Annex E - FAQs Risk Management Handbook For Suppliers FCA
Annex E - FAQs Risk Management Handbook For Suppliers FCA
Annex E - FAQs Risk Management Handbook For Suppliers FCA
Handbook for
Suppliers FCA
FAQs – Frequently Asked Questions
General questions:
1. Question: the scope of the manual provides exemption, by the FCA, of some
organizations in meeting the requirements. How do I know if my organization is
exempt?
Answer: it is the responsibility of FCA to formally inform exempt organizations. If you
understand that your organization meets the exemption criteria (provides products
considered low risk) and has not received an exemption communication, take the
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA
2
Supplier Quality Engineering - LATAM
Answer: sending is not required, only making it available when requested by the FCA,
usually during SQE visits.
6. Question: Annual risk management evaluation must be approved and signed by FCA
(SQE)?
Answer: FCA will only sign the report when the audit is performed by it. In first-party
audits (internal audit) this signature and approval is not required.
7. Question: does the HIGH RISK / MEDIUM RISK rating in the risk management
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA
2. Question: the adoption of a 10% improvement target for the O.E.E. wouldn´t be
inconsistent, since this percentage would be too ambitious (or infactible) for
productive systems with high O.E.E. (eg 95%) and insufficient for production systems
with very low O.E.E. (e.g. 45%)?
Answer: yes, certainly. This percentage is a first target to be considered, which can
and should be adjusted according to the reality of the processes under analysis. The
Organization may propose different target to FCA, with due justifications.
4. Question: when considering that a quality control method for assuring Report
characteristic is “compliant”?
Answer: the quality control method is considered compliant when it meets one of the
conditions below:
3
Supplier Quality Engineering - LATAM
b) Not falling under one of these modalities, having been previously presented
and agreed with the FCA. Or...
5. Question: I am unable to apply one of the three methods of quality control considered
mandatory in Report characteristics which are generated in suppliers (buy products).
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA
How to proceed?
Answer: the assurance of conformity needs to occur at some point in the product
manufacturing process, not necessarily in the Tier 1 facilities. In this case, the
assurance of conformity occurs in the process where the Report characteristic is
generated, that is, at the supplier. Therefore, the mapping of the Report
characteristics object of Appendix B must be extended to the Tier N responsible for
assuring the characteristic conformity.
2. Question: what to do when there is a need for an emergency change that cannot
follow all the flow required?
Answer: no change, however urgent, can do without an adequate risk analysis and
prior FCA agreement. What can occur is the acceleration or even dismissal, by
agreement between the parties and as long as justified, of part of the rites of the
approval process. In this case, institutional mechanisms (I.A.A. Interim Approval
Authorization - FCA 08090 standard) already exist for the proper management of
these events.
4
Supplier Quality Engineering - LATAM
2. Question: it is necessary to develop a Risk Matrix for each product or product family?
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA
Answer: the Risk Matrix is an infinite Excel spreadsheet, where all products can be
mapped into a single document. The advantage of creating a single spreadsheet is
the possibility of ranking the products (or product families) by the ORI. To facilitate the
visualization of the set of information in a very long document due to the various
product deployments, you can hide the unfolded lines or filter the visualization of only
the finished products (numbered 1, 2, 3 ... in column B).
3. Question: when the reality found in the evaluation of any risk factor in the matrix does
not exactly match the description of the scoring table, can I use intermediate scores?
Answer: No. The matrix does not allow the insertion of scores other than those
predefined. In this case, use the score immediately higher.
4. Question: I have a lot of suppliers and mapping their risks will take a lot of work and
time. How to prioritize?
Answer: the purpose of the mapping carried out using the Supplier Risk Matrix is to
feed column “I” of the Product Risk Matrix. Therefore, the prioritization of the latter
guides the prioritization of the first.
5. Question: is there a defined frequency for updating risk matrices after the first
elaboration?
Answer: there is no defined frequency for this update to take place, however, a good
practice is to update the matrices soon after significant events, new developments,
product / process changes and with a fixed periodicity to absorb updates of logistics
and quality performances. Like an FMEA, the risk matrix is a living document.
7. Question: how to assess process and performance risk factors for new products,
whose production processes and qualitative / logistical performance are not yet
known?
