This is an original article written by Dan Brown, President of DB Performance Solutions.
Why Risk Matters
In business ”RISK” is a scary word. We have risks if we move forward and risks if we remain still. No matter what industry you are in, you are guaranteed to run into risks. As a business leader, how do you know when to take a risk and when not to take a risk? The answer is pretty straight forward - analyze and then manage your risks - which is certainly easier said than done!
Fortunately, there are a multitude of tools to help businesses manage their risks. For some industries, having a formal risk management program is a requirement and the guidelines are dictated. For others, the answer is not as easy and it is up to management to define the process.
To guide program implementation, the International Organization for Standardization (ISO) published ISO 31000:2009: “Risk management - Guidelines on principles and implementation of risk management” (available as ANSI/ASSE Z690 in the US, find it at www.asq.org). This document provides general guidelines on risk management that can be used across most industries. ISO 31000:2009 includes very effective guidance, including making sure the outputs of your risk management system:
- Create value – Risk management must be a “value adding” not “value reducing” activity.
- Be an integral part of organizational processes – Not an afterthought, but designed into how the business is conducted.
- Be part of decision making – You must make decisions based upon facts not assumptions.
- Explicitly address uncertainty – No risk is known in full before something happens. State the “knowns“ and “unknowns” in your risk analysis. As time goes by you will learn facts that change many of the unknowns to knowns so ensure to keep your risk analysis current.
- Be systematic and structured – You need a structured approach to ensure it is consistently applied.
- Be based on the best available information – Remember, you must make decisions based upon facts not assumptions.
- Be tailored – Your risk is unique to your products and your operations. An off-the-shelf fix will not be effective.
- Take into account human factors – We are not machines. Human factors can dramatically increase or decrease risk.
- Be transparent and inclusive – Everyone must understand the risk management process and see how it is applied and utilized. If it is kept in a confidential folder in the CEO’s office, it will lose all credibility.
- Be dynamic, iterative and responsive to change – Risk management is a living process. As our companies, products, and processes change – so do our risks.
- Be capable of continual improvement and enhancement – Your first pass through the process will not be perfect. You will get better at it the more you do it. Don’t wait for perfection to begin the process.
It is important to note that a formal risk management program includes more than conducting a one-time Failure Mode and Effects Analysis (FMEA) that is only pulled out during periodic audits. An FMEA is important, but it barely meets the requirements of a formal program and it clearly misses the mark on intent. An FMEA only serves to identify risks. It does not manage them. It also fails to identify risks beyond the FMEA scope of Design or Processes. Companies must also ensure that the scoring criteria are relevant to their operation and understood by the individuals preparing and using the FMEAs. As a snapshot in time, it may not cover changes that occurred since it was prepared.
So the important question becomes, “what is the best tool to use?” The answer is “it depends” on the type of risk you are looking to identify and mitigate. Essentially, every risk management program includes defined processes to IDENTIFY risks, PRIORITIZE them, apply appropriate resources to REDUCE or ELIMINATE the high priority risks, and then provide FEEDBACK into the identification process to improve the next cycle. Yes, cycle since this process, like most, is unfortunately never ending.
Risk Identification…Getting Started
The first step in building a robust risk management program is to understand if your process(es) for risk identification include all sources of risk. Things to consider when identifying risks include:
- Your customers and their expectations – both stated and unstated,
- Your supply and delivery chain,
- Your computer and communications systems,
- Your employees, equipment, processes and capabilities,
- Product design and/or mechanisms for understanding customer expectations,
- Power outages or facility shut-downs,
- Natural disasters, such as earthquakes, fires, floods, tornadoes, hurricanes and blizzards,
- Your key markets, innovation stream, and competitors (other interested parties), and
- Effective succession strategies.
All of these have different risks that create different problems. Proper risk identification looks at all of the concerns. Are you a component supplier? If so, have your customers properly defined and provided you with all of their requirements? Are you sure about that? Are you the design-owner subcontracting components? If so, can your chosen supplier meet all of the requirements you have specified? Have you clearly specified all of your requirements? Do you understand their processing well enough to know what questions to ask them?
If you have a high level flowchart of your operation, you already have a very useful tool for risk identification. If you do not have this, now is the time to create one! For every box on your flowchart, ask your team, “What can go wrong here?” “How will we know if it does?” “What do we do if it happens?” Identify the answers to these questions in the right margin of your flowchart and you have a ready-made risk management tool at your disposal. You must review it often to ensure it remains current.
Other risk identification tools include: SWOT Analysis, FMEA, HACCP (Hazard Analysis and Critical Control Points – discussed further below), Cause-Effect Diagram, Five Whys, SWIFT Analysis, Preliminary Hazard Analysis, and Fault Tree Analysis. Identifying your risks is the easy part. The hard part is figuring out what you are going to do about them, and that is the most important part of a Risk Management program.
