It seems everyone is talking about risk management, whether it’s about financial investments, political strategies, or quality management. Like other quality initiatives, it may be regarded as simply another “quality program du jour”, but a well-managed risk management program helps focus improvement effort on the truly important issues, resulting in more effective and efficient means of maintaining and improving quality.
Each industry seems to promote different methods for risk management: FMEA in the automotive industry, HACCP in food and pharmaceuticals, HAZOP in chemicals, and ISO 14971 in medical devices. Each method, however, analyzes risk in a similar way. Regardless of the method, potential hazards or risks are identified and evaluated to determine a cause or failure mode, and each hazard or risk is assigned a measure of criticality and a measure of the frequency of occurrence (some methods add a third measurement of failure detection). After considering the combined risk for an uncontrolled or failure state, control methods are devised to mitigate risk, and the combined risk is re-evaluated. Risks that are above a specified threshold are subjected to further analysis to determine methods to reduce risk to an acceptable level.
Unfortunately, some organizations do not actually practice effective risk management. Instead, they go through an exercise of analyzing risk with and without controls, making impressive risk charts, wiping the sweat off their brows following the work, and simply pulling out the file whenever an auditor asks for it.
But an effective risk management program should be a living process. In programs I have managed, I’ve made it a policy to have each risk management file reviewed on at least an annual basis. Changes to risk analysis should be made using data collected from sources such as customer complaints, audit findings, industry white papers and articles, public reports, and other data sources (perhaps even an idea from a blog!). New control strategies are then developed to address previously unidentified or significantly changed hazards and risks.
Finally, managing risk is not necessarily easy, but it is rewarding. Perhaps the best comment I ever heard following some intensive sessions was from an individual who said, “I thought this would just be another exercise in bureaucracy, but I have to admit I know more about our product and processes than I ever knew before.”
What about you? Have you used risk management and has your experience been favorable? Share your thoughts with us.




March 13th, 2008 at 11:13 am
There is a popular misconception that risk management is complicated and bureaucratic; it is not or need not be. Essentially it is a simple proposition whose complexity and administration are dictated by the nature of the project and the people involved. At its simplest, risk management involves:
Identifying risk; Counteracting risk; Acting when risk happens;
and for all of this to happen - Monitoring at all stages.
Typically this means drawing up a risk profile which, by balancing the probability of something going wrong against the probable effect, helps to identify the main problem areas.
A good risk manager will try to develop contingency plans that reduce either the probability or the effect of such factors, and in so doing remove them from the danger zone.
March 10th, 2009 at 4:14 pm
In my experience, outside the auto industry, engineers and managers are willing to accept mediocre FMEA risk assessments, partially because risk management takes time to do right, and partially because the engineers and managers do not know what an FMEA done right looks like.
I agree that risk management isn’t necessarily easy, but it doesn’t have to be extremely difficult either. FMEAs are nothing more than the documentation of thorough engineering practices.
Unfortunately, until we stop accepting mediocre risk assessments, many organizations will find it to be an exercise in bureaucracy.