David S Smart
Management Consultant, Business Coach & Mentor
My ISO experience spans more than 40 years as a Manager, Auditor and Consultant, specializing in Information Security, Quality, Health
& Safety, Environmental, Medical device, Laboratory, Outsourcing and Asset management systems; senior management consulting and
optimization of Client resources.
My coaching and mentoring experience covers over 8 years assisting managers and directors to achieve their business goals and also
develop the associated skillsets to achieve them.
++44 (0)1592 890270
david.smart@homecall.co.uk
www.smartmentoring.co.uk
linkedin.com/david.smart
twitter.com/david.somerville.smart
fb.com/david.smart503092
RISK MANAGEMENT
WHAT IS RISK?
According to ISO 31000, risk is the “effect of uncertainty on
objectives” and an effect is a positive or negative deviation from
what is expected.
ZERO DEFECT CONCEPT
ZERO DEFECT EXAMPLES
 Zero defects aim in a manufacturing process
 Zero tolerance to domestic abuse
 Zero tolerance to alcohol
BANKING ON US
WORKED EXAMPLE
LINKING ZERO DEFECT CONCEPT WITH RISK
ASSESSMENT PROCESS
Worked Example:
Sustainability of supply of goods and services
to “Bank On Us”
RISK ASSESSMENT CRITERIA - EIGHT HEADERS
 Regulatory compliance
 Financial indicators
 Exit strategy
 Business continuity
 Information security
 Reputational risk
 Service risk
 Country specific risk
HEADER ONE – REGULATORY REQUIREMENTS
Question 1 – What method do you use to keep your
legislation up-to-date?
Sources:
• Lawyer
• Trade journal
• Paid subscription
• Internet trawl
• Competent person
HEADER TWO – FINANCIAL INDICATORS
Question 1 – How often are cash-flow projections checked?
Frequency:
• Weekly
• Quarterly
• Annually
• Never
HEADER THREE – EXIT STRATEGY
Question 1 – What is your exit strategy?
Options:
• Family succession
• Management buy-out
• Management buy-in
• Trade sale
• Buy-in management buy-out
• Stock market floatation
HEADER FOUR – BUSINESS CONTINUITY PLANNING
Question 1 – How is your business continuity plan tested?
Methods:
• Walk through
• Simulation exercise
• Penetration test
HEADER FIVE – INFORMATION SECURITY
Question 1 – How many security breaches have you had
this year?
Number of breaches:
• Less than 50
• More than 50
• Over 100
HEADER SIX – REPUTATIONAL RISK
Question 1 – How are you testing your reputation in the
marketplace?
Data collection method:
• Face-to-face interviews
• Postal surveys
• Telephone surveys
• Social media comments
HEADER SEVEN – SERVICE RISK
Question 1 – What are your customer retention rates?
Rate:
• Less than 20%
• Between 20% & 40%
• More than 50%
HEADER EIGHT – COUNTRY SPECIFIC RISKS
Question 1 – Do you source your products using a fair trade
policy?
Measure:
• Pay a minimum wage
• Pay more than the minimum wage
• Provide health care for your employees
RISK ASSESSMENT CALCULATION TABLES
Vendor Rating Program
Company Name: Bank on us Date: Oct-11
Risk Category
Regulatory Compliance
1. Which method do you use to keep your legislation up-to-date?
Method Likelihood Consequence Result Control measure REN - Table 2
Lawyer 1 0 0 Embedded 1 0
Trade journal 2 0 0 Recognised 2 0
Paid subscription 1 0 0 None 4 0
Internet trawl 3 0 0 Recognised 2 0
Competent person 1 0 0 Embedded 1 0
Total 0
2. How is it ensured that all stakeholders are kept up to date with legislation?
Method Likelihood Consequence Result Control measure REN - Table 2
email attachment 2 0 0 Recognised 2 0
Hand delivery 2 0 0 Recognised 2 0
Telephone call 3 0 0 None 4 0
Doc. management system 1 0 0 Embedded 1 0
Total 0
3. What follow-up actions do you take to ensure the legislation is understood by stakeholders?
Method Likelihood Consequence Result Control measure REN - Table 2
Walk the line 1 0 0 Embedded 1 0
Set a questionnaire 2 0 0 Recognised 2 0
Manager is responsible 3 0 0 None 4 0
Total 0
THANK YOU FOR YOUR TIME
DURING THIS PRESENTATION
Email: d.smart18@yahoo.co.uk
Website: smartmentoring.co
?
QUESTIONS
++44 (0)1592 890270
davidsomervillemart@gmail.com
www.smartmentoring.co.uk
linkedin.com/david.smart
Twitter.com/davidsomervillesmart
fb.com/david.smart503092
THANK YOU

Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...Nguyen Thanh Tu Collection
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesVijayaLaxmi84
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroomSamsung Business USA
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...Nguyen Thanh Tu Collection
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsArubSultan
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
DBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfDBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfChristalin Nelson
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Osopher
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfChristalin Nelson
 
How to Uninstall a Module in Odoo 17 Using Command Line
How to Uninstall a Module in Odoo 17 Using Command LineHow to Uninstall a Module in Odoo 17 Using Command Line
How to Uninstall a Module in Odoo 17 Using Command LineCeline George
 
The role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipThe role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipKarl Donert
 
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...DrVipulVKapoor
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 

Recently uploaded (20)

MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdf
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their uses
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristics
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
DBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfDBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdf
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research Discourse
 
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdf
 
How to Uninstall a Module in Odoo 17 Using Command Line
How to Uninstall a Module in Odoo 17 Using Command LineHow to Uninstall a Module in Odoo 17 Using Command Line
How to Uninstall a Module in Odoo 17 Using Command Line
 
The role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipThe role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenship
 
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 

ISO Risk Management and Zero Defect Concept

  • 2. David S Smart Management Consultant, Business Coach & Mentor My ISO experience spans more than 40 years as a Manager, Auditor and Consultant, specializing in information Security, Quality, Health & Safety, Environmental, Medical device, Laboratory, Outsourcing and Asset management systems; senior management consulting and optimization of Client resources. My coaching and mentoring experience covers over 8 years assisting managers and directors to achieve their business goals and also develop the associated skillsets to achieve them ++44 (0)1592 890270 david.smart@homecall.co.uk www.smartmentoring.co.uk linkedin.com/david.smart twitter.com/david.somerville.smart fb.com/david.smart503092
  • 4. WHAT IS RISK? According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected.
  • 7. ZERO DEFECT EXAMPLES • Zero defects aim in a manufacturing process • Zero tolerance to domestic abuse • Zero tolerance to alcohol
  • 9. LINKING ZERO DEFECT CONCEPT WITH RISK ASSESSMENT PROCESS Worked Example: Sustainability of supply of goods and services to “Bank On Us”
  • 10. RISK ASSESSMENT CRITERIA - EIGHT HEADERS • Regulatory compliance • Financial indicators • Exit strategy • Business continuity • Information security • Reputational risk • Service risk • Country specific risk
  • 11. HEADER ONE – REGULATORY REQUIREMENTS Question 1 – What method do you use to keep your legislation up-to-date? Sources: • Lawyer • Trade journal • Paid subscription • Internet trawl • Competent person
  • 12. HEADER TWO – FINANCIAL INDICATORS Question 1 – How often are cash-flow projections checked? Frequency: • Weekly • Quarterly • Annually • Never
  • 13. HEADER THREE – EXIT STRATEGY Question 1 – What is your exit strategy? Options: • Family succession • Management buy-out • Management buy-in • Trade sale • Buy-in management buy-out • Stock market floatation
  • 15. HEADER FOUR – BUSINESS CONTINUITY PLANNING Question 1 – How is your business continuity plan tested? Methods: • Walk through • Simulation exercise • Penetration test
  • 16. HEADER FIVE – INFORMATION SECURITY Question 1 – How many security breaches have you had this year? Number of breaches: • Less than 50 • More than 50 • Over 100
  • 17. HEADER SIX – REPUTATIONAL RISK Question 1 – How are you testing your reputation in the marketplace? Data collection method: • Face-to-face interviews • Postal surveys • Telephone surveys • Social media comments
  • 18. HEADER SEVEN – SERVICE RISK Question 1 – What are your customer retention rates? Rate: • Less than 20% • Between 20% & 40% • More than 50%
  • 19. HEADER EIGHT – COUNTRY SPECIFIC RISKS Question 1 – Do you source your products using a fair trade policy? Measure: • Pay a minimum wage • Pay more than the minimum wage • Provide health care for your employees
  • 24. Vendor Rating Program
       Company Name: Bank on us
       Date: Oct-11
       Risk Category: Regulatory Compliance

