Beyond Tried and True

Source: QP- Quality Progress Magazine | May 2016
Author: Lance B. Coleman Sr., author of Advanced Quality Auditing: An Auditor’s Review of Risk Management, Lead Improvement and Data Analysis (ASQ Quality Press, 2015)

In 50 Words or Less

  • In today’s world, a significant part of organizational value is created through globally diverse suppliers.
  • Risk management is therefore an increasingly important aspect of executive-level decision making.
  • Conducting a successful supplier audit using lean tools can be a way to identify, assess and mitigate organizational risk.

Manage organizational risk through supplier audit programs

RISK ELIMINATION. Risk management. Risk mitigation. These phrases are an increasingly important part of the lexicon of executive-level management as organizations strive to succeed in a business environment with global competition, geographically diverse suppliers and new technologies.
In this new globally expansive marketplace, more than 50% of value creation is achieved outside an organization’s walls—in other words, through its suppliers. This, too, is where the majority of product realization risk lies, but a robust supplier audit program can help manage this.


Up-front planning requires determining supplier selection and classification criteria. An initial supplier assessment or survey may provide data for that decision. Finally, a decision based on risk versus reward must be made about whether to use one source or more than one supplier.
After a supplier has been accepted by an organization, supplier monitoring and reporting (internally to management and externally to the supplier) includes:

  • Audit results.
  • Receiving inspection results.
  • On-time delivery.
  • A supplier corrective action request (SCAR) history that includes nonconforming materials received.
  • A supplier rating.

The supplier management process steps, shown in Figure 1, are:

  • The inputs to the supplier management process, which include a supplier’s risk classification after acceptance to the approved supplier list, plus on-time and quality performance histories that are ongoing after acceptance.
  • The process itself, which includes multiple activities such as audits, inspection, testing, document review, data collection and recording.
  • The output, a risk-based decision on whether to maintain the status quo, make adjustments to a supplier rating, discontinue a supplier or add an additional supplier.

Figure 1: Supplier management process

A sample risk classification table is shown in Table 1. Some important factors to consider when determining supplier classification according to risk are:

  • Complexity of the process or product. The more complex a product or process, the more likely something can go wrong during production. Risk escalates if there is a history of problems with a product or process.
  • Criticality of the product. Failure or unavailability of the product may lead to end-user or even public health issues. Two business-related examples of criticality of the product might be having a long lead time, and the impact it has on other products if it fails and affects the process (such as being unable to continue production) by not being available. Is the organization particularly vulnerable to a certain type of failure? Is there difficulty detecting an issue before it travels downstream? If so, risk increases.
  • Newness of the product. According to ISO 31000:2009—Risk Management and ISO 9001:2015, uncertainty brings risk. Uncertainty resides within anything new. A new product or a product that is dissimilar from anything the supplier has previously produced will have a higher risk attached to it in production and design.
  • Supplier history. Supplier quality, on-time delivery, audit results and recently issued (as defined by an organization) supplier corrective action requests should all be taken into account.

Conducting the audit

As with any audit, detailed planning is crucial for success. In addition to reviewing previous audit results, receiving inspection and test records, and any recent SCARs, successful planning requires auditors to look not only outside their stations but also outside their walls. What does that mean?
It means auditors should look beyond quality records and review other types of records that could affect an organization:

  • Warning letters or other citations from regulatory bodies that are part of the public record.
  • On-time/in-full delivery record.
  • Informal correspondence between a supplier and customer that may discuss issues or concerns that were not formally documented.
  • If the supplier to be audited is used by any of an organization’s other sites, whether it has any issues, concerns or follow-up that should be addressed.
  • Remembering that the customer-supplier relationship should be a partnership. This is regardless of whether there are concerns about the supplier’s quality management systems (QMS) that it may need assistance with or welcome feedback during the audit.

Another important aspect of audit planning is selecting the team members. More so with supplier audits than for internal audits, it is important to select a cross-functional audit team that includes the right subject matter experts (SME) when necessary.

When auditing a supplier, an auditor is more likely to come across a process he or she is totally unfamiliar with and will be less likely to receive candid responses around known process issues. It is helpful at this time to have the proper SME help sort through data and responses to help make sense of it all.

Teaming with supply chain professionals brings a whole different logistics and operational perspective to the overall supplier assessment. Managing supplier risk means looking at “big Q” quality during an audit—in other words, quality of systems and controls, not just quality of product.

It is also critical to remember that even though you are the customer, you are also a guest in your supplier’s facility and should behave as such. Auditors should be fair in their presentation, follow site rules and engage with the auditee politely and nonpunitively.

Any deviation from acceptable behavior runs the risk of alienating the auditee, ruining rapport, and making it difficult to acquire the information and support needed to conduct a successful audit.

