Risk Management Handbook For Suppliers FCA

Risk Management
Handbook for
Suppliers FCA
3rd Edition: May 30, 2020
RISK MANAGEMENT HANDBOOK FOR SUPPLIERS FCA

Quality Engineering Suppliers - LATAM
COMPANIES ATTENDING THE PROJECT PREPARATION TEAM
APTIV: Julio C. Santos.

BOSCH: Bruno Neri, Rodrigo Jannuzzi.
CSN: Alexandre Pimentel, Carlaine F. Souza, Rafael Lara.
CONTINENTAL: Alexandre Bruni V. Alves, Mariana Chiaro.
MAHLE: Alexandre Carmanhani, Renata Gomes.
MAXION WHEELS: Andre Buoro, Fernanda Cagnin, Luiz Lopes, Lucas Souza.
ZF: Alberto Kawano.
INTERACTION PLEXUS: Carlos C. Romano, José G. Albieri, Giuseppe L. Viceconte, Paulo

Cesar. V. Haffner, Wadson Kaizer.
FCA / QUALITY: Charles Lima, Daniel Deslandes, Davi L. Freitas, Larissa Amorim.
FCA / HQE: Marcos Silveira, Alef Pedrosa, Alessandro Nonaka, Christiano Oliveira, Denilson
Cunha, Edgar Felipe, Elmo Junior, Luciano Silva, Luiz Peixoto, Marcos Silveira, Maria Simone
Pereira, Mauricio Barreto, Reginaldo Teixeira, Wagner N. Medeiros, Walkyr Passagli.
FCA / VSRC: Edson Silva, Emerson Alves.
PROJECT VALIDATION
FCA / HQE: Jasson Azevedo

FCA / VSRC: Emerson Alves
INTERACTION PLEXUS: Paulo Sérgio Giusti, Giuseppe L. Viceconte, Paulo Cesar. V.
Haffner.
REVISION 01
MAVLIG CONSULTORIA EM GESTÃO: Gilvam Ferreira

QUALYPRO CONSULTORIA & TREINAMENTO: Claudemir Oribe
REVISION 02
FCA / HQE: Anderson Castro

INTERACTION PLEXUS: Giuseppe L. Viceconte
MAVLIG CONSULTORIA EM GESTÃO: Gilvam Ferreira
QUALYPRO CONSULTORIA & TREINAMENTO: Claudemir Oribe
Special thanks to Luiz Henrique Valadares Silva (STOLA DO BRASIL) for the formatting of
Annexes A and D
2
Contents
1. Preface
2. Purpose
3. Scope
4. Terms and definitions
5. Risk Management Requirements

5.1 Organizational Structure and Product Risk Manager (PRM)
5.2 Product and Manufacturing Process Controls
5.3 Risk Prevention in Product and Manufacturing Process Changes
5.4 Product Risk Mapping
5.5 Traceability Management and Record Control
5.6 Suppliers Risk Management
5.7 Problem-solving Management
5.8 Knowledge and Skills Management
6. Risk Management Evaluation
7. Attachments
3
1. Preface
The most basic risk concept is familiar, as the daily activities expose us to a series of risks,
which we have to live and learn with.
By approaching a little more of the theory, the risk is frequently defined as the combination
between probability of occurrence of a damage and its severity. ISO 31000 defines risk as an
effect of the uncertainty in the objectives. Objective is what we define constantly, whether in
our personal life, in daily processes or in the service and transformation activities.
The daily characteristics intrinsic to the risk concept combined with the statistical nature of all
the processes which we deal with, brought the acknowledgment of risk management as a
valuable element in business management.
Reaching a common agreement of the application of risk management among the several
stakeholders in a given process is very difficult, as each stakeholder has different perceptions
on the potential damages, and assigns different probabilities to each potential risk, and
different degrees of severity to each one.
Within this context, and considering the diversity of the stakeholders, we considered that the
protection of manufacturing processes and products, via objective management of compliance,
should be considered as primordial.
A well-built approach for Risk Management may assure the quality of processes along the
supply chain, and the final quality of the product for the customer, as it provides means to
identify and control potential quality risks in the development and manufacturing phases. In
addition, when crisis management is required, the quality risks management may optimize the
decision-making process.
Current context
Today, we have clear concepts and common sense on the importance of Risk Management.
The experience shows us an instability and trend to risk, which may surprise us.
Why does the scenario become more critical? Which external and internal factors may
influence the probability, severity of risks and skills of the organizations to deal with them?
4
Social
Education Economical
External
Factors
Regulatory Investments
Technology
Figure 1 – Some external factors, risk trend influencers
To evaluate the current context and its influence on the risk scenario, figure 1 shows some
factors external to the organizations. Let’s think briefly on some of these factors.
An unstable scenario impairs the decision on investments in industrial processes, increasing

the risks of obsolescence, causing poor controls, non-predictive maintenance strategies,
causing more reactive than preventive positions.
In this scenario, the investments are postponed or displaced to more promising markets.
Technologies become outdated and do not more represent the state-of-the-art in terms of risk
prevention, and critical processes are maintained with high dependence of labor for the
decision process.
The social scenario, with reduction of employment rates, has direct consequence for loss of
knowledge, also increasing the tension in the operational environment, thus requiring much
more from the managerial systems, attention and discipline for risk mitigation.
Within this context, the educational level is also affected in the medium- and long-terms.
Therefore, the capability to absorb training contents, loss of technological mastering and
reduction of the reaction capability required before crisis management, are all emphasized.
By other hand, it is notorious the normative development, which brings guidelines,

