In today’s world most organizations face a multitude of potential risks, including cyber-attacks, data breaches, system failures, service disruptions and natural disasters, to name just a few. An organization can tackle the biggest threats first, then take action to implement the measures best suited to keeping those risks at acceptable levels.
In risk management, the first step is to identify potential risk factors before proceeding with any decision. The reason risks so often catch organizations off guard is that they failed to acknowledge their existence in the first place, which leaves them unprepared to handle any of those risks becoming a reality.
Many organizations already have mature Enterprise Risk Management (ERM) processes in place. Companies with quality or environmental management systems certified to standards such as ISO 9001 have long relied on risk management to protect their products and processes.
Many methods and tools are available for analyzing risk, but to succeed organizations must know how to get the most out of them. The problem is that some organizations stop the process once the risk analysis is complete and never act on the information it produced.
Of the many tools available, the most widely used risk assessment tool is the failure mode and effects analysis (FMEA), which helps identify potential failure modes in a design, process or function, together with their causes and effects. Identifying a potential failure mode means assessing the hazard and what can go wrong. Assessing the cause means understanding how it can happen and what broke down. The effect is the impact and harm it will have.
After determining the potential failure modes, effects and causes, an organization should not jump directly to confirming that risk controls have been implemented. The risk requirements must first be documented in the product or process.
It is in the step from understanding the risks to confirming the appropriate risk control that implementations typically fail. It’s relatively easy to confirm that a control has been verified, but much harder to ensure it has been fully integrated into the products and processes.
Some organizations go straight to risk control and don’t consider the processes used to support the control. Implementing risk control into a product, for example, should be driven by the product requirements. This is what drives the implemented behavior (e.g., risk control) in the product and ensures the design includes elements to contain the risk.
These product requirements are incorporated as part of the product history and are consulted as the product changes. Inserting the design features, behaviors, and characteristics (e.g., risk control) into the product requirements allows for a broader and more sustainable risk implementation that will last throughout the product’s life cycle.
Ultimately, reducing product risk is achieved by implementing these design features, behaviors and characteristics. The strong connection between risk, product requirements (e.g., input) and product (e.g., output) allows for a more complete verification confirming the risk control is implemented and effective.
The same is true for processes and functions. Risk controls should be integrated into the process or function requirements. During the initial discussion of a process or function, a risk assessment should be performed. The results should be used as an input into the process or function requirements, along with other process and function needs, such as performance or reliability.
After all the requirements have been developed and implemented, a process validation activity should be performed to confirm the process has been implemented successfully and the risk controls are effective.
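The chain described above (failure mode, risk control, documented requirement, verification) can be checked mechanically. The following is an added example, not from the article or any particular FMEA tool: it holds a few constructed FMEA rows for a hypothetical product and flags the rows that jumped straight to a control without a requirement, or that have a requirement with no verification behind it.

```python
from dataclasses import dataclass


@dataclass
class FmeaRow:
    """One row of a simplified FMEA worksheet (field names are assumptions)."""
    failure_mode: str
    cause: str
    effect: str
    control: str              # the risk control chosen for this failure mode
    requirement_id: str = ""  # requirement the control is captured in; "" if never documented
    verified: bool = False    # verification or validation evidence exists for the requirement


# Constructed sample rows for a hypothetical product; not taken from the article.
SAMPLE_ROWS = [
    FmeaRow("Credentials stored in plaintext", "No hashing in account service",
            "Account takeover after database exposure",
            "Hash passwords with a per-user salt",
            requirement_id="REQ-SEC-012", verified=True),
    FmeaRow("Backup job fails silently", "No alert on job exit status",
            "Data loss after disk failure",
            "Alert on backup failure",
            requirement_id="", verified=True),   # control checked, but never made a requirement
    FmeaRow("Admin API reachable from the internet", "Missing network ACL",
            "Unauthorized configuration change",
            "Restrict admin API to the management network",
            requirement_id="REQ-NET-004", verified=False),
]


def traceability_gaps(rows):
    """Return {failure_mode: [gap description, ...]} for every row that breaks
    the risk -> requirement -> verification chain; rows with no gaps are omitted."""
    gaps = {}
    for row in rows:
        problems = []
        if not row.requirement_id:
            # The control was chosen, but the requirement step was skipped.
            problems.append("control is not documented as a requirement")
            if row.verified:
                # Verification exists, yet there is no requirement it traces back to.
                problems.append("verification has no requirement to trace to")
        elif not row.verified:
            # Requirement exists, but validation of the control is still missing.
            problems.append("requirement has not been verified")
        if problems:
            gaps[row.failure_mode] = problems
    return gaps


if __name__ == "__main__":
    for mode, problems in traceability_gaps(SAMPLE_ROWS).items():
        print(f"{mode}: {'; '.join(problems)}")
```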
As someone who has been involved with such programs, I can attest that jumping from identification to risk control without documenting the risk requirements into the process or product doesn’t provide a complete process stream to ensure continued success at eliminating risk over the life of the product or process.
Risk management is an ongoing process that doesn’t end with risk identification or even mitigation. To minimize the organization’s risk exposure, it’s crucial to monitor the risk landscape on an ongoing basis.
As a best practice, organizations are advised to consult their quality organizations for help facilitating their FMEAs and other risk tools and techniques. Those teams have the training and expertise to guide the organization properly.
It’s also advisable to include internal and, where feasible, external stakeholders in risk communications at each step of the risk management life cycle. If a risk changes or a new risk emerges, everyone can be kept informed and work towards a common solution that protects the organization from harm. And don’t forget to revisit all risk management policies regularly to keep them up to date and relevant.