       1. Which method do you use to keep your legislation up-to-date?

       Method                   Likelihood  Consequence  Result  Control measure  REN - Table 2
       Lawyer                   1           0            0       Embedded 1       0
       Trade journal            2           0            0       Recognised 2     0
       Paid subscription        1           0            0       None 4           0
       Internet trawl           3           0            0       Recognised 2     0
       Competent person         1           0            0       Embedded 1       0
       Total: 0

       2. How is it ensured that all stakeholders are kept up to date with legislation?

       Method                   Likelihood  Consequence  Result  Control measure  REN - Table 2
       email attachment         2           0            0       Recognised 2     0
       Hand delivery            2           0            0       Recognised 2     0
       Telephone call           3           0            0       None 4           0
       Doc. management system   1           0            0       Embedded 1       0
       Total: 0

       3. What follow-up actions do you take to ensure the legislation is understood by stakeholders?

       Method                   Likelihood  Consequence  Result  Control measure  REN - Table 2
       Walk the line            1           0            0       Embedded 1       0
       Set a questionnaire      2           0            0       Recognised 2     0
       Manager is responsible   3           0            0       None 4           0
       Total: 0
  • 25. THANK YOU FOR YOUR TIME DURING THIS PRESENTATION Email: d.smart18@yahoo.co.uk Website: smartmentoring.co

