Risk Management in AS9100: What It Means and Why You Should Care
By Rebecca Jessep, NSF Aerospace Technical Scheme Lead & AS9100 AEA
AS9100:2016, Rev D, has two clauses on Risk Management: Clause 6.1, Actions to address risks and opportunities, and Clause 8.1.1, Operational risk management.
This often raises important questions: why are there two clauses on the same topic? What’s in it for me and my organization? How do we comply with their requirements?
In this article we’ll explain why these clauses point to different activities and how understanding the differences between them can be a competitive advantage for organizations in the Aviation, Space, and Defense industries.
Risk management and the goal of a QMS
Let’s take a step back and consider the overarching goal of AS9100. The Foreword to Rev D states that using this standard “should result in improved quality, cost, and delivery performance.” Also, in the Introduction (Clause 0.1c) it emphasizes that the benefit of implementing a quality management system (QMS) based on AS9100 is “addressing risks and opportunities associated with its context and objectives.”
From this, we can draw two conclusions:
- AS9100, Rev D, invites individuals and organizations to define their business and QMS processes by using both systems thinking and risk-based thinking.
- The goal of doing that is to ensure predictable outcomes, timely delivery of products and services that meet customer specifications, and—ultimately—profitability.
While the second point is fairly straightforward, let’s clarify what systems thinking and risk-based thinking actually mean.
Systems and risk-based thinking explained
The Oxford English Dictionary defines a system as “a group or set of related or associated things perceived or thought of as a unity or complex whole.” Consider an orchestra with various instruments that, when played at exactly the right time, produces a beautiful, flowing, enjoyable sound.
Taking this further, think of an organization and its various departments, each with its function and processes, such as Business Development, Sales, Contract Review, Program Management, Engineering Design & Development, Purchasing, and Manufacturing. Each of them “plays a part” to produce products and services.
The interactions of these functions will produce exactly what the organization, as a system, is intended to produce. At least in theory. In reality, perfection is not guaranteed, and problems will arise. When that happens, systems thinking steps in to evaluate interrelationships and patterns between the different functions in the organization, supporting more effective problem solving. Peter Senge describes systems thinking as “a framework for seeing interrelationships rather than things, for seeing patterns rather than static snapshots.” (Peter Senge, The Fifth Discipline, 2nd Ed. 2006).
On the other hand, risk is defined by the Oxford English Dictionary as “the possibility of something bad happening at some time in the future”. Section 0.1 of AS9100 states that risk-based thinking enables an organization to:
- Identify factors that could cause its processes and quality management system to deviate from the planned results.
- Implement preventive controls to minimize negative effects of risks and to capitalize on opportunities as they arise.
Risk-based thinking, therefore, means thinking ahead for any internal or external situations that may prevent the organization from achieving its goals and objectives, including its financial targets. It involves evaluating risk both qualitatively (evaluating the likelihood and impact of risks on an organization at a general level) and quantitatively (leveraging numerical data to assess the acceptability of a risk event outcome).
Practical examples of risk-based thinking
Now that we understand the concept, let's revisit the two clauses to see how they address different types of risks.
- Clause 6.1: organizations must consider potential risks and opportunities, both internal and external, that could prevent them from achieving their goals and objectives.
- Clause 8.1.1: organizations must consider the actual risks that each business process presents to the organization in a way that could directly affect product and/or service realization.
The evaluation of these risks consists of two separate activities with separate owners.
So, how does one apply these two separate requirements of AS9100, Rev D?
For Clause 6.1, the evaluation is referred to as Enterprise Risk Management. This activity is owned by the leadership team and is continually updated as part of the annual strategic planning and goal-setting process.
The matrix in Figure 1 provides a practical example of how to apply Enterprise Risk Management via a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis. The critical item to note is that its scope covers the risks and opportunities for the organization as a whole: internal and external issues, customers, suppliers, regulatory bodies, legally contracted oversight and management organizations (e.g. the Defense Contract Management Agency), employees, and other “interested parties”.
Figure 1: Example of Corporation, Industry, & Market SWOT
In Figure 2, we have an example of how to use the results of the SWOT analysis to address Enterprise risks and opportunities, as required by Clause 6.1.2.
Figure 2: Example Corporation, Industry, & Market Action & Risk Mitigation Plan
The scope of Clause 8.1.1 applies to risks introduced to the organization from each functional business area for:
- Program Management (reference Clause 8.1)
- Sales/Contracts (reference Clause 8.2)
- Design and Development (reference Clause 8.3)
- Purchasing (reference Clause 8.4)
- Production and Service Provision (reference Clause 8.5).
For Clause 8.1.1, the evaluation is referred to as Operational Risk Analysis and is conducted by the respective owners of each functional business area. The result of this exercise can be summarized in an Operational Risk Matrix, similar to the example shown in Figure 3.
Figure 3: Example Corporation Operational Risk Matrix by Functional Business Process
Conclusions
Effective risk management has a direct impact on product quality, cost, delivery, and organizational profitability. It involves both Enterprise Risk Management and Operational Risk Management, which is why AS9100, Rev D, has two separate clauses.
For additional study on this topic, please refer to IAQG’s free resource, Supply Chain Management Handbook (SCMH), 7.3, Risk Management.