This two-part article focuses on risk management of facilities and equipment. It describes how a risk-based approach to facilities and equipment management fits into an integrated, effective quality systems structure. The principles discussed are equally applicable to all quality systems. Facilities and equipment represent a broad range of risk to product quality and are one of the key quality systems commonly identified in the pharmaceutical manufacturing industry.

Cybersecurity Risk Management Workshop

Did you know that Small & Medium-sized Businesses (SMB) are targets in 75% of cyber attacks? Is your cybersecurity approach based on a set of defensive tools and procedures you have cobbled together over time? Is this approach adequate for dealing with today’s cyber risks? How do you know? Are you finding you are being more reactive than proactive? How can you do something about it?

This 3-hour workshop will address the basic steps to prepare your organization for implementing cybersecurity risk management. It will present a proactive methodology for defining and assessing your cybersecurity risks and then describe a mechanism for developing a plan to deal with them. We will look at the Federal (NIST) Cybersecurity Framework, developed with industry, as it defines a process and procedures for developing a cybersecurity system for an organization.

You will learn how to: 1) describe your current cybersecurity posture; 2) determine your target state for cybersecurity; 3) identify and prioritize opportunities for improvement using a risk management approach; 4) assess progress toward the target state and organizational capability; and 5) improve communications among internal and external stakeholders.

  • Analyze your current cybersecurity approach. What are your objectives and critical assets? The five Core cybersecurity functions – Identify, Protect, Detect, Respond, Recover. Identifying the key cybersecurity process activities required to manage your cybersecurity risks. How to perform a cyber risk assessment and select your key risks and controls.
  • Assess your cyber risk management capabilities. How rigorous and sophisticated do your capabilities need to be for your cybersecurity risk management activities?
  • Define your cybersecurity risk Profile. What activities are needed to reach your cybersecurity goal(s)? Manage cybersecurity risk in each of the Core cybersecurity Functions and Categories. Which Functional Subcategories have you implemented already, and which others still need to be implemented? By documenting your current state and the desired target state of specific cybersecurity activities, you reveal the gaps that need to be addressed to meet your cybersecurity risk management objectives and enable assessment of progress toward those goals.

Date: Wednesday, June 3, 2015
Location: Room 160, Phoenix Convention Center – South Building Hall G.
Visit us in AmCon at Booth 419 (http://www.amconshows.com/phoenix-az/)
Registration fee: $199 (includes FAQ handout on NIST Cybersecurity Framework)
Register online: www.regonline.com/cermphoenix2015

Speaker: Ed Perkins CIA CERM is the developer of Certified Enterprise Risk Manager® – Cyber Security™ certificate and is an expert on the NIST Risk Management Framework. Ed consults in enterprise risk management; performance and risk auditing; IT Governance; process automation; project management; and holds a Certified Internal Auditor (CIA) designation. He has over 30 years industry experience, in computer operations, operating systems, embedded systems, software development, chip architecture development, design automation, program and project management, design services management, technical writing, and internal auditing. He has managed high visibility / high risk IT programs, and led cross-functional teams and industry work groups. He can be contacted at: edp@CERMAcademy.com.

Risk-based Auditing for ISO 9001-2015 Workshop

The forthcoming ISO 9001-2015 revision redefines quality as a risk-based endeavor. This will impact how you define, operate and certify your quality system.

By attending this 3-hour workshop, which will cover the implications of ISO 9001-2015 for companies, you will:

  • Understand the risk language of ISO 9001-2015 and ISO 31000
  • Know how to plan a Value Added Audit™ (VAA)
  • Know how to conduct the required level of fieldwork to assure your business objectives
  • Know how to write a value added audit report that meets your management’s requirements and the ISO 9001-2015 requirements

The VAA manual is a step-by-step guide for planning, conducting and reporting risk-based process audits. Each person who registers for the workshop will receive the 400-page Value Added Auditing manual for risk-based auditing, an $89 value.

Date: Tuesday, June 2, 2015
Location: Room 160, Phoenix Convention Center – South Building Hall G.
Visit us at AmCon in Booth 419
Registration fee: $199 (includes VAA book)
Register online: www.regonline.com/cermphoenix2015

Speaker: Greg Hutchins PE CERM is the principal engineer with Quality + Engineering (Q+E) – Critical Infrastructure Protection: Forensics, Assurance, Analytics® firm. Q+E provides cyber governance, risk, and compliance services to companies. Q+E is also the developer of Certified Enterprise Risk Manager® certificate and Greg is the author of quality, risk, and supply management books, including Value Added Auditing®. His latest book, ISO: Risk Based Thinking – 2015, has just been released. Greg can be contacted at gregh@cermacademy.com.


