Documente Academic
Documente Profesional
Documente Cultură
E-mail lnformation@emeraldinslght.com
Customer helpdesk:
Tel +44 (o) 1274 785278; Fax +44 (o) 1274 785204;
E-mail support@emeraldinsight.com
Web www.emeraldinsight.com/ customert:harter
The three phases and the s teps in the process are presented in Figure l.
With respect to the first risk, the assessment task is to understand what is at risk
70 and what events could potentially cause harm or benefits. The risk recognition phase
has two parts:
(1) context establishment, which defines what is at risk; and
(2) risk identification, which covers the identification within the established
context of uncertain events that could cause harm or benefits, their
associated causes and their potential consequences.
Once the risks have been identified, the next stage is to understand the nature and level
of the risks, so that they can be managed in an appropriate manner. This risk
prioritisation phase has two parts. This first is risk analysis, which is based on
likelihood and consequence. Likelihood depends on the probability of occuiTence and
the frequency of activity. The consequence can be measmed in many ways, such as
effects on results or on the enablers of results. The second is risk evaluation. After an
analysis has been undertaken, risks· are evaluated against an appropriate
risk-acceptance criterion to give a ranking, for example "low" (tolerable), "medium"
(which should be as low as reasonably practicable), and "high" (intolerable). Risk
assessment is then made and can take place either quantitatively or qualitatively using
techniques such as the facilitated workshop.
Once a risk assessment has been completed, the risk profile of an organisation can
be determined. This shows the scale and complexity of risks faced and depicts the
number of risks for each level. It is a representation of the risk exposure of the
organisation, which ideally equates to the risk capacity (the maximum resource that
.§"
prioritisation
:::::
=
E Evaluate Risks
(')
<
;;·
E :;:
0
Figure L u yes
Risk assessment process
(Standards Australia and
Standards l\ew Zealand,
R;,k}
management no
2004a, b) Treat Risks
the organisation is willing to put at risk) and risk appetite (the amount of risk the Quality and risk
organisation is willing to take).
The next stage in the process of risk management is the management of the
management
risks which have been identified and prioritised. The way risks are managed can
again be categorised in different ways. Perhaps the simplest of these is the "four
Ts" (European Foundation for Quality Management, 2005), shown in Figure 2.
The "four Ts" model sets out four ways of dealing with unacceptable risks: 71
• tenninate - cease activities related to the risk (e.g. giving up smoking avoids
associated health risks);
• treat - add control measures or contingency plans to manage the likelihood and
consequence of events (e.g. wearing a hard hat reduces the consequences of being
hit by a falling object): additional control measures or contingency plans become
pa1t of the management system.
• tolerate - accept the risk; and
• transfer - move the impact of risks to another entity (e.g. insurance).
A fifth approach to managing risk (i.e. a fifth "T", we might call "trade-off''), which is
often used by the financial sector, is risk neutralisation. This is the offsetting of 1isks
against each other, so they cancel each other out (e.g. pooling and hedging are both 1isk
neutralisation methods).
The EFQM, true to its more quality-orientated background, stresses two final stages
which are passed over somewhat faster in some other models (e.g. the Treadwell
Commission (Committee of Sponsoring Organisations, 2004) and the AUNZ standard
(Standards Australia and Standards New Zealand, 2004a, b)). These stages are the
review and learning and improvement stages. They involve comprehensive monitoring
so that the review system is based on facts and reviews the entire system to draw out
the learning points and to drive continuous improvement. Most approaches also
emphasise that the risk management system should be linked to punishment and
reward systems (e.g. transgressors should be punished strongly).
This whole process has been developed by the European Foundation for Quality
Management (2005) into what they describe as a risk assurance management system.
They argue that this is needed to ensure that planned Iisk management activities are
implemented as intended and that lessons learned drive fmther improvements. Risk
assurance management systems are, in general, constructed around a continuous
improvement loop. An example of a generic risk assurance management system as
suggested by the European Foundation for Quality Management (2005) is given in
Figure 3.
72
Figure 3.
Generic risk assurance
management system
Source: EFQM (2005)
Based on this analysis, it is concluded that risk management is clearly in1portant for
many organisations. To help them, a number of comprehensive risk management
models, systems and procedures have been developed. However, there are other ways
in which quality management experience and expertise might be able to assist. T hese
are now examined.
It is therefore hardly surprising that operational risks have long been seen as
dangerous in non-financial circles, but recent events have shown that their power has
also been realised in the financial world. For example, the banking supervisors
assumed in 1999 on the basis of surveys that no less than 25 percent of current
regulatory capital was needed to allow for operational risk (Basel Committee on
Banking Supervision, 1996). However, not every operational loss should be seen as a
risk; only the unexpected ones - and the unacceptable ones. Only those losses are
designated as risks, which exceed the expected losses that have already been factored
into the price. If an organisation accepts the risk of a new supplier it does so on the
proviso that the new supplier is providing goods or services at lower costs. The added
risk that comes from lack of experience of the supplier should be covered by the
savings in the cost of supply.
