Analysis of the Effectiveness of Quality Management Tools Aimed at Risk-Management of Organizations

Risks are often associated with negative situations that can lead to threats to the continued performance of an organization. To reduce, analyze and evaluate, various methods and systems of risk management appeared, which in recent decades have become the goals of enterprises and have formed whole systems of risk management included in the main direction of modern management. In this paper, the main methods, as well as modern models of risk management, are considered, and the method for assessing and analyzing risks of an enterprise is developed. Due to flexibility and simplicity of the applied tools for creating a theoretical method, it can be integrated and adjusted to any organization’s requirements.


Introduction
The growing competition among organizations in one area or another entails risks associated with the achievement of their goals. The word risk is interpreted in different ways, but it is generally understood as a collection of random events that pose a threat to the performance of an organization. Risks are often associated with negative events or barriers in organizations that need to be prevented or minimized. Risk business models, in turn, are aimed at quantitative and qualitative assessments of potential losses, unexpected losses and catastrophic losses for an organization. However, risks are not always associated with negative consequences for an organization; in business context, risks have another meaning. Risks can also have a positive impact on the development of an organization, as they can bring opportunities. According to James Lam, risk is a variable that can cause deviation from an expected out-come, and as such may affect the achievement of business objectives and the performance of the overall organization [1]. He noted that in order to understand his definition, it is necessary to concretize seven fundamental concepts: Exposure, Volatility, Probability, Severity, Time Horizon, Correlation, and Capital.
The above concepts influence systematic risk in an organization and interact to measure the organization's specific levels of risk. These measures are aimed at managing potential consequences of risks and are often referred to in the literature as risk management. Risk management is a single process that includes identification, control and measures to reduce the consequences of perceived risks. It includes a modular cycle of interconnections, documenting information, controls, early risk detection mechanisms, and continual improvement. Roland Müller gave the following definition to the concept of risk management: 'Risk management is a constant and systematic registration of all types of risks that impede effective work of an organization. It includes analysis and identification of priority risks of an organization, establishment and implementation of appropriate strategic measures to minimize or avoid these risks' [2]. He also had his own components to achieve effective risk management in an organization. They consisted of developing a strategy, ensuring safety and security. The risk management of an organization, in his opinion, had to include all three components, which had to effectively interact with each other. Figure 1 provides an illustration of how these components interact. An organization's risk management covers prevention and minimization of the following categories of risks: − systematic and current risks; − risks with high uncertainty; − risks associated with a threat to the safety and health of others; − political and social risks; − financial risks; − environmental risks. [3,4] The presented categories can be considered collectively, or separately when developing methods for their minimization. The popular risk assessment tools include quality management tools, since often the quality of a product depends on the number of inconsistencies in its manufacturing processes. Reduction of the inconsistencies caused by deviations from the expected outcome can serve to reduce or prevent the consequences of risks. The purpose of this work is to develop an integrated theoretical method for assessing and minimizing the consequences of potential risks, based on quality management tools. To achieve this goal, in the course of work, the following tasks will be considered: 1. to study the existing models of risk management; 2. to point out the most effective methods of risk assessment; 3. to develop a theoretical method for assessing risks.

Classification of risk management models
Over the past decades, the concept of risk management has evolved from creation of new concepts of financial risk management, to entire risk management systems in an organization. The first systems created in the field of risk management were credit risk management systems in banking systems, the development of which began in the 70s of the last century. By 2000, full-fledged risk management systems had already appeared in the organization, which included not only economic risks, but also other types of risks. The development stages of risk management are shown in Figure 2.

ISO 31000:2018 Risk Management -Guidelines
The international standard ISO 31000:2018 Risk Management -Guidelines is designed for effective risk management in an organization. The purpose of this standard is to integrate the risk management system into the already existing management systems in the organization. This standard makes it possible to effectively manage existing risks in the organization and provides tools for these processes. Figure 4 shows the principles of risk management in the organization where this standard is based [8].

ISO 22301 Business Continuity Management
A Business Continuity Management System (BCMS) is aimed at identifying and eliminating existing and future threats to organizations, ensuring the efficiency of processes during emergencies, and increasing the resilience of organizations' business processes. This standard is aimed at implementation in organizations regardless of the size, type and sector where they are located. It enables organizations to identify and manage potential violations. Most often, this standard is used to identify violations in the business processes of organizations and enables the organization to prepare solutions for these occurrences before they appear. Figure 5 shows a diagram of interaction of the basic principles, on which the business continuity management system is built. [9].

Analysis of existing risk assessment methods
This section will consider the main methods of analysis and risk assessment and their features.
The static method is used to determine the possibility of a given risk and to establish potential consequences of the risk to the organization. The degree of risk can be determined based on indicators of the average expected value and variability of the possible outcome. [10] The method of expert assessments is widely used in organizations for risk analysis based on the experience of narrow specialists in the field under study. The analysis begins with compilation of an exhaustive list of risks for all stages of the project. Each expert working separately is provided with questionnaires containing a list of primary risks, and it is proposed to assess the likelihood of their occurrence, guided by a special rating system [11].
The analytical method of constructing a risk curve is the most difficult, since the underlying elements of game theory are available only to very narrow specialists. A subspecies of the analytical method is more often used -the model sensitivity analysis. [12] The cost-benefit method is used to identify potential processes at risk. Cost overruns can be caused by one of four key factors (or a combination of them): overriding cost underestimation, changes in design frameworks, performance differences, and an increase in initial cost [13].
Combined methods include two or more methods for analyzing and assessing risks in organizations. Such methods allow a more detailed study of existing risks in organizations and minimize their consequences.