methodologies and foundations capable of providing the instruments required for Risk
Management.
Significant growth is also observed in the regulatory mechanisms, by regional organization of

the controller bodies and their global interconnection.
The international legal cooperation may be understood as a formal way to request from other
country any legal, investigative or administrative measure required for a concrete case in
progress. The effectiveness of justice, in a scenario of intensification of relations between the
nations and their people, whether within the business, migratory or information scope, requires
more and more a proactive and collaborative State. Legal relations are not more processed
only within a single Sovereign State; on the contrary, it is necessary to cooperate and request
5
the cooperation of other States to meet the claims for justice from the individual and the
society.1
We may conclude that, by one hand, if the companies and their products are more intensely
monitored by regulatory and consumer protection bodies, by the other hand, they are within a
context that brings greater criticality and trend to risk, if we consider the social-economic
instability and limitations for investments.
Model/
Flow/
Protocols
Decision Governance
process
Strategic
Systems Objectives
Internal
Knowledge Factors Structure
Principles
Functions
and values
Resources Responsibiliti
es
Figure 2 – Factors internal to the companies, which are determinant in trend/ severity to risk
The internal scenario of the organizations is also full of factors that influence risk management
in a crucial way. The way by which the business management is organized determines how
the factors shown in figure 2 influence risk management, whether in a positive or negative way.
The existence of governance, with structure, function and responsibility focused on risk
monitoring, is a fundamental pillar for risk management. This governance shall reflect the
company principles and values, and meet the strategic objectives.
With a basic governance structure, an organization may define better the processes, resources
and monitoring and analysis forms, resulting in decision processes more robust and suitable
to the needs.
Then, operational models, flows and protocols are defined, thus assuring practical involvement
of all the organizational levels.
1
Available at: http://www.justica.gov.br/sua-protecao/cooperacao-internacional
6
This internal structuring process is based on the management of knowledge, which is the most
valuable asset of the institutions in planning, verification and maintenance of processes and
products conformity, and consequently in the management of risks inherent to the operations.
An effective risk management may lead to better and more founded decisions, providing to
certification and regulatory bodies greater trust in the ability of an organization to dealing with
potential risks, reflecting directly the perceived value, and thus the business sustainability.
By considering the complexity and adverse situation of the external values, and recognizing
the importance of internal factors at companies and in the supply chain, FCA proposes this
guide as a path towards excellence in risk management.
Script for thought
This manual has the aim of offering systematic approach for quality risk management.
It shall be perceived as an independent foundation or resource, in spite of supporting other

supporting other initiatives of corporate Quality Management, complementing existing quality
practices, requirements, standards, norms and other guidelines for management of the
automotive chain.
Based on the structure of this work, FCA has the initial purpose of inviting you for a thought
script on the trend of your organization to risk, its skills and abilities in the determination,
analysis, prevention and monitoring of risks, and the awareness of the several organizational
levels in terms of risk impacts, and the consequent need for their management.
Then, reserve a fraction of your time in the following issues, and be motivated to drill down the
concepts represented herein.
2. Purpose:
Developed by FCA and a group of automotive Suppliers to be guide for implementation of Risk
Management in the Organization, and a complement of IATF 16949 (see requirement 0.3.3 -
Risk Mindset), this Manual has the purposes below:
 Establish requirements to be met in order to enable identification, analysis, evaluation and
treatment of risks related to products and processes.
 Provide a tool for periodical analysis of the effectiveness of risk management derived from
the fulfillment of the manual’s requirements.
7
3. Scope
The fulfillment of the requirements in this manual is mandatory for all FCA Direct Materials
Suppliers (hereinafter named as “Organization” or “Organizations”), and their verification shall
meet the conditions stipulated in the own manual.
FCA may, at its discretion, exempt some Organizations from the fulfillment of these
requirements in function of the types of products supplied by these Organizations (products
considered as low risk). When applicable, this exemption will be formally notified by FCA to
the interested Organizations.
The risks object of this manual’s content are related, ultimately, to the ones derived from
processing and utilization of the products supplied to FCA, and which make up the vehicles it
produces, considering their whole lifetime. These risks may be related to statutory and
regulatory, personal safety and environment protection aspects. Hereinafter, these risks are
named as “product risks”.
The requirements of this manual are complementary, and do not supersede, the ones of IATF
16949 and other FCA standards.
The present requirements are applicable, in cascade, to the Organizations´ Direct Materials
Suppliers.
8
4. Terms and Definitions
Risk analysis: Understanding of risks’ nature and their characteristics, considering

uncertainties, risk sources, consequences, probabilities, etc. Risk analysis focuses on the
quality of the information used and provides input to risk evaluation.
Risk evaluation: Comparison between the risk analysis results (information generated) and
the risk criteria established, prioritizing risks and indicating decisions.
Break point: refers to the separation between past and future conditions. Usually, it refers to
the point of introduction of modification in a product or manufacturing.

