Risk Management With Risk Management With Customer FocusCustomer Focus
Kevin Beard
Introduction To Risk Introduction To Risk
Discuss Risk/QMS Relationship Concepts
Introduction to Risk/QMS in AS9100c– Additional & Sanctioned Training to Be Provided
By OPMT
Case Studies & Audience Participation
Introduction To RiskIntroduction To Risk
How Do We Currently View Risk In AS9100b– Customer Requirements– Other Parts of Std.???
How Many Have Read AS9100c
What Do We See As The Difference– Structure??– New Individual Requirements??– Underlying Concept that Applies Across the Standard??
Why Are We Discussing Risk Today– Complex Concept– Difficult to Understand– Difficult to Explain to Customers– Therefore, Difficult to Audit
A risk is a potential future event that could result in adverse and unplanned consequences.– A risk is NOT a Problem, an Issue, or a Crisis!
Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints.
(Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003)
What is Risk?What is Risk?
Risk Management Processes
What is Risk?What is Risk?
Risk Mitigation Behaviors within
a process
Product & Technical
Risks
Risk Management Processes
What is Risk?What is Risk?
Risk Mitigation Behaviors within
a process
Product & Technical
Risks
Risk Planning – The step of developing and documenting comprehensive and interactive
strategies and methods for identifying and tracking risk areas, training, developing risk mitigation plans, performing risk assessments to determine how risks have changed, and planning/obtaining adequate resources.
Risk Identification– The step of discovering and defining all risks inherent in your program or
project.
Risk Assessment– The process of analyzing and prioritizing program and process risks against
cost, schedule and/or performance criteria.
Risk Handling– The step that identifies, evaluates, selects, and implements actions in order
to reduce risk likelihood or consequence to an acceptable level.
Risk Monitoring– The step that systematically tracks and evaluates the performance of Risk
Handling actions against established metrics throughout the acquisition process.
Risk Management ProcessesRisk Management Processes
The Risk Management The Risk Management ProcessProcess
- Risk PDCA -- Risk PDCA -
Risk Management Processes
What is Risk?What is Risk?
Risk Mitigation Behaviors within
a process
Product & Technical
Risks
Product & Technical RisksProduct & Technical Risks
Complexity of Design
Criticality of Product for End Use
New or Unproven Process or Technology
Organizational Capability to Design or Build Product– New or Unproven Process to Organization– New Technology to Company
Items or Requirements That are Candidates for Risk Management Processes
Others??
Risk Management Processes
What is Risk?What is Risk?
Risk Mitigation Behaviors within
a process
Product & Technical
Risks
Identification– Discovering and defining all risks inherent in your program, project,
process, or task.
Communication– Communicating Risks to all Relevant Individuals and Processes
Risk Understanding– Understanding the Risks and How they affect your Function or
Process
Decision Making (Risk Based) – Making Choices on application of ‘Individual Options’ and
‘Process Options’
Risk Behaviors– Knowledge of Identified Risks
– Knowledge of Process Options
– Application of Identified Risk Topics to ‘Process Options’
Risk Based Decisions & BehaviorsRisk Based Decisions & Behaviors
Proposal Contract Design Manufact.ProductDelivery
Integrate
Purchasing
All Requirements are not created equal
Monitoring and Inspection Activities
Operational Options that Need Risk Oriented Decisions associated with Critical Requirements
•Design Approach
•V&V Approach
•Monitor & Insp. Approach
•Supplier Oversight
RFQ
Suppliers
Communication of Supplier Requirements-Key Characteristics-
Requirements & Risk Based Requirements & Risk Based DecisionsDecisions
Where Identified
How Communicated
What Decisions
AS 9100 – 3.1 Terms and DefinitionsAS 9100 – 3.1 Terms and Definitions
Risk - An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.
Variable Risk Application ApproachVariable Risk Application Approach
Varying Applicability to Different Functions
Risk Processes…..‘appropriate to the product and the organization’ (7.1.2)
Type Project Production Service
Size Large Medium Small
Product X X X
Process X X X
People X X X
How Does Risk Approach Vary?– Organizational Application of Risk Can Vary Based on Situation, Customer,
Product Line, etc.
