Risk Management

Handbook for
Suppliers FCA
FAQs – Frequently Asked Questions

The answers and explanations presented herein are complementary to

the manual requirements

2nd review – 2020/08/30

RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

 Supplier Quality Engineering - LATAM

General questions:

1. Question: the scope of the manual provides exemption, by the FCA, of some
organizations in meeting the requirements. How do I know if my organization is
exempt?
Answer: it is the responsibility of FCA to formally inform exempt organizations. If you
understand that your organization meets the exemption criteria (provides products
considered low risk) and has not received an exemption communication, take the
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

initiative and propose your exemption to the FCA.

2. Question: does the Risk Management Handbook for Suppliers have content
equivalent to the ABNT NBR ISO 31000: 2018 Risk Management - Guidelines??
Answer: No. The aforementioned standard has a greater business scope in relation to
the content of this manual, which focuses on the risks of products and the processes
that produce them. However, the manual can be considered as a complement and
further development of the standard, just as it is a complement to the IATF 16949:
2016 standard in the aspects of risk management.

Questions by requirement groups:

5.1 Organizational Structure and Product Risk Manager (PRM)

1. Question: How should the organizational structure for risk management be
formalized? Is it necessary to develop a procedure for this?
Answer: formalization must follow the Organization's standardization system, which
can use procedures, flowcharts, organizational charts or other forms to describe the
structure. The important thing is that this formalization includes the description of the
risk process, in addition to the formation and operation of the Risk Committee,
ensuring continuity and effectiveness in risk management activities..
2. Question: what is the recommended hierarchical level for the members of the Risk
Committee? Should they be managers?
Answer: this is an Organization definition. The choice must fall on professionals who,
regardless of their positions, have authority, responsibility, competence and the
minimum time availability to carry out the Committee's activities.
3. Question: What level of knowledge should the PRM have on the topics of product civil
liability, legislation on safety and consumer protection, specific legislation on the
Organization's products and risk management methodology?
Answer: PRM is required to have basic knowledge of these topics, using internal or
external experts in case of need for further study to direct the Risk Committee's
activities. The required knowledge of the PRM, especially in legal matters, does not
exempt the organization from having specific competences in its legal area.
4. Question: the Risk Committee, PRM included, can be corporate?
Answer: the composition of the Risks Committee must portray the organizational
structure of the production unit (plant), therefore, the functions present in the unit
must compose the committee. Occasionally, fully corporate functions (example:
Quality Suppliers Engineering - SQE) may appoint representatives from outside the
plant. A fundamental factor to be considered is the necessary capacity of the
committee to deal with events that require its immediate action, which limits a
corporate-only composition.
5. Question: Annual risk management evaluation reports must be sent to FCA?

2
 Supplier Quality Engineering - LATAM

Answer: sending is not required, only making it available when requested by the FCA,
usually during SQE visits.
6. Question: Annual risk management evaluation must be approved and signed by FCA
(SQE)?
Answer: FCA will only sign the report when the audit is performed by it. In first-party
audits (internal audit) this signature and approval is not required.
7. Question: does the HIGH RISK / MEDIUM RISK rating in the risk management
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

evaluation, constitute a failure? In addition, what would be the consequences?

Answer: the objective of evaluating the risk management process is to point out the
existence of any gaps (or opportunities for improvement) in meeting the requirements
and, if they exist, to propose their elimination (or use) with appropriate actions within
reasonable terms for the control / minimization of the resulting risks. It is not a matter
of passing or failing, but of correcting and improving.
8. Question: can annual evaluation be integrated with other audits such as ISO 9001 or
IATF 16949?
Answer: if it is convenient for the organization, yes.
5.2 Product and Manufacturing Process Controls
1. Question: the requirements set out in section 5.2 are very similar to the requirements
set out in the Fiat Chrysler Report Characteristics Management Manual. Is there not a
repetition?
Answer: the Fiat Chrysler Report Characteristics Management Manual was canceled
with the publication of this 3rd edition. Section 5.2 was inserted in the present manual
precisely to accommodate some of the requirements of the canceled manual.

