By Paul Harbath, Quality Management Consultant
In AS9100D “Risk Based Thinking” is considered a basic principle of an effective quality system. Last week we discussed how to identify potential risks in your quality management system.
To meet the “Risk Based Thinking” requirement your quality system must retain documented evidence that the following happens regularly:
- Identify potential risks in your quality management system
- Analyze and evaluate the risks
- Mitigate, control and monitor unacceptable risk
This week we will discuss how to “analyze and evaluate” the potential risks you have identified.
There are two broad types of risk assessment/evaluation:
- Qualitative risk analysis
- Quantitative risk analysis
Qualitative risk analysis is the process of prioritizing risks for further analysis by assessing the probability of occurrence and potential impact of each risk. There are simple diagrams like probability/impact matrix, balanced scorecard, expected value and others that can be used to determine the qualitative risk.
Quantitative risk analysis is the process of numerically analyzing the effect of potential risks. Even though there are other methods to create the numerical value of quantitative risk the primary tool is FMEA.
Failure Mode Effects Analysis (FMEA) is a tool that uses the 3 categories to create a numerical value for the potential risk.
The three categories are:
- Severity – If the risk were to happen how severe would it be for you or your stakeholders?
- Occurrence – How often does your team think the risk could potentially happen?
- Detection – How confident are you in your systems ability to “detect and control” the risk if it were to occur?
Each of these three categories are rated using a value from 1-10. The ratings are defined in tables like the one below.
After rating each of the three categories the values are multiplied together to get an RPN (Risk Priority Number) that represents the significance of the risk. In the example below two of the potential risks of not meeting our customers’ on-time delivery expectations are above the acceptable RPN value.
The calculated RPN value represents the numerical value of the significance of the risk. You will define an RPN value that requires mitigation of the risk. In the case above we have defined an RPN value greater than 100 requires evaluation of action to reduce the risk.
The process above can seem complicated but after you have done it once you will find the process relatively easy.
There are many great references on risk management. One of my favorites is the “Risk Management – Memory Jogger”. These references can help you create a formal method for meeting the “Risk Based Thinking” requirements of AS9100D.
In part 3 of AS9100D tips on risk based thinking we will discuss how to mitigate, control and monitor unacceptable risk.
Paul Harbath is an industry expert with over 30 years of hands on experience in helping small manufacturers understand/implement quality management systems and lean/6-Sigma. Paul has a demonstrated ability to connect with the value adding employees by simplifying complex technical issues. Connect with him on LinkedIn.