Get ready yet another blow to the integrity of the quality management profession, as it once again scrambles for the attention of corporate executives in move that reeks of desperation.

If you haven’t heard it already, a new buzzword is cropping up in the quality profession, but one which is easily lost between the dozens of others. It’s “QRM,” and stands for “quality risk management.” It’s far more nefarious than insipid, despite the innocuous innocence it implies.

First, let’s go back a bit. As I have written at length about, including in Surviving ISO 9001, prior quality gurus like Deming, Juran and Crosby said nothing at all about risk management, as they understood it was a separate discipline. This does not mean they rejected it, nor did they take a stance to compete with it. It was merely something that was done across the hall, and may or may not have Venn-diagrammed itself to overlap with quality management. If anything, it was a friendly co-passenger on the voyage towards overall business improvement.

Next, take a look at earlier editions of the quality standard ISO 9001. Here is how the literal words on paper appeared in the 2000 edition:

ISO made it clear that ISO 9001 was a quality management standard, and did not address risk management. A companion publication issued officially by ISO in March of 2001, entitled “Guidance on the Documentation Requirements of ISO 9001:2000” goes on to say exactly nothing about “risk” at all. At that time, there was never any doubt that risk management and quality management were entirely different concepts, and so ISO never felt the need to explain this in detail.

Then came Nigel Croft and TC 176, who faced a mandate by the ISO headquarters in Geneva to include a paragraph on “risk” written by the ISO Technical Management Board, a shadowy group of largely unknown actors who are answerable to no one. Faced with the choice of rejecting ISO’s mandate and having TC 176 disbanded, Croft and his gang of self-serving consultants not only agreed, they saw an opportunity to make a profit. Croft dreamed up the term “risk-based thinking” as a branding tool, and BSI cooked up a press release that promoted the falsehood that “risk has always been implicit in ISO 9001.

Remember, that last part is a lie, as the evidence above shows. Risk was never “implicit” in ISO 9001, it was overtly excluded as something the standard would not discuss.

Croft and his cronies then quickly rebranded themselves as “risk management” experts, and started selling related consulting services. Ka-ching.

The Emperor Has No Clothes, But Who Cares?

One of the greatest failings of the quality profession is that its practitioners are often criminally incurious. We are, to use a mixed animal metaphor, lousy with lemmings.

Quality professionals are all too willing to buy into whatever the latest fad is, whatever the latest management book says, or whatever garbage gets spewed by dubious organizations like ASQ or CQI. Then, they not only fail to ask skeptical questions about what they read, they accept it blindly and reject critical analysis of it.\

Quality professionals actually seek out “thought leaders” — one of the creepiest concepts yet invented — rather than try to develop their own independent thinking skills.

The fact that all of this flies in the face of the quality profession’s main tenet — that decisions be made through analysis of objective data — escapes them. It is just easier to have someone else do the thinking for you.

Within ten minutes of BSI’s phony press release — and ISO’s official republishing of it — quality “experts” were claiming, with a straight face, that “risk has always been implicit in ISO 9001.” Apparently, not a single one of them ever read the versions prior to the 2015 edition, yet were claiming to be gurus. It was sufficient to accept as fact a lie published by ISO and its cronies.

The consultants — often the worst of an already intellectually-diminished profession — pounced.  ASQ darling and serial spammer Greg Hutchins rebranded his entire consulting and publishing machine to claim that he invented the concept of risk management within the quality profession. US ISO 9001 author Lorri Hunt gave a presentation announcing that “risk-based thinking” would be the “biggest boon to consultants ever,” and promptly started selling expensive seminars on the subject. ASQ and CQI fired up their coal-fired publishing machines to churn out hundreds of articles on risk management, suggesting expertise on a thing they had otherwise been silent on for decades.

If You Don’t Love Me, I’ll Have to Kill You

But non sufficit orbis, and all that, so aggrieved quality managers wanted more. The ISO 9001:2015 drafts soon injected additional text into clause 5.1 “Leadership,” demanding that — as part of a standard intended for third-party conformity assessment audits — top management of companies had better damn well start treating the quality managers better, or they’d lose their certificate. So things like this gem were inserted into the standard:

Top management shall demonstrate leadership and commitment with respect to the quality management system by ensuring the integration of the quality management system requirements into the organization’s business processes.

