#9 – NISO AND NICE RISK ANALYSIS – JIM LAMPRECHT

Why would an international standard require companies to perform risk analysis?

NISO
The same question was asked a few years ago with the ISO 9000 series of standards but here at least one could supposedly claim that a quality system would theoretically improve the overall quality of a product still, one could ask the same question:  why make it a requirement to do business after all, for centuries the “market” had been and continues to be a semi-efficient process whereby inefficient and/or below average performing companies are eventually eliminated.

I have initialized the words semi-efficient because we all know that in reality, some average but cash rich companies are often capable of acquiring more creative or innovative companies.  I am well aware of the many standard answers that have been provided over the years regarding the benefits of ISO 9000 certification and, whereas it is true that many companies may have initially benefited from the development and application of a rigorous quality system, many have not and many more have abandoned their efforts to maintain their certification.

I wrote NISO a dozen years ago to try to counter the ISO 9000 frenzy.

BENEFITS OF RISK ANALYSES
So I ask myself would the world of consumers be better off if companies were to be required to conduct risk analyses during their yearly or quarterly plans? Would the conduct of risk analyses help companies, consumers or both? Or would it mostly help the ISO registrars?  Other questions could be asked such as: how does one know if a good risk analysis has been conducted? Here are some of my observations.  I am sure many of these observations must have been made by others long ago.

One must distinguish between risk analysis based on probability analysis derived from historical data and the risk analysis based on the subjective probability routinely proposed during FMEAs.  The first type of risk analysis is based on simple probability theory and has been developed to a high level of sophistication decades ago by insurance companies.  And yet, it is worth noting that insurance companies are no longer satisfied with probability theory to assess a driver’s risk.

Many companies would like to have a monitoring device inserted in all cars.  Such devices would monitor many parameters including average speed, acceleration, intensity of braking and so on.  Many companies have the appropriate information to conduct probability-based risk analyses to assess or estimate their warranty cost and yet, it has been my experience that this information does not prevent companies from still rushing products to market before all risks have been properly identified!

The second type of risk analysis based on subjective probability was also developed around 50-60 years ago and has proven to be useful, so I am told, in the assessment of why something has gone wrong or, in the case of design FMEA, in reducing or even eliminating the probability of an unfortunate event from occurring.

I believe that industries that have benefited from the use of risk analysis including for example the nuclear industry, the food industry, the automotive and avionic industries have applied the technique for several decades and their motivation to do so was probably influenced, not exclusively however, by yet another industry: the legal sector.  I have not mentioned the medical sector because I do not know to what extent FMEAs are practiced in the medical-hospital sector. But even if FMEAs were to be conducted by the medical profession, the unpleasant truth is that it would be very difficult (but not impossible) to prove that a potential risk to a patient’s health or life had been deliberately ignored.

The pharmaceutical industry has a long history of assessing the risks (for there are many) associated with drugs.  But even then I think there is some irony in the process of assessing risk as practiced by the pharmaceutical industry.  Some years ago, a friend of mine reported that after taking a certain medication he experienced some serious numbness in his legs and fingertips even to the point of losing control unable to hold on to a glass or even getting out of his car without stumbling or falling.  As he told me his story I told him that my mother had experienced similar symptoms taking a particular drug and when I mentioned the name of the drug he confirmed that it was the drug he was taking.  A few weeks later my friend called me back to tell me that after talking to several of his friends he had discovered five or six identical cases of people taking the same drug and experiencing the same symptoms.  Armed with his information he decided to call a National Health center in Atlanta to share his information about this dangerous drug.  To his amazement he was told that such symptoms could not associated with this particular drug BECAUSE the pharmaceutical company HAD NOT REPORTED SUCH SYMPTOMS!  In other words these risks could not exist because they were never reported!  The drug in question was eventually taken out of the market but only a year or a year and a half later.

LIMITATIONS OF RISK ANALYSIS
The limitation of risk analysis are quiet obvious in this case and point to two fundamental problems.  The first problem is that in some cases, the scope and/or extent of risk associated with a product, is defined by the producer.  This producer’s risk may or may not be equal to the consumer’s risk and in fact in the above story, the producer’s risk was clearly inferior or lower than the consumer’s risk.  But even if one could successfully demonstrate that an error in risk assessment had been performed one would have to battle an army of lawyers to try to prove one’s case.

The second limitation of risk analysis as demonstrated by the above story is that risk assessment cannot anticipate what have been referred to in the financial world as the Black Swan effect; the rare even that occurs once in a rare while also known as outliers that are beyond the four or even five standard deviations level.  These one in hundred or two hundred year events, the very type of events that are beginning to occur in the field of so-called extreme climate events, are unfortunately generally not considered by standard risk analysis either because they are not foreseen or, if they are foreseen, the preventive measures are much to costly to implement. Can you really plan for what has yet to occur and may not occur for another couple of hundred years?

FUNDAMENTAL QUESTIONS
Some fundamental questions still remain.  Would a more detailed risk analysis been helpful to the pharmaceutical company?  Trial runs are already very expensive to conduct so why not use the approach favored by the software industry long ago—debug your software to a certain level and let the consumer discover the remaining bugs that are cleaned-up with various releases.  This process is still being practiced to this day and may well be the most cost effective way of doing it.  The stakes are much higher with the release of new drugs but the principle seems to be very similar—risk analysis up to a cost effective point.

In the field of geopolitics, various experts are supposedly assessing the various risks of terrorism associated with certain regions throughout the world.  Was the risk associated with recent events in Mali and in Algeria correctly assessed by experts?  Did the gas company operating in Southern Algeria near the Libyan border conduct a risk analysis of its preparedness to terrorist attack?  Probably not but it is likely that the consortium of companies operating in Algeria routinely conducts risk analysis associated with various operational malfunctions; will the scope of risk analysis be expanded and could it even anticipate the next risk?  How can one defend against a missile attack launched from several miles away?

KEY QUESTIONS OF ISO RISK ANALYSIS
Risk analysis is certainly beneficial to certain companies that operate in a relatively safe environment (geopolitically safe) but should all companies be required to conduct risk analysis?  What type of risk analysis?  Who will benefit from these risk analyses?  How can one assess/audit whether or not a company is doing not only the right kind of risk analysis but also enough risk analysis?  These are difficult questions to answer but saying that we live in a riskier world is not enough.

 

Leave a Reply

Your email address will not be published. Required fields are marked *