Editor's Notes

  1. My ISO experience goes back to the days of BS5750, where I was lucky enough to be part of a large project team putting BS5750 into two large manufacturing plants back in 1979. I registered as a consultant with PERA after being made redundant twice in 3 years, when I set up my consultancy practice as Smart Quality Systems. Credibility was a problem I had, so I joined a large American consultancy firm working on corporate projects throughout Europe for 3 years, which gave me exposure in Europe and also broader consultancy experience apart from quality. I worked in North America for around 9 years on projects with mostly SMEs, broadening my experience even further by working on other ISO Standards. In 2008 I came home and set up Smart Mentoring to complement my ISO skills. I feel companies often do not fully understand the benefits that ISO systems can bring to a business. They focus too much on the marketing side (the "badge up on the wall" mentality), using them as bolt-on systems without looking at the bottom-line savings that can be made by improving their internal processes through better resource utilisation.
  2. Risk definition: This definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there’s always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both. Because of this, we need to reduce uncertainty as much as possible. Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.
  3. We generally see risk on the negative side, as the following examples demonstrate: Health – cancer; Environment – oil spills; Car – injury. But there is also a positive side to risk, which is taking an opportunity when it is presented to us. Depending on your appetite for risk, you will either be averse to risk and tend to stick within your comfort zone, or be risk seeking and willing to come out of your comfort zone and take a chance, believing that the bigger the risk the larger the reward.
  4. Zero Defects (or ZD) was a management-led program to eliminate defects in industrial production that enjoyed brief popularity in American industry from 1964 to the early 1970s. Quality expert Philip Crosby later incorporated it into his "Absolutes of Quality Management" and it enjoyed a renaissance in the American automobile industry, as a performance goal more than as a program, in the 1990s. Although applicable to any type of enterprise, it has been primarily adopted within supply chains wherever large volumes of components are being purchased (common items such as nuts and bolts are good examples). As you can see from the examples, its use has now spread to the service industries. In my first example, zero tolerance to domestic abuse is used by the social services to help prevent domestic violence, and in the second example the police use it to cut down on alcohol consumption in public places.
  5. We are going to use a bank (Bank On Us) as an example of how they might determine whether their vendors are going to be able to supply the goods and services the bank needs in order to supply its own services to its customers. I have taken a service industry as we all use the services of a bank and understand the basic processes. However, this approach could be used in any sector by changing the assessment criteria.
  6. These were the headers selected by the bank themselves to measure the sustainability of supply. These headers were then broken down into questions, along with a set of criteria to assess them against.
  7. I have just taken one question to illustrate the method; there can be as many questions as you want. However, a note of caution: keep your questions to the key ones and do not get “paralysis by analysis” syndrome. We then have five sources where we can get the information from. The risk assessment team in the bank then go on and ask the question to the vendor and do their own assessment, e.g. using the internet to gather their own information. After collating and analysing the data from both sources, the team allocate the numbers in the spreadsheet, which calculates the risk exposure number. Let us assume the vendor says they do an internet trawl and the bank’s team come to the conclusion that this method is not as effective as the others; then they will calculate a higher level of risk exposure than if they felt the vendor's method was more secure. The subsequent control measure(s) will in turn be more stringent than if the team felt comfortable with the vendor’s measures.
  8. This time only four sources have been selected, but if it was a start-up situation you would probably check them daily, then a bit less often, say after 3 months of trading. Likewise, if the company was going through difficult trading times then they would check their cash-flow accrual and projected calculations. It is important to remember the number one reason for a business failing is cash flow. You could be owed a substantial sum of money by your customers but could go bust before you are paid.
  9. There are six ways in which a company can develop an exit strategy. Which option is taken will have major impacts on the bank. Within each option there are sub-categories, e.g. in option one, “Family succession”, the sub-categories are whether this is a first, second, third etc. generation that is going to take the business over. How the bank’s team assess the strengths and weaknesses of the family members will determine how closely they will have to monitor the situation.
  11. Again, the control measures will depend on how the risk management team view the security of their assets. If, for example, they are outsourcing their customer’s statements, then a walk-through would probably not suffice. The bank will have its own IT resource, who will probably conduct penetration tests themselves or hire, e.g., an ethical hacker to do this on their behalf.
  12. The first question that will need to be asked is “how knowledgeable are the outsourced organisation on assessing the risks the bank's info is being exposed to?” If, for example, it takes an ethical hacker two minutes (which is not hard to achieve), then the bank will have to monitor the situation very closely, including whether they want to look for a new vendor. Think of the recent breaches we have seen in the news – TalkTalk etc.
  13. Bad news travels faster than good news. We used to say a bad comment will be shared with ten others; now the whole world can hear about us in an afternoon. Social media is a very powerful marketing tool. Corporate social responsibility is high on the list of company objectives; gone are the days when we could say the objective of a company is to make money. If we ignore our social responsibilities, e.g. dump contaminated water into our rivers, we won’t be in business long.
  14. A definition of retention rates will need to be agreed first of all, e.g. a customer who has placed a repeat order with us in the last six months. Again, the order size and price might come into the equation. If there are high retention rates then in general the service levels must be good. The banks are a good example of how we used to trust them and hardly ever change our account with them to another bank. However, the fiasco when they had to be bailed out changed our loyalty and trust patterns. Marks and Spencer is another example of complacency; it is very unlikely they will be recognised as the number one in both choice of clothing and service levels.
  15. This again is linked into being seen as a good corporate citizen, not encouraging “sweat shops”, and making sure the raw products are obtained from a sustainable source, e.g. planting 3 trees for every one chopped down. It also means looking at the stability of the country: is there rampant inflation, is it a dictatorship, is terrorism a major issue?
  16. Table 1 – Risk identification. There are many ways of doing risk assessments, both qualitative and quantitative. We are going to use the most common method as it is easy to understand, but it is subjective, depending on the knowledge and experience of the risk assessment team when assessing the risk factors. There are three categories for the likelihood of the risk occurring, ranging from highly unlikely to probable. Along the bottom axis we have the range of consequences of the risk occurring, again ranging from harmful to extremely harmful. We have now calculated the likelihood and consequence score to carry forward to the next table.
  17. Carrying our score over from table one gives us the vertical axis score; we then have to decide what the score is when taking the control measures into consideration. You see that the “traffic light principle” has been used here: green for “Go”, amber for “Caution” and red for “Stop”. Where we land on the matrix will determine which actions to take to monitor the situation.
  18. Table 3 – Risk control measures. This table suggests possible actions to take to monitor the risks, again using the traffic light principle. We can see that there are two categories for “Green”, low and tolerable, and two categories for “Red”, substantial and intolerable. Possible courses of action, along with timeframes for them happening, are given. Note: Sometimes five categories are used instead of three for the tables, either using words to describe them, e.g. one in a hundred chances of this happening, or expressed as percentages, i.e. 20% probability of the event happening.
  19. This is part of the spreadsheet I used for “Bank On Us”. The text is a bit small to read, so I will talk a little on the content and how it is used. There are three questions asked in the category regulatory compliance: What method do you use to keep your legislation up-to-date? How is it ensured that all stakeholders are kept up to date with legislation? What follow-up actions do you take to ensure legislation is understood? I have then categorised the risk methods into high, medium & low (i.e. 1, 2, 3), followed by the consequences it would have on the bank. The result is the risk multiplied by the consequence. The next step is to consider the control measure put in place, ranging from none to recognised or embedded in the organisation, with a score of 1 being low risk (embedded in the organisation) and 4 being high (no control measures in place). The risk exposure number (REN) is then calculated. The final part is to calculate the overall risk category by adding up the RENs for each question, which gives us the grand exposure number for the regulatory compliance category. The overall score for each category will need to be aggregated and bands introduced to decide whether the vendor stays on the approved supplier list.