– Audit Approach & Questioning Will Need to Vary Also.
Risk Management Processes
Theory AppliedTheory Applied
Risk Mitigation Behaviors within
a process
Product & Technical
Risks
AS 9100 – 7.1.2 Risk ManagementAS 9100 – 7.1.2 Risk Management
The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product
a) assignment of responsibilities for risk management,
b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
c) identification, assessment and communication of risks throughout product realization,
d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and
e) acceptance of risks remaining after implementation of mitigating actions.
Processes
Behaviors
Risk Impacts – P.P.P.Risk Impacts – P.P.P.
7.1.2 Risk Managementc) identification, assessment and communication of risks throughout product
realization,d) identification, implementation and management of actions to mitigate risks
that exceed the defined risk acceptance criteria,
Product Process People Capability
Consequence & Likelihood
FMEA
Critical Safety Items
Requirements Evaluation
Process FMEA
Process Requirements Evaluation
Competency Levels
Prod/Proc Proficiency
Supplier Capabilities
Communication Customer/User Needs
IPTs
Specification & Drawings
Design Critical Items
Key Characteristics
CM Processes
Task Specific Training
Task Specific OJT
Supplier Interaction
Plan, Implement, Control
Mandatory Insp. Points
Design Review
Inspection Approach
Product Audits
Production Planning
Config Control Boards
Process Audits
Configuration Audits
Job Assignments
Metric Analysis
Technical Audits
Supplier Oversight
AS 9100 – 7.1.2 Risk ManagementAS 9100 – 7.1.2 Risk Management
7.2.2 Review of requirements related to the producte) risks (e.g., new technology, short delivery time frame) have been identified
(see 7.1.2).
7.4.1 Purchasing processf) determine and manage the risk when selecting and using
suppliers (see 7.1.2).
8.5.3 Preventive actionNOTE Examples of preventive action opportunities include risk management, error proofing, failure mode and effect analysis (FMEA), and information on product problems reported by external sources.
8.2.4When the organization uses sampling inspection as a means of product acceptance, the sampling plan shall be justified on the basis of recognized statistical principles and appropriate for use (i.e., matching the sampling plan to the criticality of the product and to the process capability).
AS 9100 – 7.1.2 Risk ManagementAS 9100 – 7.1.2 Risk Management
Does Risk Apply in Other Parts of the AS9100 Standard– Explicit?
– Implied?
How does this apply throughout the AS9100 standard– Processes?
– Decisions/Behaviors?
– 4.1 General Management System Requirements
– 7.1 Product Realization Planning
– 7.3 Design & Development Lifecycle Processes
– 7.5 Production & Service Provision
– 8.1 Measurement, Analysis & Improvement
Potential Impacts – Large CompaniesPotential Impacts – Large Companies
Varying Applicability to Different Functions
Risk Processes…..‘appropriate to the product and the organization’ (7.1.2)
Prog/Proj
Eng. Supplier Mgmt
S&MA Individual Tasks
Others
Risk Resp. Assignment X X X X
Risk Definition X X X X
ID, Assess, Comm. X X X X
Implement & Management
X X X X X
Acceptance X X X X X
How Do Risk Responsibilities Vary?– Program – Cost, Schedule, Technical
– Engineering – Design, Technology Capability, Others
– Supplier Management – Supplier Capability, Cust/Supplier Interface, Others
– S&MA – Independent Oversight (Processes, Suppliers, Etc.), Others
– Individuals – Application of Risk to Option Decisions
Potential Impacts – Small CompaniesPotential Impacts – Small Companies
Varying Applicability to Different Functions
Risk Processes…..‘appropriate to the product and the organization’ (7.1.2)
Sales, Contracts
Prod. Planner
Purch Manuf Inspector Other
Risk Resp. Assignment X X X X X
Risk Definition X X
ID, Assess, Comm. X X X
Implement & Management X X X X X
Acceptance X X X X X
How Do Risk Responsibilities Vary?– Sales & Contracts – Understanding of User Needs/Requirements &
Comparison of User Needs To Organizational Capabilities– Production Planner – Applying “Appropriate” Methods Associated with Risk
to Meeting User Needs & Requirements– Purchasing – Vendor Capability, Risk/Criticality Communication, Others– Manufacturing – Applying “Appropriate” Methods – Inspector – Independent Verification– Individuals – Application of Risk to Option Decisions
Risk Case StudiesRisk Case Studies
What Have We Covered?– General Discussion on Risk Theories
– Relationship to AS9100c Standard
Time to put your Auditor Hats Back On
Case Studies– Risk Associated With Product
– Risk Associated With Processes
– Risk Associated With People
Product Risk in Lower Tier Product Risk in Lower Tier OrganizationsOrganizations
In Your Pre-Audit Planning, You Find that the Organization’s Customer provided the Organization with a PO on a very challenging task that includes providing a product that is more complicated than other products previously manufactured.