Similarly, an organisation may accept that because of its style of hire and fire it may
run a high risk of minor theft. This reflects its capacity to take on risks and its attitude
to risk. But it may find it totally unacceptable that such a policy leads to a higher risk
of leakage of confidential information to competitors.
So, operational risks are common and can be dangerous. T he reason why quality
management experience and e>..'J)ertise may be useful is because, in contrast to many
other types of risk, the causes of operational 1isk are seen to lie largely vvithin the
organisation - and therefore within the organisation's own power to eliminate (Geiger,
2000). These risks are often the results of poor management of key processes by the
organisation and its staff. Quality management has spent many years developing tools
and techniques to manage processes and therefore can play a key role in helping to
manage these 1isks. Examples of tools and techniques are:
• making processes more transparent (e.g. by service blueprinting or service
mapping; Shostack, 1987);
• identification of critical points in processes; and
• development of measurements in relation to those critical points.
Other tools that have been developed are, for example, poka yolle systems, robust
designs of products and processes, failure mode and effects analysis, fault tree
analysis, process decision program charts, etc.
Antonovsky (1987, p. 19) suggests the three components are intertwined but separate
and build into a way of viewing how the patterning of life experiences may affect
responses. He believes the most significant feature of a strong "sense of coherence" is
the variety and number of coping sb·ategies available. The "sense of coherence" is not a
specific style of coping. It works because it enables one to select that mode of coping, or
those resources, which seem to be approp1iate to the particular stressors that one faces.
Behaviow- itself cannot be predicted, although the quality of behaviour can. Quality and risk
Antonovsky's (1987) measure of sense of coherence has proved its predictive value, management
having been used by nearly 150 researchers around the world. It has been used to
investigate a wide variety of stressful situations, such as responses to natural disasters
(Kaiser et al., 1996), coping with a partner's dementia (Baro et al, 1996), adaptation of
army families to relocation (Bowen et al., 2003), and the Joss of a family member
Larsson et al(l994). This "sense of coherence" concept brings some predictability to the 83
way individuals meet unpredictable negative circumstances. This acceptance of such - - - - - - - -
circumstances means it could be a useful instrument to enable organisations to select
and develop individuals who will not be overwhelmed by the possibly strongly
negative outcomes of the continually changing, unpredictable business environments
desc1ibed above.
Conclusions
Risk management is a cunent business buzzword. There are widely accepted and
acceptable models and approaches to help executives manage this area. The key steps
have been outlined in this paper - risks must be recognised, prioritised and then
managed.
But, despite all the hype, no one pretends that risk management is easy. In this
context this paper asks and attempts to answer three questions.
(1) What can quality teach risk management?
(2) What can r isk management teach quality?
(3) What must both risk and quality management still learn?
We answer these questions by looking at the three types of risks that have been
identified.
The first type are the predictable risks that organisations !mow they face. These are
probably the most straightforward types of risk to manage, but the whole process
depends on a clear distinction being made between risks caused by pure chance and
risks which have, in quality tenns, special causes. This is often not easy, but it has
been a fundamental first step in the quality approach since Shewhart's original work in
the 1930s (Shewhati, 1931). The distinction is important, since only for those risks not
caused by chance can databases and statistical models be built which can then be used
to enable organisations to decide the size of risk they are willing to accept.
The second type of risks are more difficult to manage. They are the risks that an
organisation knows it might run, but whose causes are essentially idiosyncratic and
caused by chance and thus do not lend themselves to a fonnal statistical approach.
Many important risks, patiicularly in the operations area, fall into this category. We
have suggested that quali ty can help manage this type of 1isk in two major ways. First,
the risks may be unpredictable but past experience suggests that they are often likely
to be related to the weak management of key processes. And quality management has
much knowledge of how to manage such processes effectively. Second, since such r isks
can and do occur anywhere and at any time in an organisation, their management
cannot just be left to top management and a few specialists. Rather, awareness of the
possible importance of risks, and commitment to their management, needs to be
widespread throughout the organisation. This, in most organisations, would require
TQM major organisational and cultural change. And here again, quality management has
18,l years of experience in implementing similar major organisational change processes.
