How does robust process management help you control risk?
First, why is this important? Because every manager needs to help control risk for the organization. Since 2015, ISO 9001 has emphasized risk-based thinking to build more robust quality systems. While a few managers may be asked to take calculated risks, most managers are fully engaged by reacting to issues already present.

This constant reacting forces managers to think fast all the time.[1] Thinking fast allows our hard-wired human biases to take over: seeing what we want to see, taking short cuts that create other issues and detour us, fixing only symptoms, etc. We need to shift our thinking to a slower mode and use questions.

A questioning attitude is part of what makes a good quality manager (or auditor, or engineer.) You see this attitude more often in experienced employees. They have been around and know that a question at the right time is better than 100 statements. Not all questions are useful, but asking no questions is a pathway to disaster. This means judgement is needed after the question is asked, and logic/ systems thinking[2] will help weed out the poor questions.

A method we use to reduce risk is to deny the existence of a specific risk. You see this all the time. Health care workers who smoke, experienced drivers who speed, bosses who brush aside concerns, we all do it. Some of us have been doing it so long we have built up a robust process of denial. Statements like “it has worked well for years” or “if it isn’t broken, don’t fix it” support this denial. It becomes a habit, part of the work culture. If denial is part of the culture, we often do not even notice it!

One way to find hidden risk to ask, “how can this fail?” There is a tool we use in quality management called Failure Modes and Effects Analysis, FMEA for short.[3] This uses an act of imagination by asking how a process or product may fail under common and/or atypical usage. This is a hard step to take, and you need the questioning attitude mentioned above to do it well. You may have other resources to identify modes of failure: if you have had past problems, look them up. Ask your long-term employees (especially those lower in the organization who are closer to the real work) and see what they remember. If you have a “lessons learned” file, use it! Also, there are creative thinking techniques that allow an FMEA team to anticipate a wider variety of problem situations. Missing a failure mode that occurs later can be costly.

FMEA will help you find and fix the worst future risks. It uses a prioritization matrix to find the most severe, the most common, and least controlled issues. Having a long but prioritized list lets the matrix sort out the ones you need to worry about. Then, work the list and mitigate issues from the worst downward until you feel you have done enough.

Next, you need to apply robust Root Cause Analysis (RCA)[4] on a regular basis to get at deep systematic causes of surfaced problems. We often stop problem investigations when we find physical causes, but the problem comes back when a different physical cause is driven by an unanticipated system cause. (Let us not even mention “human errors”, that is another article!)

This ongoing RCA effort may lead to improvement loops, like Plan-Do-Study-Act (PDSA.)[5] Some people know this from Six Sigma’s define-measure-analyze-improve-control (DMAIC.) PDSA goes a step beyond DMAIC by using a continuing loop. Once the fix is in place, you start the loop again. Six Sigma projects do not always continue the improvement. They are too often seen as projects with a beginning, middle and end.

Applied by empowered employees, PDSA loops let you grow your way out of problem swamps, using low cost and intelligently applied mistake proofing. The application of the Japanese idea of small- step improvement kaizen (not the American ‘tear- it- up- and- fix- it’ kaizen blitz events) allows continual process improvement with less disruption and reduced financial investment.[6]

There are few quick answers, and most quick fixes are probably wrong for your situation. Applied common sense and logic are the mature way to drive improvement. Any manager may do this, but a qualified quality manager will certainly do it. To see what a qualified quality manager should know, see the ASQ Certified Manager of Quality/Organizational Excellence body of knowledge.[7]

Finally, I believe there might be a problem with using the phrase ‘quality management.’ Traditionalists may disagree, but our concepts do evolve, and so should our language. ‘Quality control’ became ‘quality assurance’ then ‘quality management.’ As quality planning links to quality control, and then to quality improvement, we look more and more at process planning, process control and process improvement. What will happen if we start using the term ‘process management’ to refer to the activities we have been calling ‘quality management’? It is worth a thought.
[1] Kahneman, D. (2015). Chapter 1 "The Characters of the Story". In Thinking, fast and slow (pp. 24-30). New York: Farrar, Straus and Giroux.
[2] Senge, P. M. (1990). Chapter 4 "The Laws of the Fifth Discipline". In The fifth discipline: The art and practice of the learning organization (pp. 57-67). New York: Doubleday.
[3] Stamatis, D. H. (2003). Failure mode and effect analysis: FMEA from theory to execution. Milwaukee, Wisc., WI: ASQ Quality Press.
[4] Okes, D. (2019). Root Cause Analysis, Second Edition: The Core of Problem Solving and Corrective Action. Milwaukee, WI: ASQ Quality Press.
[5] Imai, M. (1997). Chapter 1 "An Introduction to Kaizen". In Gemba kaizen: A commonsense low-cost approach to management (pp. 4-7). New York, NY: McGraw-Hill.
[6] Duffy, G. L. (2014). Chapter 2 "Continuous versus Breakthrough Improvement". In Modular kaizen: Continuous and breakthrough improvement (pp. 15-25). Milwaukee, WI, WI: ASQ Quality Press.
[7] ASQ. (2019). CERTIFIED MANAGER OF QUALITY/ORGANIZATIONAL EXCELLENCE [Brochure]. Milwaukee, WI: Author. Retrieved July 09, 2020, from
17 Replies
Hi Douglas Wood‍ 

This is the most impressive bibliography I have seen for a myASQ post.  Congratulations on such a well-researched paper.

