A PIX DESANTISThis two-part article focuses on risk management of facilities and equipment. It describes how a risk-based approach to facilities and equipment management fits into an integrated, effective quality systems structure. The principles discussed are equally applicable to all quality systems. Facilities and equipment represent a broad range of risk to product quality and are one of the key quality systems commonly identified in the pharmaceutical manufacturing industry. Continue reading


As we cruise through post-recession there is one big concern on employer’s minds: retention.

Big companies and small companies are starting to see how the market has turned. Statistically, Monster job boards reported that 82% of surveyed employees have updated their resumes this year and 59% said they are passively looking for another role.

While compensation is always a factor in retention, it isn’t the end all. Most of the people I interview are looking for career advancement and flexible work hours. Sometimes it’s just not practical to throw more money at employees and often that isn’t what’s bugging them anyway.

Some job seekers want more of a challenge and think they are topped out in their current role. Some start looking aggressively if they aren’t connecting with their manager. People leave jobs for a variety of reasons.

Here’s what you can do to make them want to stay:

1.  Get rid of hidden agendas

There is nothing more refreshing than a boss that gives a directive and tells you why. Employees want to understand how their job fit into the bigger picture or they lose motivation.

2.  Formal Mentoring Programs

Many women in today’s workforce long to get into leadership, but need a solid mentor to help them navigate. Junior level employees benefit from having an on staff mentor to show them the ropes. Cost effective, mentors bring maximum ROI to organizations While I know that this sounds like one more thing on the to-do list, it’s worth the effort.

3.  Map Career Path

Many companies say they are growing, but they don’t promote from within. Before taking any new job ask, “When was the last time you promoted someone from within?” Pay attention to the level of position and how often a company promotes. If you want to retain, don’t have your employees guessing what the next step is because it’s likely they will find the next role someplace that recognizes their talent and scoops them up

4.  Internal Recognition

As cheesy as this sounds, there is nothing like the top executives in an organization sending an email to a well-deserved employee in regards to their performance. It allows the person to know their job matters and that what they do each day really does matter.

Curious about how to calculate retention rates in your company and see where you are at? Check out this link https://answers.yahoo.com/question/index?qid=20070723120306AAFz76x


Elizabeth Lions
Author, “Recession Proof Yourself!”
”I Quit! Working For You Isn’t Working For Me”
806 283 8811


Tony BendellDear friends we live in depressing times. Our media is full of failing and failed organisations. From the Financial crises to the BBC, from the IRS or the Veterans Health Administration to the UK Houses of Parliament, all around us is the evidence that our systems and safeguards are failing to protect the stakeholders from the slings and arrows of outrageous management, and an ever more demanding and volatile environment. Clearly, modern life has an enormous dependence on the integrity of human systems. Continue reading


Q+E proposes to develop a 5-day CERM Cyber Risk (CERM – CR) Workshop focused on the NIST RMF and NIST 800 guidelines. The workshop will be available for students and graduate students and also for continuing education for IT, engineering, and security professionals. It will be deliverable first in classroom training and then online. It will be based on Q+E’s existing CERM course materials. CERM – CR will utilize NIST RMF and NIST 800’s. Q+E will customize the workshop with recent CIP examples, case studies, and illustrations.  Q+E also will introduce Critical Security Controls, ISACA COBIT 5, ISO 27001, ISA/IEC 62443 (ISA-99), and other cyber risk frameworks.

Certified Enterprise Risk Manager – Cyber Risk Components (CERM – CR)
CERM – CR is composed of three key elements:

  • Cyber Enterprise Risk Management (1 day).
  • Cyber Risk Management Frameworks (2 days).
  • Cyber Risk Assurance (1 day).

CERM – CR will provide a foundation in cybersecurity risk management and will consist of three integrated workshops: 1. Cyber Enterprise Risk Management (see page 6), Cyber Risk Management Frameworks (see page 7), and 3. Cyber Risk Assurance (see page 8).  The Cyber ERM component will look at cybersecurity in the context of the enterprise and how to integrate cyber risk into the enterprise risk management program and provide a solid foundation in cyber governance, risk management principles, and cyber compliance/assurance. The Cyber RMF component will focus on the NIST RMF and how to apply its Core Functions-Identify, Protect, Detect, Respond, Recover, and the Categories and Subcategories to organize and structure a cybersecurity program using Profiles and Tiers. The Cyber Risk Assurance component will focus on practices for ensuring compliance and assuring cybersecurity controls are effective at the enterprise, programmatic/process, and system levels.

