Where does the circle begin?
Can you recall those presentations in which a company's vision of the management processes is visualized in the form of a Deming circle? The presenter leads you through such a picture, in which it becomes clear that there is a self-repeating process in which you get closer and closer to process nirvana: things are getting better, the quality of the managed environment is improving, we are in control. And yes, that is exactly the objective of the Deming method: quality improvement through permanent control, checking against the planning and adjusting in case of deviations. You start by defining a plan, then you implement it, check its performance and improve it. After that you start again with the creation of a plan, so the whole process is repeated:
Figure 1 - Basic model
These are, in short, the steps in the quality improvement process as described by Deming and as implemented in many process management projects. And it's well known in my area of expertise, Information Security, since the traditional ISO27001 model (and its predecessors) was built on this PDCA cycle.
Deming acquired this approach through his involvement in setting up the quality systems in Japan in the 70s and 80s of the last century to kick-start the industrial revolution; Japan wanted to deliver good quality at a good price. Concepts like TQM, EFQM, INK etc. started to appear and the whole world changed into a quality-conscious heaven on earth. And everyone is now building on the Deming Circle.
The nice thing about the model is that it is so logical: it is a control loop, just like a thermostat. It's a clear concept: you set the temperature, and the thermostat sends the signal to the central heating system. The thermostat constantly measures whether the temperature in the room corresponds to the set value, and if the temperature gets too low, the thermostat sends an adjustment signal to the central heating system. It's simple: you set the standard and constantly check if that standard is being met.
But in practice the Deming Circle theory works very differently from what is envisaged in this model. Is this model complete? Where does the process start? Where does the circle start? And where does it end?
These questions are actually not so strange. The concept is simple, the concept is just fine and Deming helped improve the world. But it is not that simple to project the model onto reality, or to model reality onto the model. There are several reasons for this. The most important one is that any model is nothing more than a simplified visual representation of an idea. And ideas should not be interpreted literally. You should think about them and consider what the implications are for you and your environment. You should not put such an idea into practice. Practice is unmanageable. And also, a model is never complete. It is a simplified representation of a reality or an idea. You can see that in Deming's model as well.
For example: The last phase of Plan-Do-Check-Act (if we start, as usual, with Plan...) is a strange one. You would expect that in the Act phase, based on the result of the test in the previous phase, a decision is made whether or not to implement an adjustment of the Plan. But what that actually means is that you either decide to adapt the Norm (a change in the Plan) or you influence the operation (a change in the Do). The latter action is not shown in the model! If you follow the arrows literally, a failure that is identified in the Check phase means that according to the arrow, based on the Act analysis, you have to adjust the plan or adapt the standard. That's great: if you don't meet the standard, you adjust the standard until it matches the reality... What that means may be nice for the compliance check-mark, but not for Mr. Deming. So that's not how it works and that's not how he intended it to work. So I will add the Act-Do arrow to the model:
Figure 2 - Adjusted Do
I have also regularly seen presentations where Plan is articulated by the term Policy, or 'Laws and Regulations'. In that case, the arrow from the Act means that in case of deviation, you do not have to follow the law, but have to change it. That, of course, is not how it is meant to be. The model is not that sequential.
And what do you do in the model if no deviation is found during Check? Does the process stop? On what basis do you then Act or even Plan? What would happen if there were no arrow between Act and Plan? Wouldn't that just be a regular sequential workflow?
Why we are always trying to close the circle is not clear to me, especially where it concerns long-term programs, such as explaining a vision of the security management process.
My first two conclusions:
But then where does the circle begin? Can you only Act when you have the whole Plan-Do-Check phase behind you and can you only make new plans when the old ones have to be adjusted? Asking the question is answering it. You don't steer once, you steer permanently. You don't just set the standard once in the process and then steer and control only once. There can also be a succession of events and transactions which each in turn make it necessary to start a new process cycle immediately, even before the previous cycle of events is completed (whatever 'completed' is). If you start from that premise, there is not just an ongoing process, but rather a flow, a predefined, pre-programmed method of working, which enables structured steering. In fact, there is no mandatory sequence. There is no beginning of a cycle. This cycle begins constantly. But it doesn't only start where you think it will according to the name PDCA.
Let's explore this further. Where does this circle begin, or better, where can this process start? As the model is visualized now, it is an internally focused process. The trigger for each of the phases is the arrow from the previous PDCA phase. And that means that if there is no output from one phase, there is no trigger to start the next phase and the flow just stops. So, no trigger, no process. That's just too simple. We should be able to identify external triggers.
Let’s examine per phase whether, in addition to the internal trigger, an external trigger can also be identified. Let's define an event based on which we are going to start the process, for instance the start of an annual budget cycle. That suddenly makes it much more interesting, because then the reassessment of, for instance, financial management becomes a regular part of the continuous operations management process.
Plan: next to the internal trigger (i.e. originating from the Act phase), can we identify an external trigger to make a new plan or modify an existing one? Yes: Strategy changes, or changes in the external environment of an organization can lead to renewed plan making. Think of a policy change, a reorganization, the appearance of a competitor or a change in external laws and regulations. Such changes will have to be evaluated and lead to making new plans or adjusting existing ones.