Special characteristics: these are product characteristics or manufacturing process
parameters, which may, in case of nonconformity with specifications, affect safety or the
compliance with regulatory requirements (adjustment, function, performance, requirements or
subsequent processing of the product). Except when otherwise indicated, the special
characteristics of FCA products are the ones classified as Report, Critical and Important (see
FCA 9.01102/10 standard) and PQC-S, PQC and CPC (see FCA FPW.PEN053 – Powertrain).
Risk classification: way to organize the risks identified.
DAPE (Errorproof Device): also known as “PokaYoke” or “ErrorProof”, prevents or detects
product nonconformance, thus preventing their continuity in the manufacturing process flow.
Risk management structure: Set of components that provide foundations and organizational
arrangements for conception, implementation, monitoring, critical analysis and continuous
improvement of the risk management throughout the whole Organization.
Under control failure: these are failures predicted and expected, which have identification
and mitigation actions defined (e.g. internal scraps and reworks provisioned in the control plans
and with reaction plan defined, expected external failures – e.g. porosities in cast parts
supplied as-cast, failures within the targets agreed with the customer, etc.). This category of
failures requires adoption of continuous improvement actions.
Out of control failure: these are failures unexpected and unacceptable, such as
nonconformities which detection is not expected in the control plans, failures detected in audits
of finished products released for shipment to the customer, failures in the customer out of the
targets defined, failures in safety products, etc. This category of failures requires immediate
containment, correction and anti-recurrence actions.
Organizational knowledge management: this is an integrated system, which has the aim of
developing knowledge and collective competence to expand the intellectual capital of the
organizations and the wisdom of people, in addition to simple storage of data or information.
This collective knowledge includes experiences, skills, data and information, work process best
practices, organizational culture, everything within a context of sharing, transfer and
application of this knowledge.
Risk management: Activities coordinated to manage and control an Organization in terms of
risks.
Risk identification: Risk search, recognition and description process.
9
Fully automatic inspection: quality control performed by automatic equipment, also with
automatic product loading and unloading, as well as its destination in case of nonconformity
detection. There is no human interference in this kind of quality control process.
Semi-automatic inspection: quality control performed by automatic equipment, with loading
and/or unloading and/or destination of defective products performed by human operator.
Lessons learned: knowledge acquired from failures or hits, and that can be used to prevent
repetition of failures, or to assure retention of hits.
Homogeneous lot: amount of homogeneous products formed by elements manufactured
under the same conditions. For non-complex (single element) products, the lot homogeneity is
determined by the uniformity of the manufacturing process and homogeneity of the raw
materials used. For complex products, in addition of the determinant factors above, it shall be
established the priority and “qualifying” element and/or component, and which homogeneity
qualifies the lot homogeneity.
Risk mapping: determination/recognition of current risks in the process, using predefined
methodology (see risk identification)
Risk mitigation: actions to reduce or remediate the impacts from occurrences of risk situations
Risk prioritization: way to classify and determine risks that shall be handled first over the
remaining ones.
Special process: this is the manufacturing process which results cannot (or hardly can) be
verified directly in the products produced. In this case, monitoring of these processes is vital
to assure product conformity. Except otherwise indicated, the special processes considered in
this manual are heat treatment, plating, painting, metallurgical welding, electrical-electronic
welding, molding and casting.
Quality records: all and any records related to activities that affect, whether directly or
indirectly, the product quality. The quality record may refer to the confirmation of execution of
an activity (setup, inspection, etc.), or to the activity result (results from controls,
measurements, etc.).
Risk: Effect from uncertainty in the objectives.
Risk treatment: Selection and implementation of actions to modify risks, which may comprise:
 action to prevent risk by the decision of not starting or discontinuing the risk-originator
activity;
 assume or increase the risk, to pursue an opportunity;
 removal of the risk source;
 change of probability;
 change of consequences;
 risk sharing with other part(ies) (including contracts and financing of risk, insurance for
recall campaign, etc.); and
 risk retention by conscious choice.
10
5. Risk Management Requirements
5.1 Organizational Structure and Product Risk Manager (PRM)

(IATF 16949 - 4.1, 4.2, 5.1.1, 5.1.1.2, 5.1.1.3, 5.1.2, 5.3.1, 5.3.2)
Purpose:
Define a structure that assures implementation, execution and continuous improvement of the
risk management process, by its monitoring and critical analysis of the results achieved, and
also define the role of the Product Risk Manager (PRM).

Requirements:
A) Organizational Structure
1) The Organization shall define an organizational structure for risk management, which
considers, among other activities, the creation of a Risk Committee formed by
multidisciplinary team, minimally composed by representatives of the Sales, Product
Development, Manufacturing Engineering, Manufacturing, Quality and Purchasing/Supplier
Quality Engineering. The Risk Management process, including the Risk Committee
proceedings, shall be formally described in the Organization’s management system.
2) The Risk Committee shall be assigned with authority and responsibilities for:
a) Implement actions for full compliance with the requirements of the present manual,
assuring management of product risks from the onset of the development process to the
end of its lifetime.
b) Assure that the processes for quotations, feasibility analysis, quality planning and
Technical Review meetings with FCA, including product and process change reviews,
consider the product risk factors.
c) Assure that, in the Product Development process, the Special Characteristics of the
product and the manufacturing process are identified, agreed with FCA, and duly
handled in terms of assurance of its conformity.
d) Evaluate systematically the results and trends of the performance indicators of products
and manufacturing processes (O.E.E. Included - see section 5.2 later), identifying
potential product risks.
e) Monitor, identify and manage events related to product risks, maintaining the top
management of the Organization informed, and when applicable, FCA and Suppliers.
f) Stop the manufacturing and expedition of products in situations where product risks are
identified, acting quickly and effectively for complete normalization of these situations.
g) Be responsible for the product safety process, provisioned in item 4.4.1.2 of IATF
16949:2016 standard (Product Safety).
h) Promote the internal disclosure in the proper levels, full knowledge and awareness of the
civil and criminal liabilities related to potential failures of the Organization’s products,
consequences from Recall Campaigns of the circulating fleet and the need for funding
to support these activities (insurance, reserve fund, etc.).
11
i) Assure the coverage of this handbook requirements to other units from the Organization
that develop, manufacture and supply products to FCA.
B) Product Risk Manager (PRM)
1) The Risk Committee shall be coordinated by the Product Risk Manager (PRM), assigned by
the Organization’s board, and that holds the following minimum competences:
a) Be a manager / senior professional of the company.
b) Know the products manufactured by the Organization, their requirements, function and
application, and their manufacturing processes, in addition to FCA requirements.

