Quality is a function of Risk

I was recalling the statement, "Quality = f (Risk)," in one of my PMP training sessions and one of them asked how quality relates to risk. The premise behind this thought was on the iron-triangle thinking that quality is controlled by scope, schedule, and cost! It seems like we have a lot of work to do still in understanding about risk and its impact!  

As this person was in semi-conductor space, I reasoned risk is like the hard-wired interrupt that takes precedence over soft logic in the way microprocessor operates. That got the attention. So, I continued to make a connection on the immediate topic of the "Cost of Quality" we were discussing and reasoned out the importance of risk.

Dr. Sriram Rajagopalan's rendition of Quality is a function of Risk

In the diagram above, I have presented the cost of quality made up of two important branches. These are the cost of conformance to avoid risks happening in the first place and the cost of non-conformance to address risks that have happened. 

• To avoid risks as part of the cost of non-conformance, the best approach is to practice the "wisdom of the ages" saying, "Prevention is better than cure!" Here we take proactive steps to ensure quality planning (as part of the Quality trilogy) includes preemptive measures. This involves building quality using quality assurance (QA) with process oriented and proactive steps to train people, have multiple documentation (caters to multiple modes of learning), the appropriate equipment required and the required amount of time to do things correctly (e.g.: right-sizing stories to fit into the timebox, risk driven development methods to prioritize). 
• The next step is to evaluate how well our controls are working by performing quality audit on the work (PM/PO owns the quality audit). Here, quality control (QC) comes from the delivery team that comes in with reactive and product-oriented methods like testing (product testing), inspection (Gemba Walks), etc. 
• Now, if the errors are released such as not missed compliance or security considerations or misinterpreted requirements, or other forms of requests like change request or enhancements are noted, depending upon the triaging process, these could be show-stoppers disallowing the user to realize the intended benefit thus risking value delivery. So, rework may be required, or products may be discarded (prototyping or physical products) as scrap. These corrective actions are adding more time and cost and increase the opportunity cost of people unavailable for improving the benefit in the current project (working on newer functionality) or other business initiatives. Time may translate further into budget risks as available funding may be depleted to pay for contractors and infrastructure.  
• Finally, if these internal errors were not caught and were released to the customer, they become escaped defects! This impacts now the customer's value delivery life cycle as our faulty products may be used in their product assembly or our faulty code may be impacting their applications built. These translates into liabilities for the company, Warranty claims (ongoing free support, recall for the products at our expense) and perhaps even the business lost to competitors. 

As you can see, there are various forms of risks that interface the quality assurance, quality control, and escaped defects side of the equation with some additional risks foundational to the entire quality function in the company through its projects, program, and portfolio functions. The sooner they are addressed (as noted in the green color), the lesser the expenses are. As time passes through this cost of quality function from left to right, the intensity and visibility of risks through corrective and preventive actions (CAPA) to the business is high (as noted in color gradient going to red). 

So, am I not correct to say, "Quality = function(risk)"? Share your thoughts.