The Nuts and Bolts of Risk Management

When considering any effort toward performance improvement, you should always start by looking at the organization’s principles and culture, and making sure these are aligned so they not only permit positive changes to occur, but also ensure that the changes will be sustained over the long run. By “principles and culture,” I mean things like respect for people, fostering a no-blame environment, and reducing wastes such as excess inventory and duplicative systems that destroy flow across value streams.

Once the right principles and the right culture are in place, the quality improvement practitioner will want to move on to the tools that will guide and support performance excellence. There’s no shortage of tools to assist in pretty much any improvement job necessary, from 5S to root cause analysis to leader standard work and dozens more.

This process, of starting with the broad strokes of principles and culture before zeroing in on the tools, applies particularly well to understanding and managing risk. Organizations deal with risk constantly, and whether they identify it as such, risk management is an extremely important consideration for those occupying the executive suite. Prudent actions include assessing ever-changing conditions within and among markets, supply partners, competitors, and macroeconomics, to name just a few. Deciding how and when to launch new products or services, move forward on mergers and acquisitions, or rebrand will depend in large measure on an organization’s response to and tolerance for risk. All of these considerations directly involve top management.

ISO 9001:2015 now stipulates that organizations must include “risk-based thinking” in their scope of work. The standard doesn’t require formal risk management, and it’s intentionally not prescriptive in nature; in other words, it’s up to the registered organization to determine how to implement risk-based thinking, and what evidence will be presented during an audit to support that. With that in mind, and depending on the “context of the organization”—another new phrase appearing in ISO 9001:2015—there are several tools that should be considered when applying risk-based thinking to your processes. Let’s look at some of these individually.

Hoshin kanri. Generally translated from the Japanese as “a methodology for strategic direction setting,” this technique is a way of aligning the organization’s mission with tactical actions. It starts with senior managers breaking the mission down into broad strategies. Those then drive more specific objectives, from which middle management derives goals to help reach those objectives. Small teams are ultimately responsible for achieving those goals, which they do by assigning action items to individuals. Looking at the process from the bottom up, individuals complete action items that fulfill goals. Teams reach their goals, which meet objectives. Middle managers achieve objectives, and those in turn help senior managers (and the organization in general) to successfully implement the strategies supporting the overall mission. Hoshin kanri is a great method for organizational alignment, and well-aligned organizations are able to avoid surprises and minimize risk.

Poka-yoke (mistake-proofing). The mantra of “can’t instead of don’t” offers a powerful way of thinking about (and eliminating) risky processes and procedures. Originally conceptualized by Shigeo Shingo, the core insight of poka-yoke is that mistakes are pretty much inevitable in work done by human hands. To eliminate errors before they happen, it’s necessary to engineer a process so that it simply can’t be done in an incorrect or improper way. The most effective way to do this is through contact. For example, a die is designed in such a way that it physically can’t be placed into a fixture incorrectly or backward. A dedicated poka-yoke system that covers all possible processes within an organization is a tremendous step toward controlling risk, because catching mistakes before they are even made eliminates the opportunity for faulty, dangerous, or unsatisfactory product reaching customers.

FMEA. Failure mode and effects analysis (FMEA), originally designed by reliability engineers in the U.S. military more than 50 years ago, offers a comprehensive look at designs, processes, systems, and functions. FMEA is a systematized group of activities intended to recognize and evaluate potential failures and associated risks, including the effects of those failures. It also identifies actions that could eliminate or reduce the chance of the potential failure occurring, or otherwise mitigate the associated risk. An FMEA is a “living document” that itemizes the potential risks of an entire value stream. It considers 1) the severity of a potentially adverse event; 2) the probability of such an event occurring; and 3) the probability that the event will go undetected through established procedures. Each of these categories is assigned a number on a 1–10 scale, with 10 being the highest (i.e., the worst or most dangerous outcome). A risk priority number is established by multiplying the three resulting numbers. The highest risk priority numbers demand the most immediate attention, and the FMEA document allows the user to first look at the current state of a process, and then the future state, to see how improved procedures, systems, or poka-yoke devices can lower that risk priority number.

Root cause analysis. This time-honored tool is closely linked to the 5 Whys process, in which the practitioner, faced with a process breakdown that has led to a quality escape, must gently but firmly ask questions about the process that generated the error. Always remember that this must be done in a respectful way. The object is not to point fingers and assign blame, but to quickly and efficiently get to the root cause of the issue with the intention to completely understand its functions and dependencies. Once the wayward process is completely understood, then that process can be redesigned and error-proofing procedures put into place. I can’t emphasize enough how important it is to not make this a scapegoating mission. If people feel that the root cause analysis exists simply for the purposes of blame and termination, then they will do their utmost to hide the truths that you are seeking. As a consequence, the root cause analysis will fail, and the deep problems, which are likely cultural or systemic in nature, will just fester and get worse.

All of these tools offer valuable insights when thinking about risk and mitigating potentially harmful outcomes for customers, employees, or other stakeholders. I am presenting a free, 90-minute webinar on this topic, titled “Risk Management: Tools and Techniques” on Tuesday, April 5, 2016, at 1 p.m. Eastern, 10 a.m. Pacific. During this webinar, I will delve deeper into these tools (and others) and take your questions about ways to implement them in your particular organization. Click here to get more information and to register for the webinar.

Everyone who registers to the webinar is also eligible for a $100 discount on the on-demand training videos available at www.360performancecircle.com (including my 30-part series, Creating and Sustaining Lean Improvements).

About The Author