The issue of quality systems and their relative technical norms originates in the 1980s and focuses on the quest for organizational systems appropriate for ensuring company performance vis-à-vis product quality and customer satisfaction.
Alessandro Mazzeranghi - MECQ S.r.l.
A laudable attempt that in the subsequent years (the 1990-2000 decade) sees its field of application extended to the environment and to safety. But, unfortunately, these systems become an arguable factory of certifications which - through no fault of the auditors but rather of companies who retain them frills useful only to beguile customers - yield no real value in terms of the efficacy and efficiency of company processes. In some cases, all that is attained is a mere production of useless paperwork (forms, registrations, etc.) but which requires in any case time and effort to compile. And often, it contains data that are not 100% true.
In this decade, instead, different phenomena emerge: the attitude of some companies that reap benefits from behaviors contrary to ethics and to the law - a conduct that had been going on for years all over the world, but which came dramatically to light in the 1990s in some European countries - pushes both the countries and the main companies "customers of other companies" to demand that organizations be managed so as to prevent such illicit behaviors. If such management (organization/model/system) exists and is "concrete", the company will not be blamed for the illicit actions committed by its collaborators. The patterns are different according to geographical area, but the theme is the same: ensuring and demonstrating a concrete prevention activity. And the issues? Motley, and they span from safety in the workplace to the correct management of financial resources, to the prevention of terrorism.
So what happened? Due to the hurry and to the lack of time to reflect, companies charged different internal departments with the task of developing systems (operating procedures & instructions) capable to preventing the offences and incorrect behavior that fall under their own competencies.
Also, some companies have reasoned autonomously, treating the problem of industrial and company risk (hence we are not speaking about offences but rather of situations that could strongly damage the com-pany), and choosing to develop (again!) organizational models aimed at prevention.
The situation. The situation in some companies borders on the absurd: so many systems to prevent risks and to guarantee good company operation end up slowing down companyactivities and result in loss of efficiency. Furthermore, the systems become new power centers and so some of the people will feel invested with a fundamental mission, and hencelack flexibility.
But no fear: companies are similar to living organisms and they know how to disregard that which is not useful. But this is a momentary consolation. If risk prevention systems are ineffective, companies remain exposed to the very thing they wanted to avoid.
The developments. For years now, in the realm of quality, environment and safety management systems, we've heard talk of systems integration and of an approach through processes. But this activity - even though laudable - remains external to the "company as a system", partly because such systems exclude some fundamental fields such as the administrative one. What's more, if superficially implemented, some systems based on norms and aimed at continuous improvement lose that valence of risk prevention that the company demands today.
So let's start over, but on the right foot! If I reason by way of risks, it is clear that when I try to regulate the company's operations, some individuals will receive a large number of parallel but independent norms (one for each risk). But since the company operates by processes, these norms will have to be added to the description/regulation of the processes. If the company has already described its processes, all it has to do is verify them and add control sections or points.
Let's proceed in order:
- once the company processes have been defined (even on a general level, without necessarily a precise mapping);
- we can proceed with the identification of the risks that may be inherent in such processes. (Fig. 1 - page 140)
The risks are those that the company (the entrepreneur, the board of directors or the company partners) decides to prevent (we can also work progressively: initially, only a few particularly significant risks are prevented, then other less relevant ones; in all of this, all one has to do is proceed rationally, establishing from the very beginning the idea to subsequently implement the model). Usually, the company's prevention objectives are expressed in a document called Code of Ethics, through the official commitment of the company not to behave unethically or in a way that is potentially dangerous for those who are internally or externally concerned.
At this point, the real implementation of the model begins:
- first of all, processes are mapped out (or the existing mapping is assessed) and a check is performed that all the activities are identified and assigned to a supervisor;
- then, the control elements for risk prevention are added.
Process mapping yields procedures that must be as simple and schematic as possible. The activities should not be described in this part. Perhaps, only where necessary, they will be the subject of separate operative instructions. It is instead important that all the persons in charge of certain activities be designated, as well as the instruments (if any) to be used and the records to be compiled to highlight the fact that the activities have indeed been performed.
Hence, every process will be described in a sole procedure that will contain everything that has been established for the prevention of the risks that the company wants to protect itself against. In this way, duplications, contradictions and loss of efficiency are avoided. And what if someone wants to certify the model/system with respect to a voluntary norm? Besides adding more or less useful elements to the ones listed above, it will be up to the certifying body to consider the parts of the model as a whole that answer the requirements of the applicable norm. (Fig. 2)
Conclusions (opportunities). The implementation actions of models aimed at risk prevention are like insurance: if something should happen, the company is in any case protected. But activities pertaining to company organization are also something that is directly useful: they allow clarifying the actual organization of the operative areas, they reduce inefficiencies, confer greater credibility vis-à-vis customers and enhance the value perceived by investors and by the financial world.
Of course, if in these pages we have given the impression that an organizational risk prevention model is easy to implement, it is only due to the brevity of the article.
In reality, it entails a strong commitment, in particular on the part of the company's higher echelons.
It is important to always remember that the model is that of the company. It is not something that is taken from the outside and imposed.