•What Additional Questions Would You Pursue in Pre-Audit Discussions•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)•Area Where Risks Might Be Identified (7.1.2 c)
•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)How Are Risks Communicated (7.1.2 c)What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)
•Onsite Audit
•Types of Questions You Would Pursue
•Types of Issues/Findings That May Develop
Product Process People
What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts??
ProcessProcess Risk in Lower Tier Risk in Lower Tier OrganizationsOrganizations
Product Process People
What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts??
In Your Pre-Audit Planning, You Find that the Organization’s Customer provides the organization with a PO that includes a task that you do not have the capability for. You outsource this task to a vendor that you have never used before.
•What Additional Questions Would You Pursue in Pre-Audit Discussions•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)•Area Where Risks Might Be Identified (7.1.2 c)
•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)How Are Risks Communicated (7.1.2 c)What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)
•Onsite Audit
•Types of Questions You Would Pursue
•Types of Issues/Findings That May Develop
People Risk in Lower Tier People Risk in Lower Tier OrganizationsOrganizations
Product Process People
What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts??
In Your Pre-Audit Planning, You Find that the Organization’s Customer transferred a large contract to this organization. The organization had to increase your workforce by 20% and add shift work. In your last audit your recall that the Organization was Working at/near capacity.
•What Additional Questions Would You Pursue in Pre-Audit Discussions•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)•Area Where Risks Might Be Identified (7.1.2 c)
•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)How Are Risks Communicated (7.1.2 c)What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)
•Onsite Audit
•Types of Questions You Would Pursue
•Types of Issues/Findings That May Develop
Risk Management Processes
Theory AppliedTheory Applied
Risk Mitigation Behaviors within
a process
Product & Technical
Risks
Special What???Special What???
Critical
Key
Special
Characteristic
Requirement
Items
3 Terms and Definitions3 Terms and Definitions
3.2 Special requirements
Those requirements identified by the customer,
or determined by the organization, which have high risks to being achieved thus, requiring their inclusion in the risk management process. Factors used in the determination of special requirements include product or process complexity, past experience and product or process maturity. Examples of special requirements include performance requirements imposed by the customer that are at the limit of the industry’s capability, or requirements determined by the organization to be at the limit of their technical or process capabilities.
3 Terms and Definitions3 Terms and Definitions
3.3 Critical items
Those items (e.g., functions, parts, software,
characteristics, processes) having significant effect on the product realization and use of the product; including safety, performance, form, fit, function, producibility, service life, etc.; that require specific actions to ensure they are adequately managed. Examples of critical items include safety critical items, fracture critical items, mission critical items, key characteristics, etc.
3 Terms and Definitions3 Terms and Definitions
3.4 Key characteristic
An attribute or feature whose variation has a significant effect on product fit, form, function, performance, service life or producibility, that requires specific actions for the purpose of controlling variation.
NOTE Special requirements and critical items are new terms and, along with key characteristics, are interrelated. – Special requirements are identified when determining
requirements related to the product (see 7.2.1). – Special requirements may then require the identification of
critical items. – Design output (see 7.3.3) may then include identification of
critical items that require specific actions to ensure they are adequately managed.