CERM® Academy AmCon Phoenix Workshops

The ISO is on track to release ISO 9001-2015 this Fall, which calls for companies to modify their Quality Management Systems for ‘risk based thinking’. Do you understand what this is and what it may mean?

Did you know that Small & Medium-sized Businesses (SMB) are targets in 75% of cyber attacks? Is your cybersecurity approach based on a set of defensive tools and procedures you have cobbled together over time? Is this approach adequate for dealing with today’s cyber risks? How do you know? Are you finding you are being more reactive than proactive? How can you do something about it?

To learn how to answer these questions, come to the AmCon Design & Contract Manufacturing Show in Phoenix June 2-3, and attend the CERM Academy Seminars and Workshops:

Meet face-to-face with some of the finest job shops and contract manufacturers from throughout the U.S. and Canada. See the latest in manufacturing’s cutting-edge technologies. From prototype to production parts – find sources for all your custom manufacturing needs.

AmCon Phoenix Design & Contract Manufacturing Show, June 2-3, 2015
Phoenix, AZ Convention Center – South Building Hall G
Details & Registration: http://www.amconshows.com/phoenix-az/

Show Hours:
Tuesday, June 2, 9:30 a.m. – 3:30 p.m.
Wednesday, June 3, 9:30 a.m. – 3:00 p.m.

Free Admission, Free Attendee Parking, Free Seminars
Attend Free Seminars given by industry professionals.


CERMAcademy will be participating in the June 2-3 AmCon Design & Contract Manufacturing Expo show in Phoenix. Visit us in Booth 419.

2:00 – 3:00 PM

Room 160

Preparing for New ISO Risk Based Thinking

Greg Hutchins/Bill Walker/Ed Perkins


ISO is on track to release ISO 9001-2015 this Fall, which calls for modifying your Quality Management System for ‘risk based thinking’. Do you understand what this is and what it may mean? Is your organization prepared for Quality Management System registration and audit costs higher than what you paid in the past? Why are the costs increasing? Besides yourself, do your CEO, CFO, COO and President fully understand the changes coming to AS9100 (AEROSPACE & DEFENSE), ISO 9001 (INTERNATIONAL STANDARD), ISO 31000 (RISK MANAGEMENT), ISO 19011 (AUDITING MANAGEMENT SYSTEMS-LIKE RISK), ISO 27001 (CYBER SECURITY), FAA (New Airline Risk Requirements), the requirement that ALL FEDERAL OFFICES have a RISK MANAGEMENT PROGRAM, plus other standards?


March 24, 2015

12:00pm – 1:30pm

Room 402

Risk Management, Cyber Security & ISO 9001:2015

Greg Hutchins/Bill Walker/Ed Perkins

Quality Plus Engineering – www.CERMAcademy.com

Is your organization prepared for any increase in registration costs over what you paid in the past? Why are the costs increasing? Besides yourself, do your CEO, CFO, COO and President fully understand the changes to AS9100 (AEROSPACE & DEFENSE), ISO 9001 (INTERNATIONAL STANDARD), ISO 13485 (MEDICAL), TS16949 (AUTOMOTIVE), TL9000 (TELECOMMUNICATIONS), ISO 31000 (RISK), ISO 19011 (AUDITING MANAGEMENT SYSTEMS-LIKE RISK), ISO 27001 (CYBER SECURITY), FAA (New Airline Risk Requirements), the requirement that ALL FEDERAL OFFICES have a RISK MANAGEMENT PROGRAM, plus other standards? Is ISO 9001-2015 the driving force behind the changes? Are you using COSO? Do you need to understand and comply with the new Federal Cyber Security Framework? Which is better, FMEA or HEAT MAPS? Which of the above RISK MANAGEMENT documents does your organization not know about, or not understand in terms of what the requirements mean and how they will affect the bottom line?

Where do I find the answers to the above questions plus more? Where can I ask questions and learn more about what is happening and going to happen? Can I afford the changes? Can I survive and stay in business because of all the changes and cost increases?

Join Greg Hutchins, Ed Perkins and Bill Walker as we do a panel discussion on RISK MANAGEMENT requirements, CYBER SECURITY and ISO 9001-2015. ISO 9001-2015 is scheduled for release in September 2015. Are you prepared for the impact and costs that this document release will have?

Here is your opportunity to find out what is happening, how it will affect your bottom line and determine what training is recommended. Who needs to be trained first and then next?

