired from there in occupational health and safety when I retired from the prison. I then went back to school and became a C and C machinist, where I then became a C and C programmer. And then I worked my way into quality management and then operations management, and then I ended up with CORE.

Well, that’s great, Brian, thanks so much. First off, if you are a CORE business solutions customer, we’ll be using examples from the improvement plan and you can find it in your resource library in our CORE compliance software. If you’re not a core subscriber, please reach out to us at and see how we can help you.

So Brian, let’s start with our first question. How do you identify risks that your company might be facing, both internal and external?

Well, the 2015 version of ISO 9001 emphasizes risk-based thinking in 0.3.3. Most companies don’t address risk until something has happened. Risk impacts every facet of a business and in most cases will affect your customers. Of course, I have identified some prepopulated risks with the use of something I like to call the risk matrix and it could also be based on the experience of that particular organization as well.

What are some of those internal and external risks that we’ve identified in our improvement plan?

Well, some of the internal risks may be quality performance, increasing costs, sales and marketing processes, technology needs and an aging workforce, or even succession planning. Some external risks may be industry trends, competition, employment, market or legal or regulatory compliance.

So internal is going to be something that is within your business that you can control. Probably a little bit easier than some of the external ones. Perhaps you can’t you don’t know what the regulations might come down from some governmental department. You know, we’re from the government and we’re here to help you, but you can do some of the internal ones. You have a little bit more control over.


So what do you recommend our customers do when trying to you know, they’ve determined what the internal and external risks might be? What’s the next step?

We recommend that our customers go through a risk analysis and identify specific risks and how they can impact your specific company so that you can make a more proactive approach rather than a reactive approach.

Yeah, I mean, that’s certainly something that 9001 wants you to do, be a little more proactive than reactive. So kind of plan what you might have going in. Once you’ve identified those risks that your company is facing, what process can you use to prioritize these risks?

Well, it makes sense to prioritize the risks you mitigate because you cannot work on all of them.

It’s difficult. How do you get an elephant? One bite at a time.

The risk assessment for improvement plan allows you to first identify the risk, and then score it. We score it by using impact likelihood, which gives us an overall risk level. And we take that overall risk level to identify which risks are the most impactful to our company. We then take that risk level and we identify the options we have available. For example, we would identify the risk concern for that particular risk. We will identify how it affects our company and list out the issues that it could potentially cause for us.

So let’s say aging workforce, you would list out, Wow, if we have somebody get sick, we might have a key member out that is in control of a lot of things. Or maybe if you’re machining somebody who only knows how to run a certain lathe or certain piece of machinery, that would be that concern.

Absolutely. Aging workforce, you would want to put some type of plan together to identify where first identify the risk. And then once you put the plan together, what you’re going to do to mitigate that risk or at least lessen the severity to your company? You may want to go out and start a proactive approach to recruitment, to get in some recruits for the kind of positions that you’re looking to fill or even maybe partner with a school or some type of trade school that can fill in some of those positions.

Right. So the concern would be there for aging, though, is that, you know, here’s what might happen if we lost somebody.


So you’ve done that. You said you can score your risks here.

Most commonly, you can score your risks by what the impact is on the business. We scored 0 to 3 on the form. So you could do a 0 to 3 or 0 to 5. Then by scoring the likeliness that it can happen to your business 0-3 0-5 you multiply those two numbers to give you an overall risk level to your company.

So you’re prioritizing the risks and determining what you should focus on.

Absolutely. There’s got to be some methodology to prioritizing your risks because at the end of the day, like we said before, you can’t address everything at once. A company only has a certain amount of resources and you want to apply those resources to the most impactful risks to begin with. And then work your way down through the risk.

Okay. So we’ve looked at our risks, their impact, their likelihood, and we determine that risk level that we just talked about. And then you prioritize them.

So let’s say you have 20 risks and you’ve prioritized them and you find five you want to deal with. What are some of your response options once you’ve scored your risk?

Once you score your risks, it will then help you determine which one of those to focus on and begin to list the actions that need to take place to help you with the proactive approach.

So you’re planning out what your responses are?

