How effectively an organization manages risks can be the difference between success and failure. The effectiveness of risk management relies on the information feeding into it, a commitment to continuously correct deficiencies, and how well the tools are applied. Risk management is an integral part of planning and requires adequate time.
So why is managing risks important? Managing risks can help an organization by:
- Maintaining compliance, including with new ISO 9001 standards (continuous improvement and Plan, Do, Check, Act are a key part of ISO 9001).
- Proactively preventing problems and failures that can potentially cause delays, increase costs, and decrease quality while putting customers and businesses at negative risk.
- Taking advantage of opportunities to help benefit the organization.
According to the Project Management Institute’s (PMI) PMBOK 5th Edition, the Risk Management process consists of:
- Planning Risk Management
- Risk Identification
- Qualitative Risk Analysis
- Quantitative Risk Analysis
- Developing Risk Responses
An emphasis on continuously identifying and monitoring risks is paramount in proactively handling potential problems that may cause a threat to businesses and customers.
While it may not be possible to prevent every issue, it is important to reduce or eliminate the negative issues having the most impact according to the Risk Management Plan. Once a plan is devised and risks have been identified (using interviews, brainstorming, Delphi technique, etc.), they are qualitatively evaluated and prioritized as high, medium, or low impact by multiplying their probability of occurrence by a numerical level of impact that is defined and clearly distinguishable. Subsequently, quantitative risk analysis is performed to calculate the impact of the top-ranked risks from the qualitative analysis in terms of a measurable impact such as cost. Risks having high impact and high probability of occurrence are assigned the highest priority, whereas risks having low impact and low probability of occurrence are assigned the lowest priority. How risk averse the environment is can influence this.
A combination of tools such as SWOT analysis, Pareto charts, brainstorming, the risk probability and impact matrix, and root cause analysis tools can be utilized to identify, categorize, and prioritize risks (under the Pareto principle, the top 20 percent of the problems cause 80 percent of the issues).
With negative risks, it is very important to take into consideration those having either high impact or high probability of occurrence. An event having low impact and high probability of occurrence should not be accepted and ignored. It is good practice to prevent or reduce a high probability of occurrence. Similarly, risks having high impact and low probability of occurrence should not be accepted either; it is good practice to guard against them by minimizing their impact. For example, a low impact event in manufacturing, such as more frequent stoppages, can cause delays, errors, and more defects, which can lower quality significantly and create a high impact issue. Also, an event with high impact and low probability of occurrence, such as a natural disaster or a power outage, can cause havoc. Just imagine if hospitals didn’t have generators in case of an outage.
In risk response, the strategies for handling negative risks or threats are:
- Avoidance
- Transfer
- Mitigation
- Acceptance
Usually, steps are taken to minimize negative risks to prevent problems.
In responding to positive risks or opportunities, the strategies are:
- Exploit
- Enhance
- Share
- Accept
With positive risks, there may be opportunities to take advantage of in order to gain benefits and increase success.
Acceptance is common with both positive and negative types of risks having both low impact and low probability. Concerning negative risks, a watch list can be created to monitor these risks as they occur (passive), or resources can be allocated to deal with the risk if it happens (active). With positive risks, no action is taken to pursue them; however, if the risk occurs, it can be taken advantage of.
Accepting risks can become a problem if there are errors made in evaluation and decision making. Well-defined processes and procedures help mitigate gray areas to guide better decisions and reduce errors.
In statistics and hypothesis testing, Alpha and Beta risks are taken into consideration because there is a possibility of error in accepting or rejecting the null or alternative hypothesis. For example, Alpha risk (type I error) occurs when there is a decision to accept a significant difference when there is actually no difference, while Beta risk (type II error) occurs when a difference exists and there is a decision to accept that there is no difference. Beta risk matters because it can mean passing on to the customer a product that will fail or become defective. Additionally, if a product is rejected when it should be accepted, it can cause issues such as increased costs, delays, and waste. An effective risk management system relies on consistent and correct decisions.
There are proactive and reactive ways of dealing with negative risks.
- The proactive way emphasizes preventing issues before they get out of control. Responses such as Avoidance, Mitigation, and Transfer may be used.
- The reactive way deals with issues as they happen or fail. These risks are unforeseen or accepted.
For example, preventive maintenance keeps machines running to ensure a continuous flow of product by mitigating stoppages, defects, and waste. Conversely, performing no preventive maintenance opens the door to stoppages, breakdowns, and defects by allowing increased variation. Prevention helps reduce variation by maintaining a controlled state.
While it is important to identify risks on a continuous basis, the processes and systems used in identifying and preventing the issues are extremely important. It is essential that they are continuously improved to correct deficiencies so they are more reliable. The risk register and other project documents should be utilized and updated regularly. People using the processes, procedures, and systems need adequate training and understanding to ensure correct utilization, integration, and enhancement of these tools and systems.
Prevention of high priority negative risks can save time and money while enhancing quality. To obtain an effective risk management system, feedback within systems should function so that the outputs of one feed into the inputs of other relevant ones. Also, the monitoring and control of processes rely on the feedback and integrity of data. It is important to understand that high impact / low probability and low impact / high probability events require responses to reduce both impact and probability of occurrence. An organization’s commitment to effective risk management starts with the adoption of continuous improvement.
Bio:
Professional quality experience within a variety of industries that include pharmaceutical drug development, personal training, manufacturing, restaurants, and healthcare. My desire is to utilize my well-rounded experience, education, and unique skills to help businesses and organizations of all types overcome challenges to meet and exceed their goals.