2. Question: the adoption of a 10% improvement target for the O.E.E. wouldn´t be
inconsistent, since this percentage would be too ambitious (or infactible) for
productive systems with high O.E.E. (eg 95%) and insufficient for production systems
with very low O.E.E. (e.g. 45%)?
Answer: yes, certainly. This percentage is a first target to be considered, which can
and should be adjusted according to the reality of the processes under analysis. The
Organization may propose different target to FCA, with due justifications.

3. Question: if a particular Report characteristic has its conformity controlled by more

than one control modality, should all of them be described in the form Appendix C
(columns M to V)?
Answer: only the determining modality (most robust) must be indicated in “MAJOR
MODE OF CONFORMITY ASSURANCE” column for the respective characteristic.
The other modalities should not be included in the mapping.

4. Question: when considering that a quality control method for assuring Report
characteristic is “compliant”?
Answer: the quality control method is considered compliant when it meets one of the
conditions below:

a) It fits one of the methods defined as mandatory in requirement 5.2.B.1 (page

15 of the manual), namely: Error Proof Devices - DAPE, fully automatic
inspection or mixed automatic inspection. Or...

3
 Supplier Quality Engineering - LATAM

b) Not falling under one of these modalities, having been previously presented
and agreed with the FCA. Or...

c) Be accepted by the FCA as an acceptable option when submitting Annex B for

approval. In this case, the classification “not compliant” becomes “compliant”.

5. Question: I am unable to apply one of the three methods of quality control considered
mandatory in Report characteristics which are generated in suppliers (buy products).
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

How to proceed?
Answer: the assurance of conformity needs to occur at some point in the product
manufacturing process, not necessarily in the Tier 1 facilities. In this case, the
assurance of conformity occurs in the process where the Report characteristic is
generated, that is, at the supplier. Therefore, the mapping of the Report
characteristics object of Appendix B must be extended to the Tier N responsible for
assuring the characteristic conformity.

5.3 Risk Prevention in Product and Manufacturing Process Changes

1. Question: How long should documents related to changes in the product / production
process, including the “Change Request” form approved by the FCA, be retained?
Answer: according to the FCA LATAM Specific Requirements Letter (item 7.5.3.2.1 -
Retention of records), these documents must be retained for 15 years. Standard
07740 establishes that these documents must be retained while the respective
products remain in production and until they are removed from the FCA spare parts
catalogs. Due to this documentary disagreement, it is recommended to adopt the
solution specified by standard 07740.

2. Question: what to do when there is a need for an emergency change that cannot
follow all the flow required?
Answer: no change, however urgent, can do without an adequate risk analysis and
prior FCA agreement. What can occur is the acceleration or even dismissal, by
agreement between the parties and as long as justified, of part of the rites of the
approval process. In this case, institutional mechanisms (I.A.A. Interim Approval
Authorization - FCA 08090 standard) already exist for the proper management of
these events.

3. Question: in order to be considered approved, the “Change Request” form (Annex C)

must be submitted and signed by all related FCA functions (Supplier Quality
Engineering, Plant Quality, Product Engineering and Purchasing)?
Answer: the only function that always subscribe is Suppliers Quality Engineering. The
other functions will only be involved in the evaluation and approval of the change
request as defined below:
FCA Plant Quality: when the requested change requires validation tests under its
responsibility.
FCA Product Engineering: when the requested change is related to the product
design (specification change) and / or when it requires validation tests under its
responsibility.
FCA Purchasing: when the requested change affects manufacturing capacity,
costs, prices, investments, manufacturing resources owned by FCA or any
contractual clause.

5.4 Product Risk Mapping

4
 Supplier Quality Engineering - LATAM

1. Question: my organization supplies FCA with a wide range of products. It is not

possible to map all of them at the same time. Where to start?
Answer: start mapping for the most significant products in terms of functional
importance, volumes supplied and longer expected service life. Leave products with
products close to the end of its lifespam, low volumes and less functional importance
to the end of the line.