At the conclusion of this FREE SEMINAR there will be a drawing for a FREE COPY of the VAA (VALUE ADDED AUDITING) Manual, which is the Standard Manual of Risk-Based, Process-Auditing. This manual is 383 pages, written by Greg Hutchins and sells for $89.00 plus $6 plus shipping and handling.

If you plan to attend this FREE SEMINAR on Tuesday, March 24, 2015, starting at 12:00 Noon until 1:30, please RSVP Here and email billwalkerrm@gmail.com to ensure that you will obtain the FREE handouts and have a place to sit.


As we cruise through post-recession there is one big concern on employers’ minds: retention.

Big companies and small companies are starting to see how the market has turned. Statistically, Monster job boards reported that 82% of surveyed employees have updated their resumes this year and 59% said they are passively looking for another role.

While compensation is always a factor in retention, it isn’t the end all. Most of the people I interview are looking for career advancement and flexible work hours. Sometimes it’s just not practical to throw more money at employees and often that isn’t what’s bugging them anyway.

Some job seekers want more of a challenge and think they are topped out in their current role. Some start looking aggressively if they aren’t connecting with their manager. People leave jobs for a variety of reasons.

Here’s what you can do to make them want to stay:

1.  Get rid of hidden agendas

There is nothing more refreshing than a boss that gives a directive and tells you why. Employees want to understand how their job fits into the bigger picture or they lose motivation.

2.  Formal Mentoring Programs

Many women in today’s workforce long to get into leadership, but need a solid mentor to help them navigate. Junior level employees benefit from having an on-staff mentor to show them the ropes. Cost effective, mentors bring maximum ROI to organizations. While I know that this sounds like one more thing on the to-do list, it’s worth the effort.

3.  Map Career Path

Many companies say they are growing, but they don’t promote from within. Before taking any new job ask, “When was the last time you promoted someone from within?” Pay attention to the level of position and how often a company promotes. If you want to retain, don’t have your employees guessing what the next step is because it’s likely they will find the next role someplace that recognizes their talent and scoops them up.

4.  Internal Recognition

As cheesy as this sounds, there is nothing like the top executives in an organization sending an email to a well-deserved employee in regards to their performance. It allows the person to know their job matters and that what they do each day really does matter.

Curious about how to calculate retention rates in your company and see where you are at? Check out this link https://answers.yahoo.com/question/index?qid=20070723120306AAFz76x


Elizabeth Lions
Author, “Recession Proof Yourself!”
“I Quit! Working For You Isn’t Working For Me”
806 283 8811


Tony Bendell

Dear friends, we live in depressing times. Our media is full of failing and failed organisations. From the Financial crises to the BBC, from the IRS or the Veterans Health Administration to the UK Houses of Parliament, all around us is the evidence that our systems and safeguards are failing to protect the stakeholders from the slings and arrows of outrageous management, and an ever more demanding and volatile environment. Clearly, modern life has an enormous dependence on the integrity of human systems.


Q+E proposes to develop a 5-day CERM Cyber Risk (CERM – CR) Workshop focused on the NIST RMF and NIST 800 guidelines. The workshop will be available for students and graduate students and also for continuing education for IT, engineering, and security professionals. It will be deliverable first in classroom training and then online. It will be based on Q+E’s existing CERM course materials. CERM – CR will utilize NIST RMF and NIST 800’s. Q+E will customize the workshop with recent CIP examples, case studies, and illustrations.  Q+E also will introduce Critical Security Controls, ISACA COBIT 5, ISO 27001, ISA/IEC 62443 (ISA-99), and other cyber risk frameworks.

Certified Enterprise Risk Manager – Cyber Risk Components (CERM – CR)
CERM – CR is composed of three key elements:

  • Cyber Enterprise Risk Management (1 day).
  • Cyber Risk Management Frameworks (2 days).
  • Cyber Risk Assurance (1 day).

CERM – CR will provide a foundation in cybersecurity risk management and will consist of three integrated workshops: 1. Cyber Enterprise Risk Management, 2. Cyber Risk Management Frameworks, and 3. Cyber Risk Assurance. The Cyber ERM component will look at cybersecurity in the context of the enterprise and how to integrate cyber risk into the enterprise risk management program and provide a solid foundation in cyber governance, risk management principles, and cyber compliance/assurance. The Cyber RMF component will focus on the NIST RMF and how to apply its Core Functions (Identify, Protect, Detect, Respond, Recover) and the Categories and Subcategories to organize and structure a cybersecurity program using Profiles and Tiers. The Cyber Risk Assurance component will focus on practices for ensuring compliance and assuring cybersecurity controls are effective at the enterprise, programmatic/process, and system levels.