c) Hold qualification for civil liability by the product, safety- and consumer defense-related
laws, and specific legislation for the Organization’s products.
d) Hold knowledge on risk management methodologies (identification, analysis, evaluation
and treatment).
e) Be integrated to global technical and Compliance interfaces of the Organization.
C) Internal Audit and Critical Analysis

1) The Organization shall assure internal audits carried out by qualified internal auditors, at
least once a year, to evaluate the compliance to these handbook requirements (use Annex
A - Risk Management Evaluation).
Note: qualified internal auditor is the professional holding qualification for conduction of
internal audits in any management system (ISO 9001, ISO 14001, IATF 16949...), and that
has attended the course Risk Management Requirements for FCA Suppliers (content of this
manual), provided by institution accredited by FCA.
2) The results of these audits, as well as indicators and information provided by the Risk
Committee, shall be used as inputs in the Top Management Monthly Review.
Note:
Figures 3, 4 and 5 below are examples of a typical structure for risk management in an
Organization.
Goals,
strategies,
Board guidelines
Risk
Risk management
Committee process,
monitoring,
Leading roles,
professionals, Risk handling
teams
Figure 3 - Concepts of the leading system for risk management
12
Board
Risk Quality
Committee Management
Departm Departm Departm Departm Departm

ent 1 ent 2 ent 3 ent 4 ent 5
Figure 4 – Example of organizational structure for risk management

START
Monitoring of results and

Monitoring of internal
indicators of the risk Monitoring of external
failures of the product and
management process failures of the product
process
No Risk
identified?
Yes
Risk handling
Reporting and
feedback lessons
learnt
Figure 5 - Example of flowchart of Risk Management activities.
13
5.2 Product and Manufacturing Process Controls (IATF 16949 – 4.4.1 and 8.5.1)
Purpose:
Assure that the manufacturing and control processes are capable to assuring the product
conformity.
Requirements:
A) Technical Documentation of Product and Process

1) A systematic procedure shall be established for indication of special characteristics in the

technical documentation of the product (drawings, standards and others, including
technological drawings), in order to clearly indicate the presence of these characteristics.
Specifically for drawings, these indications shall be present in the title block, drawing body
and beside each characteristic thus classified (see FCA standards applicable, indicated in
the end of this section).
2) The technical documentation of the process (Work Instructions, Flowcharts, Parameter
Sheets, Control Plans, Layouts, etc.) shall contain clear indication of the special
characteristics, by apposition of specific symbols in the first page, and close to the
characteristic description. This indication shall be deployed in all the manufacturing process
steps that affect, directly or indirectly, such characteristics.
3) Quality records (see requirement 5.5.B.1) involving special characteristics shall have similar
indication as presented in the requirement 2 above.
Note: the Organization may use proper symbology for the indications required above, provided
that a correlation table between this symbology and that defined by FCA is set.
4) It shall be prepared a List for each product classified as CF1D (or product family, provided
that homogeneous), containing all the existing Report characteristics, as well as their
deployment, especially the way their conformity and traceability are assured. This List, filled
according to the Annex B of this manual, shall be submitted to FCA for information and
approval, and resubmitted when there are changes/updates.
5) Operations that have impact on the generation of Report characteristics, including the quality
control ones, shall have specific identification by apposition of the Report symbol in an
ostensive and visible way in the place where they are executed.
B) Assurance of Special Characteristics Conformity

1) Characteristics classified as “Special” shall be controlled in order to assure 100% of their
conformity and traceability. For characteristics classified as Report, the conformity shall be
assured by the mandatory use of the following quality control methods: Errorproof Devices
- DAPE, fully automatic inspection or semi-automatic inspection. Other methods shall be
previously and formally agreed with FCA.
2) Non-controllable characteristics in the product, or that require destructive tests (e.g. layer
thickness, core hardness, tensile strength, etc.), shall have their conformity assured via
control of process parameters determining these characteristics (temperature, time,
pressure, speed, etc.) with ongoing monitoring and self-regulation of effective parameters
or alarms upon the occurrence of deviations from specifications.
14
C) Manufacturing Capacity
1) The Organization shall manage the capacity of its manufacturing systems, by systematic
determination and monitoring of O.E.E. (Overall Equipment Effectiveness).
2) A ranking, based on the O.E.E. results of all the manufacturing systems of the Organization
shall be established, and improvement plans for those with worst classification shall be
prepared, with expected minimum gain of 10% (ten percent) in this indicator. The
improvement plans shall be presented and shared with FCA, including eventual
justifications for improvement percentages below the minimum value set.
Related FCA standards:

 CS.00003: FCA Drawing Title Block
 9.01102/10: Criteria for Classification of Products and their Characteristics
 9.01120: Report characteristics
15
5.3 Risk Prevention in Product and Manufacturing Process Changes (IATF 16949
– 8.5.6, 8.5.6.1, 8.5.6.1.1, 8.7.1.1)
Purpose:
Prevent the materialization of risks caused by product and/or manufacturing process changes
by initiative of the Organization.
Requirements:
A) Change Management Process (see FCA SQ.00012 standard - Forever Requirements)

