Mastering Risk Management: Essential Principles for QMS Success


By Andrew Holland

Andrew has worked in the compliance management software industry since 2000 and has worked with hundreds of companies and compliance professionals in multiple sectors across Quality, Health & Safety and Environmental management. The views and content below are drawn from those encounters across more than two decades.

Co-founding Syncronology (now Singlepoint) in 2005 in response to a demand for adaptable, visually-oriented compliance software, Andrew has been a driving force behind Singlepoint’s development, focusing on aligning the product with market needs and ensuring it delivers tangible value to customers.

An introduction to Risk Management

Risk management is fundamentally about identifying potential issues in a business and developing strategies to prevent them before they occur. It’s more than just spotting threats though; it’s about creating a culture of resilience and foresight across the organisation. This involves a detailed analysis of how various risks, whether they are physical, operational, or financial, could hinder the organisation’s goals. By confronting these risks directly, rather than in a piecemeal, compartmentalised way, we can establish a united defence against potential disruptions and dangers.

Central to this approach is moving from a reactive stance, where issues are addressed after they arise, to a proactive strategy that anticipates and counters challenges beforehand. This broad program ensures risk assessment and mitigation efforts are coordinated across the entire organisation, avoiding isolated responses.

While risks can arise from numerous sources, including financial, legal, and regulatory areas, this discussion will concentrate on risk management in product and process design alongside hazardous physical environments. Specifically, it will highlight how a Quality Management System can support a proactive, integrated approach to risk management in manufacturing and engineering organisations. 

Managing risk in the product and design process

In risk management, methodologies such as Failure Mode and Effects Analysis (FMEA) and risk rating systems stand as foundational pillars for identifying potential problems and their impact. 

FMEA is a structured approach widely used across various industries to proactively evaluate and address potential failures in products, processes, or systems. It systematically identifies potential failure modes, assesses their effects on operations or customer satisfaction, and evaluates the likelihood of their occurrence and the chance of catching them before they reach the customer. By calculating a Risk Priority Number (RPN) for each failure mode, FMEA prioritises the risks that need mitigation. Once the priorities have been agreed, the organisation generates corrective actions that reduce the occurrence of the failure mode or, at least, improve its detection.

Overview of the FMEA process:

  1. Potential Failure Mode: Describes how the process, product, or service might fail.
  2. Effects of Failure: Details the consequences of the failure mode for the process, the product or the customer.
  3. Severity: Rates the seriousness of the effect on a scale (often 1-10, with 10 catastrophic).
  4. Causes of Failure: Identifies why the failure might occur.
  5. Occurrence: Rates the likelihood that the cause will occur on a scale (often 1-10, with 10 almost certain).
  6. Detection: Rates how unlikely the current controls are to catch the cause or failure mode before the product reaches the customer (often 1-10, with 1 meaning detection is almost certain and 10 meaning it will not be detected; a low score is good).
  7. Risk Priority Number (RPN): Calculated by multiplying the Severity, Occurrence, and Detection scores, giving a value between 1 and 1000.

FMEA is seamlessly integrated into a QMS through documentation, procedures, and risk registers. Within the QMS, FMEA documents detail identified failure modes, their effects, and recommended mitigation actions. Procedures define how FMEA is conducted and when. FMEA findings can trigger Corrective and Preventive Actions (CAPA) processes, and they are subject to internal audits and reviews to ensure effectiveness. Training requirements related to FMEA are also included in your QMS.

Risk Rating Systems

Complementing FMEA, risk rating systems offer a structured framework for categorising risks based on the severity of their potential impact and the likelihood of occurrence.

These systems typically employ a numerical scale, commonly 1 to 10, with higher values denoting catastrophic consequences or higher probabilities of occurrence.

Plotting severity against likelihood on a risk matrix lets organisations map and compare risks, with those scoring high on both axes identified as critical areas requiring urgent attention.

Example in action

Automotive supply chain Risk Management

In the automotive industry, supply chain risk management is a critical consideration due to the complex and interconnected global supply chains. Automotive manufacturers pioneered the use of Advanced Product Quality Planning (APQP) in conjunction with FMEA to address quality and safety risks associated with multi-tier supply chains. 

APQP particularly serves as a framework for fostering collaboration among multi-tier suppliers, ensuring a coordinated approach to risk assessment and mitigation.

FMEA plays a central role in APQP by providing a systematic methodology to evaluate potential failures, their impacts, severity, and likelihood throughout the product development process. 

To illustrate the effectiveness of this approach, let’s delve into an FMEA calculation for a potential part failure within the automotive supply chain:

In this scenario, the specific failure mode under consideration is the cracking or breaking of a plastic part used in a vehicle. The potential effect of this failure is significant, as it could lead to the fuel injection system automatically stopping and the engine failing.

To assess the severity of this failure mode, a scale ranging from 1 to 10 is employed, with 10 representing catastrophic outcomes such as fatalities. In this case the plastic part failure is assigned a severity rating of 8 or 9: while it may not directly lead to fatalities, the safety risks of a vehicle breaking down on the road are substantial.

The next step is to estimate the occurrence, that is, the likelihood of the plastic part actually cracking or breaking in its current design. This assessment considers factors including the part’s design, material properties, and expected stresses. Initially, an occurrence rating of 5 out of 10 is assigned to this failure mode.

The third factor, detection, rates the manufacturer’s capability to catch the fault during the process before the part reaches the customer. Again it is usually scored from 1 to 10, with a low score indicating good capability to detect. For our example, let’s say the detection score is 4.

To determine the risk priority number (RPN), the severity, occurrence and detection scores are multiplied: 8 × 5 × 4 = 160, or 9 × 5 × 4 = 180 if the higher severity is used. An RPN in this range indicates a risk that requires mitigation, normally by reducing the likelihood of occurrence (a design or material change) or improving detection (an added inspection or test); severity itself only changes if the design removes the effect. Because the three scores are multiplied, a rare but lethal failure that is easy to detect can produce a lower RPN than a frequent nuisance defect, so severity should be reviewed alongside the RPN rather than relying on the product alone.
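The seven-step FMEA process and the plastic part worked example above, implemented as an added example (this is not code from the original article or from Singlepoint; the worksheet rows other than the plastic part, the RPN threshold of 100 and the severity floor of 9 are constructed assumptions for illustration). The block computes each row's RPN, then selects and orders the rows that need action using both an RPN threshold and a severity floor, which shows how the "brake pressure sensor" row (RPN 40) would be missed by RPN alone, and re-scores the plastic part after a detection improvement:

```python
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet, scored 1-10 as in the article:
    severity   - 10 = catastrophic effect, 1 = no noticeable effect
    occurrence - 10 = cause almost certain to occur, 1 = remote
    detection  - 10 = current controls will NOT catch it before it reaches the
                 customer, 1 = detection almost certain (low is good)
    """
    item: str
    failure_mode: str
    effect: str
    cause: str
    severity: int
    occurrence: int
    detection: int

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo such as 40 cannot inflate an RPN.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer 1-10, got {value!r}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number = Severity x Occurrence x Detection (1-1000)."""
        return self.severity * self.occurrence * self.detection


def prioritise(modes: Iterable[FailureMode],
               rpn_threshold: int = 100,
               severity_floor: int = 9) -> List[FailureMode]:
    """Select rows needing corrective action and order them for review.

    A row is flagged when its RPN reaches rpn_threshold OR its severity reaches
    severity_floor. The second rule stops a rare, easily detected but lethal
    failure (e.g. S=10, O=2, D=2 -> RPN 40) from sinking below a nuisance
    defect. Flagged rows are ordered by severity first, then RPN, so the worst
    consequence is reviewed first. Threshold values are assumptions.
    """
    flagged = [m for m in modes if m.rpn >= rpn_threshold or m.severity >= severity_floor]
    return sorted(flagged, key=lambda m: (m.severity, m.rpn), reverse=True)


def apply_action(mode: FailureMode, *, occurrence: Optional[int] = None,
                 detection: Optional[int] = None) -> FailureMode:
    """Re-score a row after a corrective action.

    Actions normally lower occurrence (design/material change) or improve
    detection (added inspection or test). Severity belongs to the effect and
    is deliberately not changeable here.
    """
    changes = {}
    if occurrence is not None:
        changes["occurrence"] = occurrence
    if detection is not None:
        changes["detection"] = detection
    return replace(mode, **changes)  # __post_init__ re-validates the new scores


def review_table(modes: Iterable[FailureMode]) -> List[Tuple[str, int, int, int, int]]:
    """(item, S, O, D, RPN) for each flagged row, in review order."""
    return [(m.item, m.severity, m.occurrence, m.detection, m.rpn) for m in prioritise(modes)]


# Constructed sample worksheet. The first row reproduces the article's plastic
# part example (S=8, O=5, D=4); the other rows are invented for illustration.
WORKSHEET = [
    FailureMode("plastic bracket", "cracks or breaks", "fuel injection stops; engine fails",
                "material brittle under thermal cycling", severity=8, occurrence=5, detection=4),
    FailureMode("brake pressure sensor", "reads zero", "brake assist lost at speed",
                "connector corrosion", severity=10, occurrence=2, detection=2),
    FailureMode("trim clip", "loosens", "rattle, customer complaint",
                "under-specified retention force", severity=3, occurrence=7, detection=6),
    FailureMode("badge adhesive", "peels", "cosmetic defect",
                "surface contamination", severity=4, occurrence=3, detection=3),
]


if __name__ == "__main__":
    for row in review_table(WORKSHEET):
        print("%-22s S=%2d O=%2d D=%2d RPN=%4d" % row)
    # Corrective action for the plastic part: add an end-of-line crack test,
    # improving detection from 4 to 2.
    mitigated = apply_action(WORKSHEET[0], detection=2)
    print("plastic bracket after crack test: RPN", mitigated.rpn)  # 8*5*2 = 80
```

Ranking the same worksheet by RPN alone would place the sensor row last; `prioritise` puts it first because the severity floor overrides the product, which is the check most worth building into any RPN-driven register.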

Managing risk in a physical environment

In physical environments, be it factory floors, construction sites or any workspace where physical risks are present, the challenge of risk can go beyond merely identifying where risk lies. Organisations need to develop and manage a comprehensive process that not only recognises risk, but translates their identification into effective action.

Bridging the gap with Singlepoint’s Risk Management Module

Singlepoint’s Risk Management module offers significant advantages to organisations that may currently lack a robust risk management strategy or employ a disjointed approach. 

Streamlined Risk Management: The module streamlines risk management by providing automated features such as notifications, tracking mechanisms, and task management. This is a significant improvement over manual methods like Excel spreadsheets.

Task Assignment and Tracking: Singlepoint’s Risk Management module allows for the assignment of tasks related to risk mitigation. It also provides real-time tracking of task completion status and offers mechanisms for escalating overdue items. This ensures that risk-related actions are consistently followed up on.

Integrated Risk Reviews: The module supports integrated risk reviews on a recurring schedule. This feature ensures that both new and existing risks are periodically re-evaluated, aligning with the principles of continuous improvement.

Living Record of Risk: Unlike traditional risk documentation that may end up filed away after a one-time exercise, Singlepoint’s module facilitates the maintenance of a “living record” of risks. This active and ongoing approach ensures that risk management remains dynamic and responsive to changing circumstances.

Example in action

Hitachi Rail

Hitachi Rail Europe’s adoption of Singlepoint for document control, quality, and health and safety process management showcases an advanced approach to managing risk in a holistic manner.

The practical application of Singlepoint at Hitachi Rail’s facilities, including the Newton Aycliffe manufacturing plant and Ashford Train Maintenance Centre, demonstrates its effectiveness in not only managing documents but also in overseeing engineering changes, audits, and health and safety incidents. The shift from manual processes to an automated system facilitated a significant leap in managing physical risks, ensuring a safer, more compliant, and operationally efficient environment.

Singlepoint evolved at Hitachi Rail from a document management solution into a comprehensive risk management system. Its flexibility allowed Hitachi Rail to tailor the software to their specific needs, enhancing the document accessibility and control that are critical for efficient day-to-day operation and rigorous audits.

Continuous Risk Management in your QMS

A quality management system plays a pivotal role in effectively managing risks within an organisation. Here’s how it can seamlessly integrate into the broader context of risk management:

Establishing Risk Management Processes

A QMS provides a structured framework and procedures for the systematic identification, assessment, and control of risks. This includes the utilisation of essential tools like risk registers to document and manage identified risks.

Automating Record Keeping 

Automated QMS tools offer the advantage of centralising risk-related information, assessments, and records electronically. This single source of truth ensures that risk data can be efficiently stored and tracked over time.

Facilitating Ongoing Reviews

Proper use of a QMS ensures that risks are not addressed as a one-time effort but are subject to periodic re-evaluation. This occurs as part of management reviews and internal audits, ensuring that risk assessments remain up-to-date and aligned with organisational objectives.

Monitoring Task Completion

The QMS workflow capabilities enable the assignment of mitigation tasks, tracking of task completion, and escalation mechanisms for overdue tasks. This ensures that actions identified in risk assessments are not only planned but are actively executed.

Promoting Continuous Improvement

A core component of a QMS revolves around the Plan-Do-Check-Act (PDCA) cycle. Risk management is tightly integrated into this cycle, allowing organisations to identify emerging risks, close existing gaps, and continually enhance their processes.

Integrating with Other Systems

The QMS serves as a central hub where risk data can inform quality objectives and be linked to corrective and preventive action processes. This holistic integration ensures that risk management is not isolated but is part of a broader quality management approach.