Q+E has cybersecurity experience in five Critical Infrastructure Protection (CIP) sectors.  CERM – CR will offer CIP cyber security risk mitigation examples and case studies from chemical sector (CFATS), electric (NERC CIP), and other CIP sectors.

The purpose of CERM – CR is to certificate professionals in cybersecurity risk management problem-solving and risk-based decision-making founded upon the CERM Cyber Lifecycle Learning Model shown in the figure below. The model has three :

1. CERM – CR certificate; 2. CERM – CR webinars; and 3. CERM – CR resources.









At the conclusion of the integrated CERM – CR workshops, participants can apply to take a certificate exam and receive the CERM – CR certificate.  CERM – CR will have a 3 hour certificate exam of 100 questions covering the three integrated cyber workshops below:



CERM Cyber Risk Integrated Workshops

Percentage of Test Items

Cyber Enterprise Risk Management


Cyber Risk Assurance


Cyber Risk Management Framework


CERM – CR will eventually migrate to three certificate levels as well as sub-certificates addressing specific NIST 800 guidelines such as encryption (800 – 21) and industrial control systems (800 – 82).  The CERM – CR certificate levels would indicate:

  • Participant has covered a Body of Knowledge and has passed an objective certificate exam attesting to having achieved minimum qualifications.  CERM – CR risk, NIST RMF, and industrial competency knowledge and skills will be covered in the exam.  Q+E plans to develop a question bank of cyber risk questions so CERM – CR certificates can be completed online.
  • Specialty credentials and sub-certificates, such as CERM – Industrial Control Systems would affirm advanced cyber knowledge and specific domain expertise.
  • CERM – CR Fellows would be nominated by peers in recognition of their contributions in cybersecurity risk management.



Carolyn Turbyfill, Ph.D.

Live Webinar Feb 6th, 2014 11:00 am – 12:30 pm EST

Duration: 1 Hour 30 Min
Credits: 1 PDU Category A – Free PDU
Presented by: Computer Aid Inc IT Metrics & Productivity Institute (Rep 2733)

This webinar will provide an overview of the most current Cybersecurity requirements and standards for Critical Infrastructure Protection.

Presented by: Carolyn Turbyfill – Quality + Engineering

Title:  Cybersecurity across Critical Infrastructure Protection Sectors (CIPS)

Date:  February 6, 2014


On February 12, 2013, an Executive Order on  “Improving Critical Infrastructure Cybersecurity” was issued from the White House:


There are 18 critical infrastructure sectors described in:


These sectors affect your quality of life and even your ability to live.  Evolving standards and regulations for critical infrastructure protection will have a much more immediate effect on your work life if you work in, sell products to, or provide services to any of these sectors.

The exposure of the NSA PRISM project tracking the phone numbers and time involved in any phone call to or from the USA exposes difficult tradeoffs between protecting the privacy of consumers and ensuring security and safety. Enterprises are both bound to report loss of data that may affect customer security and privacy, and they are also required to provide information to government agencies.

Unfortunately, eternal vigilance is necessary but not sufficient to protect us. National boundaries, oceans, and slow means of travel used to constrain effective government over long distances. Counties were originally constrained to how far one could ride a horse in a day. Boundaries based on geographic location, on this planet, provide little protection from physical or logical encroachment. The Internet has made communication to the furthest reaches of the planet almost instantaneous. Very few enterprises, legitimate or otherwise, take place in just one country. Enforcement of regulations and laws, investigations, and criminal activities can cross the world and multiple national boundaries in seconds.

Changing national, international and localized compliance requirements and regulations cause confusion about which rules or guidelines are relevant this week. What will change next week, month or year? While there are many interactions and dependencies between the different CIPS, Cybersecurity is arguably the most common denominator. This webinar will provide an overview of the most current Cybersecurity requirements and standards for Critical Infrastructure Protection.


Dr. Turbyfill is Director of Cyber Security for Quality + Engineering. Dr. Turbyfill has more than twenty years of cyber security engineering and software architecture experience in: Security (Cyber and Physical); Enterprise Risk Management; SDLC; Development Methodologies; Enterprise Products and Services; Compliance; Database, Strategy and Roadmaps; management of multiple groups in domestic and international locations; startups and turnarounds. She is currently writing a book on critical infrastructure protection (CIP) risk management and cyber asymmetric warfare. Examples of her thought leadership can be found at: http://insights.cermacademy.com/category/technologyrisk/