With the inclusion of “risk-based thinking” in ISO 9001:2015, never before has the quality management profession spent so much time talking about risk management. Suddenly, every ISO 9001 and quality consultant is claiming instant, overnight expertise in risk management, although when pressed you discover they know little about it other than how to fill in a Failure Modes Effect Analysis (FMEA) form.

The truth is that, like quality management, risk management is a career-path discipline, a complex and complicated field of study of its own. One can, after many years of study, obtain a doctorate in risk management. Reading ISO/TC 176’s publications on ISO 9001:2015, however, you would think it’s so simple that anyone can do it. TC 176 routinely claims risk management is “as easy as crossing the street” and its supporters have claimed “you do it every time you step out of the shower.” It’s an insult to the risk management profession, of course, but most risk managers are too busy fighting their own internal battles to worry about what the quality profession says about them.

More frustrating is the retconning of history that ISO has employed, insisting that “risk has always been implicit in ISO 9001.” It’s patently false, but since one can say any proactive measure whatsoever technically, kinda-sorta works to prevent risk, it’s easy to pull the wool over people’s eyes about it. Think about it, they say: preventive action sought to prevent problems, and preventing problems is what risk management is all about! By this inane measure, every time a babysitter put a band-aid on a kid’s skinned knee to prevent infection, she was performing full-fledged risk management. If that sounds ludicrous, remember, this is exactly the posture that ISO and TC 176 are taking, except instead of a babysitter and a bruised knee, they say it’s all as easy as deciding how to cross a street. Here is TC 176 on the subject:

Objective: I need to safely cross a road to reach a meeting at a given time.

It is UNACCEPTABLE to be injured.

It is UNACCEPTABLE to be late.

The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury.

It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time. It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high.

I analyse the situation. The footbridge is 200 metres away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time.

I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time.

While the rest of us wish the guy who wrote that would actually be struck by a car, it means that every time a dog crosses the street, he is employing full-blown, ISO-style risk management. Good dog, Fido!


As a result, the quality profession — which seems to take all its intellectual cues from ISO these days — views risk management as a subset of quality management, since risk management is used to improve quality, as so:

[Figure: Venn diagram showing risk management as a subset of quality management]

The few risk managers I have spoken to who know about ISO 9001 recoil, and insist that quality management is actually a subset of risk management, since they utilize quality management concepts in order to reduce risk. So their worldview looks something like this:

[Figure: Venn diagram showing quality management as a subset of risk management]

This view is never better illustrated than by the sudden obsession ISO has with risk management, which was brought through the evangelical efforts of a single Australian risk manager, Kevin Knight, who convinced the ISO Technical Management Board (TMB) that all ISO management system standards must address risk management in some form. The TMB bought that argument, and has since imposed risk into all its standards, but only because of Knight’s efforts. Had someone else gained access to the TMB — say an expert in configuration management, financial management, or counterfeit control — then ISO would not be saying anything about risk at all, instead saying “configuration management/finance/counterfeit part control has always been implicit in the ISO 9001 standard.” You can plug in any form of management you like, and ISO can make the argument that it was, in one shape or form, addressed at least tangentially in earlier versions of ISO 9001. After all, it wasn’t too long ago that the statisticians had the favor of ISO, and ISO 9001 was all about statistical process control. Now, the victim of ISO’s fickleness, it’s hardly mentioned, and “statistical techniques” have been demoted from a full clause to an optional “Note.”

The reality, however, is that the two disciplines occupy different spaces, and are peers, with neither subsuming the other. It is simultaneously true that risk management may be used to improve quality, and quality management may be used to prevent risk; but that is the result of the two separate fields of study having some overlapping qualities, as illustrated here:

[Figure: Venn diagram showing quality management and risk management as overlapping peers]

Within the quality management toolbox, there exist many approaches, techniques, sciences and methods, all being used collectively for the purposes of improving quality. Those tools include configuration management, quality control, quality assurance, statistics, and — yes — risk management. Within the risk management toolbox exists an equally diverse set of tools, including quality management tools, but with a host of other approaches that would be alien to the typical quality manager. Remember, risk management is a discipline practiced largely within financial and insurance institutions, and not just manufacturing or production environments.

Consider this: we in the quality profession would object if suddenly the risk managers of the world began taking the jobs of quality managers, writing books on quality management, and declaring sudden, overnight expertise of the quality profession. Why, then, is it acceptable for quality managers to suddenly claim mastery over risk management?

It’s ironic that this posture comes after the quality profession has been effectively usurped by a tiny handful of risk managers with a limited agenda (the Knight gang), and we have been so pliable as to allow them to alter the industry-wide narrative about quality management. The proper response, however, is for neither profession to claim dominance over the other, since they exist rather nicely as side-by-side peers.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