Prioritization of Risks
How do you know how much risk management is enough? Knowing how much is enough begins with understanding not all risk is created equal. Some risks are acceptable, some risks are not. You must rank and prioritize your risk mitigation activities. Decide for your company how much of an investment you will make in risk management. Too little and you will end up on the wrong side of a product liability lawsuit. Too much and you will go bankrupt and produce nothing. As a business leader, it is your obligation and liability to draw those lines.
The food industry has a highly effective risk management strategy called “HACCP” or “Hazard Analysis and Critical Control Points.” The key word here is “critical” control points. You can control each and every step and each and every part, but to do so is so costly in resources and is wholly impractical. Products today are no longer handmade by skilled craftsmen who labor over each step knowing lives are on the line with the results of their work. Products are mass produced by individuals who rarely see the whole picture and understand the complete process. Therefore we need teams of individuals who collectively possess that “big picture” perspective.
So where does this leave you today? You must look at all of the processes and determine the last point at which no further control can impact a feature, attribute or risk potential. That step becomes the “critical control point” and is where you must have a strategy to ensure the potential risk is either eliminated (if possible) or at least mitigated. Even if you are not in the food industry, this concept can (and should) be a key component of your risk management processes.
Another model is the one used by ISO to determine the changes made to the ISO 9001 standard in 2008. This simple matrix compared the beneficial impact of the change to the resources required to implement the change – an Impacts/Benefits Matrix. Horizontally, it determined if the change had a “High,” “Medium” or “Low” benefit to the company. Vertically, it determined if the change required a “High,” “Medium” or “Low” amount of resources and effort to effectively implement. Where benefit is low and cost is high – do not do it. Where benefit is high and cost is low – definitely do it. In between is where the harder decisions must be made. This is where having facts and clearly established decision criteria will make your job easier.
A twist on this same tool has Severity of Impact on one axis and Potential for Occurrence on the other. You determine the ratings to apply in identifying the relative risks of potential events. Pareto Analysis is another common prioritization tool.
This is the hardest step to perform and the most difficult to provide general advice. The reason is simple: risk is not a “cookie cutter” concern. No two risks are the same and no single tool is best to fix all risk. Common tools include: Strategic Planning (Management); Control Plans; Team Based Problem Solving (8-D); Poke-Yoke (Error-Proofing); Training and Employee Awareness; Guarding/E-stops/Safety Seals; On Site Supplier Audits; Design for Reliability; Design for Maintainability; Design for Manufacturability
Additional risk management activities can include: redundant facilities in different areas of the country, alternate suppliers, validated production processes, increasing inspection and testing, feasibility studies, design of experiments, statistical process controls, process capability studies, six sigma, lean manufacturing, preventive maintenance, predictive maintenance, off-site data storage, paper and electronic documents, security protocols, liability insurance, workman’s compensation insurance, fire and flood insurance.
Again, no management activity is effective without a feedback mechanism. Internal corrective actions, rework, warranty claims, customer complaints, internal and external audits, and management reviews all provide useful feedback tools to ensure that your risk management process is effectively meeting your needs. An excellent activity is changing the focus of your “Management Review” meetings to a “Risk Management Review” meeting. Use all of the same inputs, but view the data through a “risk” lens and use that to assess where you will allocate resources for the greatest impact to your company.
There are plenty of resources who will offer good advice, but no one outside of your organization can really tell you what you must do to manage your risks. Keep in mind that for every risk, there is a means to mitigate it if it is cost effective to do so.
Legal & Ethical Considerations
No discussion of risk management is complete without a consideration of legal and ethical concerns. Risk management is your best proactive shield from lawsuits. While events will occur, what you do today before a problem occurs will dramatically influence how you are perceived when the day of a liability trial occurs. If you have been open and honest about trying to identify and control risks whenever encountered, you have a record of “due-diligence.” This will greatly reduce any award a lawyer could obtain for their client.
Preventive Action & Risk Analysis
Nearly every company struggles with risk management. Struggling is okay, but ignoring it is not acceptable. Every risk management action is true Preventive Action! You will only get better the more often you do it. Remember, the goal is to add value, not cost! In the end, effective risk management will save you money. Your corporate liability insurance costs may be reduced, your failure rates can be reduced and your customer satisfaction (and retention) should improve. Remember these are all preventive actions – fixing problems before they arise, which is always cheaper than fixing them after costly mistakes.
Interested in learning more about risk management and how to successfully implement a risk management program, contact IMEC at firstname.lastname@example.org or 888-806-4632.