That is nothing less than a demand that the Quality Manager be given access to the C-suite. Having failed for (literally) generations to get the discipline of quality assurance properly recognized by corporate leaders, some aggrieved quality managers at TC 176 figured they’d force the issue by inserting it into a standard that would then be enforced by an army of third-party conformity assessment auditors who would then withhold valuable ISO 9001 certification from any arrogant executive who refused.

So now we have QRM. Ironically, the term appears to have popped up first in the pharmaceutical industry, which is also where the first few instances of the term “risk-based thinking” came from, although entirely outside the quality sphere. Nevertheless, CQI just launched an article on QRM which mentions the term in passing, as if it’s already an accepted thing that everyone should be already fully cognizant of.

(In an even more irritating and nefarious turn, the article’s author Veronica Cavendish-Stephens deleted my comments to her article on LinkedIn, which were related to the points I now have to make on my own site, where she can’t delete them.)

The only thing more catnippy to lazy quality professionals than official ISO press releases (however false) are acronyms. If you brand something “LSS” or “CMQ/OE” or “SPC,” they will jump on it like cats an open tuna can. (I kept my animal metaphor un-mixed that time.)

So now, within seconds of CQI’s totally made-up article, no doubt thousands of quality professionals are claiming expertise in “QRM” — a thing that, like risk-based thinking — doesn’t actually exist. There are no standards on QRM, no accepted norms, no courses of study, no books of knowledge.

It’s another attempt to dupe quality managers into opening their pocketbooks to buy cans of air.

The solution is simple: quality managers need to apply to themselves the things they demand of everyone else: to act based on data, and not emotional tugs or fake press releases. Be skeptical. Be objective. Be independent thinkers.

Maybe cancel that CQI prescription, too. Because this QRM thing is going to get much, much worse — and expensive — before this is over.

You were warned.

UPDATE 29 October 2020. The author of the CQI article just can’t get out of her own way in her pursuit to make things worse.

First Veronica Stephens deleted comments I made to her posts on LinkedIn where she promoted the CQI article. In those comments, I indicated that “QRM” isn’t a real discipline, and that it was another attempt by quality professionals to overtake the c-suite. A shorter version of the article above, basically.

Not content with censoring me on LinkedIn, Stephens then contacted me and asked that I delete entirely my own article from the Oxebridge website. Stephens claims that because the FDA used the term “QRM” in a 2006 published paper, that means it exists as a formal discipline that she can now allege is a real thing in 2020. (Fact check: the FDA paper wholly contradicts modern ISO notions of risk, entirely contradicts ISO’s definitions of risk, and speaks only about drug manufacturing, not the quality profession as a whole.)

I refused to delete my article, obviously, but offered her a chance to suggest any factual corrections. She did not. When I then tried to make my point in private messages on LinkedIn, she cut me off and blocked me.

Hours later, her consulting partner Brittany Auchincloss appeared on LinkedIn to make personal attacks, calling the article a “mis-informed and a nasty post.” I assume that Stephens arranged to have Auchincloss step in for her.

Just to make things even worse for herself. Auchincloss then posted this snippet which just stands on its own as an example of complete internet batshittery:

Prior to that, the usual “oh, look, we’re risk management experts now” ASQ guys Duke Oakes and Greg Hutchins did likewise. Hutchins is dead-set on reminding everyone that he trademarked “Future of Quality: Risk” in 2000. Because trademarking something automatically makes you the expert on it. Right.

The takeaway here is that these would-be architects of QRM:

  1. Failed to do any “risk assessment” of acting like jackasses by demanding censorship, engaging in attacks, and blocking critics rather than having a normal discussion,
  2. Can’t defend their claims in a logical manner, and
  3. Are jackasses, which I said already.

I just want to make one more point clear to these morons. Because the US FDA — a national drug oversight body that has no international authority — published a “thing” called QRM back in the early 2000’s does not suddenly alter the world’s quality assurance profession. The FDA also publishes documents related to hypodermic needles, but it doesn’t make every Quality Manager in the world a heroin addict.

Related note: Auchincloss-Stephens is a consulting firm which announced a week ago that it got ISO 13485 certified. That certification is for medical device manufacturers, not consultants. So, something doesn’t smell right here….


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.


ISO 45001 Implementation