Kevin Beard
Risk Management With
Customer Focus
Introduction To Risk
Discuss Risk/QMS Relationship Concepts
Introduction to Risk/QMS in AS9100c
– Additional & Sanctioned Training to Be Provided
By OPMT
Case Studies & Audience Participation
Introduction To Risk
 How Do We Currently View Risk In AS9100b
– Customer Requirements
– Other Parts of Std.???
 How Many Have Read AS9100c
 What Do We See As The Difference
– Structure??
– New Individual Requirements??
– Underlying Concept that Applies Across the Standard??
 Why Are We Discussing Risk Today
–
–
–
–
Complex Concept
Difficult to Understand
Difficult to Explain to Customers
Therefore, Difficult to Audit
What is Risk?
A risk is a potential future event that could result
in adverse and unplanned consequences.
– A risk is NOT a Problem, an Issue, or a Crisis!
 Risk is a measure of the potential inability to achieve
overall program objectives within defined cost, schedule
and technical constraints.
(Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003)
What is Risk?
Risk
Management
Processes
Product &
Technical
Risks
Risk Mitigation
Behaviors within
a process
What is Risk?
Risk
Management
Processes
Product &
Technical
Risks
Risk Mitigation
Behaviors within
a process
Risk Management Processes
 Risk Planning
– The step of developing and documenting comprehensive and interactive
strategies and methods for identifying and tracking risk areas, training,
developing risk mitigation plans, performing risk assessments to determine
how risks have changed, and planning/obtaining adequate resources.
 Risk Identification
– The step of discovering and defining all risks inherent in your program or
project.
 Risk Assessment
– The process of analyzing and prioritizing program and process risks against
cost, schedule and/or performance criteria.
 Risk Handling
– The step that identifies, evaluates, selects, and implements actions in order
to reduce risk likelihood or consequence to an acceptable level.
 Risk Monitoring
– The step that systematically tracks and evaluates the performance of Risk
Handling actions against established metrics throughout the acquisition
process.
The Risk Management Process
- Risk PDCA -
Act
Plan
Check
Do
What is Risk?
Risk
Management
Processes
Product &
Technical
Risks
Risk Mitigation
Behaviors within
a process
Product & Technical Risks
 Complexity of Design
 Criticality of Product for End Use
 New or Unproven Process or Technology
 Organizational Capability to Design or Build
Product
– New or Unproven Process to Organization
– New Technology to Company
 Items or Requirements That are Candidates for
Risk Management Processes
 Others??
What is Risk?
Risk
Management
Processes
Product &
Technical
Risks
Risk Mitigation
Behaviors within
a process
Risk Based Decisions & Behaviors
 Identification
– Discovering and defining all risks inherent in your program, project,
process, or task.
 Communication
– Communicating Risks to all Relevant Individuals and Processes
 Risk Understanding
– Understanding the Risks and How they affect your Function or Process
 Decision Making (Risk Based)
– Making Choices on application of ‘Individual Options’ and ‘Process
Options’
 Risk Behaviors
– Knowledge of Identified Risks
– Knowledge of Process Options
– Application of Identified Risk Topics to ‘Process Options’
Requirements & Risk Based Decisions
How
Communicated
Operational Options that Need Risk
Oriented Decisions associated with
Critical Requirements
•Design Approach
•V&V Approach
•Monitor & Insp. Approach
•Supplier Oversight
Where
Identified
RFQ
What
Decisions
Proposal
Contract
Design
Manufact.
Integrate
Product
Delivery
Monitoring and Inspection Activities
Communication of
Supplier Requirements
-Key Characteristics-
Purchasing
Suppliers
All Requirements are not created equal
AS 9100 – 3.1 Terms and Definitions
Risk - An undesirable situation or circumstance
that has both a likelihood of occurring and a
potentially negative consequence.