Integrated methodology for assessing and preventing potential risks based on quality management tools
To increase the effectiveness of quality management methods for assessing risks, they must be adapted to the real conditions of use. Integrated methods of using quality management tools enable one to clarify and adjust the stages of the analysis, as well as supplement them with new stages. This approach enables an organization to take into account all features of processes when developing methods for assessing and analyzing risks. [14] The first stage consists of determining weighting coefficients of risk indicators by the ranking method, using expert assessments. Subject to all the necessary procedures and rules for conducting an expert survey, its error is within 5-10 %, which is comparable to the methods of technical measurement. The staff is asked to identify the most common risks in the organization, and then rank them according to the degree of influence on business processes, while the place of risk in this case is called the rank, and the risk weights are calculated using formula 1: (1) where Gij -score (rank) of the j-th indicator, given by the i-th expert; n -number of experts; m -number of 'weighted' indicators.
The experts are invited to put their own assessment of the risk impact on processes in the organization from 1 to 5, where 1 corresponds to -does not affect, and 5 corresponds to -has a very strong effect. Further, according to the estimates, the risk weights are calculated, the higher the ratio, the greater its impact on business processes in the organization. Table 1 shows an example of a calculation table for determining weighting coefficients by the ranking method. After calculating the coefficients, experts identify the most significant risks with the highest weighting coefficients, according to which the types and consequences of potential FMEA failures will be analyzed in the future.
FMEA is an analytical methodology used to provide confidence that potential issues throughout the process are addressed and investigated. It is an essential part of the risk management process for continuous improvement. Responsibility for FMEA analysis rests with a cross-functional team of experts with the knowledge required to conduct the analysis. When analyzing processes that lead to risks, the team can use the flow map of the overall process and move on to detailed flow maps. Classically, FMEA is a method that determines the severity of the consequences of types of potential failures and provides measures to mitigate the risk. In this case, the calculation of the priority risk number (PNR) is performed only for nonconformities, the methodology of which is shown in Figure 6 [15]. Severity is the value associated with the most serious effect for a given failure mode. Table 2 shows the recommended criteria for assessing the significance of S. Major damage Can lead to spoilage of 100% of manufactured products. Product line or shipment may stop 8

Significant damage
Can lead to spoilage of some part of manufactured products. Deviation from the normal process operation 7 Moderate damage Up to 100% of manufactured products can be sent for enhancement. 6 Part of manufactured products can be sent for enhancement. 5 Up to 100% of manufactured products can be sent for on-site enhancement before further processing 4 Part of manufactured products can be sent for on-site enhancement before further processing 3 Minor damage Minor process, operation, or operator inconvenience 2 No damage No discernible consequence 1 Occurrence (O) is the likelihood that a particular cause of failure will occur. The rank of probability has a relative importance and Table 3 shows the recommended criteria for assessing the significance of O.  Detection (D) -the rank corresponding to the best detection measure listed in the Detection Measures column. This criterion is a relative value within the framework of a specific FMEA analysis; to achieve a low rank, preventive work is carried out to improve the planned detection measures. The recommended criteria for evaluating detection are given in Table 4.  10 Almost impossible Unlikely to be detected at all stages Probability of detecting a type of failure and/or error is low (random checks) 9 Very remote Finding the problem after the process ends Detection of failure type is possible after completion of the process by the operator using organoleptic methods

Remote
Finding a problem at the source Failure type detection is possible with the operator during the process using organoleptic methods or after the process is completed by means of alternative control 7 Very low Finding the problem after the process ends Detection of a type of failure or error at the end of the process by the operator using quantitative control or automatic built-in control that alerts the operator of non-compliance 6 Low Finding a problem at the source After completing initial definitions of the types and consequences of failures, causes and types of management, including the ranks of significance, occurrence and detection, the Risk Priority Number (RPN) is calculated.

RPN = Severity(S) x Occurrence(O) x Detection(D)
In practice, this number is not often counted as more significant processes may have a low RPN, so it is not recommended to use the RPN cutoff to make decisions about whether to take action. The final result is documented in the form of a protocol, which is shown in Table 5. [16]. Thus, the use of flexible quality management tools enables the expert team to simplify the process of assessing and analyzing risks and shorten the time frame. The simplicity of the tools makes them easy to work with, allowing them to be tailored to specific process requirements.

Conclusion
Risks are an integral part of an organization's business processes; without them there would be no room for growth. The main goal of risk management in organizations is to reduce risks to an acceptable level at which the organization can continue to operate. However, risks will not always have negative consequences, but they must always be taken into account. In the course of the study, effective international models of risk management are considered, which have proven their efficiency thanks to the successful risk management systems of organizations. The analysis of existing methods of risk assessment is carried out and the most effective methods are pointed out, on basis of which a theoretical methodology for assessing and preventing risks with the use of quality management tools is developed. This methodology is easy to use and does not require large financial investments on the part of the organization, but nevertheless has a long-term perspective and efficiency in application.