In industry several engineering and analysis methodologies exist for the design of risk management systems, but often they are complex and difficult to understand or apply practically. Risk management seems a daunting task to most people, characterized by complicated statistics in finance and intricate systems modeling in engineering. In this paper I want to share with you the fundamental principles you need to consider in the design of a practical and effective risk management system for your organization, regardless of the methodology you select to work with.
The purpose of risk management is to identify, assess, analyze and manage a company’s risk, be it financial, technical, operational, social or environmental. If your company subscribes to the international ISO Standards of Quality, Environmental, and Occupational Health and Safety Systems, an additional requirement for certification in the updated Standards is risk management. A well-designed, practical and effective risk management system is therefore necessary for business sustainability and responsible leadership.
Risk Management as a knowledge area is sub-categorized into three main activities, namely Risk Identification, Risk Analysis and Assessment, and Risk Mitigation, each categorized by uniquely different activity and action. Ultimately it is necessary to integrate the information and knowledge gained from theseactivities to identify the root- and contributing causes of risk, and to correct or prevent re-occurrence of the event or incident that caused the risk.
The first phase of Risk Identification is possibly the most challenging activity in the process.It is an activity that requires an open mindset combined with knowledge and experience. The purpose of the exercise is to identify all possible events that may or may not occur in the instigation of risk. The inclusion of both probable and improbable events is critical since much risk is inherent in improbable events, such as the unexpected occurrence of a force majeure. Herein lies an important distinction in the field of risk management: an event that is probable, possible and expected is classified as a risk, and it can be assigned a probability and an impact if it were to occur. However, an event that is totally unexpected and improbable, but certainly possible, is classified as uncertainty. It too can be assigned a probability and an impact if it were to occur; but only if it could be identified pre-emptively. The challenge is to have the foresight and knowledge to consider its occurrence in the first place, and to recognize, predict and thereby prevent the impact thereof.
Different methodologies may be employed to facilitate the risk identification process, including formal brainstorming, Ishikawa diagrams (more commonly referred to as fishbone diagrams), event tree analysis, the 5 Why technique, Hazard and Operability Studies (HAZOPs) and Failure-Mode-and-Effect Analysis (FMEAs). FMEAs or FMECAs (including criticality) is most often employed by the process industries, whereas Ishikawa diagrams are employed by the manufacturing and related industries. Ishikawa diagrams were designed originallyby Kaoru Ishikawa in the 1960s, an engineer who pioneered quality management processes in the Kawasaki shipyards in Japan. Ishikawa diagrams are applied to identify the causes of a problem, event or incident and to sort the causes under different categories. When employing Ishikawa diagrams, the most commonly appliedcategories for analysis are the 6Ms used in manufacturing and maintenance;and these are described below:
- Man (physical work, designs, decisions, interference)
- Method (process)
- Machine (means, technology)
- Material (including raw material, consumables and information)
- Measurement (inspection)
- Milieu (environment)
Different industries apply different categories, for example 8Ps used in the marketing and administration industries, and the 4Ss used in the service industry. An example of an Ishikawa diagram applied in manufacturing is illustrated below:
It is highly recommended that risk identification sessions be attended by a diverse team of colleagues from different fields of specialization, and that the sessions are facilitated by a technical expert who can guide and manage the process to ensure that all potential risks are identified. Include as many potentialities as possible in the risk identification session, even if it seems impossible or improbable to occur. There will be opportunity during the following analysis and assessment session to eliminate the irrelevant factors.
The second phase of Risk Assessment and Analysis assumes that the company has an established risk matrix, and if not, it is first required to develop one. A risk matrix is commonly a five-by-five matrix that assigns risk to an event where the Y and X axis elements intersect. The X-axis represents the consequence (impact) of the event or incident, and ranges from insignificant to major. The Y-axis represents the probability or likelihood of occurrence of the event or incident, and ranges from a rare occurrence to almost certainty. The intersection of these elements in the matrix represent the risk rating of the event. Traditionally risk in the matrix is represented by colour for easy and immediate identification: low risk by green, medium risk by yellow, significant risk by orange and high risk by red. The table below is an example of a 5 x 5 risk matrix.
Risk assessment occurs when each event or incident is assessed independently for its risk impact. The probability of occurrenceof the event and its impact / consequence are determined, followed by the calculation of the risk rating represented as the Risk Priority Number (RPN):
RPN = Probability x Consequence
RPN ranges are included in the risk matrix and employed for further risk analysis.The table below indicates how risk ratings are represented in a risk matrix. Once the risk ratings have been determined, adequate and applicable guidelines for risk mitigation may be determined.
It is incumbent on the company to identify relevant consequence types, including consideration of inter alia the impact of schedule, cost, quality and / or technical integrity, safety, occupational health, environment, social or community, and reputation.
Once the risks are assessed, the risks with the highest rating and level receive priority for analysis. The final phase of Risk Mitigation involves root-cause analysis (RCA) which identifies both the obvious and the underlying causes of the event or incident so that specific solutions can be implemented- and the associated risk mitigated, eliminated or prevented. A complete RCA consists of a clear definition of the problem or risk, a thorough analysis supported by evidence, and a specific corrective and preventive action (CAPA) plan for implementing the solutions and monitoring the effectiveness of those corrective actions. For complex and costly problems a thoroughly documented CAPA report is required. If several CAPAs require implementation, the company would need to conduct cost-benefit analysis of each CAPA to allocate limited resources to high-level risks. A standardised layout, logical recording and well considered reasoning are of cardinal importance when the causes and contributing factors of events and risk are to be established and presented.
Risk management requires continual monitoring of the effectiveness of risk mitigation. If the company identified, assessed and analysed its risks with due diligence, and clearly identified the root-causes of the risk with assigned corrective and preventive actions, the company will experience consistent and significant reduction in its levels of risk.