Answer: by estimate or analogy with similar products and processes. As the
development process progresses, the estimated scores are replaced by the actual
ones.
5
Supplier Quality Engineering - LATAM
necessarily, be 1. The opposite is also true: if column “M” has a score other than 1,
column “H” must necessarily be scored 1.
9. Question: what levels of suppliers should be considered in the Suppliers Risk Matrix?
Answer: it starts from the premise that a given level in the supply chain is directly
related to (and has an ascendancy over) only the level immediately below. Therefore,
Tier 1 evaluates Tier 2, Tier 2 evaluates Tier 3, and so on
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA
10. Question: If I have more than one supplier for a given product input, what score
should I consider to insert in column “I” of the Product Risk Matrix?
Answer: all suppliers of the product considered with their respective ORI can be
inserted in the matrix, to have an idea of the whole. Only the highest ORI is
considered to migrate to the higher levels of the deployment and only this will be
considered when calculating the product ORI.
11. Question: If a particular supplier has an ORI greater than 7.5 (high risk), but the ORI
of the product in question is less than 5 (low risk), should the supplier still have his
degree of risk treated?
Answer: if the product's ORI was below 5, this means that the supplier's high ORI
inserted in column “I” was diluted by the low score of the other risk factors. Even so,
the supplier must be approached to minimize its risk factors, not least because the
other risk factors of the product may rise, neutralizing this dilution. What changes is
the priority. In this case, the treatment need not be immediate.
12. Question: I supply a product to FCA that is purchased from an external source
(supplier or another unit of my company) and has no internal processing. Should I
include it in the Product Risk Matrix or in the Supplier Risk Matrix? If at first, how to
consider process risk factors that belong to the manufacturer? If in the second, where
to insert the ORI of the supplier that, as a rule, feeds the Product Risk Matrix?
Answer: although exceptional, such supply situations exist and, as such, must be
handled exceptionally. As a finished product supplied to FCA, this item must
necessarily be included in the Product Risk Matrix, with the following guidelines for
scoring risk factors:
Columns G, H, M, O and P: score normally, as these factors concern only the
product.
Column I: import scores from the ORI from the Suppliers Risk Matrix.
Column J: import scores from column J of the Suppliers Risk Matrix.
Column K: score 1, as the relative risk factor is already included in the score
imported into the previous column.
Column L: import score from column K of the Suppliers Risk Matrix.
Column N: import score from column L of the Supplier Risk Matrix.
The Supplier Risk Matrix should be prepared normally.
6
Supplier Quality Engineering - LATAM
Answer: the best way to obtain this information is to explain to the supplier its use in
risk mapping, including making it clear that he, the supplier, should also apply the
same methodology to assess the risks of his suppliers. If the information still cannot
be obtained, enter an estimated score based on the information and knowledge you
have from the supplier. In case of an error of estimate, the impact will be small on the
ORI due to the low weight of this risk factor.
incorporated into the product that my organization produces and supplies. I consider
that I have no responsibility for compiling the Supplier Risk Matrix for the supplier of
this product, with which I do not maintain commercial relations. How to obtain the
score to complete column “I” of the Risk Matrix of the final product?
Answer: in this specific case, the score to be inserted in column “I” in the Product Risk
Matrix for this consigned component is the ORI score of this component obtained in
the Product Risk Matrix of the respective supplier. In this case, request this score
from your FCA SQE, who is responsible for obtaining it from the supplier.
7
Supplier Quality Engineering - LATAM
2. Question: from the moment the first requirement among the 54 existing ones is
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA
scored, the RISK CLASSIFICATION cell is already filled. Wouldn't this classification
be incomplete, since the result of the evaluation of the other requirements is not yet
known?
Answer: it is assumed that this risk classification is valid information when the
assessment is completed or, at least, ongoing. This can be seen from the number of
scored subgroups or the sum of the number of scored requirements (see cells just
below the RISK CLASSIFICATION cell).
3. 3. Question: will FCA evaluate the organization's risk management? If so, how often?
Answer: the FCA's requirement is that the Organization adapts its risk management
process to the handbook requirements. The way in which FCA will verify compliance
with these requirements will be defined on a case-by-case basis and, if necessary,
can be done via a second party audit using Annex A for evaluation.