What is Needed?

The Risk Assessment process will require input from across the firm in terms of the operations of key responses but also inputs into what quality risks the firm has.  Below are some quick observations for firms to consider. 

​

Responses

Responses will include policies, procedures and controls which are in place (currently) but may also require new or enhanced policies and procedures to be put in place.  A logical starting point will be to create a simple inventory of the responses in places as a starting point for understanding our current quality system.  Remember, responses under SQMS 1 are likely to go beyond the scope of the previous SQCS 8 standard.

​

Risks

SQMS 1 requires firms to identify their “Quality Risks”. All risks may not reach the definition of quality risks, however, as all objectives are expected firms should ensure that they identify at least one quality risk for each objective.

​

Remember instead of thinking:

“We don’t have any quality risks because we have best in class policies”,

 

You need to think,

“If we didn’t have these policies what would be

the risk for our firm in achieving these quality objectives”.

 

Finally, don’t assume you have all the policies in place today, you may have some parts of policies but challenge if the policy is complete and remains appropriate for your firm as it operates today. 

​

Objectives

The standard identifies “expected” objectives and there are roughly 29 objectives that firms must put in place.  Although firms can add additional objectives, it is likely that smaller practices will keep to the “expected” objectives only and therefore the number of objectives gives us a real idea of the effort to complete the risk assessment. 

What to expect

Your risk assessment will require you to spend time over the coming weeks documenting your risks and responses.  Assuming like most firms you have the majority of your system in place and need to document it appropriately, here is an idea of what to expect and the time commitment.

​

1) Know the standard - Step one, familiarise yourself with the standard and the requirements.  Most have started this journey but make use of the resources out there and provided by different parties.  (Expect to spend 7-15 hours at this).

2) Implementation approach - To get started selecting your implementation approach will be key, whether it is excel or some other manual process (including internally generated documents), expect to spend time identifying, configuring and learning to use the approach.  Some manual and technology solutions may still require you to create your own templates and to pull out the objectives and specified responses from the standard. (Expect to spend 5-10 hours in this step).

3) Executing the risk assessment – Firms have a simple starting point, being our objectives, and assuming we have an inventory of our current responses, we have an idea of the end point.  Your time in the risk assessment will focus on:

• Confirming the expected objectives cover your firm objectives

• Identifying, documenting, rating and signing off your quality risks

• Documenting and capturing your current responses and mapping them to the quality risks

• Identifying and closing any gaps or improvements required to your responses

• Communication, reviewing and signing off the risk assessment. 

• Assuming an hourly allocation for each objective (29 objectives taking 2.5 hours to document risks and responses)  and time for review, reporting, rework and communication (Expect to spend 80-150 hours in this step).

4) Monitoring set up and planning – Your monitoring and remediation comes into effect in 2026, we would recommend as part of the initial implementation (in particular steps 2 & 3 above) firms consider and plan the monitoring approach as the monitoring will directly rely on the outputs of the risk assessment, spending time planning that into your risk assessment documentation is advisable (Expect to spend 10-15 hours in this step).

 

Assuming a mid point for the estimates above, a manual unstructured and unguided approach could require up to 19 days of effort between now and the implementation date. 

How QMCore Helps

Working with our customers, we have identified a number of areas of time savings in implementation and ongoing management of your system of quality management through using QMCore.  This saving can reach up to 30% of the total time bringing the total potential time down from 19 days to 13 days. 

 

QMCore helps firms in their implementation through:

• Bulit in user aids, guidance, videos and content to assist them in their risk assessment journey while also educating themselves and other team members. 

• QMCore includes preloaded risk assessment content including:

  • Objectives,

  • indicative risk library,

  • and specified responses.

• Certain content is read-only, preserving the integrity of the requirements of the standard and giving you’re a clear connection to how you are meeting the requirements.

• Creating and maintaining your risk assessment is streamlined through the simple and intuitive ability to link quality risks and responses to all relevant locations while preserving a single record of the information.  This provides a simple and quick mechanism to make updates and changes as you complete and manage your risk assessment. 

• Our real time configurable dashboard reporting allows firms to understand and report their outputs quickly and easily with no need to generate, cross check and update data as part of the process, instantly streamlining the process.

• In built “one click” reporting to word and excel reporting can also be used to communicate the work to the wider teams. 

 

QMCore’s end to end journey which has been mapped to the requirements of the standard, our clear audit trail and ease of reports provides firms with comfort of being in a “Peer Review Ready” position.