2. Question: it is necessary to develop a Risk Matrix for each product or product family?
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

Answer: the Risk Matrix is an infinite Excel spreadsheet, where all products can be
mapped into a single document. The advantage of creating a single spreadsheet is
the possibility of ranking the products (or product families) by the ORI. To facilitate the
visualization of the set of information in a very long document due to the various
product deployments, you can hide the unfolded lines or filter the visualization of only
the finished products (numbered 1, 2, 3 ... in column B).

3. Question: when the reality found in the evaluation of any risk factor in the matrix does
not exactly match the description of the scoring table, can I use intermediate scores?
Answer: No. The matrix does not allow the insertion of scores other than those
predefined. In this case, use the score immediately higher.

4. Question: I have a lot of suppliers and mapping their risks will take a lot of work and
time. How to prioritize?
Answer: the purpose of the mapping carried out using the Supplier Risk Matrix is to
feed column “I” of the Product Risk Matrix. Therefore, the prioritization of the latter
guides the prioritization of the first.

5. Question: is there a defined frequency for updating risk matrices after the first
elaboration?
Answer: there is no defined frequency for this update to take place, however, a good
practice is to update the matrices soon after significant events, new developments,
product / process changes and with a fixed periodicity to absorb updates of logistics
and quality performances. Like an FMEA, the risk matrix is a living document.

6. Question: is it possible to treat products under development and products under

production in the same matrix? Wouldn't it be better to create separate matrices for
these two realities?
Answer: it is possible to treat these two universes in the same matrix, as well as to
use two different matrices. This is an organization choice.

7. Question: how to assess process and performance risk factors for new products,
whose production processes and qualitative / logistical performance are not yet
known?
Answer: by estimate or analogy with similar products and processes. As the
development process progresses, the estimated scores are replaced by the actual
ones.

8. Question: for products under development, is it possible to consider the occurrence of

changes in the assessment of the risk factor “Change Management” in the Product
Risk Matrix?
Answer: No. If the product is under development (a score other than 1 on the risk
factor “Type of Project / Technology (column H), the score on column “M”must,

5
 Supplier Quality Engineering - LATAM

necessarily, be 1. The opposite is also true: if column “M” has a score other than 1,
column “H” must necessarily be scored 1.

9. Question: what levels of suppliers should be considered in the Suppliers Risk Matrix?
Answer: it starts from the premise that a given level in the supply chain is directly
related to (and has an ascendancy over) only the level immediately below. Therefore,
Tier 1 evaluates Tier 2, Tier 2 evaluates Tier 3, and so on
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

10. Question: If I have more than one supplier for a given product input, what score
should I consider to insert in column “I” of the Product Risk Matrix?
Answer: all suppliers of the product considered with their respective ORI can be
inserted in the matrix, to have an idea of the whole. Only the highest ORI is
considered to migrate to the higher levels of the deployment and only this will be
considered when calculating the product ORI.

11. Question: If a particular supplier has an ORI greater than 7.5 (high risk), but the ORI
of the product in question is less than 5 (low risk), should the supplier still have his
degree of risk treated?
Answer: if the product's ORI was below 5, this means that the supplier's high ORI
inserted in column “I” was diluted by the low score of the other risk factors. Even so,
the supplier must be approached to minimize its risk factors, not least because the
other risk factors of the product may rise, neutralizing this dilution. What changes is
the priority. In this case, the treatment need not be immediate.

