The Integration between Quality Management and Risk Management Systems

After discussing the basic definition of the term ‘Integrated Management System’ and its benefits here, in this article, I will discuss the integration between quality management and risk management systems. In specific, I will examine the rationales behind this integration.

Quality Management: More than an ISO 9000 Standard

The quality management knowledge area was founded with the efforts of different quality gurus. Miller (1996) argued that the most important gurus are Deming, Juran, Crosby and later Feigenbaum. These experts put different definitions and principles for managing quality as per the following (Suarez 1992; Miller 1996):

  • Deming argued that the quality should be defined from customer’s stand point, including the current and the future needs, and popularised the PDSA (Plan, Do, Study and Act) Cycle that was built based on different problem-solving concepts including the statistical methods of Shewhart (Moen & Norman 2010). Additionally, Demining proposed 14 points that the management should address to ensure customers’ satisfaction;
  • Juran defined quality as “fitness for purpose” and developed the famous Juran’s trilogy which provides a systematic approach to manage quality in products and services. The three quality processes under this trilogy are: “quality planning”, “quality control” and “quality improvement‘;
  • Crosby defined quality as “conformance to requirements” and developed 14 steps to quality management that emphasized on the management’s role as well as the entire organization;
  • Feigenbaum developed the concept of “Total Quality Control” and established the principles of the TQM.

Achieving the desired quality level needs an effective and efficient management system to manage the different phases of quality management for a product or service, starting from setting the specifications up to the monitoring the quality during the actual use. A Structured Analysis and Design Technique (SADT) formalism for a quality management life cycle is shown below.P 1.jpgA major anchor of any discussion related to quality management is the work by ISO, which is an international body of different national standards bodies dedicated to setting standards that cover a wider range of business aspects such as quality management, risk management and environmental management to name but a few (ISO 9001 Standard 2015, p.v). The two important standards for the scope of this research are the ISO 9000 family for quality management and ISO 31000 for risk management.

Under ISO 9000 family, quality management is defined as “activities used to direct, control and coordinate an organization as regards [to] quality” (Barouch & Kleinhans 2015; ISO 9001 Standard 2015, Within this context, it is important to address the four key areas in any quality management system which are: quality planning, quality control, quality assurance and quality improvement (George et al. 2005) in addition to a pre-requisite step which is defining the quality policy (ISO 9000 Standard 2005, p.9).

According to ISO 9000:2005, which is part of the ISO 9000 family standards and includes the fundamentals and vocabulary, the differences between the four areas of a quality management system  are that (ISO 9000 Standard 2005, p.9):

  • Quality planning incorporates setting the relevant quality objectives and plans;
  • Quality control includes how products and services are fulfilling the quality requirements;
  • Quality assurance focuses on providing a confidence that the quality requirements are implemented;
  • Quality improvement is about ensuring that the good efforts are sustained and are increasing with time.

A PDCA representation for ISO 9001:2015 is shown in the figure below.P 2

Risk Management: More than a Gut Feeling 

Risk management is an abundant knowledge area that is not new. People used to manage risks by intuition, experience or just a gut feeling, however, the increase in complexity in the business environment and the push from several financial firms to a systematic approach to managing risks led to the emerging of different risk management standards and frameworks (Williams et al. 2006).

Risk is defined as an “effect of uncertainty on objectives” (ISO 31000: 2009, p.1). Although the definition is simple, there are different approaches to classify and manage risks. To shed some light on the uncertainty concept first, Emblemsvag (2011) highlighted that ‘uncertainty’ is a function of ‘fuzziness’ and ‘ambiguity’ and the later one is a function of ‘discord’ and ‘non-specificity’. The detailed breakdown is shown below.P3.jpgRisk is expressed by a combination of ‘likelihood’ and ‘impact’. The first term represents the chance or the probability that something will happen and the second one refers to the consequence of an event whether it has a positive or a negative effect (ISO 31000 Standard 2009, p.1). Accordingly, a risk can be an ‘opportunity’ with a positive impact or a ‘threat’ with a negative one (Project Management Institute 2009, p.9).

Watson (2011) argued that an important part of risk management is developing a ‘hierarchy of information’ to split out the ‘assumptions’, ‘issues’, ‘threat’ risks and ‘opportunity’ risks. In this way, any subsequent risk analysis and communication will be more accurate as any piece of information is used only once in the set, and data duplication with any associated miss-assessment is avoided.

The body of literature is filled with different classifications for what could constitute a risk, for example, the Australian Standards and New Zealand Standards, AS/NZS 4360 for Risk Management, differentiate between ‘sources of risks’ and ‘areas of impact’. Sources of risks can be commercial, economic conditions, natural events and technology issues to name but a few, while areas of impact can be tangible such as costs and performance, or even intangible such as reputation and goodwill (AS/NZS 4360 1999, p.31). However, Watson and Ramsay (2000) argued that there are only three types of risks which are  (Watson & Ramsay 2000):

  1. Generic risks that are pre-existed in the business environment and managed by preventing the causes of the risks;
  2. Systemic risks which are the variations within the system itself which are defined by their influences and managed by providing controls for these variations;
  3. Discordant risks which represent the deviation from the plan and can be defined by their impacts and/or causes, therefore they are managed by looking at both, the potential casuals and potential impacts so as to reduce them.