The communication established during the audit is like a two-way street. As a supplier auditor, you also should be receptive to identifying any gaps in desired behavior on the part of your organization:

  • Does your organization respond to inquiries and approval requests in a timely fashion?
  • Does your organization communicate drawing and specification changes effectively and efficiently?
  • Are your requests reasonable?

Don’t forget to revisit opportunities for your organization to better help a supplier. Don’t just put opportunities into your report and forget about them. Follow up to see whether the issues were addressed or at least assigned to someone as action items.

What if your supplier doesn’t have a formally defined QMS or has a system that is not well documented? You might focus more on process audits to assess effectiveness and efficiency. You could still structure your audit around the most applicable standard, for example, ISO 9001 or any of the sector-specific quality management standards such as ISO 13485 (medical devices), ISO/TS 16949 (automotive) and AS9100 (aerospace).

Table 1: Sample supplier risk classification form

Even when you can’t enforce the requirements set forth by a particular standard, they still provide excellent guidelines regarding key elements to look for when assessing how and how well your supplier functions.

Classification of findings should be based on risk. One example of such classification is shown in Table 2. A finding classification will take into account the possible impact of the finding in conjunction with the likelihood of recurrence. Two other important factors to consider are the ability to detect the issue if it occurs and the vulnerability of the auditing organization to this issue.

Reaction to a supplier having repeat findings depends on risk. The findings themselves should first be classified according to risk. Just the act of having repeat findings points to a concern with the supplier’s root cause analysis, corrective action and customer focus aspects of its QMS. This leads to a higher risk of receiving faulty product from that supplier.

The two ways to think about repeat findings are whether they are systemic or chronic.

  1. Systemic—identified over the course of a single audit and repeating throughout various aspects of an organization’s QMS. One example might be lack of training records across various functional areas.
  2. Chronic—issues found to repeat over time, whether or not corrective action is in place. One example might be the same audit finding found during three straight audits. Another might be found during a single audit by looking at records and seeing an issue repeating over a period of time without being identified or resolved.

In either case, escalations of the finding classification may require some type of intervention to permanently address the issue.
Depending on resources, the criticality or uniqueness of the supplier, and the supplier’s willingness to improve, you could work with the supplier to improve the systems that allowed the repeat findings to occur.
Another option is to consider downgrading a supplier’s rating within your supplier monitoring and evaluation system.

In other words, ask how great is the risk in continuing to use this supplier?

Depending on the severity of the issues that are repeating, this downgrading could lead to any or all of the following options:

  • More frequent audits.
  • More extensive audits (more days and people).
  • Issuance of a formal SCAR.
  • A higher acceptable quality level (AQL) on supplier products inspected.
  • Selection of an alternative or new supplier.

Table 2: Finding classification risk matrix

Risk-based thinking example

For an example of how to apply risk-based thinking to an audit, consider the following scenario, which actually occurred. Company ABC has a supplier XYZ, which has successfully produced a part for 20 years, at various times outperforming competing suppliers. According to new supply chain guidelines, supplier XYZ was included on the year’s audit schedule because it had never been audited previously.

Based on past performance, everyone assumed the audit would go swimmingly, but this was not the case. Two noncompliances around calibration and one related to records maintenance were raised during the audit.
If this had been a new supplier assessment, the supplier would have been rejected, but supplier XYZ had consistently had one of Company ABC’s best quality and on-time delivery records. What to do?

It’s important to look at the type of risk at this point. Neither noncompliance directly affected product or product realization and, based on recent and past history, the risk to product was deemed low. But risk to the QMS—or the ability to monitor the effectiveness and efficiency of the company quality and determine the root cause should something go wrong—was high.

So, despite supplier XYZ’s excellent historical production record, the supplier’s ability to detect and respond effectively could be negatively impacted by these findings if something did go wrong in the future.
All three were classified as major, and supplier XYZ was downgraded from “approved” to “conditionally approved” status on the approved supplier list. From the perspective of Company ABC, orders could still be placed with XYZ—as long as the findings were responded to with effective corrective action within a six-month window, and XYZ passed a follow-up audit.

Lean risk management

Lean risk management is not lean and it is not risk management. Rather, it is a melding of the two for greater effect. Risk comes from uncertainty, and uncertainty comes from the unknown and hidden. One simple example of lean risk management is using lean tools as a part of an audit to uncover the waste (process inefficiencies) produced in the hidden factory that exists in most organizations. Process mapping and value stream mapping are good ways to ascertain effectiveness and efficiency and to identify bottlenecks. Swim lane diagrams are a great way to visualize and evaluate the handoffs between functional groups in a shared process.