Variable Risk Application Approach
Varying Applicability to Different Functions
Risk Processes…..‘appropriate to the product and the
organization’ (7.1.2)
Type
Project
Production
Service
Size
Large
Medium
Small
Product
X
X
X
Process
X
X
X
People
X
X
X
How Does Risk Approach Vary?
– Organizational Application of Risk Can Vary Based on Situation, Customer,
Product Line, etc.
– Audit Approach & Questioning Will Need to Vary Also.
Theory Applied
Risk
Management
Processes
Product &
Technical
Risks
Risk Mitigation
Behaviors within
a process
AS 9100 – 7.1.2 Risk Management
The organization shall establish, implement and maintain a process
for managing risk to the achievement of applicable requirements,
that includes as appropriate to the organization and the product
Processes
Behaviors
a) assignment of responsibilities for risk management,
b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
c) identification, assessment and communication of risks throughout
product realization,
d) identification, implementation and management of actions to mitigate
risks that exceed the defined risk acceptance criteria, and
e) acceptance of risks remaining after implementation of mitigating actions.
Risk Impacts – P.P.P.
7.1.2 Risk Management
c) identification, assessment and communication of risks throughout product
realization,
d) identification, implementation and management of actions to mitigate risks
that exceed the defined risk acceptance criteria,
Product
Consequence
& Likelihood
Plan,
Implement,
Control
People
Capability
FMEA
Process FMEA
Competency Levels
Critical Safety Items
Process Requirements
Evaluation
Prod/Proc Proficiency
Customer/User Needs
Design Critical Items
Task Specific Training
IPTs
Key Characteristics
Task Specific OJT
Specification & Drawings
Mandatory Insp. Points
CM Processes
Production Planning
Supplier Interaction
Job Assignments
Design Review
Config Control Boards
Metric Analysis
Inspection Approach
Process Audits
Technical Audits
Product Audits
Configuration Audits
Supplier Oversight
Requirements Evaluation
Communication
Process
Supplier Capabilities
AS 9100 – 7.1.2 Risk Management
7.2.2 Review of requirements related to the product
e) risks (e.g., new technology, short delivery time frame) have been
identified (see 7.1.2).
7.4.1 Purchasing process
f) determine and manage the risk when selecting and using
suppliers (see 7.1.2).
8.5.3 Preventive action
NOTE Examples of preventive action opportunities include risk
management, error proofing, failure mode and effect analysis
(FMEA), and information on product problems reported by
external sources.
8.2.4
When the organization uses sampling inspection as a means of
product acceptance, the sampling plan shall be justified on the basis
of recognized statistical principles and appropriate for use (i.e.,
matching the sampling plan to the criticality of the product and to the
process capability).
AS 9100 – 7.1.2 Risk Management
 Does Risk Apply in Other Parts of the AS9100 Standard
– Explicit?
– Implied?
 How does this apply throughout the AS9100 standard
–
–
–
–
–
–
–
Processes?
Decisions/Behaviors?
4.1 General Management System Requirements
7.1 Product Realization Planning
7.3 Design & Development Lifecycle Processes
7.5 Production & Service Provision
8.1 Measurement, Analysis & Improvement
Potential Impacts – Large Companies
Varying Applicability to Different Functions
Risk Processes…..‘appropriate to the product and the organization’ (7.1.2)
Prog/
Proj
Eng.
Supplier
Mgmt
S&MA
Individual
Tasks
Risk Resp. Assignment
X
X
X
X
Risk Definition
X
X
X
X
ID, Assess, Comm.
X
X
X
X
Implement &
Management
X
X
X
X
X
Acceptance
X
X
X
X
X
Others
How Do Risk Responsibilities Vary?
–
–
–
–
–
Program – Cost, Schedule, Technical
Engineering – Design, Technology Capability, Others
Supplier Management – Supplier Capability, Cust/Supplier Interface, Others
S&MA – Independent Oversight (Processes, Suppliers, Etc.), Others
Individuals – Application of Risk to Option Decisions
Potential Impacts – Small Companies
Varying Applicability to Different Functions
Risk Processes…..‘appropriate to the product and the organization’ (7.1.2)
Sales,
Contracts
Prod.