12. Question: I supply a product to FCA that is purchased from an external source
(supplier or another unit of my company) and has no internal processing. Should I
include it in the Product Risk Matrix or in the Supplier Risk Matrix? If at first, how to
consider process risk factors that belong to the manufacturer? If in the second, where
to insert the ORI of the supplier that, as a rule, feeds the Product Risk Matrix?
Answer: although exceptional, such supply situations exist and, as such, must be
handled exceptionally. As a finished product supplied to FCA, this item must
necessarily be included in the Product Risk Matrix, with the following guidelines for
scoring risk factors:
 Columns G, H, M, O and P: score normally, as these factors concern only the
product.
 Column I: import scores from the ORI from the Suppliers Risk Matrix.
 Column J: import scores from column J of the Suppliers Risk Matrix.
 Column K: score 1, as the relative risk factor is already included in the score
imported into the previous column.
 Column L: import score from column K of the Suppliers Risk Matrix.
 Column N: import score from column L of the Supplier Risk Matrix.
The Supplier Risk Matrix should be prepared normally.

5.5 Traceability Management and Record Control

5.6 Suppliers Risk Management

1. Question: the risk factor “dependence level on the main customer” can only be scored
based on information obtained from the supplier itself. What to do if he refuses to
provide this information or, if he does, how to check its reliability?

6
 Supplier Quality Engineering - LATAM

Answer: the best way to obtain this information is to explain to the supplier its use in
risk mapping, including making it clear that he, the supplier, should also apply the
same methodology to assess the risks of his suppliers. If the information still cannot
be obtained, enter an estimated score based on the information and knowledge you
have from the supplier. In case of an error of estimate, the impact will be small on the
ORI due to the low weight of this risk factor.

2. Question: I receive a consigned product from FCA, which is transformed and / or

FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

incorporated into the product that my organization produces and supplies. I consider
that I have no responsibility for compiling the Supplier Risk Matrix for the supplier of
this product, with which I do not maintain commercial relations. How to obtain the
score to complete column “I” of the Risk Matrix of the final product?
Answer: in this specific case, the score to be inserted in column “I” in the Product Risk
Matrix for this consigned component is the ORI score of this component obtained in
the Product Risk Matrix of the respective supplier. In this case, request this score
from your FCA SQE, who is responsible for obtaining it from the supplier.

5.7 Problem-solving Management

1. Question: can the 8D form provided for in FCA 08018 be used to meet requirement
5.7.A.1?
Answer: No. This form fulfills the role of synthesizing the conclusions of a problem
solving process to inform the FCA. A problem solving methodology is more than filling
out a form, requiring a much more complex and complete approach. For this, there
are several methods already developed and applied.

5.8 Knowledge and Skills Management

1. Question: what is the difference between the content of section 5.8 of the manual and
the knowledge management usually practiced by companies?
Answer: the focus. The requirements in this section address the management of
organizational knowledge with a focus on risk management. For example, the risk
factors addressed in the mapping deal with preventive and predictive maintenance,
process capacity, quality control modalities, among others. In order for these factors
to have their risks minimized, it is necessary that there is knowledge in the
organization that provides competencies to treat them properly in order to minimize or
eliminate their possible negative impact.

7
 Supplier Quality Engineering - LATAM

Questions related to the Risk Management Evaluation checklist (Annex A):

1. Question: What are the scores for the 25 requirement subgroups depicted in the
“Checklist” scoring matrix for, as they are not used for any calculation?
Answer: the indication of the subgroup score serves only to indicate in which of them
there are requirements that did not reach the score 5.

2. Question: from the moment the first requirement among the 54 existing ones is
FAQs - RISK MANAGEMENT HANDBOOK FOR SUPPLIER FCA

scored, the RISK CLASSIFICATION cell is already filled. Wouldn't this classification
be incomplete, since the result of the evaluation of the other requirements is not yet
known?
Answer: it is assumed that this risk classification is valid information when the
assessment is completed or, at least, ongoing. This can be seen from the number of
scored subgroups or the sum of the number of scored requirements (see cells just
below the RISK CLASSIFICATION cell).

3. 3. Question: will FCA evaluate the organization's risk management? If so, how often?
Answer: the FCA's requirement is that the Organization adapts its risk management
process to the handbook requirements. The way in which FCA will verify compliance
with these requirements will be defined on a case-by-case basis and, if necessary,
can be done via a second party audit using Annex A for evaluation.