Deming wheel and Risk based thinking


Continuing the discussion of how the different management system standards have changed by embedding risk management in the organization's processes and day-to-day activities: these standards now mandate that organizations base their decision making on risk.

In this article I will discuss risk-based thinking, PDCA and the process approach.

Plan, Do, Check and Act (PDCA): together these concepts form an integral part of the ISO 9001:2015 standard. Risks that may have an impact on objectives and results must be addressed by the management system.

Risk‐based thinking is used throughout the process approach to:

  • help in deciding how risk (positive or negative) is addressed when establishing the processes, so that outputs are improved and undesirable results prevented
  • help in defining the extent of planning and the controls needed (based on risk)
  • help in improving the effectiveness of the organization's integrated management system

P – Plan : set the objectives of the system and processes to deliver results (“What to do” and “how to do it”)

D – Do : implement and control what was planned

C – Check : monitor and measure processes and results against policies, objectives and requirements and report the results

A – Act : take actions to improve the performance of processes

PDCA operates as a cycle of continual improvement, with risk‐based thinking at each stage.

The following maps the Deming wheel (PDCA) phases to the ISO process-approach steps, with a brief explanation of each step.

PLAN

  • Define the context of the organization. Identify the organization's responsibilities, the relevant interested parties, and their requirements, needs and expectations. Gather, analyze and determine the external and internal responsibilities the organization must meet to satisfy the requirements, needs and expectations of the relevant interested parties. Monitor and communicate frequently with these interested parties to ensure a continual understanding of their requirements, needs and expectations.

  • Define the scope, objectives and policies of the organization. Based on the analysis of the requirements, needs and expectations, establish the scope, objectives and policies that are relevant for the organization's integrated management system. The organization shall determine the scope, boundaries and applicability of its management system, taking into consideration the internal and external context and the interested parties' requirements. Top management should then establish objectives and policies for the desired outcomes.

  • Determine the processes in the organization. Determine the processes needed to meet the objectives and policies and to produce the intended outputs. Management shall determine the processes needed for achieving the intended outputs; these include management, resource, operational, measurement, analysis and improvement processes.

  • Determine the sequence of the processes. Determine how the processes flow in sequence and how they interact. Define and describe the network of processes and their interactions, considering:
    - The inputs and outputs of each process (which may be internal or external).
    - Process interactions and interfaces on which processes depend or which they enable.
    - Optimum effectiveness and efficiency of the sequence.
    - Risks to the effectiveness of the process interactions.
    Note: as an example, realization processes (such as those needed to provide the products or services delivered to a customer) will interact with other processes (such as management, measurement and procurement in the provision of resources). Process sequences and their interactions may be developed using tools such as modeling, diagrams, matrices and flowcharts.

  • Define the people who take process ownership and accountability. Assign responsibility and authority for each process. Top management should organize and define ownership, accountability, individual roles, responsibilities, working groups and authority, and ensure the competence needed for the effective definition, implementation, maintenance and improvement of each process and its interactions. These individuals are usually referred to as the process owners.

  • Define the need for documented information. Determine which processes need to be formally defined and how they are to be documented. Processes exist within the organization whether formal or informal; there is no catalogue or list of processes that have to be formally defined. The organization should determine which processes need to be documented on the basis of risk-based thinking, considering for example:
    - The size of the organization and the type of its activities.
    - The complexity of its processes and their interactions.
    - The criticality of the processes.
    - The need for formal accountability of performance.
    Processes can be formally documented using a number of methods, such as graphical representations, user stories, written instructions, checklists, flow charts, visual media or electronic methods including graphics and systemization. Effective and organized processes can then deliver consistent and accountable operations and the desired objectives and results, which can then be improved.

  • Define the interfaces, risks and activities within the process. Determine the activities needed to achieve the intended outputs of the process and the risks of unintended outputs. Determine the risks to conformity of products and services and to customer satisfaction if unintended outputs are delivered. Determine the activities, measures and inherent controls required to transform the inputs into the desired outputs. Determine and define the sequence and interaction of the activities within the process, and how each activity will be performed. Ensure that the management system as a whole takes account of all material risks to the organization and its users.

  • Define the monitoring and measurement requirements. Determine where and how monitoring and measuring should be applied, both for control and for improvement of the processes and the intended process outputs. Identify the validation necessary to assure the effectiveness and efficiency of the processes and the system. Determine the need for recording results, taking into account factors such as:
    - Monitoring and measuring criteria.
    - Reviews of performance.
    - Interested parties' satisfaction.
    - Supplier performance.
    - On-time delivery and lead times.
    - Failure rates and waste.
    - Process costs.
    - Incident frequency.
    - Other measures of conformity with requirements.

DO

  • Define the resources needed. Determine the resources needed for the effective operation of each process. Examples of resources include human resources and financial resources.

  • Implement. Implement the actions necessary to achieve the planned activities and results. The organization should perform the activities, monitoring, measurement and controls of the defined processes and procedures (which may be automated), outsourcing and other methods necessary to achieve the planned results.

CHECK

  • Verify the process against its planned objectives. Confirm that the process is effective and that the characteristics of the processes are consistent with the purpose of the organization. The organization should compare outputs against objectives to verify that all requirements are satisfied. Processes are needed to gather the data; examples include measurement, monitoring, reviews, audits and performance analysis.

ACT

  • Improvement. Change the processes to ensure that they continue to deliver the intended outputs. Act on the findings to improve process effectiveness. Corrective action as a result of process failure should include the identification and elimination of the root causes of the problems. Problem solving and improvement typically follow these essential steps:
    - define the problem or objective
    - collect and analyze the data on the problem and the relevant processes
    - select and implement the preferred solution
    - evaluate the effectiveness of the solution
    - incorporate the solution into routine operation
    Even when planned process outputs are being achieved and requirements fulfilled, the organization should still seek to improve process performance, customer satisfaction and reputation.

Enterprise Risk Management definition

The term Enterprise Risk Management (ERM) is being discussed a lot these days. (Traditional) risk management by itself is not new, but it has evolved. The main difference between the two is that traditional risk management treats risk as something to be managed separately, by each business unit, department or project, in silos. Also, in traditional risk management, the identification and assessment of risk are done bottom up until they are summarized at the management level.

As said, this has evolved into the concept of Enterprise Risk Management, which takes a wider view of risk covering the whole organization or corporation. ERM also works top down: it starts at the strategic level, with the corporate objectives and strategic directions. The game changer is the change of mindset to focus on what could prevent the organization from achieving its strategic goals. This can be supported by creating Key Risk Indicators (KRIs) that are linked to the organization's goals and objectives. These KRIs are monitored closely to assure the organization's decision makers that their decisions remain within the organization's risk appetite.

I will give details on the basic concepts of ERM in later articles; in this article I focus only on the different definitions of Enterprise Risk Management.

ISO 31000:2009 defines risk management as “coordinated activities to direct and control an organization with regard to risk” and defines risk itself as the “effect of uncertainty on objectives”, where an effect is a deviation from the expected, positive and/or negative.

COSO broadly defines enterprise risk management (ERM) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The Project Management Institute's PMBOK defines project risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives.”