In relation to this second type of 1isks, risk management can teach quality the
importance of clear p1ioritisation. A fundamental part of risk management is initial
careful prioritisation of the risks the organisation faces. Time and effort can then be
concentrated where the need and the payoff will be highest. We would suggest that
84 quality can learn much from such an approach. Quality should be far more careful in
prioritising where it spends its resources. It needs to concentrate on the quality risks
that really matter to the organisation. The incTeasing unpredictability of the business
environment, and the subsequent spreading of the lean manufacturing and lean service
approach, have dangers as well as advantages. The big danger is the importance of
time and the subsequent susceptibility of the organisation to disruptions and delays.
Time is key in three areas:
(1) in the innovation process;
(2) in the prevention of poor quality; and
(3) in the rapid solution of any problems that do occur.
Success in all three of these areas is heavily dependent upon relationships both within
the organisation and between the organisation and its key suppliers and customers.
Causes of poor quality used to lie in poor processes and poor design. Now for many
organisations the causes of inadequate quality lie in poor relationships. So the first
p1iority for their managers should be to develop measures of relationship quality and
then the tools and techniques to improve them. This is a challenge for the academic
quality management fraternity.
The third type of risk is the 1isks which organisations do not know they are
running. For many organisations this is probably the most dangerous form of risk.
And because of the increasing uncertainty and unpredictability in many business
environments, it is this type of risk that is probably increasing fastest. And
quality can be of little assistance here because it too must come to terms with this
newly emerging situation. Both risk and quality management need to accept that,
despite the best systems and procedures that can be devised, the essence of risk is
that in an unpredictable world, failw·es and mistakes are bound to occur. So, both
organisations and individuals need to be able to cope in such a situation. It is
suggested in this context that much can be learned from the study of individuals
who have successfully faced major crises in their lives. Ensuring that an
organisation possesses a critical mass of such individuals might make a major
difference in is ability to withstand the inevitable failure and mistakes that are to
come.
So, the overall conclusion is that quality can be of assistance in relation to managing
risks in at least two of the three types of risks that need managing, especially in
relation to predictable risks and operational risks. Quality will be of little assistance yet
towards managing risks that organisations do not know they are running. Quality can
also learn something from the risk management approaches, especially regarding the
impo1tance of clear prioritisation.
References Quality and risk
Antonovsky, A. (1987), Unravelling the Myste1y of Health: How People Manage Stress and Stay management
Well, Jossey-Bass, San Francisco, CA.
Antonovsky, A. (1993), "The structure and properties of the sense of coherence scale", Social
Science and Medicine, Vol. 36, pp. 725-33.
Baro, F., Haepers, K., Wagenfeld, M. and Gallagher, T. (1996), "Sense of coherence in caregivers
to demented elderly persons in Belgium", in Stefanis, C., Hippius, H. and Muller-Spahn, I.F. 85
(Eds), Neuropsychiat1J• in Old Age: An Update, Hogrefe and Hueber, Toronto, pp. 145-56. - - - - - - - -
Basel Committee on Banking Supervision (1996), "Update on work on a new capital adequacy
framework", Basel Committee on Banking Supervision, Basel.
Basel Committee on Banking Supervision (2003), "Advanced measurement approaches for
operational risk: supervisory expectations", Basel Committee on Banking Supervision,
Basel.
Bazerman, M.H. and Watkins, M.D. (2004), Predictable Smprises: The Disasters you Should Have
Seen Coming, Harvard Business School Press, Boston, MA.
Bowen, G.L., Mancini, ].A., Martin, ].A., Ware, W.B. and Nelson, J.P. (2003), "Promoting the
adaptation of militaiy families: an empirical test of a community practice model", Famib•
Relah:ons, Vol. 52 No. 1, p. 33.
Chenhall, R.H. (2003), "Management control systems design within its org context", Accounting
Orga11isatio11s and Society, Vol. 28, pp. 127-68.
Committee of Sponsoring Organisations (2004), "Enterp1ise risk management framework",
Committee of Sponsoring Organisations of the Treadway Commission, American Institute
of Certified Public Accountants, available at: www.aicpa.org
Conti, T. (1997), Organizational Self-Assessment, Chapman and Hall, London.
Coyle, ]. and Schnarr, N. (1995), "The soft-side challenges of the 'virtual corporation"', Human
Resource Planning, Vol. 18 No. 1, pp. 41-2.
Davidow, W. and Malone, M. (1992), "Virtual corporation", Forbes, pp. 102-7.
Deming, W.E. (1986), Out of the Crisis, MIT Centre for Advanced Engineering Study, Cambridge,
MA.
Dunnett, R.S., Levy, C.B. and Simoes, A.P. (2005), "Managing operational risk in banking",
McKinsey Quarte1·ly, No. 1.
European Foundation for Quality Management (2004), EFQM Excellence Model, Ew·opean
Foundation for Quality Management, Brussels.
European Foundation for Quality Management (2005), EFQM Framework for Risk Management,
Ew·opean Foundation for Quality Management, Brussels.