1) The Organization shall define and implement a change management procedure for product
and manufacturing process, integrated with the Risk Management process and that assure
the fulfillment of fundamental requirements of the Customer, established in the standard
mentioned in the title of this section, especially:
 Identify product and manufacturing process change needs
 Identify, analyze and evaluate potential related risks
 Communicate and achieve agreement of the Customer for the change desired
 Perform change validation activities, including Customer’s approval
 Make the change effective, assuring traceability
2) The change management process shall cover the situations below:
 Change of product, including components and materials
 Change of raw materials and/or their sources
 Change of Supplier and sub-supplier
 Change of manufacturing process, including layout, location, facilities, equipment,
tools, quality control means, packaging and storage systems
 Change of control plan
 Other changes that may pose risks to the product
B) Submission to FCA
1) The change management process shall use the “Change Request Form”, according to
Annex C of the present manual, to make preliminary analyses of the changes desired.
2) This document, validated internally by the Risk Committee of the Organization, shall be
notified and submitted to the Customer to achieve agreement, with minimum advance of 90
(ninety) days of the expected implementation date.
3) The Organization shall wait for prior agreement of the Customer to proceed with the change
activities and their formal approval, according to the existing processes (Full Approval
(Qualification, Benestare, PPAP, ...)), for implementation.
16

To perform the change validation and implementation activities for product and manufacturing
process, in addition to the aforementioned SQ.00012 standard, the Organization shall consider
the content of the following FCA standards:
 9.01102: Supply Quality
 9.01103: Product Quality and Conformity Certificate
 07740: Qualification of Externally Purchased Production Parts (Buy)
 FPW.IFP059: Approval Process for Production Parts Purchased Externally

 SQ.00009: Safe Launch Plan (SLP)
 SQ.00010: Advance Quality Planning (AQP) & Production Part Approval Process
(PPAP)
 08090: IAA Management for Buy Components, and others applicable
Figure 6 below shows the flow for change management of product and/or manufacturing
process, under the risk management view.
START END
Identify product and/or

production process Register breakpoint
change needs and assure traceability
Change Request
Form
Identify, analyze and
assess eventual
Implement change
related risks (Risk
Committee)
Yes
Risk No No
acceptabl Change
e? validated?
Change Request Yes

Form
Notify and submit to

customer Validate change
Customer
No
Proceed with change
agrees?
activities
Yes
Figure 6: Example of Change Management flow
17
5.4 Product Risk Mapping (IATF 16949 – 6.1 and 6.2)
Purpose:
Risk mapping has the purpose of identifying, analyzing, evaluating, classifying and prioritizing
risks in order to define countermeasures for their complete prevention or mitigation, as well as
their management over time. Figure 7 demonstrates this logic.
RISK IDENTIFICATION, ANALYSIS,

EVALUATION, PRIORITIZATION
ROBUSTNESS
PROCESS
CONTROLS
PRODUCT
EQUIPMENT
FUNCTIONAL CLASSIFICATION
CHANGE MANAGEMENT
TECHNOLOGY TYPE
RISK CLASSIFICATION TIER N QUALITATIVE PERFORMANCE
LOGISTIC PERFORMANCE
PRODUCTION CAPACITY
RISK PREVENTION AND MITIGATION
Figure 7 - Risk Matrix Flow: configuration dynamics
Requirements:
A) Products Risk Identification, Analysis and Evaluation

1) The Risk Management process shall provide systematic elaboration and update of a Product
Risk Matrix, according to Annex D of this manual – see figure 8 with a filled out example –
which consider product-related factors deployed in components and respective
manufacturing processes, and performance. This matrix shall enable:
 Evaluation and objective classification of the risks identified and analyzed
 Prioritization of risks to provide their treatment (prevention and/or mitigation)
B) Prioritization of Product Risks

1) The Overall Risk Indexes (ORI) shall be classified and prioritized according to the following
criteria:
ORI CLASSIFICATION REQUIRED ACTIONS

Unacceptable risk, requiring the definition of measures
> 7.5 to 10 HIGH for elimination of the risk condition, mitigation plans and
contingency actions.
Acceptable risk, provided that its factors are submitted to
> 5.0 to 7.5 MEDIUM
ongoing and systematic monitoring.
1.0 to 5.0 LOW Acceptable risk
18
Figure 8 - Example of Product Risk Matrix filled in
19
C) Risk Treatment
1) Risk treatment shall be performed in a planned way and according to routine established by
the Risk Committee and PRM, considering:
 The definition of risk prevention / elimination actions and / or the possible mitigation of
their effects, if they materialize
 Implementation of the actions defined
 Systematic monitoring of the action plan, risk indicators and performance indicators
related to risks
 Review of the results achieved
 Proposal of enforcement actions or improvements applicable
Figure 9 below illustrates the flow of treatment of the risks identified, classified and prioritized
in the Risk Matrix.
START
IDENTIFY
ANALYZE
ASSESS
(CLASSIFY, PRIORITIZE AND PLAN ACTIONS)
IRG ≤ 5 LOW 5 < IRG ≤ 7.5 IRG > 7.5

