I’ve been in quality a long time and seen its ups and downs. I believe there is now a resurgence or as some say quality renaissance. We think the glory days of quality are starting in 2024 driven by risk.
Hopefully, this piece describes what’s up. And, most importantly how you can position yourself and make money. We call this opportunity risk or upside risk.
The Glory Years
Let’s start at the beginning. Years ago, I was the project manager (PM) building tank farms, high pressure gas lines, and oil terminals. Only one problem in my last job. Problem was our stainless 304 valve flanges were cracking and the project was not making its objectives. Not good. As the PM, I took the hit. Quit. Get fired. Or, take a demotion and fix the problem: start a quality program in the company. My marching orders were get good parts. Up to that time, we bought strictly ‘Made in the USA.’ This was the beginning of my quality journey.
For the next year or so, I started one of the first quality programs in oil/gas in the U.S. using Mil Q 9858 (predecessor to ISO 9001). The year was 1987, start of ISO 9001, Baldrige, and Six Sigma. I started teaching management system auditing to AGA Labs, one of the first U.S. Certification Bodies. Saw the quality opportunity and took the jump to full time quality consulting. In the 1990’s, we did a lot of TQM, Six Sigma, and ISO. Had the best-selling quality books. These were the glory years. Then, quality seemed to go sideways.
Start of ISO Interest in Risk
In 2000, ISO 9001 had just come up with process based compliance. Lots of other things were going on. Relatively low barrier to entry. Certifications were decreasing in North America. Lots of entrants into ISO. Our quality consulting was flattening.
So, we asked what’s the next big thing? In 2000, we wrote several pieces for ASQ premising the future of quality was risk. We started evangelizing risk. We were so fervent that we rebranded our products and engineering to risk.
ISO was similarly challenged. ISO was searching for a new revenue model. What to do? ISO saw its future and started its journey of harmonization of its standards. ISO was prescient and started adding risk to standards.
ISO Risk
There are many definitions of risk. Each definition is acceptable largely based on context and use case. Let’s look at a few definitions based on context. Conversationally, risk is something bad or consequential occurring. This is an OK definition. But, how do you operationalize the definition to make it useful and measurable?
In 2009, ISO recognized this problem. In ISO 31000 risk was defined as the “effect on uncertainty on objectives.” You can now see that uncertainty can impact an organization and how it affects business in terms of meeting its objectives. The challenge is some companies had problems operationalizing this definition. To simplify, we suggested using the risk definition of ‘effect on uncertainty on achieving objectives.’ This little change makes it clear that uncertainty impacts reaching or attaining a business objective.
Another challenge is that ISO defined risk as an upside risk (opportunity risk) and downside risk (harsh consequences). Opportunity risk is often hard to measure and audit against (check adherence).
ISO 9001:2015 Risk Based Thinking
In 2015, ISO 9001 was updated with the concept of Risk-Based Thinking (RBT). This was significant because it impacted more than 1 million certified companies. Great idea. Great timing. However, RBT again challenged companies. How does a company operationalize and audit its thinking? Hard if you haven’t taken Mind Reading 101.
Let’s look at this a little deeper. To plan, conduct, and report an independent audit, the auditor and CB’s needed an audit trail of evidence including artifacts, flowcharts, supporting documentation, interviews, logical decisions, and findings. To some companies RBT was a little vague. This is hugely important since consistency is the hallmark of quality, where definitions are clear and processes are stable, capable and improving. To operationalize RBT, we suggested to our clients thinking of RBT as risk based, problem solving and risk based, decision making. Both of which can provide a certifiable audit trail.
ISO 31000 Risk Management Framework
In 2009, ISO 31000 developed their flagship risk standard. The standard explains the basics of risk assessments. It is a risk framework which provides a useful risk taxonomy in different contexts. The standard became the basis of ISO’s risk based approach to all of their standards.
The framework consists of the following:
- Communication and consultation: Define stakeholder requirements and the level and type of risk the organization is willing to accept.
- Establish context: Define the strategic, operational, and quality objectives the organization wants to achieve.
- Risk identification: Identify the critical risks impeding the organization to achieve its objectives.
- Risk Analysis: Analyze risk in terms of likelihood and consequence.
- Risk evaluation: Evaluate risk in terms of risk appetite or tolerance.
- Risk treatment. Avoid, accept, transfer, or reduce risk to acceptable levels.
- Monitoring and review: Incorporate risk into the company’s governance, assurance, and compliance systems.
- Recording and reporting: Report on the state of reducing risk to meet business objectives.
ISO 31000 is a guideline standard NOT for certification. The challenge is that companies want a risk certification. So what are Certification Bodies doing? CB’s are offering ISO 31000 Certificates of Conformance to their clients.
ISO 19011 Risk Based Audits
In ISO certification, three questions have to be addressed: 1. What management system standard will be used for certification, compliance, or adherence? 2. How will the standard be audited or assured? And 3. Who will conduct the audits?
ISO 19011:2018 answers the second question. ISO 19011 introduced risk based auditing for managing, planning, conducting, and reporting ALL management system audits.
ISO 42001:2024 AI Management System
ISO now wants to become the global voice of risk standardization. In the World Economic Forum (WEF) 2023, ISO evangelized climate risk standardization. In WEF 2024, ISO advocated for AI harmonization, conformity assessment and risk standardization. ISO is also developing an ecosystem of AI standards around ISO 42001, a certifiable risk based AI Management System standard.
So, what’s going on? Risk is the lens for looking at AI. It is also the future of our profession and ISO. Why? Autonomous risk based problem solving and decision making have become prevalent in healthcare access, tenant screening, criminal justice, facial recognition, employment screening, incarceration, insurance and homelessness. AI seems to be omnipresent and omniscient. The challenge is that we often don’t understand how these autonomous decisions are made.
Is Risk the Future of Quality?
The EU is taking the lead on AI risk based regulations which we believe will kickstart the quality renaissance driven by risk. The EU AI Act will vastly increase ISO Quality Management System and Risk Management System certifications. Why? Let’s look at the EU AI Act regulations:
EU AI Act, according to Article 17 (February 6, 2024) requires:
“Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions .. ”
EU AI Act according to Article 9 (February 6, 2024) requires:
“A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.… The risk management system shall be understood as a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating.”
In the U.S., the Office of Management and Budget requires AI risk analysis and is considering ISO 42001 compliance. Colorado and New York have also mandated risk based auditing of high risk AI systems calling out ISO 42001.
AI has to be fair and safe. As quality professionals, it is our duty and opportunity to be the risk assurance in the middle of humans and machines working and making decisions together.
As a quality professional, risk is going to be in your future. Get ready. It’s going to be a bumpy ride. So, what do you think? Have we made the case that the future of quality is risk? What do YOU think is the future of our profession? We would love to hear from you.