Planner
Purch
Manuf
Inspector
Risk Resp. Assignment
X
X
X
X
X
Risk Definition
X
X
ID, Assess, Comm.
X
X
X
Implement & Management
X
X
X
X
X
Acceptance
X
X
X
X
X
Other
How Do Risk Responsibilities Vary?
– Sales & Contracts – Understanding of User Needs/Requirements &
Comparison of User Needs To Organizational Capabilities
– Production Planner – Applying “Appropriate” Methods Associated with Risk
to Meeting User Needs & Requirements
– Purchasing – Vendor Capability, Risk/Criticality Communication, Others
– Manufacturing – Applying “Appropriate” Methods
– Inspector – Independent Verification
– Individuals – Application of Risk to Option Decisions
Risk Case Studies
 What Have We Covered?
– General Discussion on Risk Theories
– Relationship to AS9100c Standard
 Time to put your Auditor Hats Back On
 Case Studies
– Risk Associated With Product
– Risk Associated With Processes
– Risk Associated With People
Product Risk in Lower Tier Organizations
Product
Process
People
What Are Risks & Impacts??
What Are Risks & Impacts??
What Are Risks & Impacts??
In Your Pre-Audit Planning, You Find that the Organization’s
Customer provided the Organization with a PO on a very challenging
task that includes providing a product that is more complicated than
other products previously manufactured.
•What Additional Questions Would You Pursue in Pre-Audit Discussions
•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)
•Area Where Risks Might Be Identified (7.1.2 c)
•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)
How Are Risks Communicated (7.1.2 c)
What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)
•Onsite Audit
•Types of Questions You Would Pursue
•Types of Issues/Findings That May Develop
Process Risk in Lower Tier Organizations
Product
Process
People
What Are Risks & Impacts??
What Are Risks & Impacts??
What Are Risks & Impacts??
In Your Pre-Audit Planning, You Find that the Organization’s
Customer provides the organization with a PO that includes a task
that you do not have the capability for. You outsource this task to a
vendor that you have never used before.
•What Additional Questions Would You Pursue in Pre-Audit Discussions
•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)
•Area Where Risks Might Be Identified (7.1.2 c)
•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)
How Are Risks Communicated (7.1.2 c)
What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)
•Onsite Audit
•Types of Questions You Would Pursue
•Types of Issues/Findings That May Develop
People Risk in Lower Tier Organizations
Product
Process
People
What Are Risks & Impacts??
What Are Risks & Impacts??
What Are Risks & Impacts??
In Your Pre-Audit Planning, You Find that the Organization’s
Customer transferred a large contract to this organization. The
organization had to increase your workforce by 20% and add shift
work. In your last audit your recall that the Organization was
Working at/near capacity.
•What Additional Questions Would You Pursue in Pre-Audit Discussions
•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)
•Area Where Risks Might Be Identified (7.1.2 c)
•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)
How Are Risks Communicated (7.1.2 c)
What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)
•Onsite Audit
•Types of Questions You Would Pursue
•Types of Issues/Findings That May Develop
Theory Applied
Risk
Management
Processes
Product &
Technical
Risks
Risk Mitigation
Behaviors within
a process
Special What???
Characteristi
c
Critical
Items
Key
Requirement
Special
3 Terms and Definitions
3.2 Special requirements
Those requirements
identified by the customer,
or determined by the organization, which have
high risks to being achieved thus, requiring their inclusion
in the risk management process. Factors used in the
determination of special requirements include product or
process complexity, past experience and product or
process maturity. Examples of special requirements include
performance requirements imposed by the customer that
are at the limit of the industry’s capability, or requirements
determined by the organization to be at the limit of their
technical or process capabilities.
