Governance, Risk and Compliance Blog

Using EQMS to manage risk

Posted by Marc Gardner on Mon, Oct 09, 2017

To stay competitive in today's market, it's vital you have a good strategy to manage risk. In recent times, some high-profile organisations have learned the hard way that neglecting risk can not only be costly, but undo years of work building a strong brand and reputation.

If your organisation is ISO-certified, or in the process of becoming certified, you'll already be familiar with risk-based thinking and embedding this way of working across the business. ISO management system standards built on Annex SL now require a risk-based approach, where risk is less an isolated part of your quality management system (QMS) and more a feature of the QMS as a whole. With this approach, you can handle risk much more proactively instead of merely reacting when things go wrong.

ISO 27001, for example, requires you to document how you'll assess and treat risk as you implement your information security management system. And while ISO 9001 doesn't formally say you must do a full risk assessment, it does say you must monitor, measure, analyse and evaluate the risks and opportunities.

A commonly used tool for assessing risk is the risk assessment matrix. You've probably seen one before. A grid of reds, ambers and greens telling you what risks are likely to occur and how severe their impact could be.

Manually creating a risk assessment matrix takes a lot of time – you need to identify what risks apply to your business, decide how you'll evaluate them ('likelihood' and 'impact' tend to be the most common) and then assess them based on the criteria you've chosen.

EQMS Risk Manager

Features

EQMS Risk Manager gives you a framework for identifying, evaluating, managing and monitoring risk. By bringing together data into one integrated, central system, EQMS Risk Manager takes away the problem of business units and departments all working in isolation, without transparency or any knowledge of each other's processes.

Identifying risk: Any user can log in and suggest a risk. The system directs the suggestion to your Risk Manager, who then decides whether to log the suggestion as a risk to be further assessed, or reject it. The system records the Risk Manager's response and feeds it back to the user who made the suggestion.
Evaluating risk: The system keeps a full list of all the risks your business faces. It assesses each risk against the data provided (including likelihood and impact) and uses a formula to calculate a risk level and risk class.
Managing risk: If the risk class and risk level are unsatisfactory, the Risk Manager may take action to lessen the risk (and perhaps lower its class and level) until it becomes acceptable. For higher risks, the Risk Manager may define which action should be taken when a related incident occurs so its impact can be limited.
Monitoring risk: The system has powerful risk analysis and monitoring tools such as configurable risk calculators and risk traffic lights. It provides easy access to a bank of assessments so users can see what controls were tested and the results of the assessments. Risk Managers can access a range of reports to analyse metrics, and apply a number of parameters to help with their decision-making.
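As an added illustration of the likelihood-and-impact matrix described above (this is not EQMS code, and the page does not publish the formula EQMS uses), the following Python risk register scores each risk as likelihood × impact on assumed 5-point scales, classifies the score as green, amber or red using assumed thresholds, recomputes the residual score once controls that reduce likelihood or impact are applied, and flags anything still above an assumed risk appetite for the Risk Manager to escalate. The sample risks and controls are constructed for the example; the treatment modelled here is the "change the likelihood or consequences" option that the later posts on this page list.

```python
"""Added example: a likelihood x impact risk register with RAG classification.

Not EQMS code. The 5-point scales, the RAG thresholds, the risk appetite and
the sample risks below are all assumptions made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed 5-point scales for likelihood and impact

# Assumed RAG thresholds on the product likelihood * impact (1..25).
# Two values in 1..5 can only multiply to 1-6, 8-10, 12, 15, 16, 20 or 25.
RAG_THRESHOLDS = (("green", 4), ("amber", 12), ("red", 25))


def risk_level(likelihood: int, impact: int) -> int:
    """Score a risk as likelihood * impact, rejecting values off the scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood and impact must be 1..5, got {likelihood}, {impact}")
    return likelihood * impact


def risk_class(level: int) -> str:
    """Map a level to its traffic-light class using RAG_THRESHOLDS."""
    for name, upper in RAG_THRESHOLDS:
        if level <= upper:
            return name
    raise ValueError(f"level {level} is off the matrix")


@dataclass
class Control:
    description: str
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact


@dataclass
class Risk:
    ref: str
    title: str
    owner: str
    likelihood: int  # inherent likelihood, before controls
    impact: int      # inherent impact, before controls
    controls: list[Control] = field(default_factory=list)

    def inherent_level(self) -> int:
        return risk_level(self.likelihood, self.impact)

    def residual_scores(self) -> tuple[int, int]:
        """Apply every control, never dropping below 1 on either scale."""
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, likelihood), max(1, impact)

    def residual_level(self) -> int:
        return risk_level(*self.residual_scores())

    def residual_class(self) -> str:
        return risk_class(self.residual_level())


def acceptable(risk: Risk, appetite: str = "amber") -> bool:
    """A risk is acceptable when its residual class is at or below the appetite."""
    order = [name for name, _ in RAG_THRESHOLDS]
    return order.index(risk.residual_class()) <= order.index(appetite)


def register_report(risks: list[Risk], appetite: str = "amber") -> list[dict]:
    """Rank the register by residual level and flag what still needs treatment."""
    rows = []
    for r in sorted(risks, key=lambda r: r.residual_level(), reverse=True):
        rows.append({
            "ref": r.ref, "owner": r.owner,
            "inherent": r.inherent_level(), "residual": r.residual_level(),
            "class": r.residual_class(), "escalate": not acceptable(r, appetite),
        })
    return rows


# Constructed sample register for the illustration; not real findings.
SAMPLE_REGISTER = [
    Risk("R-001", "Unpatched internet-facing web server", "IT Ops", 4, 5,
         [Control("Monthly patch cycle, 7-day SLA for critical fixes", likelihood_reduction=2)]),
    Risk("R-002", "Supplier ships mislabelled raw material", "Procurement", 3, 5,
         [Control("Incoming goods testing on every batch", impact_reduction=1)]),
    Risk("R-003", "Ransomware delivered through phishing", "IT Security", 4, 5,
         [Control("Phishing awareness training", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

With the assumed thresholds, R-003 stays red after its control and is flagged for escalation, while R-001 and R-002 fall to amber and sit inside the appetite. Clamping the residual scores at 1 matters: a control can never make a risk "better than impossible", and letting a score go to zero would silently hide the risk from the traffic lights.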


Benefits

EQMS Risk Manager saves you time and money by allowing you to assess risks quickly, efficiently and consistently. Its workflow functionality enables you to assign responsibilities and set deadlines to ensure risks are dealt with promptly and never ignored. Your employees know exactly who's responsible for doing what when it comes to limiting risk, which in turn allows you to better demonstrate compliance.

 

What you should do now

If you'd like to know more about how EQMS Risk Manager can help your organisation manage risk easily, arrange a demonstration by clicking the following link.

Request your EQMS Software demonstration

Tags: Risk Management, Risk Based Thinking

What to expect with ISO 45001 – A New Approach to Risk

Posted by Marc Gardner on Wed, Sep 16, 2015

The incorporation of Annex SL into the ISO 45001 standard is a key driver towards the 'risk-based approach'.

If ISO 45001 follows in the same vein as the 9001 and 14001 standards, which is likely, then it'll be necessary to determine the risks and opportunities, plan actions to address them, implement the actions in occupational health and safety management system processes and evaluate the effectiveness of these actions.

Taking a risk-based approach ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.

While risk is commonly understood to be negative, risk-based thinking allows for opportunities to be found – this is the positive side of risk. Analysing risks can often bring forth opportunities for improvement and enable businesses to make strategic decisions. A robust management system is itself one of the main means of addressing risks and opportunities.

Determining risks and opportunities

Many professionals approach Qualsys for advice on how to determine risks and opportunities and the appropriate level of action to take to address them.

When planning for your occupational health and safety (OH&S) management system, you should identify the risks and opportunities you must address to:

  1. Ensure that your management system can achieve its intended result(s)
  2. Reduce any undesired effects as far as possible
  3. Achieve continual improvement.

Put simply, to determine risks and opportunities, you must first determine your organisation's objectives before you can identify potential events that may prevent you from achieving those aims.

Analyse and prioritise

ISO 9001:2015 and ISO 14001:2015 define risk as "the effect of uncertainty", noting that an effect is a deviation from the expected result. It's highly likely that this definition will again be applied to ISO 45001. If this is the case, then it follows that:

  • an effect is a deviation from the expected – positive or negative

  • risks are about what could happen and what the effect of this happening might be

  • risk also considers the likelihood of an event occurring.

There are various methods to approaching ISO 45001 risk-based thinking; which method is appropriate is determined by the nature of your organisation.

In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. regular reviews of documentation, clear sight of training and competencies, sufficient data for analysis and continual improvement).

In contrast, many busy teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as EQMS Risk Manager enables you to identify and assess risks looking at 'likelihood' and 'impact'. EQMS Risk Manager's workflow means you can assign responsibilities and set deadlines to ensure risks are dealt with rapidly and efficiently. EQMS triggers escalation to guarantee critical actions never go ignored.

Planning and implementing actions to address risk

Planning actions to address risks and opportunities can include:

  • avoiding risk
  • eliminating the risk source
  • changing the likelihood or consequences (likelihood and impact)
  • sharing the risk
  • retaining risk by informed decision
  • even taking risk in order to pursue an opportunity.

When doing your own planning, it's again imperative that you consider the context of your organisation. For example, the process of planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than planning actions to mitigate the risk of paper cuts.

Similarly, the risk presented by polluted air in a country with which an organisation has little trade or few links is minor compared with the same risk in the country in which it mainly trades and operates. It's essential to understand your organisation and its strategic direction, as this will enable you to determine and address the associated risks.

Many organisations use risk management software such as EQMS Risk Manager to implement actions to address risks. EQMS Risk Manager enables you to create automated workflows for addressing risks, highlighting responsibilities and sending email notifications of various tasks to the relevant individuals. This ensures actions to address risks are completed via a closed-loop process.    

Check the effectiveness of the actions – do they work?

In simple terms, to check the effectiveness of your actions to address risk, you need to ask, "Do they work?". There are various methods you can employ to do this, including:

  • Audits and internal reviews
  • KPI analyses
  • Project evaluations

One important aspect of this checking involves having the right data available to make informed decisions. By improving how you aggregate risk data, you can strengthen your capability in making judgements about risk. This leads to gains in efficiency, reduces the chances of loss events occurring, and enhances your strategic decision-making.

Many organisations are now employing KPI dashboards such as EQMS Dashboard to provide instant access to real-time management information. With an overarching view of key performance indicators that are determined by management, organisations can track performance in critical areas and make informed decisions.

Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses and document notifications give you the ability to 'take the temperature' of your organisation, carry out trend analysis and demonstrate that you are operating a 'culture of compliance'.

Moving forward

The ISO 45001 standard will likely encourage organisations to build risk management into their entire management system.

With risk-based thinking, you're able to adopt a risk-based approach to improve customer confidence and satisfaction, and to establish a proactive culture of prevention and improvement.  With such explicit benefits, this can only be seen as an opportunity and a step in the right direction.

 

What you should do now

Download the EQMS Datasheet Pack to learn more how EQMS Risk Manager can improve your approach to risk management.


Tags: Risk Based Thinking, ISO 45001

Friday Feature – Mistakes Can Cost the Earth... and Pay for Space Flight

Posted by Alastair Atcheson on Fri, Jul 17, 2015


Human error, fraud, and badly managed budgets cost businesses billions of pounds every year. Although these losses may be small on an individual scale, they can add up astronomically.

Understanding loss is often much more tangible when it is put in perspective. For example, how much do businesses lose compared to the total cost of sending a spacecraft to Pluto, at the far edge of our solar system?



Putting a Price on Pluto

This week, NASA’s New Horizons mission to Pluto showed us an entirely new world. The probe revealed giant ice mountains, craters and huge valleys on the surface of Pluto and its moons, all for a fraction of the cost of some business errors.

The total cost of the New Horizons mission was around $700 million, or about $46.7 million per year for the 15 years it took scientists to design, build and fly the probe to a distant speck 3 billion miles away.

While that may sound like a lot, it looks like money-well-spent compared to some of these costly errors.


1. Improper Medicare payments cost the American government nearly 1000 times as much each year as New Horizons

In 2013, ‘improper payments’ consisting of overpayments, payments sent to the wrong people, and fraud, cost the US government $45.7 billion. To put that in even better perspective, NASA’s entire annual budget that year was under $18 billion.


2. Annual payments to dead federal workers cost more than the Pluto mission’s annual spend

$84.7 million was paid by the government’s Office of Personnel Management in 2013 to federal workers who had already died. That’s nearly double the Pluto mission’s annual spend.



3. NASA previously lost a Mars orbiter craft by mixing up metric and imperial

NASA’s careful budget handling has no doubt been shaped by earlier mistakes, like the time it lost the $125 million Mars Climate Orbiter by failing to ensure that everyone involved was using the same units.

In 1999, ground software supplied by Lockheed Martin in Denver reported thruster impulse in imperial units (pound-force seconds), while the NASA navigation team in California expected metric (newton-seconds). Nobody caught the mismatch, the trajectory calculations drifted, and the orbiter came in too low and was lost on arrival at Mars.



As you can see, organisations face a huge range of variables when it comes to managing and minimising loss. While it is impossible to predict and prevent every area of loss, the first step to ensuring that your organisation has maximum control is to implement the proper management systems.

EQMS software consolidates and integrates governance, risk management and compliance initiatives across your organisation with a single solution. EQMS tools manage your policies, audit programme, risk assessments, incidents, accidents, business issues and more.

No longer will your team be mixing up measurements, sending payments to the wrong people, or losing probes in space. While that last one may not strictly apply to your business, effective management systems are vital to minimising loss and improving efficiencies.

Ensure that mistakes don’t cost your organisation the Earth! Learn more about EQMS software with our datasheets here, or follow the link below.

 

ISO 9001 Software


Picture credits:
www.news.discovery.com
www.sporcle.com


 

Tags: Risk Management, Risk Based Thinking

ISO 9001:2015 – The CQI's Richard Green on 'Risk and Opportunities'

Posted by Alastair Atcheson on Thu, May 28, 2015

Risk is a concept that many people naturally assume is something bad; ‘That’s a bit risky, are you sure you want to risk that?’ However, the upcoming changes to ISO 9001 will require businesses to move away from this perception and instead view risk as ‘risk and opportunity’.


As part of his presentation on clarifying the jargon of ISO 9001:2015 (see the full webinar here), The Chartered Quality Institute’s Head of Technical Services, Richard Green, discusses the definitions of risk and how organisations should approach the increased focus of risk in ISO 9001:2015.

 

Why Watch?

In this segment, Richard defines risk as ‘the effect of uncertainty’ that can be ‘positive or negative’. A universal definition of risk is still a hot area of debate and has yet to be settled.
Annex SL does not prescribe a risk management methodology, but it does require companies to:

  • determine their risks and opportunities
  • plan and take actions to address them


While many companies will already approach risk in a similar way, Richard argues that the bulk of the work to come stems from organisations’ general focus on risk alone, rather than on both risk and opportunity. However, you have the freedom to do this in any way that works for you, as long as you determine and plan.

 

 

See the Full Webinar!

Receive one hour’s worth of IRCA CPD points by watching the full 25 minute presentation here and completing a summary questionnaire on the topics covered. Correct submissions will be sent a PDF certificate confirming CPD points from IRCA. Richard’s presentation covers the essential changes to ISO 9001:2015 and was recorded at the annual EQMS User Group in April 2015.

 

ISO 9001 Changes IRCA Webinar

 

Tags: CQI, ISO 9001:2015, Risk Management, Events, Risk Based Thinking

ISO 9001:2015 Revision Explained: Risk-based thinking

Posted by Alastair Atcheson on Wed, Feb 11, 2015

The revised ISO 9001 standard has moved away from what it called "preventive action" towards a "risk-based approach". Preventive action was found to be lacking when it came to driving change and continuous improvement. The risk-based approach is likely to be much more effective in allowing organisations to become stronger, fitter businesses.

Taking a risk-based approach means:

  • Determining the risks and opportunities
  • Planning actions to address them
  • Implementing them in a quality management system
  • Evaluating their effectiveness

All this ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.

Though we commonly understand risk to be negative, risk-based thinking has a more positive slant in that it provides opportunities for improvement and enables businesses to make strategic decisions. A robust quality management system is itself one of the main means of addressing risks and opportunities.

"Quality management is currently going through a state of metamorphosis," says Kate Krachai, director of leading quality management consultancy Quality Context. "Quality professionals must change the opinion of those in organisations that view quality as simply improving compliance. It's more than that – it can empower a business by reducing risk. Even better, a good quality management system not only enables you to reduce risk, but also take risks.

"Reducing risk to take more risks may sound counter-intuitive, even paradoxical, but that’s where the power of quality can be. By considering compliance risks you can drive a business forward by giving it the power and control to take educated risks."

Determining risks and opportunities

But how do you determine your risks and opportunities and the appropriate level of action to address them?

Well, you need to determine your objectives before you can identify things that might get in the way of you achieving them.

You must consider:

  • Issues that may affect your organisation's values, culture, knowledge and performance
  • How these issues may impact your ability to deliver products and services that meet customers' needs and any regulations that may apply
 
Look at them both from an internal perspective – strategies to achieve your policies and objectives; your relationship with your staff and stakeholders (including partners and suppliers) – and an external perspective – issues arising from political, economic, social and technological changes within the sector.

 

Analysing and prioritising your risks and opportunities

ISO 9001:2015 defines risk as "the effect of uncertainty", and its notes spell out what that means. So:

  • an effect is a deviation from the expected – positive or negative

  • risks are about what could happen and what effect it might have

  • risk also considers the likelihood of an event occurring

Though the revision to ISO 9001 doesn't formally say you must do a full risk assessment or maintain a risk register, it does say you must monitor, measure, analyse and evaluate the risks and opportunities. There are various methods to approaching risk-based thinking – which method is appropriate to you is determined by the context of your organisation.

In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. by regularly reviewing documentation, keeping clear records of training and competence, recording sufficient data for analysis and continual improvement).

In contrast, many busy quality teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as EQMS Risk Manager enables you to identify and assess risks looking at 'likelihood' and 'impact'. EQMS Risk Manager's workflow functionality allows you to assign responsibilities and set deadlines to ensure risks are dealt with rapidly and efficiently. EQMS triggers escalation to guarantee that critical actions never go ignored.

 

 

Planning and implementing actions to address risk

Planning actions to address risks and opportunities can include:

  • Avoiding risk
  • Eliminating the source of the risk
  • Changing the likelihood or consequences (likelihood and impact)
  • Sharing the risk
  • Retaining risk by informed decision
  • Even taking risk to pursue an opportunity

When you're planning your own actions, again, you must consider the context of your organisation. Planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than if you were mitigating the risk of the wrong sandwiches being ordered for the staff vending machines.

Similarly, the risk of an economic downturn in a country with which your organisation has little trade or links is minor compared to a recession in the country in which you solely trade and operate. Understanding your organisation and its strategic direction is essential if you're going to determine and address the associated risks.

Many organisations use risk management software such as EQMS Risk Manager to implement actions to address risks. EQMS Risk Manager enables you to create automated workflows for addressing risks, highlighting responsibilities and sending email notifications of various tasks to the appropriate employees. This ensures actions to address risks are completed via a closed-loop process.

Checking the effectiveness of the actions – do they work?

In simple terms, checking whether actions to address risk are effective means asking "Do they work?". There are various ways you can do this, including:

  • Audits and internal reviews
  • Analysing KPI
  • Project evaluations

One important thing to bear in mind is making sure you have the right data available to make informed decisions. By improving how you aggregate risk data, you can make much stronger, better judgements. This leads to you becoming more efficient, making fewer losses and, ultimately, increasing profitability.

Many organisations now employ KPI dashboards such as EQMS Dashboard so they can have real-time, instant access to management information. Having an overarching view of the key performance indicators you've set, you can track your performance in critical areas and make informed strategic decisions.

Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses and document notification confirmations gives you the ability to 'take the temperature' of your organisation, analyse trends and demonstrate that your organisation has a 'culture of compliance'.

Moving forward

The concept of risk has always been implicit in ISO 9001 and many organisations take a risk-based approach intuitively. But the 2015 revision of the standard makes it more explicit and encourages organisations to build it into their entire management system.

Business risks are ever-growing worldwide, reflecting widespread political, economic and social uncertainties. ISO 9001:2015 makes it mandatory for you to adopt a risk-based approach, so that you improve customer confidence and satisfaction, assure a consistency of quality of goods and services, and establish a proactive culture of prevention and improvement. Every organisation should see risk-based thinking as an opportunity and a step in the right direction.

 

What you should do now

Download our datasheets to learn more about how our EQMS software can help your organisation adopt a risk-based approach.

 


 

Tags: ISO 9001:2015, Risk Based Thinking

Audit, Risk and Document Management Webinar Information

Posted by Michael Ord on Fri, May 03, 2013

 Qualsys recently hosted a webinar where quality managers from across the globe joined us to explore the EQMS system capabilities and to answer questions. To download the webinar slides please click on the image below. 

 

EQMS Webinar Slides

 

Thank you to those who attended our first public (free) webinar of the year; we had people from the US, Ireland, UK and Russia.

For those who missed it, I was joined by Simon Wells, EQMS Training Manager, who gave an overview of the exciting new features for

  • EQMS Audit Manager - schedule audits, checklists, findings, reporting
  • EQMS KPI Dashboard 
  • EQMS Document Manager - SharePoint, Outlook and Office Add-ins
  • EQMS Risk Manager

Simon also shared best practice tips and shortcuts in what will be a monthly 'buffet' style webinar: a 30-minute look at the EQMS product, quality management issues, and lessons from the many corporate clients that Simon's team trains each month.

Download EQMS Webinar slides - April.pdf

 

Simon Wells, Qualsys Training Manager
 

The next free webinar will be on Wednesday 29th May at 13:00 GMT.

It will focus on:

 

 

Attend Free Webinar

Tags: Quality Management Software, Audit Management Software, Document Management, Risk Based Thinking

Horse-meat scandal: Quality & Risk lessons (News Round-up)

Posted by Michael Ord on Fri, Feb 01, 2013



Michael Ord, Business Development Manager at Qualsys, reviews latest news from around the web re the Horsemeat scandal.


Tesco, Burger King, The Co-operative, Silvercrest, Dalepak, Aldi, Lidl…


As the list of retailers and suppliers tainted by the Horsemeat scandal continues to grow, so does the realisation that fast moving, complex supply chains are almost impossible to police - it's not just an issue in food but across every industry sector.

Just as technology and social media speed up the possibilities for innovation, fulfilment and communication, they simultaneously create problems for supply chain management, quality managers and compliance departments.

The opportunities are greater, but so is the business risk, in terms of brand, consumer health and financial liabilities.

As Silvercrest have found this week, it takes years to build a brand and only one supply chain incident to potentially destroy a company. 

Horsemeat in the News – Lessons for Quality and Compliance Departments.

Quickly searching the internet, there is a hurricane of news stories highlighting the key issues around the Horsemeat scandal.

We will highlight a few good articles from a compliance and quality management point of view.

Burger King ‘Cover Up’?


Fancy a burger?

The Daily Mail
reports on Burger King's 'cover-up' over horse meat scandal.

Playing to the health-consciousness of their readership, they lead on the potentially harmful anti-inflammatory drug phenylbutazone, which is used in horses and is not permitted in the human food chain:

  • “As chain dumps millions of 'unaffected' patties, Labour warns of cancer-causing drug found in UK abattoirs
  • Horses slaughtered in UK last year tested positive for phenylbutazone
  • Anti-inflammatory drug is banned from human food chain
  • Burger King has ended its deal with Irish firm ABP's Silvercrest plant
  • Managers told to mark boxes of burgers from firm with an 'X'
  • But staff instructed not to remove the meat until replacements arrive
  • Some products on its menu may be unavailable until new supplier is found”

The Daily Mail continues:

“Burger King burgers, such as its best-selling Whopper, were made by the Irish meat processor Silvercrest, which is part of the ABP Food Group.

ABP Foods, through subsidiary companies in Ireland and Yorkshire, made burgers for many more high street names, however it is not yet known if their products were also tainted.”

It remains to be seen whether the health risks are real, but in the eyes of the public, perception is everything.

How can business leaders access real-time data on their suppliers?

In the inevitable enquiry, will they be seen to be compliant with the latest regulations and laws? Only time will tell.

Tesco DNA Testing Programme - a fast, public response


The Wall Street Journal reports how:

“Tesco has dropped the meat supplier that supplied it with beef burgers tainted with horse meat and will introduce its own DNA testing to ensure contamination doesn’t happen again.”

In addition to changing suppliers, Tesco has announced a:

“comprehensive system of DNA testing across our meat products. This will identify any deviation from our high standards.”

The supermarket added:

“These checks will set a new standard. It will be a significant investment for Tesco, borne by Tesco. We want to leave customers in no doubt that we will do whatever it takes to ensure the quality of their food and that the food they buy is exactly what the label says it is.”

What is surprising to many is that “until now supermarkets and food processors have not used DNA testing to determine whether food products marked as chicken, pork, beef, lamb or fish contain bits of other animals. Experts say that's because such findings don't affect food safety, only the integrity of labeling.” Source: Huffpost

And with food taste and sensibilities different across the world, what may be acceptable in some countries is not in others – this requires a new level of sophistication from the Quality departments of international organisations. 

Put risk value in contracts following horsemeat scandal

Featured in out-law.com, supply chain management expert Richard Parkinson of Pinsent Masons has identified risk management as a key facet of future contracts.

He argues that “Purchasers and their suppliers should put a value on risk and include it in contracts in case of disputes such as that over horse DNA being found in beef burger”.

Companies in all sectors should start by reviewing the terms of their contracts ‘to be clear about the nature of risk liabilities to which they are exposed’, and should have financial contingencies in place should anything go wrong in the supply chain.

With the correct risk mitigation built into contracts, for example by passing responsibility to suppliers further down the chain:

“it is possible for retailers and suppliers to recoup at least some of the costs they incur when products are withdrawn from sale because of issues stemming from the supply chain.”

At Qualsys, we are big advocates for ongoing self-audit and testing procedures.

We agree with Richard Parkinson that proactive Supplier Management, and a Quality Management System with real leadership will help "nip in the bud" issues that emerge in the supply process.

More key points from out-law.com:

Companies throughout the supply chain should:

  • Have quality control procedures in place to mitigate the risk
  • Ensure procedures are of an appropriate standard for the industry
  • Obtain suitable insurance

In summary...

Without forensic accounting, it is very hard to put a value on the costs associated with supply chain risks.

Reputational loss from an unforeseen ‘horsemeat’-style scandal cannot be forecast and is usually dealt with reactively.

The DNA Testing programmes like those announced by Tesco go some way to re-building consumer trust, but the intangible cost and supply chain management catastrophe for smaller companies such as Dalepak and Silvercrest will add extra operational cost to already low margins and now declining sales orders.


Quality Management solutions such as EQMS help organisations to meet legal obligations, business needs and ISO9001 quality standards. With each 'horsemeat scandal' the compliance bar is raised higher - and so are the obligations and teeth of the regulators.

In the end, the Beef Trim patties (which contained the horse meat) may sadly decimate a number of meat supplying companies – but the lessons around proactive quality control and supply chain management should reverberate across every industry sector. 

How compliant are you?

Complete ISO9001 Self-check list

Tags: Quality Management Software, EQMS, Compliance Management Software, Document Management, Supply Chain Management, Risk Based Thinking