Editor’s note: Tim Lozier will be a guest on Quality Digest Live this Friday, Oct. 18, 2013, at 11 a.m. Pacific
During the past few years, risk management continues to be a topic of interest. There are plenty of benchmarking trends that point to risk. We see it in enterprise strategic initiatives. We see it being incorporated into standards and regulations. And yet, I think that for many, the concept of risk remains an enigmatic and elusive concept.
In many companies leaders are so concerned with day-to-day operational issues, that conducting risk assessment and management, although strategically significant, is perceived to be something that will be done way off in the future. This is far from the reality—in fact many companies are already addressing risk in one way or another, but don’t know it.
Risk management is everywhere, and is not some lofty strategic element that is limited to top-floor executives making enterprisewide decisions. Risk management is like any other tool in the compliance process—it is another method for streamlining your business. The developers of the International Organization for Standardization (ISO) management standards such as ISO 9001 have seen this for many years, and are looking to push risk management elements into several standards.
ISO standard |
Risk management elements |
ISO 31000 |
–Guidance for risk management in any organizations |
ISO 14971 |
–Guidance for risk management in medical devices |
ISO 14001 and OHSAS 18001 |
–Identify and assess every risk |
ISO 13485 and ICH Q10/Q9 |
–Medical device and pharma: Explicit reference to risk management |
ISO 27000 |
–Primary focus is risk, taking into account threats, vulnerabilities, and impacts |
ISO 9001 |
–No direct reference, but stay tuned—the 2015 revision has extensive risk management elements planned |
Risk management is a means of looking at potential hazards, assigning a weight to those hazards, and taking steps to control them. Below is an example of the risk management process flow:
Companies are looking for ways to incorporate risk management and risk assessment into their operations. There are many ways to look at risk, and each industry has developed different risk-based tools for their specific business needs. Here’s a sample set of risk tools:
Risk matrix. Perhaps the most common risk assessment tool is the risk matrix. It’s a grid that’s quick, easy, and colorful. It’s designed to make risk levels evident to everyone involved in an operation. In the matrix are two (sometimes three) levels of risk plotted on a graph—usually severity and probability (or likelihood). Each risk level is assigned a number and within the graph you plot a formula to calculate where the two numbers intersect (usually multiplication). Then, you assign a color to the level of risk—red, yellow, or green in a simple format. Some will use more colors depending on the complexity of the result.
The purpose is to define a risk level based on two levels and build guidance into the results to help foster a decision based on the calculation. However, be careful to vet your risk matrix; sometimes you may get results that are mathematically sound, but do not fit in the context of your operations. To mitigate this, you need to vet the matrix using real-world examples (historical data), to ensure that your results are actually the right result. Some tweaking may be required, but once you’ve vetted the graph, the risk matrix is a powerful risk assessment tool.
Failure mode and effects analysis (FMEA). FMEA is a design or process method that breaks down a product or process to its individual components and conducts a “what if?” scenario to identify failure points and control these potential failures at the most base level. Once the product of process is rolled back up, the risks are identified and mitigated.
Decision tree analysis. The decision tree method for risk assessment is one many will use without even knowing it’s a risk assessment. With this method you are given an input (adverse event) and you use the decision tree to help determine the outcome of that event. They can be built in a way that will help you to come to the right decision and provide guidance on that decision. This is an effective method of risk assessment, especially since it allows the user to follow a path, usually through question and answer trees (e.g., if this, then this; if yes, than this)
Decision trees are powerful because they can be embedded directly into the operational processes. Without having a diagram and mathematical context like the risk matrix, you can build them directly into the system as part of the process. This is especially good when assessing the effectiveness of a process revision in a change-management context, or determining when you need to report something to a regulatory agency, or even if you are determining if an adverse event needs to be opened up as a corrective action.
Hazard analysis and critical control points (HACCP). Commonly used in the food industry, HACCP breaks a process into steps and conducts a hazard analysis on each step (i.e., what could go wrong, and how can we control it?) For each hazard, a control is implemented and a risk is mitigated.
Bowtie risk methodology. You may think, “Well we don’t have that many critical events, so we really don’t have a history of risk.” In this case, the bowtie is a great method for assessment of risk in low-occurrence events. Although you may have very little data on potential critical events, the undesired effect of these events can be so catastrophic that you can’t afford to sit and wait for it to happen.
Unlike the previous tools, the bowtie is considered a proactive risk assessment tool in that it looks to mitigate risk before it happens. This model looks at the undesired effect, which is usually something bad (e.g., loss of life) and builds controls as barriers to prevent that event from occurring.
Here’s how the bowtie risk method works. You have an undesired event in the center and you analyze the impact of that event. You are effectively building a scenario in which that event might occur and putting preventive controls in place to mitigate the risk of it actually happening. Similarly, you want to build recovery controls to minimize the impact if the event does occur. This is a risk method designed to assess low-occurrence events that pose serious consequences. Airlines use the bowtie frequently, because the emphasis is not on the risk of an occurrence, it is more on the measurement of how effective the control is. This is an attractive option because it is easy to read and translates well to all areas of the organization.
Risk register. Risk management and risk assessment are designed as means for measuring and making decisions to affect compliance. But content is king in risk management. As you measure risk and take actions, you are building a history of risk within your organization. This is valuable data that can help you fine-tune operations based on the history of risk.
The risk register is designed to do this. It is literally a library of hazards that takes risk data from all events, whether job safety, incidents, accidents, and any adverse events. It is a centralized location that will give you visibility into the risk within all operations.
Risk trending is a critical component of risk management, and this needs to come from historical data. You can build a risk history from various operational areas and report on the trends for that area. Now, not all operational areas will be the same in terms of how you assess the risk, but the risk Register provides a common location for the data from your operations to show how risk management has evolved over time, and allows you to analyze and trend on where high risks are, what areas need more oversight, and how you can improve operations, using risk as the benchmark for overall compliance.
People ask, "Why risk management? Quality management and EHS processes work just fine, and we report on CAPAs and incidents, and job safety well enough.” Well, reporting at the operational level works, but when you want to report across industries, it becomes necessary to normalize data for making aggregate decisions. Risk management is that universal language.
Some final thoughts
Risk management requires people; it is not automatic. The tools mentioned in this article will only help you with risk assessment process. The real risk management happens when people make decisions. Assemble a risk team, a cross-functional group that can sit and review the different risks, and weigh those risks using risk tools to come to a decision.
Risk is universal in terms of the enterprise focus. Not all people speak quality and not all people speak safety—but everyone speaks risk. When rolling data up to the enterprise level, normalizing operational processes in terms of risk helps to create a universal language that can be used to make better decisions.
And that’s why risk management is continuing its charge through the compliance industry. The tools outlined in this article, in addition to others (e.g., Fault tree and HAZOP), are prime examples of how compliance processes, whether used in quality management, EHS management, and more, are using risk as a core benchmarking metric for decision making in the enterprise.
Any organization is looking to foster continuous improvement—it drives the business to be more efficient and operate in a more streamlined and compliant manner. When we talk about building risk management into continuous improvement initiatives, we can see filtering complaint data by their risk, to ensure that the most critical events are handled first.
Comments
R.I.S.K.
RISK = Remain In the Same Karma.
Add new comment