Q+E has cybersecurity experience in five Critical Infrastructure Protection (CIP) sectors.  CERM – CR will offer CIP cyber security risk mitigation examples and case studies from chemical sector (CFATS), electric (NERC CIP), and other CIP sectors.

The purpose of CERM – CR is to certificate professionals in cybersecurity risk management problem-solving and risk-based decision-making founded upon the CERM Cyber Lifecycle Learning Model shown in the figure below. The model has three :

1. CERM – CR certificate; 2. CERM – CR webinars; and 3. CERM – CR resources.









At the conclusion of the integrated CERM – CR workshops, participants can apply to take a certificate exam and receive the CERM – CR certificate.  CERM – CR will have a 3 hour certificate exam of 100 questions covering the three integrated cyber workshops below:



CERM Cyber Risk Integrated Workshops

Percentage of Test Items

Cyber Enterprise Risk Management


Cyber Risk Assurance


Cyber Risk Management Framework


CERM – CR will eventually migrate to three certificate levels as well as sub-certificates addressing specific NIST 800 guidelines such as encryption (800 – 21) and industrial control systems (800 – 82).  The CERM – CR certificate levels would indicate:

  • Participant has covered a Body of Knowledge and has passed an objective certificate exam attesting to having achieved minimum qualifications.  CERM – CR risk, NIST RMF, and industrial competency knowledge and skills will be covered in the exam.  Q+E plans to develop a question bank of cyber risk questions so CERM – CR certificates can be completed online.
  • Specialty credentials and sub-certificates, such as CERM – Industrial Control Systems would affirm advanced cyber knowledge and specific domain expertise.
  • CERM – CR Fellows would be nominated by peers in recognition of their contributions in cybersecurity risk management.



Q+E logoValue Added Auditing is a Q+E process and risk based manual for conducting operational, IT, cyber, and supply management assessments.  The objective of the manual is to enhance 1. Risk-based problem solving and 2. Risk-based decision making.  Value Added Auditing can be used as a ‘how to’ primer or reference for the following assessments:

  • ISO 9001, ISO 14001, and other ISO management system assessments that focus on continual improvement and achieving business objectives.  The book is harmonized to ISO 19011:2011.
  • Critical Infrastructure Protection (CIP) assessments including risk assessments, vulnerability, NERC CIP compliance, cyber security, resilience and CIP assessments addressing Presidential Policy Directive (PPD-21) – Critical Infrastructure Security and Resilience.
  • Business assurance assessments including compliance, maturity, capability, and benchmarking.
  • Internal auditing (Yellow Book/Red Book/Quality) providing independent and objective assurance that an organization can accomplish its business objectives.
  • Supplier auditing that may involve forensics, assurance, and analytics.
  • Risk based Information Technology (IT) audits including ISO 27001, COBIT, ITIL, HIPAA, PCI, FISMA, and SOX assessments.
  • Assurance and opinion audits based on international standards.
  • Risk assurance assessments ensuring an organization can meet its governance, risk, and compliance (GRC) objectives.
  • Agreed Upon Procedure (AUP) engagements including reporting findings based on reviewing specific procedures.

Value Added Auditing is the primary text for the Risk Assurance element of the Certified Enterprise Risk Manager® certificate program.  Visit www.CERMAcademy.com.

Untitled1US Department of Homeland Security (DHS) certified Value Added Auditing as a ‘Qualified Anti-Terrorist Technology’ under the Safety Act as a critical elements of Critical Infrastructure Protection: Forensics, Assurance, Analytics®. 


T. Dan Nelson - Screen Shot 2013-09-06 at 8.16.28 PMBy the late 80s, it became apparent that Japanese cars were in many ways superior to their American counterparts. They were often more reliable and durable and they got better gas mileage. They were of superior quality. They often still are.

To what do the Japanese attribute their success? The teachings of W. Edwards Deming. The Japanese listened to Deming when Americans would not. Continue reading


The words “risk” or “risks” have been sprinkled throughout the 2015 revision of the ISO 9000 standard.  Although some “requirements” will be easy to satisfy using well-established process monitoring or capability techniques other references to risk are so vaguely stated as to be open to a myriad of interpretations and thus become meaningless.  Having read and re-read the current references to risk spread over several paragraphs I wonder if it would not have been better to address risk in one paragraph at the beginning of the standard.  I have “cut and paste” all of the current references to risk and included brief comments.  BTW: This isn’t the complete list of uncertainties (also called risks) in the standard.

