Risk Analysis Process and ISO 9001

This page looks closely at the links between ISO 9001 and risk management as defined in standards such as AS 4360 (the Australian/New Zealand risk management standard, since superseded by AS/NZS ISO 31000; the process it describes is essentially unchanged).

Potential nonconformities (things that could go wrong but have not yet happened) should give rise to preventive action; corrective and preventive action are cornerstones of quality management. ISO 9001:2015 drops the separate "preventive action" clause in favour of "risk-based thinking", which makes the same point explicit rather than changing it.

Ask the question: are there any other risks to the business that have not yet been identified?

For anyone involved in quality, this question usually prompts careful reflection, because there is always the nagging feeling that something has been left out and some risk remains unidentified.

Work out what these risks could be, then perform a risk analysis: rate the likelihood and the severity (consequence) of each risk separately, and combine the two ratings to rank the risks. Suitable templates for this exist in AS 4360 (see Risk Management Matrix).

This shows a fairly simple process for categorising and dealing with risk. The circular risk management flowchart is simple and closely resembles the 'Plan-Do-Check-Act' cycle associated with continual quality improvement. Risk management therefore need not be run as a separate process; it can be folded into existing quality system processes such as corrective/preventive action and management review.

Regular risk assessment overcomes the common danger of a company not being sufficiently proactive. Risk assessment should be done routinely, at least once per quarter and prior to management review, so that the management review has a current view of the risks to act on.

If there are concerns about the extra resources needed to handle more tasks, bear in mind that a maturing quality system will already have saved time through the efficiency it brings. Resources are not limitless, but there are bound to be important things that should be checked and are not being checked. Ask which less important items could be rationalised to make room for them.

A common reaction from middle management is that this sort of thing should come from senior management; however, senior management can only make decisions based on the advice of their people. Those with extensive practical experience within the organisation are usually in a better position to identify the risks and to make this contribution.

A serious risk should be recorded and corrective/preventive action implemented and tracked to closure. These corrective actions should be reviewed at the management review meeting, which provides clear evidence of continual improvement.