– Some critical items will be further classified as key characteristics because their variation needs to be controlled.
Special Requirements, Critical Items Special Requirements, Critical Items & Key Characteristics& Key Characteristics
Key Characteristics Simplified– Communication of Criticality Between Engineering &
Production
– In House Production or Outsourced Production
Special Requirements & Critical Items Simplified– Communication of Criticality Between
Customer & Organization (SR)Engineering & Engineering (CI)
– In House Engineering or Outsourced Engineering
Common Expectations– Consideration for Use of More Rigorous Controls in Process
– Risk Based Approach to Identification, Analysis and Communication of Customer and Product Requirements
Proposal Contract Design Manufact.ProductDelivery
Integrate
Purchasing
All Requirements are not created equal
Monitoring and Inspection Activities
•Communication & Understanding of Risks•Risk Based Decisions and Actions in Individual Processes
Operational Options that Need Risk Oriented Decisions associated with Special Requirements
•Design Approach
•V&V Approach
•Monitor & Insp. Approach
•Supplier Oversight
RFQ
Suppliers
Communication of Supplier Requirements-Key Characteristics-
Special Requirements, Special Requirements, Critical Items & Key Critical Items & Key
CharacteristicsCharacteristics
Identification of Special Requirements
Identification of Critical Items & Key Characteristics
7.1 Planning of Product Realization7.1 Planning of Product Realization
7.1 Planning of product realization
The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system (see 4.1). In planning product realization, the organization shall determine the following, as appropriate:
a) quality objectives and requirements for the product;
NOTE Quality objectives and NOTE Quality objectives and requirementsrequirements for the product include consideration for the product include consideration of aspects such asof aspects such as
− − product and personal safety,product and personal safety,
− − reliability, availability and maintainability,reliability, availability and maintainability,
− − producibility and inspectability,producibility and inspectability,
− − suitability of parts and materials used in the product,suitability of parts and materials used in the product,
− − selection and development of the software that contributes to the function of the selection and development of the software that contributes to the function of the product, andproduct, and
− − recycling or final disposal of the product at the end of its life.recycling or final disposal of the product at the end of its life.
f) configuration management appropriate to the product, its context and environment;
g) the identification of resources to support the use and maintenance of product.
The output of this planning shall be in a form suitable for the organization's method of operations.
Identification & Communication
7.2.2 Review of Requirements Related to Product7.2.2 Review of Requirements Related to Product
7.2.1 Determination of requirements related to the productThe organization shall determinea) requirements specified by the customer…….b) requirements not stated by the customer but necessary for specified or
intended use, where known,c) statutory and regulatory requirements applicable to the product, andd) any additional requirements considered necessary by the organization.
NOTE Requirements related to the product can include Special NOTE Requirements related to the product can include Special RequirementsRequirements
7.2.2 Review of requirements related to the productThe organization shall review the requirements related to the product. This review shall be conducted prior to the organization's commitment to supply a product to the customer …… and shall ensure thata) product requirements are defined,c) the organization has the ability to meet the defined requirements,d) special requirements of the product are determined, andd) special requirements of the product are determined, ande) risks (e.g., new technology, short delivery time frame) have been e) risks (e.g., new technology, short delivery time frame) have been
identified (see 7.1.2).identified (see 7.1.2).
Under- standing
Identification & Communication
7.3.1 Design and Development Planning7.3.1 Design and Development Planning
7.3.1 Design and development planning
Where appropriate, the organization shall divide the design and development effort into distinct activities and, for each activity, define the tasks, necessary resources, responsibilities, design content, input and output data and planning constraints.
The different design and development tasks to be carried out shall
be based on the safety and functional objectivessafety and functional objectives of of the product in accordance with the product in accordance with customer, customer, statutory and regulatorystatutory and regulatory requirements. requirements.
Under- standing
Design and Development Outputs & Design and Development Outputs & Verification/ValidationVerification/Validation
7.3.3 Design and development outputs
The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release.