The inclusion of Kahneman and Senge, two influential authors, enhances your case substantially.

An experienced practitioner with deep experience and broad knowledge may appear to have a quick response, but it is the effect of a high level of familiarity to speed up the slow thinking, if that makes sense.  Thoughtful and deliberate responses should be the target.
Nice article Doug.  Robust is the right word. Robust means to me both effectiveness and value return.

I like the we now consider, name, track and learn from risk based thinking.  Too many times before I saw companies implementing QA preventive practices as if they are on a menu of common practices. 

Now we make potential risks transparent and apply QA practices (design for six sigma, process capability, training, internal audits, human factors management, error proofing; and QC vigilance) that drive PDSA continual QA improvement.  

One tool I will add to this discussion is the Process Turtle Diagram. Used often by auditors, it can be modified to add risks AND opportunities as an additional element (the “6Ms” are typically used). Making this diagram an integral part of process documentation will deploy risk management throughout the system of processes and engage frontline personnel in this important aspect of a robust QMS. 

In the interest of brevity, I did not mention Hans Rosling's book Factfulness. He echos Kahneman, and adds some key advice for better thinking. 
I like the process turtle diagram. There are many 'tools' we know in quality that are powerful aids in general business process management. I did not mention Nancy Tague's book 'The Quality Toolbox' but it is an excellent reference book. Some who have taken the CMQ/OE exam have told me it is as helpful and the CMQ/OE Handbook (gasp!). 

I like to think many of the classic tools such as FMEA are not 'done' yet. I believe there are many ways to add to exiting tools to extend their value beyond their usual stopping points.
Grace Duffy
111 Posts
I agree with my colleagues that this is a well thought out and written message. Thank you, Doug. I like the idea of using the term "process management" as an evolved reference for "quality management." I  would be interested in hearing from others whether "process management" is as inclusive a mental image as "quality management." Doug references my Modular Kaizen, continuous and breakthrough improvement text in his endnotes. I spend a good bit of time in the text discussing the value of well designed processes and the management required to implement and sustain/improve them. I am also aware of the importance of the human side of quality that is not always reflected in our focus on process. Most process activities can be quantitatively measured and managed. The human side of performance improvement is more ambiguous. ASQ Bodies of Knowledge address both the process and the human factors, as reflected in the Baldrige Performance Excellence Model and the CMQ/OE Body of Knowledge which Doug wisely references. I have read differing perspectives on the inclusion of human factors within the discipline of process management. 

What do others think?  
OK, here is a question I would love to hear back on:

Has anyone seen what they consider "best practice" in managing risks and opportunities; or establishing a robust culture of "risk based thinking"? 

Yes, we can do risk matrices and FMEAs, but what else? What's innovative like we might see in a Baldrige recipient (I researched that but found nothing as it has been sometime, 2012, when a manufacturer received it ). 
The risk based process excellence has multiple approaches for robustness.

Here are my two cents about PFMEA. (Process Failure Mode Effect Analysis)

I used this since 1994 first working for Tier 1 to GM, Ford, Cummins and then worked in General Motors/ Delphi Automotive Systems since 1997.

I have facilitated in developing 500+ PFMEA’s across multiple processes globally in North America, Europe and Asia.

First develop the PFMEA with cross functional team participation for a process. The participant members should include those actually performing the process on the ground. The availability of DFMEA (Design Failure Mode Effect Analysis) as a reference and the part or a prototype under review, if available goes a long way in capturing the RPN (Risk Priority Number) elements.

Second the PFMEA is not a onetime historical documented process. It is dynamic in nature. Anytime we have an occurrence of variance in form of process change or failure in field. The “occurrence” number changes and so the RPN.

Take care in the Covid 19 era and be safe.

Best Regards, 
Girish Trehan 

QMS Lead Auditor/ LSS Consultant VIAA
Partial-Load Professor, Sheridan College 
ASQ Education Chair Section 0402

Mr. King, this is a great question.  My organization is resistant to changes in this regard, having squandered opportunities in the past through single-point decision making.  Segments would embrace the idea, but culture is a top-down challenge.  I'm in the process of completely rebuilding our supply chain management strategy; creating processes and developing training.  I'd love to hear some tried and true techniques and case-specific outcomes.  I'm pretty good at collaborating with the resistance.  It's rare to see such a pointed question that strikes the heart of my own present struggle.

