Prevention is the best way
Risk management is the process of identifying, evaluating, prioritizing and treating risks in order to minimize the negative impacts.
Some experts define a risk as an uncertain situation, condition or event that involves exposure to danger, loss, harm, injury or any other threat. Risk management is the tool to avoid occurrence or to minimize the effects if the risk occurs and the negative effects appear.
In many cases however, a risk may not necessarily lead to negative effects but can also be converted into an opportunity.
There are many formal risk management techniques, but I like the principles described in ISO 31000. Since I have used it, I will base this post on that standard.
Context
Risk management can be used for all kinds of risks, for all kinds of companies, for personal and private activities, etc. The main differences in its use are the context and the risk types.
Context is a word that describes, as per ISO 9001, the environment, circumstances, factors, parts and relationships, products, value-streams and players (like customers, suppliers, competitors, government offices, unions, industry chambers, etc.) in which a certain organisation performs its activities. The context is unique for a company or a person. ISO defines it as the business environment or a combination of internal and external factors that can have an impact on the organization.
For example, think of a small family business: a bakery. The context will cover the type of business, goals, physical location, environment, services, customers, suppliers, business processes, neighbors, authorities, etc.
Risk types
As we said at the beginning, a risk can be anything that can lead to unexpected results. Depending on your activities and the context, there can be thousands of different risks you could face but, to keep this post as simple as possible, we will classify the risks in general groups:
- Safety related: like accidents in different degrees of severity.
- Natural disasters: like earthquake, flood, hurricanes.
- Business risks: financial, strategic (market, etc.).
- Operational external risk: political, legal, competition, suppliers.
- Operational internal risk: Machine breakdowns, fraud, theft, strikes.
- Manufacturing: process risks like those normally covered in the FMEA.
Risk management process
The process of risk management is a cycle or a repetitive process like the PDCA (Plan-do-check-act). I personally use risk management as one of the axes of the quality management system and therefore I integrate it for the whole organization. Every business process applies the technique to its context and all related activities shall be considered.
Every business process has its individual inputs, activities, outputs (supplier-input-process-output-customer), goals, methods, controls, resources and therefore, the involved risks may vary from process to process. The IT processes or purchasing, maintenance or sales may have different exposure to different risks.
However, we can use the very same analysis and treatment process regardless of those differences. There are basic steps in the risk management process:
Process steps
Risk identification: What can happen? What can go wrong? For the risk identification, for example, in a business process, I use either a SIPOC structure or a process turtle. A SIPOC is a graphic description of how the process works and considers Suppliers-Input-Process-Output-Customer factors. A process “turtle” is a matrix that summarizes all important factors, activities and resources of a process with blocks or sections for performance indicators, procedures, machines, people, etc. and considers all possible risks in every area and resource related to the process.
I will cover the SIPOC and Turtle in the next articles and provide you with examples and forms to download.
Risk analysis: Once the risks have been identified, we can think of the effects or consequences if the risks occur. How bad can the impact be? Reach? Affected areas? What is the probability that the risk occurs? If it happens, can it be contained, minimized, isolated, shared, transferred, etc? You will have to analyze all risks that you have identified.
Risk evaluation and prioritization: You now have a good idea of what the risks are and how bad the consequences can be. As we do in many other quality processes, we need to focus now on the worst cases. If I had limited resources (like money or time) and could “treat” only one risk at a time, which one would I have to consider first? Perhaps something not very serious but with high probability of occurrence or rather something critical with very low probability of occurrence?
In order to make the best possible decision, all risks should be evaluated in the same way and then ranked. There are many ways to do this: numerical scores, high-medium-low, etc. What I normally use is a mixed scale similar to the FMEA evaluation system. The factors to be considered are:
- Severity. The degree of criticality or magnitude of the consequences if the risk occurs.
- Likelihood of Occurrence. Probability of occurrence. How probable is it to happen?
- Prevention/Containment possibilities. Can the occurrence be prevented? If the risk occurs, can the impact be contained, isolated, etc? Normally you can only choose either prevention or containment for a certain risk and you will have to answer the questions: how easy is it to prevent or contain? At which cost? Do you need to react in a certain way if the risk occurs (during containment)?
With these three parameters, you will obtain a value or score for every risk that you can then use to set priorities. As you can imagine, those with the higher scores should be treated first (with a higher priority).
Risk treatment: Depending on the risk type and its value and “priority” we can try to eliminate it, isolate it, minimize its effects or avoid its occurrence or, assume we cannot avoid it and prepare a reaction or protection (damage sharing, containment, etc.)
Monitoring/ review: In regular intervals or as needed, we should take a look at the risk register, values, priorities and actions. Based on experience, results, simulations of cases, drills, etc. we can re-evaluate and assign new priorities. This triggers a new cycle exactly as the PDCA process.
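The evaluation, treatment and review steps above can be run as a small risk register. This is an added example, not the author's spreadsheet: the 1 to 10 scales, the multiplication of the three factors (as the FMEA risk priority number multiplies its factors), the tie-break on severity, the `control` field name and the bakery values are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace

FACTORS = ("severity", "occurrence", "control")

@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # 1 = negligible ... 10 = catastrophic (assumed scale)
    occurrence: int  # 1 = very unlikely ... 10 = almost certain (assumed scale)
    control: int     # 1 = easy to prevent/contain ... 10 = no practical control

    def __post_init__(self):
        for factor in FACTORS:
            value = getattr(self, factor)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {factor}={value} outside 1..10")

    @property
    def score(self):
        # Assumed formula: product of the three factors.
        return self.severity * self.occurrence * self.control

def prioritize(register):
    """Highest score first; equal scores are ordered by severity."""
    return sorted(register, key=lambda r: (r.score, r.severity), reverse=True)

def treat(risk, **lowered):
    """Return a re-scored copy; a treatment may only lower a factor."""
    for factor, value in lowered.items():
        if factor not in FACTORS or value > getattr(risk, factor):
            raise ValueError(f"{risk.name}: invalid treatment {factor}={value}")
    return replace(risk, **lowered)

def review(register, name, **lowered):
    """One monitoring cycle: apply a treatment to one risk and re-rank."""
    return prioritize([treat(r, **lowered) if r.name == name else r
                       for r in register])

# Constructed register for the bakery used as the context example.
REGISTER = [
    Risk("Oven fire", severity=9, occurrence=3, control=4),
    Risk("Earthquake", severity=10, occurrence=1, control=9),
    Risk("Flour supplier delay", severity=4, occurrence=7, control=3),
    Risk("Exposed wiring", severity=8, occurrence=5, control=2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:4d}  {r.name}")
    print("-- after minimization lowers oven fire severity to 5 --")
    for r in review(REGISTER, "Oven fire", severity=5):
        print(f"{r.score:4d}  {r.name}")
```

With these constructed values the rare but critical earthquake outranks the frequent supplier delay, and treating the top risk moves it to the bottom of the list at the next review.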
Details on risk treatment
Depending on the context and nature of the risk, there are different treatment options. We will mention them here and see an example related to safety at the job floor.
1. Elimination
It sounds easy, but in many cases it might not be. In the next example we will consider something simple: An old machine or device was removed and the electrical connections were left as you see them in the image.
Once the risk has been identified, you can easily isolate the wires and fix them, for example, in a distribution box.
2. Isolation
When the risk cannot be eliminated, it may be isolated. If it is confined, the chance of occurrence may be reduced to the minimum. Please note that the severity was not changed, only the occurrence is reduced.
3. Minimization
Also known as risk reduction, it can be any action to reduce either the severity (if the risk occurs) or the likelihood of occurrence, e.g. sprinklers can help reduce the impact of a fire and stop/extinguish it before it spreads and causes more damage. Other possibilities are the “transfer” of a risk, for example by outsourcing a dangerous activity/process. Even an insurance policy might be a way to minimize the impact of an accident, at least financially.
4. Retention / Protection
Some risks can be neither prevented nor treated but they are still there, for example, the risk of an earthquake. So, we need to “assume” or to “retain” the risk as it is. We can only prepare a plan to react when the event occurs and install alarms, emergency exits, train people in rescue and first aid, etc.
For minor risks, some experts consider “protection” as the last form of treatment, for example a helmet or safety glasses. Others consider protection as “risk reduction”.
For me, protection is indeed the last level of treatment for certain risks, for example the use of safety glasses preventing eye wounds.
However, in an earthquake you cannot protect all your employees with armor. Only a contingency or emergency plan can help contain the impacts to a certain degree. It is the very last treatment option for this kind of risk but can be pretty effective.
Monitoring/ Review
Just like in any other process, in risk management we need to periodically review the records and re-evaluate the risks, priorities and effectiveness of the actions. If, despite the planning and execution of all the activities, events happen and the risk effects become reality, the contingency or reaction plan must be used. Afterwards the effectiveness of the actions must be evaluated and, if necessary, changed or adapted. We can learn from experience and improve accordingly.
When you use this process of risk management for the first time, you may have little knowledge about certain risks and consider their severity, occurrence or treatment possibilities by making assumptions because you don’t really know. But as time goes by and you see which risks occurred, which were prevented and/or treated properly, you will be able to improve the whole process. Information is power.
In time, if you apply this technique properly, you will identify risks better, assess the risk factors more accurately and, hopefully, turn many of them into great opportunities.
Regards.
Do you need some extra guidance?
Don’t worry. I know how difficult it is to implement a complex process and therefore I am glad to offer you the tool I use. In the Excel file you will find the whole evaluation and treatment process split into several tabs which can help you out with your risk management. Please note that the evaluation matrix can/should be changed to be adapted to your context and process. Use what I prepared as a guideline but please define parameters specific to you. Feel free to download the file and use it at your convenience.
I wish you a lot of success!