4.4.2 Process approach

The organization shall: d)  Determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective; What is the meaning of “unintended output”?  Nonconforming product?  Unintended output from a process can either be: reprocessed (chemical industry), scrapped or sold at a discount.  The risk of producing unintended output should theoretically be set at zero or near zero but is rarely achieved (the analogy would be a process operating at 4.5 sigma vs. 5 or higher.)  The lower the ppm the lower the risk of producing “unintended output” but one must not forget that depending on the industry (airline, nuclear, medical vs. pencil manufacturers or other similar industries), these risks have different  end-user impact and/or costs.  Fortunately this is recognized in the last line of 6.1 5.1.2 Leadership and commitment with respect to the needs and expectations of customers Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed; This can be achieved by establishing process capabilities for each process from manufacturing  and/or assembly to packaging and product delivery and/or installation.  The computation of a simple Cp or Cpk index would help management quantify their process risk.  The objective would be to achieve the highest economically feasible capability for each process thus minimizing the risk of producing so-called “unintended output.” 6.1 Actions to address risks and opportunities When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 (4.2  Understanding the needs and expectations of interested parties)  and determine the risks and opportunities that need to be addressed to  a) assure the quality management system can achieve its intended outcome(s),  b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction, c) prevent, or reduce, undesired effects, and d) achieve continual improvement. The word “risks” in the above context is at best difficult to interpret given the requirements stated in a) – d).  For example,  how does one determine the risks and opportunities to assure the quality management system can achieve its intended outcomes?  The intent has always been to insure that the quality management system is effective and this is verified via the audit process; the insertion of the word “risk” does not help any and confuses things.  Nevertheless these risks can be quantified by simply looking at nonconformance percentages (per process and at final output) but this is already established via the use of process capability measures! The organization shall plan: a) actions to address these risks and opportunities, and b) how to 1) integrate and implement the actions into its quality management system processes (see 4.4), and 2) evaluate the effectiveness of these actions. Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction. Good to know and a wise decision but this could well be seen as an escape clause by many companies. 8.3 Operational planning process In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate, b) actions to identify and address risks related to achieving conformity of goods and services to requirements; This seems to be nothing more than a repeat of what has already been stated! 8.5.1 Development processes In determining the stages and controls for the development processes, the organization shall take account of: e) the determined risks and opportunities associated with the development activities with respect to  1) the nature of the goods and services to be developed and potential consequences of failure, 2) the level of control expected of the development process by customers and other relevant interested parties, and 3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction. This is already done in some industries (automotive and avionics) but is not likely to be documented for all to see.  Who will document these risks for future lawyers to see?  If a company acknowledges that there is a small risk (lets say one in a million chance) that something wrong COULD happen, lawyers would say that the company knew that there was a risk and is therefore liable.  You can’t have zero risk and no one will want to pay the cost of developing a product with zero risk.  This idea to either quantify and/or document risk for all to see is unrealistic from a legal point of view; of course lawyers will love it.. 8.6.5 Post delivery activities  The extent of post delivery activities that are required shall take account of a) the risks associated with the goods and services,  This sounds like a rephrasing of warranty cost analysis; major companies have done this for a long time but I don’t know about small to medium size companies. 9.1 Monitoring, measurement, analysis and evaluation  The organization shall take into consideration the determined risks and opportunities and shall: This is vague but there are important issues to address relating to inaccurate measurements or insufficient measurements.  Gage R&R addresses many if not most of these issues and I don’t see how adding the word risk brings any value to this paragraph except that now one must think of the missed “opportunities” for measuring (or rather, not measuring) and the associated risk. 9.2  Internal Audit The organization shall:  a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits; Internal auditors would now have to assess the risk of failing to do something or the risk of not following a procedure; this would be challenging to quantify and assess.  Potential risks would also have to be assessed! Even more challenging. 10.2  Improvement The organization shall improve the quality management system, processes and goods and services, as appropriate, through responding to: c) changes in identified risk (see 6.1); One could do FMEAs to show that the RPN (Risk Priorty Number) has decreased as a result of a process change not difficult to do but full of uncertainties since FMEAs are based on subjective assessment.  All of this work can give the illusion that all is well or that things are getting better until the famous Black Swan (unforeseen outlier) shows its ugly head thereby demonstrating that risk analysis is by definition a risky business! Note:  Reference italicized clauses of ISO 9001 (2015) are (C) ISO and are used within the context of “Fair Use” for public review of the standard.