3 Terms and Definitions
3.3 Critical items
Those items (e.g., functions, parts, software,
characteristics, processes) having significant
effect
on the product realization and use of the
product; including safety, performance, form, fit,
function, producibility, service life, etc.; that require specific
actions to ensure they are adequately managed. Examples
of critical items include safety critical items, fracture critical
items, mission critical items, key characteristics, etc.
3 Terms and Definitions
3.4 Key characteristic
An attribute or feature whose variation has a significant
effect on product fit, form, function, performance, service
life or producibility, that requires specific actions for the
purpose of controlling variation.
NOTE Special requirements and critical items are
new terms and, along with key characteristics,
are interrelated.
– Special requirements are identified when determining
requirements related to the product (see 7.2.1).
– Special requirements may then require the identification of
critical items.
– Design output (see 7.3.3) may then include identification of
critical items that require specific actions to ensure they are
adequately managed.
– Some critical items will be further classified as
key characteristics because their variation
needs to be controlled.
Special Requirements, Critical Items
& Key Characteristics
 Key Characteristics Simplified
– Communication of Criticality Between Engineering &
Production
– In House Production or Outsourced Production
 Special Requirements & Critical Items Simplified
– Communication of Criticality Between
 Customer & Organization (SR)
 Engineering & Engineering (CI)
– In House Engineering or Outsourced Engineering
 Common Expectations
– Consideration for Use of More Rigorous Controls in Process
– Risk Based Approach to Identification, Analysis and
Communication of Customer and Product Requirements
Special Requirements, Critical Items
& Key Characteristics
•Communication & Understanding of Risks
•Risk Based Decisions and Actions in Individual Processes
Identification of Special
Requirements
RFQ
Proposal
Operational Options that Need Risk
Oriented Decisions associated with
Special Requirements
•Design Approach
•V&V Approach
•Monitor & Insp. Approach
•Supplier Oversight
Identification of Critical
Items & Key Characteristics
Contract
Design
Manufact.
Integrate
Product
Delivery
Monitoring and Inspection Activities
Communication of
Supplier Requirements
-Key Characteristics-
Purchasing
Suppliers
All Requirements are not created equal
7.1 Planning of Product Realization
7.1 Planning of product realization
The organization shall plan and develop the processes needed for product realization. Planning of
product realization shall be consistent with the requirements of the other processes of the quality
management system (see 4.1). In planning product realization, the organization shall determine the
following, as appropriate:
a) quality objectives and requirements for the product;
Identification &
Communication
NOTE Quality objectives and requirements for the product include consideration
of aspects such as
− product and personal safety,
− reliability, availability and maintainability,
− producibility and inspectability,
− suitability of parts and materials used in the product,
− selection and development of the software that contributes to the function of the
product, and
− recycling or final disposal of the product at the end of its life.
f) configuration management appropriate to the product, its context and environment;
g) the identification of resources to support the use and maintenance of product.
The output of this planning shall be in a form suitable for the organization's method of operations.
7.2.2 Review of Requirements Related to Product
7.2.1 Determination of requirements related to the product
Understanding
The organization shall determine
a) requirements specified by the customer…….
b) requirements not stated by the customer but necessary for specified or
intended use, where known,
c) statutory and regulatory requirements applicable to the product, and
d) any additional requirements considered necessary by the organization.
NOTE Requirements related to the product can include Special
Requirements
7.2.2 Review of requirements related to the product
The organization shall review the requirements related to the product. This
review shall be conducted prior to the organization's commitment to supply
a product to the customer …… and shall ensure that
a) product requirements are defined,
Identification &
Communication c) the organization has the ability to meet the defined requirements,
d) special requirements of the product are determined, and
e) risks (e.g., new technology, short delivery time frame) have been
identified (see 7.1.2).
7.3.1 Design and Development Planning
7.3.1 Design and development planning
Where appropriate, the organization shall divide the design and
development effort into distinct activities and, for each activity,
define the tasks, necessary resources, responsibilities, design
content, input and output data and planning constraints.