For an example of how an audit incorporating lean can transform a more traditional compliance audit, let’s compare auditing a medical device company’s receiving process in a more traditional conformance-driven manner versus auditing by also including value stream mapping.

First, let’s look at a case when auditing less complex processes. Based on my experiences with similar areas, an auditor can start by imagining what activities must take place, drawing a flowchart of activities without reading any procedures and asking what questions remain. Leave decision blocks incomplete until the reaction to a given scenario is known. For an example, see Figure 2.

Figure 2: Receiving process flowchart

The phrase “hard document requirements” refers to documented procedures required by ISO 13485:2003 (the most current version of the medical device-specific quality management standard at the time of an audit when the flowchart in Figure 2 was used).

The next step is to read the relevant standard operating procedures (SOP) and work instructions to provide more detail.

This is my preferred method because brainstorming beforehand—what questions need to be asked and what actions accounted for—can highlight opportunities in the system if those questions aren’t answered after the work instructions and SOPs have been read and the flowchart details filled in.

After the relevant documents are reviewed, as a minimum the following questions must be asked to assure conformance with requirements:

  • What is the requirement?
  • What do our documents say?
  • Do we do what we said we would do?
  • Are our records complete and consistently filled out from one record to the next?

Value-added questions

When incorporating lean thought into an audit process, we start to look at where value is found in the process being audited. In other words, does a particular process or process step add value from the perspective of the customer—whether internal or external? The following are some questions to ask:

What is the value proposition? In other words, is this process something a customer would pay for? If not, the process should be eliminated if possible and streamlined if not possible. In the case of receiving inspection, while important from the standpoint of helping to manage the risk of defective material or components entering the manufacturing pipeline, there is no value from the customer’s perspective. The customer is not buying an inspection service, so the receiving inspection process should be streamlined as much as possible.
This is done by adjusting sampling levels (the AQL) based on the past quality history of a given supplier and any change in the risk level based on changing the AQL. This also can be accomplished by designating certain outstanding suppliers as “dock-stock” for certain products that don’t go through receiving inspection at all but are sampled from inventory periodically per organization procedures.

What is the cycle time of this process? Learn how long this process takes, whether it could be done more quickly and whether resource allocations are appropriate to the task.

How does the cycle time compare with takt time—the customer consumption rate?
How efficient is this process? Learn the yield for this process and how it compares to expectations and to similar processes. One example of the yield for an inspection process might be the number of pieces inspected per person per hour.

What are the value-added and nonvalue-added steps? Determine whether any nonvalue-added process steps can be eliminated, combined or shortened, or any value-added steps can be optimized.
To visually depict value-added and nonvalue-added steps as well as cycle time, the value stream map shown in Figure 3 is a useful tool. A value stream map is a high-level process map that shows value-added and nonvalue-added steps, lead time, cycle time, and step or process yields.
Using a value stream map in conjunction with a process map and process flowchart allows a total capture of the activities in a given area. Typically, however, high-level value stream maps are used to take a micro view of an area within an organization in an attempt to see where value lies.
By looking at cycle and lead times, the value stream map in Figure 3 also takes into account scheduling and the next step in the manufacturing process: production. In a less-mature QMS, it is quite possible that through value stream mapping, the auditor might be capturing this important information for the first time.
By incorporating lean into an audit process, in this case through the use of value stream mapping, we can now not only assess conformance but also assess the effectiveness and efficiency of an existing process. Depending on the audit goals, an auditor might use a process map, flowchart, value stream map or some combination of them.

Supplier development

Even though compliance should be the focus of any supplier audit due to the limited resources and time typically available and the need to manage risk, looking for improvement opportunities is almost as important in the long term.

Strengthening a supplier and helping it improve its QMS is an important way of mitigating supplier risk for your organization because it is a win-win for everybody. This is the case if the audit is conducted thoroughly and if the supplier response from the perspective of root cause analysis and corrective action is robust.

Coaching can guide a supplier through the root cause analysis and corrective processes to arrive at an appropriate solution to an identified problem without providing the answer. Elimination of a root cause—or system weakness—of an issue will by default strengthen the supplier.

Identifying opportunities for improvement—those things that are not nonconformances but that can and should be done better—can help a supplier improve. So can sharing of nonproprietary or nonconfidential industry best practices around issues discussed over the course of an audit.

Finally, also try to capture any obvious supplier training needs during an audit. These too can be cited as opportunities. Enhancing the skills of a supplier will give it the opportunity to provide better products to your organization.

Fully incorporating risk-based thinking within all aspects of the supplier audit process provides new tools and methods for auditors to use in conjunction with the tried and true, and will lead to a more robust supplier audit program, thereby helping to reduce organizational risk along a supplier chain.