Mr. Bryant,
I sympathize. I do have a few ideas that may help, if you have not done them already. First, during or after the decision, make a change management plan. List key advantages, roadblocks, alternative approaches, communication approaches. Use 'Stakeholder Analysis' to find out what each key stakeholder might object to. Each person will need a special approach if they are not on board. Convincing may need three things: costs, $ benefits, and a story to make the 'sale.' The books "Influencer" by Patterson et al and  "Persuasion IQ" by Kurt W. Mortensen are good. 

No one likes being blind-sided, so make sure you talk to all the key stakeholders in private prior to publicly rolling a plan out. I had a case where two department heads detested each other and I needed them to agree. I shuttled between them (in private) and collected lists of what they each wanted, then asked each one (privately) if they could agree with a common list, then I got them together and showed them the common list. It worked, and each thought I had performed a miracle getting the other to agree. No miracle, just common sense and consideration.

Changes need to tie to overall strategy, then align with process needs, then meet individual mental maps. You only change mental maps with stories, by the way. Find a story with a protagonist that shows how bad the old way is. Practice telling the story. In a presentation, turn off the projector and just tell the story 'a cappella' before going back to the slide deck.

Also, remember that key players' emotions will affect how they respond. Ask yourself, 'what is person X afraid of?' This is not really engineering, it is about dealing with humans. 
Mr. Trehan,
In your experience, have you seen where a firm sets a 'magic line' for the RPN in FMEA, and says anything worse than this line must be addressed? What were the effects of that policy?
Excellent experience! 
Have you shared your process management experience in any blog, vlog or YouTube channel? 
Hello Mr. Wood,
I observed some of our Tier 1 and Tier 2 did use the threshold RPN’s of 50 or 100 for staged continuous improvement process.
Have a great weekend.

Best Regards, 
Girish Trehan 

QMS Lead Auditor/ LSS Consultant VIAA
Partial-Load Professor, Sheridan College 
ASQ Education Chair Section 0402
Hello Girish;  Thanks for the information on thresholds.  I have heard from clients both 100 and 125 on RPN (with 10-point rating systems for S, O & D on FMEAs.  I like the 125 as it sort of crosses the mid points of the ratings (i.e. 5x5x5 = 125).  But 100 is probably safer, or even lower as you point out based on product criticality and company image/brand value.  I also hear some companies require mitigation if severity is top 2 box (9 or 10) on the rating system; in other words: if the impact is THAT high then "let's mitigate" even if we suspect low occurrence probability and we think we have pretty good detection. "What if we are wrong or overly optimistic? " 

As we say: better safe than sorry (and costly!).
Hello Mr. King,
Good Morning.
You are right lower the RPN better it is, as we have a robust process.
I recommend thresh hold RPN of around 50 or lower to start with.
The three elements of RPN:
  1. Severity is as given; determined by the process team based on safety/ criticality.
  2. Occurrence depends on process capability and/or field failures.
  3. Detection depends on measurement system. Poka Yoke is a great way to reduce detection to 1.
Safety first is in our DNA.
There are no short cuts to safety.

Best Regards, 
Girish Trehan 

QMS Lead Auditor/ LSS Consultant VIAA
Partial-Load Professor, Sheridan College 
ASQ Education Chair Section 0402
Mr. Gankhuyag
Good Evening.
Thanks for your feedback.

I have only written quality booklets for the company circulation with my teams.

Recently I started writing for ASQ Section 0402 monthly newsletter.

I see an ocean of books, blogs and YouTube videos on this vast subject continuously released.

Best Regards, 
Girish Trehan 

QMS Lead Auditor/ LSS Consultant VIAA
Partial-Load Professor, Sheridan College 
ASQ Education Chair Section 0402

A good management system will require risk assessments when needed. Midco International did this in the early stages of the Covid-19 pandemic because we were deemed an essential manufacturer. We did a before preparations and actions and after. We implemented all employees wearing masks, taking everyone's temperature, social distancing and actions to be taken when an employee tests positive for Covid-19. This is just one example of how this works. The 6 P Principle applies to this, Proper Prior Planning Prevents Poor Performance, there it is in a nutshell.
Timothy and Girish,
Is having a threshold for a RPN ever a good idea? My thinking is that you start with the worst item on the list, then move downward the RPN until you run out of time or money. Is is possible that any threshold will make engineers doing the FMEA try to make it under the threshold and skew the analysis. A RPN list from one study is not really comparable to another study. It is primarily a tool for internal comparison to one situation made by one team. I am I incorrect here?