You’re planning out what you’re doing. Those actions are essentially an improvement plan. Your quality policy or QMS states your commitment to continuous improvement and the best way to show evidence that you’re committed to continuous improvement is to document your actions. Be sure to include owners who are accountable for addressing the risks and estimated due dates. A good plan has those variables. However, no regulatory body is going to tell you what your priorities are, but it’s very important to have all of the things you’re working on to improve your business in writing.

So you need to document and that’s something that is required by this by the standard, correct?


Okay. Could you give us some examples of maybe an action you would be addressing a risk? I know you talked a little bit about supply chain and you talked about an aging workforce. Is there another example that maybe you can take us through? That’s an internal one and an external one.

Sure. Well, let’s say training is needed for an internal risk. So in training needs, when you identify as a company that you have some training issues that could cause risk for your company, The first thing you want to do is you’re going to want to put together a plan of how you’re going to affect that risk. So the first thing you do is you develop some actions. You would want to put together a plan of action of what you’re going to do as a company, whether to affect or reduce that risk. And then you’re going to assign an owner.

You’re going to want somebody to be responsible. You know, Eisenhower once said the buck stops here. And that kind of flows through to everybody’s business nowadays. You want one person that you can go to to get some answers for that. Okay. And then you’re going to apply the urgency. What’s the urgency of this risk? So, you know, if you’re talking succession planning or recruiting, it could be one urgent. But training needs could be another urgency. You may need to get your workforce trained up quickly.

And let’s say you’re dealing with a succession plan and you’re trying to get somebody hired that might be something like an apprentice or something. And they need to be trained up on all that stuff. So that might go hand in hand.

Absolutely. They will most definitely go ahead. And then a lot of these internal issues and even some external issues, as companies review them, they’ll see that they all play into each other. You know, you could be talking about an aging workforce and recruiting at the same time. Because those risks may go hand in hand that you have identified that the workforce you currently have you want to at least supplement some newer workforce in there so you can pass on that knowledge so that, you know, if one person were to leave the company, that knowledge doesn’t get passed away.

Right, right, right. What about some external ones? You said that you can only do so much, but what wouldn’t be a good example of what you could do?

Well, let’s say, economic concerns for your company. The big risk for now, especially in this market of how the economy is. So you would want to put a plan together. You might want to address that risk and put some actions together to perhaps expand your employment market. Where am I looking for my candidates? How am I feeling about my position? Where do I look for? Maybe I used to only use the newspaper, but now because of the day and age, maybe cyber is a lot better to do some recruiting. There are a lot of internet sites out there that can provide, you know, opportunities for improvement as far as employment goes.

Maybe where you’re looking to if you’re not, if you’re a manufacturer, you might have to have someone local. But if you’re in a service organization, you might be able to have somebody more remote.

Absolutely. I think that when companies broaden their look at the risks that they face, they realize that there are more options available to reduce them than they once initially thought.

Okay, that makes sense. Well, this is a ton of great information and it can make a difference in your business as well as your quality management system. Now, clearly, you’ve explained that you’ve had a lot of experience. Do you have any stories or an example of working with a company that’s done a really good job of managing and mitigating the risks?

Absolutely. I work with a company out in California and when we first started working together, they’ve never even heard of a risk analysis or even identifying risk that affects their company. They don’t. They didn’t look at their approach towards their business through a risk-based approach like ISO would like it to do.

Well, then. So there’s so they’re right at the beginning.


They’re probably doing it in some manner, but they’re not doing it formally and not well.

And I think almost every company does some form of risk analysis you just may not document or realize that’s actually what you’re doing.

Once you score your risk, then you’re going to determine whether you need to accept or address the risk, because there are some risks out there. For example, an external issues supply chain could be a risk to a lot of companies now out there. But from the internal aspects of your company, what kind of effect can I have on the supply chain outside of my business? So in those kinds of situations, you would maybe look to accept that risk and then put together a justification of what you do internally to deal with that risk. Maybe you maximize the use of your supplies or maybe you are looking for a second vendor instead of having a sole source vendor. So you have some options when it comes to what you’re looking for.

About Core Business Solutions, Inc.

“Core Business Solutions was started by my brother, Mike Dawson, and myself, true entrepreneurs at heart looking for a better way to make a living and help small businesses improve the quality of the products and services they provide.

The bottom line: we are real people that have developed a team to come along side you to help you grow and succeed.”

Scott Dawson, President and Co-Founder