To address the full picture of risk management, companies may adopt an Enterprise Risk Management (ERM) approach. Contrary to a quality management system, which is usually combined with ISO, the discussion about ERM comes from an enormous range of institutes, scholars and parties. In a recent detailed literature review in this area, Bromiley et al. (2015) analysed the different approaches and definitions of ERM and provided a new definition as “the integrated management of all the risks an organization faces, which inherently requires alignment of risk management with corporate governance and strategy” (Bromiley et al. 2015).

The huge number of approaches to ERM does not neglect the fact that these approaches are actually similar. The Risk and Insurance Management Society (RIMS), an international non-profit professional association dedicated to providing a professional platform for risk management issues and concerns, conducted a detailed comparison between six ERM-approaches, which were:

  1. ISO 31000: 2009;
  2. OCEG “Red Book” 2.0 (Open Compliance and Ethics Group);
  3. BS 31100: 2008 (British Standard);
  4. COSO:2004 (Committee of Sponsoring Organizations of the Treadway Commission);
  5. FERMA: 2002 (Federation of European Risk Management Associations)
  6. Solvency II: 2012

The report concluded that the six of them share similar characteristics more than differences (Risk and Insurance Management Society 2011).

Rationales behind Integrating Quality and Risk Management

The closer look at the integration between those two management systems might bring few surprises. A mature body of knowledge that carries different arguments about not only the advantages of such integration, but also many conceptual frameworks that might help in that journey.  This confirms with Popescu and Dascalu (2011) who argued that the quality management system and the risk management system are not mutually exclusive; they complement each other.

Many scholars addressed the relationship between quality management and risk management, and argued that the integration will add value to both areas.  The need for this integration is best understood when reviewing the limitations in the traditional quality management and risk management thinking.

For the quality side, the traditional PDCA Cycle is best applicable for a relatively stable business environment, for which the cycle had been subjected to several amendments such as the proposed one by Dervitsiotis (2004) and Free (2012). Dervitsiotis argued that under a state of an unstable system, PDCA cycle is best replaced with the Complex Adaptive System (CAS) Cycle that consists of four steps namely, ‘unfreeze’, ‘explore’, ’emerge’ and ‘guide’ (Dervitsiotis 2004), while Free argued that AREIR (Anticipate, Recognize, Evaluate, Implement and Review) cycle is best suited such a turbulent condition (Free 2012). It is worthy to mention that Free had referred to the PDCA Cycle as the Deming Cycle mistakenly, as the cycle that was promoted by Deming is called the PDSA (Plan, Do, Study, Act) Cycle (Moen & Norman 2010).  The two approaches are shown below.P 4

P 5Moreover, a recent detailed literature review on the main criticism for the traditional quality management was developed by Barouch and kleinhans (2015) who concluded that the main areas of concerns are: the design of the quality management itself and the implementation process. More importantly, they found that the traditional quality thinking lacks flexibility and hence may hinder the innovation process in the company. In addition, the mechanistic approach of quality management, i.e. work should be formally structured under rigid work instruction, might not fit in a complex and dynamic business environment (Barouch & Kleinhans 2015).

On the risk management side, the limitations come from the traditional demand of looking at risk as a regulatory issue, which often involved sophisticated modelling and highly technical approaches, rather than as a value-creating activity (Abidi & Joshi 2015). Moreover, this dependence on modelling the historical data is misleading and sometimes data is either not available or invalid due to the frequent changes in the business environment, and neglects the role of the management’s experience in understanding the real risks. As a result, modelling can produce a false relief that risk is under control since it follows a scientific approach (Borison & Hamm 2010).

With respect to the above limitations, many scholars advocate for the integration between the two knowledge areas. Harris and DeMarco (1998) argued that “risk management is quality control philosophy’” which confirms Popescu and Dascalu (2011) who viewed them as “two sides of the same coin”; quality is about measuring how good the company is in satisfying customer’s requirements, while risk is about measuring the potential for deviation from the requirements (Popescu & Dascalu 2011).

Additionally, when looking at the core philosophy of quality management, the failure prevention approach, or even the failure’s likelihood reduction approach, is also a risk prevention principle, so a structured quality management system will allow the company to ensure consistency in their products and services and hence lead to reducing risks (Costantini & Zanin 2015).

Moreover, quality management and risk management are both dealing with problems that have resulted from uncertainty, either from internal or external causes. As a result, they tend to translate the uncertainty via probability and statistics (Costantini & Zanin 2015). On the first hand, expected quality failure that is covered by warranty and liability is a form of managing the risk of producing out-of-specification products. On the other hand, applying preventive measures to manage risk will also help in improving quality (Costantini & Zanin 2015).