RISK MEDIUM RISK HIGH RISK
ACTION ACTION PLAN

PLAN
HANDLE
(APPLY ACTION PLANS)
MONITOR
Yes No
SATISFACTORY
RESULT?
Figure 9 - Flow for treatment of risks identified in the Risk Matrix
D) Risk Monitoring
1) The products with risk indicators and performance indicators related to the risks identified
as “HIGH” shall be systematically monitored by the Risk Committee.
2) Occasional changes and/or negative trends identified in these indicators shall be
immediately reported to the respective responsible persons, and included in the daily Fast
Response Process meetings.
20
5.5 Traceability Management and Record Control (IATF 16949 – 7.5.3.1, 7.5.3.2,
7.5.3.2.1, 8.5.2, 8.5.2.1)
Purpose:
The requirements for records and traceability enable, in case of failure (or suspected failure)
of the product, the retrospective analysis of the conditions in which the product was produced,
the quest for failure causes, failure extension (quantity and lots of products involved), thus
providing information for definition of actions to correct the causes and prevent recurrence of
the failure, as well as mitigate its effects, in order to correct the products already produced (in
stock, delivered to the customer, and occasionally in the end users hands).
Requirements:
A) Traceability Management
1) The Organization shall define a traceability management process that assures the individual
identification of each product, in a proper way to enable reverse traceability of the conditions
in which it was produced, controlled and delivered, as well as the homogeneous
manufacturing lot which it belongs to. These identifications shall meet the design
specifications and, when applicable, FCA PF.9.01106 and derived standards, and be
durable and indelible during the product warranty period. Note: for safety products (CF1 or
CF1D), the marking shall be durable and indelible for, at least, 15 years.
2) The product lots shall be provided with identification on each individual package, which is
durable and indelible during the utilization period (including transport and storage) and
capable of enabling reverse traceability of the conditions in which the lot was produced,
controlled and delivered, as well as the identification of the homogeneous manufacturing lot
which it belongs to.
3) The factors defining the lot homogeneity (raw material run, batch, determinant component,
operation, etc.) shall be defined for each product/product family and/or operational process,
thus enabling proper planning of the identification and traceability system.
4) The manufacturing system (including quality control, handling, transport and storage) shall
be planned to delimitate the homogeneous manufacturing lots and their relation with the
product/package identification, enabling correct traceability during the operational
processes, utilization process at the customer, assembly plant, and after-sales processes
(replacement products and technical assistance). Note: in the definition of homogeneous
lots, it shall be also considered the economic aspect, i.e. the quantitative dimension of the
lot considered as homogeneous is determinant for definition of the number of vehicles
affected by the failure of any product related to that lot.
5) Traceability shall also assure that the materials (raw material, components, semi-
manufactured products and finished products, etc.) are identified during the operational
processes in a clear and unequivocal way, with accurate indication of the process phase in
which they are, operations performed and to be performed, as well as link to their originating
lots.
6) The start of a product manufacturing and the introduction of modifications of product,
process, control plan and materials sources shall be subject to clear and unequivocal
traceability, by establishing the respective breakpoints (see requirement A.1, section 5.3).
21
7) The identification and traceability requirements shall be extended to products, materials and
services from Suppliers.
B) Record Control
1) Quality records shall be controlled. Quality records are:
 Documentation of the critical analysis for preparation of the technical-commercial
proposal
 Documentation generated in the product development, validation and approval
process, including Suppliers

 Documentation of the manufacturing process and control plan, including outdated
versions
 Results of manufacturing process parameters monitoring
 Records for confirmation of the execution of mandatory activities for assuring the
product quality and conformity (setup, product inspections, product audit, process
audit, calibration of measurement means, periodical maintenance, monthly critical
reviews by the board, etc.)
 Records of problem solving in process and product nonconformities
2) These records shall be archived and protected against deterioration or loss by natural
phenomena, such as flood, fire or weather action, by the minimum time required in the FCA
9.01102 standard, and shall provide easy access and consultation whenever required.
3) Quality records shall be compatible and have link with the traceability system adopted for
the products.

 PF.9.01106: Traceability of Components
 9.01102: Supply Quality
 9.01120: Report characteristics
22
5.6 Suppliers Risk Management (IATF 16949 – 8.4)
Purpose:
Extend, when applicable, the requirements of the present manual to the Organization’s
Suppliers, and systematize a risk management process throughout the supply chain of direct
materials and service, with criteria for definition of priorities. The figure below demonstrates
this logic.
RISK IDENTIFICATION, ANALYSIS, EVALUATION,

PRIORITIZATION - SUPPLIERS
PRODUCT TYPES
ORGANIZATION
PROCESS RISKS
PRODUCT AND
APQP
PROCESS ROBUSTNESS LOCATION
RISK
EQUIPMENT AND TOOLS DEPENDENCE DEGREE
FINANCIAL HEALTH
QUALITY PERFORMANCE SGQ/SGI
LOGISTIC PERFORMANCE
PRODUCTION CAPACITY
RISK PREVENTION AND MITIGATION
Figure 10 - Risk Management Process - Supplier chain
Requirements:
A) Structure for Suppliers Risk Management

1) The Organization shall define a Supplier Quality Engineering structure (or similar) with
quantitative and qualitative sizing of the professional staff suitable for the dimension and
complexity of the supply chain, and with the purpose of extending the requirements of this
manual to Suppliers.
2) The Suppliers of the Organization shall be selected and qualified in accordance with
objective criteria, which also consider the risks related to:
 Geographical location
 Dependency level of major customers
 Financial health
 Quality Management System maturity
 Product type
 Know How of the Supplier in product/process development
 Capacity and manufacturing processes control
 Resources for maintenance of manufacturing equipment
 Manufacturing capacity installed
23
 Quality performance
 Logistics performance
B) Suppliers Risk Identification, Analysis and Evaluation
1) The Suppliers Risk Management process shall have provisions for systematic preparation
and update of a Suppliers Risk Matrix according to the Annex D of this manual, which
considers factors related to the Supplier, to the product and its respective manufacturing
processes, besides quality and logistic performance (see requirement 2 above). This matrix
shall enable:
 Evaluation and objective classification of the risks identified and analyzed

 Prioritization of risks to provide their treatment (prevention and/or mitigation)
Note: this matrix shall be related to the Product Risk Matrix described in section 5.4
C) Prioritization of Suppliers Risks