Design and development outputs shall
e) specify, as applicable, any critical itemsspecify, as applicable, any critical items, including any key characteristics, and specific actions to be taken for these items.
7.3.6 Design and development validation
Design and development validation shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where known.
7.3.6.2 Design and/or development verification and validation documentation
At the completion of design and/or development, the organization At the completion of design and/or development, the organization shall ensure that reports, calculations, test results, etc., shall ensure that reports, calculations, test results, etc., demonstrate that the product definition meets the specification demonstrate that the product definition meets the specification requirements for all identified operational conditions. requirements for all identified operational conditions.
(7.1.2.e – Acceptance of Risk)(7.1.2.e – Acceptance of Risk)
Decision
Decision
Identification & Communication
7.5.1 Control of Production and Service Provision7.5.1 Control of Production and Service Provision
7.4.2 Purchasing informationPurchasing information shall describe the product to be purchased, including where appropriate
e) requirements for design, test, inspection, verification, use of statistical techniques for product acceptance, and related instructions for acceptance by the organization, and as applicable and as applicable critical items including key characteristicscritical items including key characteristics,,
7.5.1 Control of production and service provisionPlanning shall consider, as appropriate
− establishing, implementing and maintaining appropriate processes establishing, implementing and maintaining appropriate processes to to manage critical items, including process controls where key manage critical items, including process controls where key characteristicscharacteristics have been identified, have been identified,
8.2.4 Monitoring and measurement of product
When critical items, including key characteristicsWhen critical items, including key characteristics, have been , have been identified the organization shall ensure they are controlled and identified the organization shall ensure they are controlled and monitored in accordance with the established processes.monitored in accordance with the established processes.
Decision
Identification & Communication
Decision
SR/CI Case StudiesSR/CI Case Studies
What Have We Covered?– General Discussion on SR/CI Theories
– Relationship to AS9100c Standard
Time to put your Auditor Hats Back On
Case Study– SR/CI - Space
Products Product Meets Requirements Reliability program requirements Critical items control & management Mission/Product Assurance Processing induced hazards
RiskRiskRiskRisk
Behaviors
Risk Identification
Analysis & Prioritization
Elevation of risk (communication)
Mitigation Decision Making
Human factors skill / training
Processes
Program plans
Structured Independence Processes
Mission Assurance Plan (MAP)
Defining of risk controls
AS9100 Standard
Realization Process Risk Planning
Contracts
Design
Procurement
Manufacturing
Inspection
Why do we think this change to the standard was made?
Risk Management ProcessesRisk Management Processes
– To Much QMS Focus on
Compliance To QMS RequirementsCost & Schedule
– Need Additional Focus on Risk & Risk Based DecisionsProcessProduct
Potential Impacts To OrganizationsPotential Impacts To Organizations
Processes– Program Management– Engineering– Purchasing– Supplier Management– S&MA– Others
Procedures– Project & Design Lifecycles– Procurement– S&MA, SR&QA, Product Assurance, Etc.
People– Identification and Communication of Risk– Understanding Options Within Processes, and
Associated Decision Options – Application of Risk in Decision Making Process
Challenges (i.e. Implementation Risks)Challenges (i.e. Implementation Risks)
CBs & Auditors– Understanding the Varied Potential Applications of Risk in a QMS,
Process, or Product lifecycle– Educate Yourselves on the Broadness of Risk Applicability in a QMS– Develop Sensible But Meaningful Approaches to Auditing Risk– Plan for a Successful Role out of a Risk Audit Approach– Communicate with Audit Staff & Other Affected Parties– Communicate with Your Customers on
Applicability of Risk within their QMSBalanced Application of Cost, Schedule & Risk within an
Organizations QMS.Ensuring Processes Identify and Communicate Risks &
Appropriated Decisions are Made to Ensure that Risks are Handled
– Ensure Consistency to Mitigate Confusion
Not Covered in This Presentation– Risk & Project Management– Risk & Configuration Management
Questions ??Questions ??
Critical
Key
Special
Characteristic
Requirement
Items
Risk