Recently, ISO 9001 standard had been subjected to a new release in 2015. ISO 9001 is a system based on the PDCA Cycle but it also has a risk based- approach. The PDCA cycle is needed to ensure consistent steps in managing the resources to determine business opportunities and work on them, while the risk management is used to help the company to identify the factors that might result in a deviation from the objectives, and put the preventive controls in place accordingly (ISO 9001 Standard 2015, The risk management was included in the previous ISO 9001 versions implicitly, where the standard requires the identification of preventive actions for nonconformities (ISO 9001 Standard 2008, p.14), but with the new version, risk management comes as explicit requirements (ISO 9001 Standard 2015, p.ix).

Before concluding this discussion, it is worthy to highlight the quality thinking in some of the risk management tools and vice versa. For example (Popescu & Dascalu 2011):

  • FMEA (Failure Mode and Effect Analysis) that is used in the design phase of a process or a product is actually, under the quality knowledge area, an analysis of the potential failures and their effects in order to establish proper controls, i.e. mitigate the risk or, even better, eliminate it.
  • Process Capability Analysis which is used to determine if the process is in a state of statistical control or not, and hence how capable is it to satisfy customers’ requirements, and is therefore basically a statistical analysis for the likelihood of achieving those requirements.
  • Six Sigma as a process improvement philosophy that aims at reducing the variations in the process, which also means reducing the risk of deviation from the objectives.

Finally, among many scholars who discussed the relationship between quality and risk management, Williams et al. (2006) analysed how each area can contribute to the success of the other one, and emphasized on the role of adopting new types of leadership skills, which they called a ‘sense of coherence’ in order to be able to manage the two systems within a turbulent environment.

As a conclusion, the above argument indicates that the integration between quality management and risk management is not a new phenomenon. In another post, I will illustrate how I examined this kind of integration in order to achieve Business excellence in a highly VUCA (Volatile, Uncertain, Complex and Ambiguous) environment.


Abidi, S. & Joshi, M., 2015. The VUCA company – kindle edition 1st ed., Delhi: Jaico Publishing House.

AS/NZS 4360, 1999. Standard AS/NZS 4360: 1999: risk management. Available at:

http:// NZS 4360-1999 Risk management. pdf. Last viewed August 2016.

Barouch, G. & Kleinhans, S., 2015. Learning from criticisms of quality management. International Journal of Quality and Service Sciences, 7(2/3), pp.201–216.

Borison, A. & Hamm, G., 2010. How to manage risk (after risk management has failed ). MIT Sloan Management Review, 52(1), pp.51–57.

Bromiley, P. et al., 2015. Enterprise risk management: review, critique, and research directions. Long Range Planning, 48(4), pp.265–276.

Costantini, A. & Zanin, F., 2015. The influence of total quality management on risk identification and non-financial performance measures: An Italian-based empirical analysis. International Journal of Management Cases, 17(4), pp.73–87.

Dervitsiotis, K., 2004. Navigating in turbulent environmental conditions for sustainable business excellence.pdf. Total Quality Management, 15(5-6), pp.807– 827.

Emblemsvåg, J., 2011. Augmenting the risk management process. Risk management trends, pp.1–26.

Free, M., 2012. Adapting the Deming cycle to the management process. Production Machining, 12(7), pp.17–18.

George, S., Thomas, C. & Weimerskirch, A., 2005. Process improvement and quality management in the retail industry 1st ed., Wiley.

Harris, T.B. & DeMarco, M., 1998. A new paradigm for risk management. Derivatives Quarterly, 4(4), pp.7–17.

ISO 31000 Standard, 2009. ISO 31000: Risk management principles and guidelines.

ISO 9000 Standard, 2005. ISO 9000: Quality management systems- fundamentals and vocabulary.

ISO 9001 Standard, 2015. ISO 9001: Quality management systems- requirements.

ISO 9001 Standard, 2008. ISO 9001: Quality management systems- requirements.

Miller, W., 1996. A working definition for total quality management (TQM) researchers. Journal of Quality Management, 1(2), pp.149–159.

Moen, R.D. & Norman, C.L., 2010. Circling back: clearing up the myths about the Deming Cycle and seeing how it keeps evolving. Quality Progress, 43(11), pp.22–28.

Popescu, M. & Dascalu, A., 2011. Considerations on integrating risk and quality management. Annals of “Dunarea de Jos” University of Galati, 1(1), pp.49–54.

Project Management Institute, 2009. Practice standard for project risk management 1st ed., Newtown square- Pennsylvania: Project Management Institute Inc.

Risk and Insurance Management Society, 2011. An overview of widely used risk management standards and guidelines. , pp.1–11.

RIMS Standards Report. March 2010. Available at:

Suarez, J.G., 1992. Three Experts on quality management. TQLO, (92-02).

Watson, R., 2011. Risk Reduction by Better Communication within the “Business – Project” Environment. In PMI Nordic. Stockholm.

Watson, R. & Ramsay, C., 2000. Focusing project risk management to enhance business performance. In 4th Annual Risk Symposium. pp. 1–11.

Williams, R. et al., 2006. Quality and risk management: what are the key issues? TQM Magazine, 18(1), pp.67–86.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s