1) The Overall Risk Indexes (ORI) of Suppliers shall be classified and prioritized according
to the following criteria:
ORI CLASSIFICATION DESCRIPTION

Unacceptable risk, requiring the definition of measures
> 7.5 to 10 HIGH for elimination of the risk condition, mitigation plans and
contingency actions.
Acceptable risk, provided that its factors are submitted to
> 5.0 to 7.5 MEDIUM
ongoing and systematic monitoring.
1.0 to 5.0 LOW Acceptable risk
Figure 11 – Classification table - General Risk Index Tier N
Figure 12 below shows an example of Suppliers Risk Matrix filled in.
24
Figure 12 - Example of Supplier Risk Matrix filled in completed
25
D) Suppliers Risk Treatment and Monitoring

1) Risk treatment shall be performed in a planned way and according to routine established by
the Risk Committee and PRM, considering:
 The definition of risk prevention / elimination actions and / or the possible mitigation of
their effects, if they materialize;
 Implementation of the actions defined;
 Systematic monitoring of the action plan, risk indicators and performance indicators
related to risks;
 Review of the results achieved;

 Proposal of enforcement actions or improvements applicable.
The actions above shall consider (among others):
 Adoption of safe quality control plan according to the FCA standard listed below;
 Insertion of the Supplier in a development program monitored by the
Organization;
 Alternative source development to replace low-performance suppliers.
Note: the flow for treatment of risks identified, classified and prioritized in the Suppliers Risk
Matrix is the same as presented in figure 9, Section 5.4.
2) The Suppliers with risk indicators and performance indicators identified as “HIGH” shall be
systematically monitored by the Risk Committee.
3) Occasional changes and/or negative trends identified in these indicators shall be
immediately reported to the respective responsible persons, and included in the daily Fast
Response Process meetings.
Guidelines:
The examples below may summarize strategies and actions to promote the development of
Suppliers in function of their risk classification:
 Increase of frequency of product/process audits in Suppliers;
 Promote training in automotive tools to Suppliers;
 Providing workshops and meetings with Suppliers to present performance strategies
and objectives;
 Promote the dissemination of best practices among Suppliers;
 Establish program for development of Suppliers, considering the transfer of
methodologies applied by the Organization.
 SQ.00009: Safe Launch Plan
26
5.7 Problem-solving Management (IATF 16949 – 10.2.3)
Purposes
The fulfillment of the requirements of this manual prevents, but does not eliminate, the
materialization of risk situations resulting in product failures. The Organization shall provide
methodological, technological and human resources to face these situations and assure return
to normality.
Requirements
A) Methodology Structuring
1) The Organization shall have a Problem-Solving process defined and implemented, which
enables:
 Identification of approaches for each category of problem (product development
problems, internal failures, external failures, nonconformities in product or process
audits, etc.)
 Differentiated handling for “under control failures” and “out of control failures” (see
section 4 - Terms and Definitions)
 Resources required for application of the approaches defined
 Quick investigation and identification of the root cause
 Definition of the problem magnitude (quantity, identification, other products involved)
 Implementation of mitigative, anti-recurrence and comprehensive actions (similar
products and processes, inclusive at other sites of the Organization)
 Incorporation of “lessons learned”
2) The methodology used shall provide detailed record of the cause investigation and the
solution adopted (containment, correction, anti-recurrence measures, lessons learned),
by standard report/form to be handled as “quality record”.
B) Governance and Communication

1) The process management shall provide follow-up and monitoring of the “out of control
failures” problems by the Risk Committee, assuring organizational support for its effective
application.
2) Whenever there are risks considered as significant for the product, the information shall be
escalated to the persons responsible for the area directly involved, for Fast Response
Meeting, and to Organization top management. When there is risk (or suspected risk) of
products already shipped to FCA, it shall be informed promptly and in details.
C) Lessons Learned
1) The handling of “out of control failures” shall be considered closed just if there is a clear
definition of anti-recurrence measures of comprehensive application for the current and
future products, and at all sites within the Organization that supply similar products to FCA.
2) The product development process shall be fed in a clear and formalized way on lessons
learned derived from previous products.
27
5.8 Knowledge and Skills Management (IATF 16949 – 7.1.6, 7.2, 7.2.1, 7.2.2)
Purpose
The following requirements show how to develop an organizational knowledge management process
considering the knowledge that is fundamental to the success of the business and to the
management of the FCA supply chain, in addition to correctly defining the awareness and training
needs.
The figure below shows a logical presentation for management of the organizational knowledge:
Knowledge
Management
Supplier
Chain
Identification
Assessment
Retention
Provision
Update
Process
Product
Awareness / Training / Guidelines

Deployment
Figure 13 – Structuring of the Organizational Knowledge Management
Requirements
A) Identification of Knowledge Needs

1) The Organization shall identify the knowledge required for its good organizational
performance and for minimization of risks related to its processes and products, especially
the ones related to safety products and/or with legal requirements, in addition with the
Suppliers’ risks. This identification shall be coherent with the mapping of processes and the
Product Risk Matrix and Suppliers Risk Matrix, and shall also include the knowledge
required for the professionals directly involved in the technical-operational processes
related with safety characteristics and/or legal requirements, both in terms of execution of
their tasks and the consequences of an eventual product or traceability failure.
2) The knowledge related to the content of the present manual is mandatory for members of
the Risk Committee (PRM included) and recommended for other managers in the
Organization, and shall be acquired by attendance in specific course provided by institution
accredited by FCA.
28
B) Evaluation of the Knowledges Identified