Frey, S.C. Jr and Schlosser, M.M. (1993), "ABB and Ford: creating value through cooperation",
Sloan Management Review, Vol. 35 No. 1, pp. 65-72.
Geiger, H. (2000), "Regulating and supervising operational risks for banks'', paper presented at
the Conference "Future of Financial Regulation", Tokyo, 17 October.
George, M.L. (2002). Lean Six Sigma: Combining Six Sigma Quality with Lean Produch"o11 Speed,
McGraw-Hill, New York, NY.
Grabowski, M. and Roberts, K. (1999), "Risk mitigation in virtual organisations", Orga11isatio11al
Science, Vol. 10 No. 6, pp. 704-22.
International Organisation for Standardisation (2000), ISO 9000:2000 Quality Ma11ageme11t
System Standm·d, International Organisation for Standardisation, Geneva.
TQM Juran, J.M. (1989), Juran 011 Leadership for Quality: An Executive Handbook, The Free Press,
New York, NY.
18,1 Juran, JM. and Blanton Godfrey, A. (1998), Juran 's Quality Ha11dbook, 5th ed., McGraw-Hill,
New York, NY.
Kaiser, C.F., Sattler, D.N., Bellack, D.R. and Dersin, ]. (1996), "A conser.-ation of resources
approach to a natural disaster: sense of coherence and psychological distress",Joumal of
86 Social Behavior and Personality, Vol. 11, pp. 459-76.
Larsson, G., Kallenberg, K., Setterlind, S. and Stanin, B. (1994), "Health and loss of a family
member: impact of sense of coherence", International Jounzal of Health Sciences, Vol. 5,
pp. 5-11.
McAllister, D.]. (1995), "Affect· and cognition-based trust as foundations for interpersonal
cooperation in organizations'', Academy of Management Jo1tmal, Vol. 38 o. 1, pp. 24-59.
Malcolm Baldrige National Quality Award (2005), Criteria for Perfonnance facelle11ce, American
Society for Quality, Milwaukee, Wl.
Mayer, R.C., Davis, j.H. and Schoorman, F.D. (1995), "An integration model of organizational
trust", Academy of Management Review, Vol. 20 No. 3, pp. 709-34.
Mittelstaedt, R.E. Jr (2005), Will Your Next Mistake be Fatal? Avoidi11g the Chain of Mistakes Thal
Ca11 Dest1·oy Your Organisation, Wharton School Publishing, Upper Saddle River, 1].
Newton, P., Paxson, D.A. and Widdicks, M. (2004), "Real R&D options'', biternalio11al Journal of
Ma11ageme11t Research, Vol. 5/6 No. 2, pp. 113-30.
Power, M. (2003), "The invention of operational 1isk", Discussion Paper >lo. 16, Centre for
Analysis of Risk and Regulation (ESRC), London School of Economics, London.
Roberts,]. (2004), The Modern Finn, University Press, Oxford.
Senge, P. (1999), "It's the learning: the real lesson of the quality movement", journal of Quality
and Participation, Vol. 22 >lo. 6, pp. 3440.
Shewhart, W.A. (1931). Economic umtrol of Quality of Manufactured Products, D. van >lostrand,
New York, '.\TY.
Shostack, G.L. (1987), "Service positioning through structura.1 change", Jo1tnwl of Marketing,
Vol. 51 No. 1, pp. 34-43.
Standards Australia and Standards New Zealand (2004a), ASINZS 4360: Australia and New
Zealand Standard 011 Risk Management, Standards Australia, Sydney/Standards
New Zealand, Auckland.
Standards Australia and Standards New Zealand (2004b), Australia New l,eala11d Ha11dbook:
Risk Ma11ageme11t Guidelines Companion to ASINZS 4360. Standards Australia,
Sydney/Standards New Zealand, Auckland.
Viviers, A.M. and Cilliers, F. (1999), "The relationship between salutogenesis and work
orientation'', Joumal of Industrial Psychology, Vol. 25 No. 1, pp. 27-32.
Corresponding author
Ton van der Wiele is the corresponding author and can be contacted at: vanderwiele@few.eur.nl
• An editorial and production policy which encourages accuracy and reduces submission to
publication times
• On-line resources, fo rum s and confe rences to assist you with your research
• Responsible rights managemen t to promote and safeguard the i ntegrity of your work, encourage
citation and wider dissemination
• Liberal reprod uction rights and premium permissions servi ce for yourself and subscribing
organizations to serve th e interests and needs of the scholarly community
• Consideration for nomi nation of the Annua l Awards for Excellence to reward outstanding work
• Emerald • Electronic Management Research Library Database. Emerald is a trading name of MCB UP Ltd.