Showing posts with label Bosch. Show all posts

Thursday, May 16, 2024

Quality and cost

Last week I wrote about the Mayo Clinic, and how their most recent Quality Initiative pushed them to the very first rank among the world's hospitals. When I looked for what principles undergirded or enabled this achievement, one of the ones I identified was this:

Mayo chose to focus on Quality first, not cost; and their metrics for Quality were tied directly to patient outcomes. This is the correct way to define metrics: start by defining what results you want to achieve, and then build metrics to support those results. In modern management, metrics drive so much other activity that it is critical to get this part right up front.

Now that's great, but it's fair to ask, How can Mayo afford to focus on Quality before cost? Don't they have bills to pay? For most companies—maybe all—neglecting cost is a quick way to go broke. What's special about Mayo's situation that apparently allowed them to defy this basic law of corporate gravity?  

Of course the answer is that Mayo didn't literally neglect cost. In fact, the article that I summarized last week (ASQ's "Journey To Perfect: Mayo Clinic And The Path To Quality") makes clear that an earlier quality initiative in the 1990's was in fact canceled for reasons of cost. What happened since that time (apparently) was that Mayo reëvaluated their approach, and began to address costs intentionally, and consistently with their mission. This intentionality shows up in several ways.

For example, Mayo has pushed to standardize practices across its multiple facilities. As my post last week pointed out, the criterion for selecting which practice to choose (among various alternative ways to do the same thing) was generally based on data about patient outcomes. But the mere fact of standardizing at all lowered costs. And cost is one factor tracked (among many others) in the massive data collection that Mayo hosts about all its surgical activities.

Mayo's approach to paying physicians is equally intentional. Physicians are compensated with salary only—no bonuses or special treats. The goal is "to remove financial incentives to do more than is necessary or less than desired for the patient." Of course the salaries are structured so that physicians with more experience earn commensurately more, and the various specialties are compensated competitively with peer institutions. And an additional benefit of this structured, salary-only compensation plan is that it makes it easier for Mayo to find and correct inequities, in order to avoid pay discrepancies based on non-relevant factors like race or sex. But the core motivation is to reduce the risk of corrupting the patient experience.

The key, though, seems to have been when Mayo realized "that patient-centered care is a win for financial outcomes. Quality was not simply continuous improvement; it was the vision and mission of the organization." In other words, while an awareness of costs matters internally (in order to keep the books balanced), cost is not a market-differentiator externally, at least not for the Mayo Clinic. Patients don't come to Mayo to get their x-rays done cheaper. They come to Mayo to get their care done better. Patients seek out the Mayo Clinic because they want its Quality.

Can other businesses do the same thing? Yes and no. To some extent, Mayo benefits from the economics of health care. The proliferation of so many different insurance models for health care means that almost nobody pays the "list price" for any given medical procedure, and so those prices mostly are not posted or even visible. Often enough, a patient won't even know the price for any but the most routine care until after the care has been provided. And health care is simply a different kind of good from candy bars or movie tickets. If movie tickets cost too much, people may try to stream the movies at home for less or simply forgo seeing them at all. But someone who needs an important medical procedure is much less likely to forgo it because of the cost. For all these reasons, cost is a weak market differentiator in the health care industry.

All the same, companies with a reputation for Quality can thrive in any industry even if their products cost more. I used to work for Bosch, which is a manufacturing company. And manufacturing is an industry where even minor differences in cost can make a huge difference. Bosch's products are never the cheapest ones available; but people buy them eagerly because they know the products are going to work. Every time.

A few months ago, we discussed that—Philip Crosby notwithstanding—Quality isn't really free. Building any kind of Quality System takes time, effort, and money. But in the long run, such a system pays for itself by reducing defects. And if you are good enough, it draws customers from around the world who want to work with you because you are the best.

          

Thursday, August 3, 2023

Business continuity and risk planning

We've been talking about risk for a month now, and I'd like to talk now about a different kind of risk management: business continuity. Business continuity is the ability of a business to get back to work after something has interrupted it: hurricane, fire, flood, pandemic, or whatever. In fact that's almost exactly the formal definition. ISO 22301:2019, Business continuity management systems — Requirements, defines business continuity as the "capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption."

Business continuity planning, therefore, is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards. The first time you hear about it, you might roll your eyes: One more overhead task we've got to do before we can get back to work! But it's like any other kind of insurance. You never need it until you do.

As an example, think back to March 2020. The world was beginning to react to COVID-19, and there was a lot of excitement as organizations frantically tried to improvise what to do. But I worked for Bosch at that point, and some years earlier Bosch had required every plant and every office to define (and regularly review) a Business Continuity Plan for how we would respond to various kinds of disruption. One of the entries on the form was "global pandemic." I remember the meetings where we reviewed this plan, and back in the 2010's nobody rated that as a likely risk. But we worked out a plan for it, just to be complete. Then when March 2020 came and other companies were caught flat-footed, our General Manager pulled our plan off the shelf and it already spelled out exactly what to do.

How do you plan for business continuity?

I want to proceed in three steps. In this post I'll review the basics of risk handling, keeping in mind some of the salient points we've discussed in recent weeks.* In my next post I'll talk about why your business continuity planning has to be driven from the very top. And then in a third post I'll describe how to embed it into the organization as a living practice instead of a show for the auditors. 


When I describe basic risk handling, I usually start with a concrete example that everyone can imagine. Think of the Safety Committee in a grocery store. They think of all the ways somebody could get hurt, and then define measures to keep it from happening. If someone breaks a jar of spaghetti sauce in Aisle 3, put up a “Wet Floor” marker and mop it up. Don’t put heavy things on high shelves. And so on. 

Sometimes they identify a risk that’s not very likely: What if a customer brings his dog and the dog bites somebody? Yes, you want to know what risks you face; but you can’t prevent everything. So you rank your list in order of importance. Plan for the ones that really matter, and let the rest go. In general your ranking should consider at least two things:

  • How likely is the risk?
  • And how bad will the impact be if it happens?

In the simplest case (there are ways to make this a lot more complex!) you ask each question about each risk and answer with Low, Medium, or High. Then you use these two scores to assign a priority to each risk as follows:

Priority = Likelihood x Impact

 

          High      Medium    Low
High      High      High      Medium
Medium    High      Medium    Low
Low       Medium    Low       Low

On this scale, for example, “getting bitten by a customer’s dog” probably ranks Low for likelihood but High for impact, giving a composite priority of Medium.

(You can see that this rating method is similar but not identical to the one we saw for evaluating risk in audits: there we said priority = {number of nonconformities} x {severity}. The overall approach is very flexible.)

Then address all the important ones: this means at the very least all the ones where priority = High, but consider the others too to see if there is something you can do where the balance between effort and outcome is reasonable.

"Addressing" a risk means:

  • If possible, prevent it. 
  • If you can’t prevent it, take steps now to mitigate the impact when it happens.
  • Also, consider how you will respond when it does happen: those are your contingency actions. 
  • To make sure this gets done, assign the risk to an Owner, and assign a deadline by when the actions have to be in place. Then be sure to follow up that they really are.
  • And remember that root cause analysis of a risk can help you find the most effective approach.

What about the risks you choose not to address? They stay on the list anyway. And your priority ratings aren’t static. From time to time—at least once a year, if not more often—review your list to see if things have changed. 

  • As you take mitigation steps, for example, the impact of some risks will drop and so their priorities will change. 
  • The priority of others might rise, depending on changes in the outside world. Think how low most companies rated the likelihood of "global pandemic" in 2019.
  • Check whether your contingency plans are still correct and current. Is that still the best way to handle this risk, if it comes about? 
  • Are the responsibilities all assigned to the right people? Are your supplies all in stock and up to date?
  • Assign actions as needed, and follow up to ensure the actions are closed on time.  

In other words, your risk handling becomes a living system.

So even if a risk falls below your threshold and you don't address it right now, keep it on the list. Then the next time you review the list—next quarter, next year, or whenever—you can think about it again. And as long as it stays on the list, you won’t forget.
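
The rating and review loop described above, sketched as a small risk register in Python. This is an added example, not something from the original post: the field names, the findings wording, the sample ratings, owners and dates are all constructed for illustration; only the 3x3 table and the grocery-store risks come from the text.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

LEVELS = ("Low", "Medium", "High")

# The post's 3x3 table. It is symmetric, so it does not matter which
# factor is read from the rows and which from the columns.
PRIORITY = {
    ("High", "High"): "High", ("High", "Medium"): "High", ("High", "Low"): "Medium",
    ("Medium", "High"): "High", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium", ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
}


def _check(*levels: str) -> None:
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"rating must be one of {LEVELS}, got {level!r}")


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    owner: Optional[str] = None
    due: Optional[date] = None   # deadline for the actions to be in place
    done: bool = False           # follow-up confirmed the actions are in place
    history: List[Tuple[date, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        _check(self.likelihood, self.impact)

    @property
    def priority(self) -> str:
        return PRIORITY[(self.likelihood, self.impact)]

    def rerate(self, when: date, likelihood: Optional[str] = None,
               impact: Optional[str] = None) -> str:
        """Periodic review: keep the old priority in history, apply new ratings."""
        new_l, new_i = likelihood or self.likelihood, impact or self.impact
        _check(new_l, new_i)
        self.history.append((when, self.priority))
        self.likelihood, self.impact = new_l, new_i
        return self.priority


def review(register: List[Risk], today: date) -> List[Tuple[str, str]]:
    """Walk the whole list, highest priority first. Nothing is ever dropped."""
    findings = []
    for risk in sorted(register, key=lambda r: LEVELS.index(r.priority), reverse=True):
        if risk.priority == "High" and (risk.owner is None or risk.due is None):
            findings.append((risk.name, "High priority without owner or deadline"))
        elif risk.due is not None and not risk.done and risk.due < today:
            findings.append((risk.name, "actions overdue"))
    return findings


def sample_register() -> List[Risk]:
    # Constructed sample data: ratings, owners and dates are illustrative.
    return [
        Risk("customer's dog bites somebody", "Low", "High"),
        Risk("global pandemic", "Low", "High"),
        Risk("broken jar, wet floor", "High", "Medium", owner="shift lead",
             due=date(2024, 1, 15), done=True),
        Risk("heavy items on high shelves", "Medium", "High", owner="stock manager",
             due=date(2024, 2, 1)),
    ]


if __name__ == "__main__":
    register = sample_register()
    today = date(2024, 3, 1)
    print(review(register, today))
    # The outside world changes: the pandemic's likelihood is re-rated.
    register[1].rerate(today, likelihood="High")
    print(review(register, today))
```

The second review flags the re-rated pandemic risk because it has become High while still having no owner or deadline, which is the situation the periodic review is meant to catch.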

__________

* What follows in the rest of this post borrows heavily from a post I wrote more than a year and a half ago about basic risk management. But I have updated my remarks by taking into consideration the last month's sequence of articles. You will find links throughout.

            

Thursday, December 29, 2022

What do you buy, when you buy a Tesla?

I thought I was all done writing about the place of customer requirements in Quality, but last week I saw an article that put an interesting spin on the subject. Publishing in Fast Company, Anne Marie Squeo wrote, "Tesla owners didn’t buy a car: We bought a set of beliefs Elon is trashing." Of course my first thought was, Wait, I thought Teslas were cars. But then I read her article and began to see her point.


Fundamentally, Squeo is writing about branding; and she makes the point that a brand can have a value or weight of its own, independent of this or that product carrying the brand. And of course this is true. Brands can imply a lot, and those implications can often stretch far beyond the domain where the brand nominally lives. Squeo identifies a number of attitudes and beliefs that she finds common among Tesla-owners—attitudes and beliefs that have nothing to do with cars or even transportation per se, but which are so common that she sees them as clear elements of the Tesla brand. People who disagree strongly with these attitudes and beliefs, she adds, are really not likely ever to buy a Tesla.

By the same token, for example, when I was a kid Cadillac was a brand that implied the very best of everything, not just cars. If you were part of a group trying to fix a problem and someone said, "We don't need a Cadillac solution," he meant that the solution didn't have to be perfect so long as it was good enough. The implication was always that the "Cadillac solution" would indeed have everything you could ask for, but it would also be very expensive. And of course GM worked to reinforce that association in the mind of the public.

Critically, a brand can become a good in its own right, something that customers will pay for. Customers who bought a Cadillac expected it to be expensive, and would have scorned it if it weren't; because in fact the very expense—and the social cachet they hoped to acquire by being able to afford it—was part of what they wanted out of the car.

One consequence, though, is that if the brand has a value all its own then you have to take care of it. Recognize that the integrity of your brand is part of the value proposition that you offer your customers*, and build guardrails in your Quality Management System to keep it intact. In an earlier post, I described how the Bosch corporation responds with swift and visible action to violations of the Bosch Code of Business Conduct or the principle of legality; and Bosch responds this way in part because a reputation for ethical and legal business behavior is a fundamental component of the Bosch brand. The company literally cannot afford to let violations slide if there is any risk that the brand might be sullied.

The alternative is that you can make a conscious decision not to bother. This is the situation that I discussed four weeks ago with respect to Boeing. Boeing has chosen to use a certain amount of its institutional weight to push the spread of the AS9100 aerospace quality management system standard, but has not chosen to get a third-party certification of their own. In the abstract, this decision might be construed as a risk to the brand, because it generates confusion: Which is it? Do you support AS9100, or don't you? That precise point is the subject of Chris Paris's criticisms of Boeing, as I described in the earlier post. What allows Boeing to make the decision they have made is a calculation that the risk to their brand doesn't mean much risk to their business, since there is only one other company on the planet (Airbus) which constitutes any kind of credible competition.

In short: once your brand acquires a value in its own right, you have to take account of it. Either put measures in place to protect your brand, or make a conscious decision not to bother. What you cannot afford to do is to ignore the question, and to treat your brand inconsistently by accident.

It is interesting that, in the rest of Squeo's article, this is exactly what she accuses Elon Musk of doing. She argues, that is, that Musk's actions since buying Twitter harm the brand identity she had earlier described for Tesla, and that he seems to be causing this damage negligently, as if unaware that there is any issue. I have no idea what's going on in the mind of Elon Musk, so I have to recuse myself from that part of the discussion. I always think it is worthwhile to check out alternative hypotheses—maybe Musk is pivoting on purpose from one brand identity to another, rather than doing anything by accident—but it is always possible that Squeo has it exactly right. Perhaps Musk is genuinely unaware that the Tesla brand has (or had) a value independent of the specific cars sold with that logo, so that he failed to implement any safeguards (including restrictions on himself) to protect that value.

But if that's what is happening, don't try this at home. If your brand has an independent value, take care of it. 

__________

* For example, during your Context of the Organization (COTO) analysis. You can consider it along with other non-product requirements, as discussed here.

     

Thursday, November 24, 2022

Requirements: theirs and yours

Quality is often defined as "meeting customer requirements" or "meeting customer expectations." (Longtime readers may recall that I discussed that definition along with others in this early post last year.) But in a post a couple weeks ago, when discussing how to handle ethical questions in your organization, I described the Bosch Product Development Code, an element of the Bosch Code of Business Conduct which states clearly that "Legality and the Bosch values take precedence over customers’ wishes." How can this be Quality? If Quality means "meeting customer requirements," what grounds does any company have for saying that other considerations are more important?

At one level, this is easy. Any responsible company will review orders before accepting them, to make sure they can actually fulfil what is asked. (ISO 9001:2015 requires such a review in section 8.2.3.) If this review reveals customer requirements that the company is unable or unwilling to fulfil, the latter is generally within its rights to reject the order. The order might be impossible, or it might be illegal, or it might just be a bad fit for the kind of work the company does best: in any of those cases, the right response is, "I'm sorry but that's not for us."

This highlights why it is inadequate to define Quality merely as "meeting customer requirements." Your organization likely has rules or considerations of its own that also have to be taken into account. These organizational considerations are the boundary conditions inside of which you operate. But critically, they count as requirements, and they have to be considered along with the other requirements that come externally, from the customer. Then you evaluate whether the whole package is something you can achieve or not.

Another way to describe your organizational requirements is that they are part of the Context of your Organization (COTO), and they should surface during your COTO analysis. But this means that your COTO analysis is in essence a requirements review for the organization. That is to say, ... well, we all know what a requirements review is for a product: you get the right people together in a room, and you generate a list of everything the product has to fulfil. You work through the list to ensure that it is consistent, that it complies with all applicable regulations or boundary conditions, and that it is achievable.

But that's exactly what you do in your COTO analysis: you identify all the interested parties who want something from you, list what they want, itemize any other issues you have to address, and then figure out what you are really going to do. In the end, your final list of constraints that form the framework of your management system has to be consistent (or else different departments will pull in different directions, guaranteeing failure); it has to comply with applicable regulations (if only to ensure nobody goes to jail); and it has to be achievable (or else, again, you guarantee failure). In other words, your COTO is the requirements list for your organization.

And that means that, conceptually, the rejection of this or that customer requirement on the grounds of ethics—or legality, or profitability, or anything else—is no big deal. It's just a case where one requirement conflicts with another. This happens all the time, and the answer is always to analyze the conflict until you figure out which requirement takes priority. That's what you are doing here.  

    

Thursday, November 10, 2022

So how DO you talk about ethics?

Last week I wrote about whether ISO 9001 should be revised to address questions of ethics. In reply, Krishna Gopal Misra of Qualitymeter.com published a detailed essay on LinkedIn about the role of ethics in relation to any management system. I am grateful for Mr. Misra's essay, which makes the important point that ethical principles are not so much a part of a management system as logically prior to it. A management system tells you how to organize in order to get what you want; but it cannot tell you what to want. That is the job of your Vision, and thereby of your strategy and policies. Without a Vision, the management system itself is blind,* and the organization is directionless. At that point there is nothing to stop the organization from doing very bad things, and Mr. Misra gives some chilling examples in his essay. 

What should you do instead? If you want to avoid the moral aimlessness that Mr. Misra warns against, how do you talk about ethical principles in your organization if not in the management system? Or to put the question another way, the management system defines a framework for how to run your organization: where in that framework do your ethical principles belong?

They have to come right at the beginning, so that they become ground rules to inform everything else. This means that your ethical principles have to be part of the Context of your Organization (COTO). They have to be among the fundamental requirements that you are in business to satisfy in the first place.

I used to work for Robert Bosch; and while I normally avoid discussing previous employers by name, I always admired Bosch's explicit and stated commitment to ethical behavior. This commitment grew out of the deep personal beliefs of Herr Bosch himself, back when he was still alive and steering the company personally. He once said—in a remark that every Bosch employee must surely know by heart—"I would rather lose money than trust." (If you are interested, you can find a copy of the Bosch Code of Business Conduct at this link here.)

And it has to be more than slogans. In order to be worth anything, a policy of corporate ethics has to be reinforced with action at every turn. Bosch promoted its ethical policies in several ways. One prominent way was through a corporate training program, which required every employee to take classes on specific topics. These classes repeated at stated intervals: some every year, or every two. The longest interval between repetitions was three years. The classes themselves covered topics like recognizing and avoiding conflicts of interests, or respecting the principle of legality in all daily work. Mr. Misra explained that sometimes companies resort to bribing government officials to get what they want; Bosch had a separate class all about how Bosch employees are strictly forbidden to engage in bribery. The instructors even explained that there are some countries in the world where bribery is expected as a normal part of doing business; and they freely admitted that Bosch's strict anti-bribery policies make it harder to compete in those markets. When someone asked "So what are we supposed to do in those countries?" the instructors just smiled and said the only thing to do was to make the products even better, so they would sell despite interference from disgruntled government officials who expected bribes but didn't get them.

No training program will ever turn men into angels. Somewhere along the line, somebody will make a mistake and do something wrong—even at Bosch. When that happens, it is important to take swift and visible action. You may remember back in 2015, when news broke about the Volkswagen emissions scandal (sometimes called "Dieselgate"). Volkswagen had been caught using software to circumvent laboratory emissions testing, so that their cars could be passed by the EPA and sold into the United States even though their NOx emissions in normal driving far exceeded the legal limits. Volkswagen was the company that perpetrated the illegal activities, not Bosch. But Bosch had sold them the software, a decade earlier. (Bosch even warned them not to use the software in the way Volkswagen used it, because that would be illegal.) 

When it became known what had happened, the Bosch Board of Directors addressed Bosch's (apparently peripheral) role in the scandal by issuing a new Product Development Code. This code had several parts; but among other things it prohibited Bosch from designing any product for any customer with features that a reasonable engineer could expect that customer to use illegally. If a customer asks for such features, even if the features themselves are (strictly speaking) perfectly legal, Bosch is now required to reply, "I'm sorry, Mr. Customer, but we can't do that for you. If that's what you want, we don't want your business." To implement this new Code, Bosch required training classes for every employee worldwide involved in product development, product management, project management, engineering, marketing, or sales. Bosch also required explicit changes to the product release process—enforced by an independent Quality organization—to ensure that the Code has been complied with before any product is released to the market. (This news article discusses Bosch's rollout of the new Product Development Code.)

That's what I mean by "swift and visible action." And it was taken, remember, to respond to a scandal where Bosch was only peripherally involved—so that in the future the company can avoid even the appearance of illegal or unethical behavior.

It's not easy, but it's possible. However, to come back to the original point, these commitments belong in your COTO, along with information about the kind of work that you do and who your major customers are. These commitments are part of the content that is managed by the management system, and not part of the structure of the management system itself.     

__________

* This pun was not exactly intended, but I think it is pretty much inevitable in the present discussion.