Do: can there be another trigger, besides the Plan initiation, to start or adjust the operation? Yes, but that has already been mentioned: if a standard is not met, process quality management requires adjustment of the operation, without touching the plan itself. But that trigger can only come from the Act process. Other triggers are undesirable, since they would intervene outside the scope of the quality model. My premise is that external triggers to start/change an operation are undesirable, they obstruct the quality assurance that you are aiming for with this process design.
Check: The output of the Do phase will need to be assessed against the standard. This assessment does not take place within the PDCA process itself, but is a consequence of the operation, in which (if all goes well) verification takes place. However, there may also be other reasons for verification of the operation working according to plan. Consider an identified incident, such as a data breach, or an audit report from the operational processes, which leads to the conclusion that something may not be performing according to the plan.
Act: You don't just make a decision; you can only decide based on the right inputs. The Check phase provides that input. It is not likely that we will take a decision without adequate safeguards regarding the information that is realized within this model (for example: today is Tuesday, let me go and make adjustments). Adjustment actions in a quality system may not spontaneously take place elsewhere, so external triggers for the Act phase are not desirable.
Based on this analysis, the circle can really start in two phases: the Plan phase and the Check phase.
Figure 3 - The beginning of the circle
The next question is whether the circle ever ends. That is not obvious, after all we strive for permanent improvement of quality...
But of course there is output from the circle. And it is obvious that the output comes from the two remaining phases: Do and Act.
The Do phase is actually not an actual operation at all. If it were, then in principle there would be no separation of duties: the performer of Do could draw his own plan, execute, measure and conclude that everything is going well. That was not the intention of the model or the concept behind it. The Do phase is the initiation of the operational execution of activities and the initiation of changes in the operation. So the output is actually the planning, the instructions, the steering aimed at the actual production.
In the Act phase, there is the regular adjustment (both with respect to the planning and the actual operation) as input internal to the model. In addition to the adjustment signals, the Act phase provides the dashboards and reports: the results of the Check phase and the decisions taken on the basis of these results are reported outward for different stakeholders.
Figure 4 – The ending points of the circle
The PDCA cycle is a control model. And the interesting phenomenon arises that it should not be limited to its own internal dimensions. What is unsatisfactory in the model is the modeling of the actual operation, the real Do. Does Do take place within the model itself, or is Do the steering of the operational execution? By considering Do as steering the operation, however, we can make sense of the model.
In some PDCA cycle presentations, a 'Control' phase is sometimes described as well. This is a kind of separate process in which process control with regard to PDCA takes place. And that is a special addition to the model: steering for quality assurance. That is, of course, superfluous: The PDCA model is a quality control model in itself. We do not want additional control in that area, because that would run right through the process. And such an additional process has a disruptive influence on the quality control model.
Having said all this, should we throw the Deming Circle overboard or update it? No, far be it from me to push for this. I only plead for putting things in perspective when it comes to the use of this model. The model is an idea to improve quality in a structured way. It was never intended to be a template to describe a workflow, or life cycle or a model for process management. It is certainly not intended to propagate a vision or strategy. So please don't be cautious when using it...
This article was first published in Dutch in the magazine PvIB Informatiebeveiliging 3/2014. And it's translated because I need it as a reference article and for having a little fun :-)
ICT professional (SAS BI EM DA)
3 years ago
Would prefer naming it Shewhart cycle and explaining the word check with the connotation study. The real intention is learning from what is seen not validating checkpoint from a predefined list. https://www.allaboutlean.com/pdca-history/
Original: Design, Produce, Sell, Redesign (not PDCA)
Would become.
Alternative-1: Design, Implement, Study, Redesign
Alternative-2: Situation(Study/Design), Initiatives, Actions, Realisations
The danger of bad micromanagement failing projects is coming in with "checklists" / "best practices"
Secco Advies & Coaching. Adviseur voor security & privacy. Coach voor security professionals
3 years ago
Nice explanation. The article on the link below shows a nice view on layered PDCA as well. In Dutch however. And I'm sure André will comment it. ;-) https://123management.nl/0/020_structuur/a231_structuur_01_besturende_processen.html
Improving all your organisational stuff and especially risk management and security | Wine enthousiast, plus Architecture. Plus ... lots.
3 years ago
Possibly of interest: PDCA/Original focussed on little process changes that may OR may not improve quality. Just give it a try, and Check whether it worked ???? ?????????????? ?????????????? of the deliverable -- if not, ditch the minute change and try something ????????. PDCA/today's version, as in the Standards, of the Regulators, et al., etc., is about the Management Control Cycle of old (very old). In order to try to eliminate ?????? ?????? ?????? risks [being too dunce to understand that such isn't life] to your own position, just throw the sum total of all controls that one can think of, into the cage of subordinates. And punish them with audits and otherwise if they fail to be perfect (which the standards are by a 100% margin...). </hyperbole> So, what we have now, is a focus on processes that take a lot of time to change as wholesale as wanted (by...), with no measurement of quality of the deliverables (either goods or services). No, with all Three Lines discussions, not many actually ?????????????? (sic) whether operational risk management has improved i.e., there actually is less risk! (yes, you can claim that easily as it's all so very qualitative; by whom? Self!declared experts, mostly, isn't it?)
Chief Information Security Officer
3 years ago
And we all benefit from your little pleasures André Koot Thank you so much for sharing #PDCAfun #qualitymanagement