Understanding
The different design and development tasks to be carried out shall
be based on the safety and functional objectives of
the product in accordance with customer,
statutory and regulatory requirements.
Design and Development Outputs &
Verification/Validation
7.3.3 Design and development outputs
The outputs of design and development shall be in a form suitable for
verification against the design and development input and shall be
approved prior to release.
Identification & Design and development outputs shall
Communication
e) specify, as applicable, any critical items, including any key
characteristics, and specific actions to be taken for these items.
7.3.6 Design and development validation
Decision
Design and development validation shall be performed in accordance
with planned arrangements (see 7.3.1) to ensure that the resulting
product is capable of meeting the requirements for the
specified application or intended use, where known.
7.3.6.2 Design and/or development verification and validation
documentation
Decision
At the completion of design and/or development, the organization
shall ensure that reports, calculations, test results, etc.,
demonstrate that the product definition meets the specification
requirements for all identified operational conditions.
(7.1.2.e – Acceptance of Risk)
7.5.1 Control of Production and Service Provision
7.4.2 Purchasing information
Purchasing information shall describe the product to be purchased,
including where appropriate
Identification &
Communication
e) requirements for design, test, inspection, verification, use of
statistical techniques for product acceptance, and related
instructions for acceptance by the organization, and as applicable
critical items including key characteristics,
7.5.1 Control of production and service provision
Decision
Planning shall consider, as appropriate
− establishing, implementing and maintaining appropriate processes
to manage critical items, including process controls where key
characteristics have been identified,
8.2.4 Monitoring and measurement of product
Decision
When critical items, including key characteristics, have been
identified the organization shall ensure they are controlled and
monitored in accordance with the established processes.
SR/CI Case Studies
 What Have We Covered?
– General Discussion on SR/CI Theories
– Relationship to AS9100c Standard
 Time to put your Auditor Hats Back On
 Case Study
– SR/CI - Space
Risk
Products
Processes
 Product Meets Requirements
 Program plans
 Reliability program requirements
 Structured Independence Processes
 Critical items control & management
 Mission/Product Assurance
 Processing induced hazards
 Mission Assurance Plan (MAP)
 Defining of risk controls
Behaviors
AS9100 Standard
 Risk Identification
 Realization Process Risk Planning
 Analysis & Prioritization
 Contracts
 Elevation of risk (communication)
 Design
 Mitigation Decision Making
 Procurement
 Human factors skill / training
 Manufacturing
 Inspection
Risk Management Processes
Why do we think this change to the
standard was made?
– To Much QMS Focus on
Compliance To QMS Requirements
Cost & Schedule
– Need Additional Focus on Risk & Risk Based
Decisions
Process
Product
Potential Impacts To Organizations
Processes
–
–
–
–
–
–
Program Management
Engineering
Purchasing
Supplier Management
S&MA
Others
Procedures
– Project & Design Lifecycles
– Procurement
– S&MA, SR&QA, Product Assurance, Etc.
People
– Identification and Communication of Risk
– Understanding Options Within Processes, and
Associated Decision Options
– Application of Risk in Decision Making Process
Challenges (i.e. Implementation Risks)
 CBs & Auditors
– Understanding the Varied Potential Applications of Risk in a QMS,
Process, or Product lifecycle
– Educate Yourselves on the Broadness of Risk Applicability in a QMS
– Develop Sensible But Meaningful Approaches to Auditing Risk
– Plan for a Successful Role out of a Risk Audit Approach
– Communicate with Audit Staff & Other Affected Parties
– Communicate with Your Customers on
 Applicability of Risk within their QMS
 Balanced Application of Cost, Schedule & Risk within an
Organizations QMS.
 Ensuring Processes Identify and Communicate Risks &
Appropriated Decisions are Made to Ensure that Risks are
Handled
– Ensure Consistency to Mitigate Confusion
 Not Covered in This Presentation
– Risk & Project Management
– Risk & Configuration Management
Questions ??
Characteristi
c
Key
Critical
Requirement
Items
Special
Risk