1) The Organization shall review critically the knowledges identified to define priorities and
enable planning the activities for provision, multiplication, retention and update of these
knowledges.
C) Knowledge Provision
1) The Organization shall define the actions required for provision of the organizational
knowledges considered as critical and priority.
2) This provision shall consider institutional mechanisms, such as internal standards and
manuals, procedures, work instructions and other similar documents, which compose its
intellectual capital.
D) Knowledge Multiplication, Retention and Update

1) The Organization shall define the actions required for multiplication and retention of
organizational knowledges considered as critical for its risk management process, for
continuity and enhancement of this management.
Note: The retention of a knowledge may occur by its multiplication within a minimum number
of people, absorption in documents of the Organization, uninterrupted use and internal
activities for qualification, among other ways.
2) The Organization shall establish actions to verify and provide update of the organizational
knowledges considered as critical for its risk management process.
29
6. Risk Management Evaluation
The verification of compliance with the requirements of the present manual occurs by the
conduction of first and second party audits, as provisioned in the Risk Management Evaluation
checklist, in section 7 – Annexes. This checklist has the same requirements described in the
section 5 of this manual.
The risk management process of the Organization is considered appropriate when the result
of the evaluation is classified as “Low Risk”.
If this classification is not achieved, this shall be object of an adequacy plan to be conducted
by the Risk Committee of the Organization, and presented to EQF FCA.
The classification criteria for the requirements is described in the figure below:
Figure 14 - Score chart and requirement classification
The figure below shows an example of Risk Management Evaluation score matrix completed:
30
Figure 15- Risk Management Evaluation score sheet.
31
7. Annexes
Annex A – Risk Management Evaluation Worksheets
Annex B – Report Characteristics Mapping List
Annex C – Request for Change Form
Annex D – Product Risk Matrix and Supplier Risk Matrix Worksheets

Annex E – FAQs – Frequently Asked Questions
Revision control:
Rev. Date Revision history

4/30/2019 Initial issue
01 8/30/2019 Overall revision
Renumbering of sections and requirements
Inclusion of section 5.2 Product and Manufacturing Process Controls
Revision of requirement descriptions and text simplification
Suppression of section 6.6 WCM – A success example in Industrial
Management
02 3/30/2020
Reformulation of risk classification criteria in Annex A
Inclusion of Annex B Report Characteristics Mapping List
Reformatting of Annex C – Request for Change Form
Simplification and improvement of Risk Matrices in Annex D and
revision of ORI calculation formulas.
32

Risk Management Handbook For Suppliers FCA - 3 Edition

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Risk Management Handbook For Suppliers FCA - 3 Edition

Uploaded by

Copyright:

Available Formats

Risk Management

COMPANIES ATTENDING THE PROJECT PREPARATION TEAM

APTIV: Julio C. Santos.

INTERACTION PLEXUS: Carlos C. Romano, José G. Albieri, Giuseppe L. Viceconte, Paulo

FCA / HQE: Jasson Azevedo

MAVLIG CONSULTORIA EM GESTÃO: Gilvam Ferreira

FCA / HQE: Anderson Castro

4. Terms and definitions

5. Risk Management Requirements

6. Risk Management Evaluation

Figure 1 – Some external factors, risk trend influencers

An unstable scenario impairs the decision on investments in industrial processes, increasing

By other hand, it is notorious the normative development, which brings guidelines,

Significant growth is also observed in the regulatory mechanisms, by regional organization of

Script for thought

It shall be perceived as an independent foundation or resource, in spite of supporting other

the interested Organizations.

4. Terms and Definitions

Risk analysis: Understanding of risks’ nature and their characteristics, considering

the point of introduction of modification in a product or manufacturing.

5. Risk Management Requirements

5.1 Organizational Structure and Product Risk Manager (PRM)

also define the role of the Product Risk Manager (PRM).

application, and their manufacturing processes, in addition to FCA requirements.

C) Internal Audit and Critical Analysis

Figure 3 - Concepts of the leading system for risk management

Departm Departm Departm Departm Departm

Figure 4 – Example of organizational structure for risk management

Monitoring of results and

Figure 5 - Example of flowchart of Risk Management activities.

A) Technical Documentation of Product and Process

1) A systematic procedure shall be established for indication of special characteristics in the

B) Assurance of Special Characteristics Conformity

Related FCA standards:

A) Change Management Process (see FCA SQ.00012 standard - Forever Requirements)

Related FCA standards:

 FPW.IFP059: Approval Process for Production Parts Purchased Externally

Identify product and/or

Change Request Yes

Notify and submit to

Figure 6: Example of Change Management flow

5.4 Product Risk Mapping (IATF 16949 – 6.1 and 6.2)

RISK IDENTIFICATION, ANALYSIS,

RISK CLASSIFICATION TIER N QUALITATIVE PERFORMANCE

RISK PREVENTION AND MITIGATION

Figure 7 - Risk Matrix Flow: configuration dynamics

A) Products Risk Identification, Analysis and Evaluation

B) Prioritization of Product Risks

ORI CLASSIFICATION REQUIRED ACTIONS

Figure 8 - Example of Product Risk Matrix filled in

IRG ≤ 5 LOW 5 < IRG ≤ 7.5 IRG > 7.5

ACTION ACTION PLAN

Figure 9 - Flow for treatment of risks identified in the Risk Matrix

process, including Suppliers

Related FCA standards:

5.6 Suppliers Risk Management (IATF 16949 – 8.4)

RISK IDENTIFICATION, ANALYSIS, EVALUATION,

RISK PREVENTION AND MITIGATION

Figure 10 - Risk Management Process - Supplier chain

A) Structure for Suppliers Risk Management

 Evaluation and objective classification of the risks identified and analyzed