
Risky Business – The Latest ISO9001 and EMS Value Enhancing Confrontation

May 3, 2017 by Philip P. Thurman | News

ISO 9001, opportunity, risk


Even the most seasoned professionals become comfortable with routines and preconceived mental models of how their worlds and industries work. The latest ISO9001 revision forces companies to engage in operational and quality management system risk framing to consistently challenge preconceptions. Large or small electronic manufacturing service providers now must self-reflect upon threat perceptions, potential opportunity returns, and overall stakeholder value impact. Risk management evokes many potentially unique definitions depending upon interpreter and context. The Casualty Actuarial Society defines Enterprise Risk Management as:

“…the process by which organizations in all industries assess, control, exploit, finance, and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders.” (Matrix Group International, 2012).

The current ISO9001:2015 revision regarding risk and opportunity maintains this spirit. By September 15, 2017, no further ISO9001:2008 certificates will be issued. If not already certified to the 2015 revision, your organization should have already progressed into the middle of a gap analysis or be scheduled for recertification.

The International Organization for Standardization (ISO), founded in 1947 and headquartered in Geneva, Switzerland, established an international standard for quality management systems and a “common language” of compliance. While the 1987 to 1994 revision emphasized Inspection and the 2000 to 2008 revision was structured around Process, the core of the 2015 revision is Risk and Opportunity, with sixteen specific references throughout the new revision. Framing through both risk and opportunity is important since risk possesses a negative, reactionary connotation while opportunity suggests a positive, proactive strategy. Ignoring risks and ignoring opportunities equally present potentially damaging performance results. As an Electronics Manufacturing Services (EMS) provider, what are the impacts of compliance for both short and long term strategic execution? The Risk and Opportunities core focus is established in Section 6.1. For many, the general term causes significant worry due to the ambiguity and limitless risk potentials associated with electronics manufacturing. Do not overcomplicate!

The most fundamental definition of a process is:

Figure 1. Process

Both risks and opportunities may emerge during any one or all three process phases. Weeks and months of tireless concentration could be invested attempting to identify thousands of potential risks associated with circuit design, supply chain, quality, configuration management, or any other electronics manufacturing discipline. But the most critical element contained within the new 2015 revision is that defining risk and opportunity is up to each individual organization with considerations influenced through:

  • Assurance of the quality management system to achieve intended results
  • Desirable effects are enhanced
  • Undesired effects are reduced or prevented
  • Improvement is achieved

The degree of impact on quality management system performance must also influence risk classification, identification, and related mitigation contingencies.

Once an organization has determined corporate risks and opportunities, planning is required to address, integrate, and implement actions into the overall quality management system and evaluate the plan’s effectiveness. It is up to each company to determine the most critical risks, codify those risks, establish metrics, and continuously evaluate performance enhancement or degradation. In a successful company, the effectiveness of risk and opportunity consideration occurs through constant formal and informal discussions, key performance indicators, and feedback receptiveness from every organizational level. Note 1 of the new revision cites multiple aspects of risk in potential negative connotations of avoidance, elimination, or alteration to prevent consequences. Note 2 identifies opportunities with potential positive connotations such as new practice adoption, customers, product, and markets along with partnership building and possibilities that are viable and desirable (ISO 9001:2015, Section 6.1.2). Does any of this already sound familiar? It should. Whether you realize it or not, if your company has achieved and sustained any degree of relative success, then it’s most likely that you already engage in most of these practices as daily operational elements. These are “common sense” fundamental characteristics of a value-added organization, and if these elements are not already regarded during strategic analysis and implementation, then your business is struggling at best and, at worst, soon ceasing to exist.

Common risks relative to electronics manufacturing are both internal and external. Internal risks may include scheduling dynamics resulting from minimal to poor demand visibility; improper resource management including financial, capital, or labor expenditures; unclear or constantly shifting customer schedules; and material availability or conditions impacting the ability to fulfill customer expectations. External risks may include rapid technology advancements in both component packaging and assembly, increased market competitiveness or saturation, threat of new entrants, and supply chain disruption or extensive lead times. Versatile, successful EMS leadership must develop an almost intuitive sense of risk versus reward and articulate the necessity at each organizational level.

Robert S. Kaplan, senior fellow and Martin Bower Professor of Leadership Development, Emeritus, at Harvard Business School, and Anette Mikes, assistant professor of accounting and management at Harvard Business School, classify risk in the following three general categories:

Category 1. Preventable Risks

These are internal controllable risks of an organization that are avoidable or possible to eliminate. These risks have no potential contribution to a company’s bottom line and are typically controllable through reinforcement of behavioral norms. Ethical practices and standardized operations should minimize this category. EMS providers, like all other organizations, must maintain strict ethical standards and ensure sufficient process mechanistic structures to prevent this risk type.

Category 2. Strategy Risks

Strategy risks are those an organization takes with a benefit expectation. For the EMS, it might involve purchasing excess inventory in order to provide improved customer responsiveness, capital expenditures in anticipation of future market technology advancements based upon positive net present value, or some other specific resource investment in anticipation that overall corporate worth will increase. Decisions cannot be managed through a standard set of rules alone, but sufficient leadership must be established so the extreme of potential loss does not cause catastrophic corporate misalignment.

Category 3. External Risks

Electronic Manufacturing Service providers and associated quality management systems, like all organizations, encounter risks beyond control or influence. Force Majeure events, political activity increasing regulations, social norm shifts, and macroeconomic influences are all examples.

The ISO9001:2015 revision forces a continuous reflection, awareness, and cognition of potential risks and opportunities. R.S. Kaplan and A. Mikes (2012) write “…extensive behavioral and organizational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.” (para. 11). For an EMS, leadership must continuously analyze, anticipate, measure, and learn from both internal and external forces shaping both risks and opportunities potentially affecting performance. ISO9001:2015 challenges cognitive bias and demands mental model introspection so organizations maintain a constantly fresh receptiveness to market demands, technological advances, and future industry trends. There are three facets of the dynamic as represented in Figure 2 below.

Figure 2. Value Growth Risk Model

The Risk and Opportunity model presented in the latest ISO9001 revision is neither revolutionary nor new. Recognition, action, and reassessment are critical not only towards continually improving an organization’s quality management system but also towards advancing value for the benefit of all stakeholders. Keep it simple and always remember: ISO works for your quality management system; your quality management system doesn’t work for ISO!

The International Organization for Standardization. (2015). Quality Management System – Requirements (5th Edition). Geneva, Switzerland.

Kaplan, R.S. & Mikes, A. (2012, June). Managing Risks: A New Framework. Retrieved from https://hbr.org/2012/06/managing-risks-a-new-framework

Matrix Group International. (2012). Enterprise Risk Management. Retrieved from http://www.casact.org/area/