


How to manage risk

Another preventive technique I recently promised to blog about was risk review and analysis. This is an approach used to reduce or manage risk; we aren’t necessarily trying to achieve zero risk (if there’s no risk at all you often get little benefit) although in areas such as safety or security a zero-tolerance approach to risk is necessary.

The risk review can be used in general business management – strategy development, marketing or sales initiatives, new product or service offerings, and so on – through to product development projects that have risk review sessions as part of their project management process. Special, rigorous instances of risk review are used in areas such as Health and Safety management.

I have found the best way to run risk reviews and risk management is as a group activity, i.e. in a workshop meeting, partly to get key people’s buy-in, partly to enhance creativity – bouncing ideas off each other and gaining different perspectives (one person on their own will always miss something) – partly because you will need volunteers, and partly because peer pressure can save you having to continually nag people to do their actions!

I suggest that ‘risk review groups’ meet regularly, e.g. every month. You may only need one group for the whole business, or you may choose to have project or function-specific groups as this can often be a better way of delegating authority and responsibility to those who can really make things happen.

The tool at the heart of the process is the risk register, which is a simple matrix or table. Each row in the table describes a different risk that has been identified. The columns are typically:

1. A reference number (so you can easily refer to that specific risk)

2. Description of the risk

3. Date the risk was first identified (and sometimes the name of the person who first identified the risk)

4. Type of risk, e.g. Technical, Project, Business, Health & Safety; alternatively, this could be changed to what or who is at risk

5. Probability of the risk occurring (e.g. L = <10%, M = 10-30%, H = 30-50%, VH = >50%)

6. Impact on the business or project, etc, if the risk did occur (e.g. L = <1 week delay or £10k, M = <1 month delay or £50k, H = < 3 month delay or £100k, VH = > 3 month delay or £100k)

7. Person who is responsible for managing the risk (this is where you need your volunteers)

8. Mitigating actions that are to be taken, i.e. actions that will eliminate or reduce the risk or its impact

9. Status or progress of each mitigating action

10. You may also find it useful to add an owner, or person/s responsible, against each mitigating action.

Some people also combine 4, 5, and 6 into an overall Risk Severity rating.

At the first risk review meeting in any particular area you work out, using structured creativity techniques such as brainstorming, what risks may possibly affect you, then agree on their type, probability and impact. For each of them, especially the medium/high impact, medium/high probability ones, you again use structured creativity techniques to decide what mitigating actions could be taken then choose the most suitable ones to implement. You may want to apply a hierarchy to the actions; e.g. you may prefer an action that eliminates the risk over one that simply reduces it, which in turn you may prefer over one that merely reports the risk if it occurs.

All High Risk / High Probability risk areas should be formally reviewed at each subsequent risk review group meeting, although for practical reasons it may not be worth reviewing all areas at every meeting. However, the responsible person must monitor his/her risks and warn Management immediately of any increase in the probability or impact of that risk, or of other related concerns. Any new risks should also be identified at each meeting.

The risk review matrix or table is usually reported upwards to senior management or, if this provides too much detail, simple Key Performance Indicators can be derived.

A particularly useful measure is to show whether risks are reducing over time, as the mitigation actions start to kick in, or whether they are growing; a simple red / yellow / green traffic light colour code can be effective in drawing attention to risks that have suddenly worsened or don’t seem to be under control.
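
The register and its traffic-light trend can be kept as data and recomputed at each meeting. The Python below is an added example, not part of the original post: the probability bands are those given for column 5, while the severity product, the red/yellow/green rules and the sample risks are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RANK = {"L": 1, "M": 2, "H": 3, "VH": 4}  # ordinal value of each rating

def probability_band(pct: float) -> str:
    """Column 5 bands from the article: L <10%, M 10-30%, H 30-50%, VH >50%."""
    # Assumption: the shared boundaries 30 and 50 go to the lower band.
    if pct < 10:
        return "L"
    if pct <= 30:
        return "M"
    return "H" if pct <= 50 else "VH"

@dataclass
class Risk:
    ref: str                # column 1
    description: str        # column 2
    probability_pct: float  # column 5, estimated in percent
    impact: str             # column 6, already rated L/M/H/VH
    owner: str              # column 7

    def severity(self) -> int:
        # Assumption: severity = probability rank x impact rank (1..16).
        return RANK[probability_band(self.probability_pct)] * RANK[self.impact]

def traffic_light(previous: Optional[int], current: int) -> str:
    if previous is not None and current > previous:
        return "red"     # worsened since the last meeting
    if current >= 9 and (previous is None or current == previous):
        return "red"     # H/H or worse and not reducing
    if previous is not None and current < previous:
        return "green"   # mitigating actions are taking effect
    return "yellow"      # new or unchanged

def review(last: dict, now: dict) -> list:
    """Return (ref, severity, light) for each current risk, worst first."""
    rows = []
    for ref, risk in now.items():
        prev = last[ref].severity() if ref in last else None
        rows.append((ref, risk.severity(), traffic_light(prev, risk.severity())))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample registers for two consecutive meetings.
LAST = {r.ref: r for r in [Risk("R1", "Key supplier fails audit", 40, "H", "Ann"),
                           Risk("R2", "Prototype tooling late", 20, "M", "Raj")]}
NOW = {r.ref: r for r in [Risk("R1", "Key supplier fails audit", 25, "H", "Ann"),
                          Risk("R2", "Prototype tooling late", 35, "M", "Raj"),
                          Risk("R3", "Test lab unavailable", 5, "VH", "Lee")]}

if __name__ == "__main__":
    for row in review(LAST, NOW):
        print(*row)
```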

It is important for risk review and management to be a proactive process; that’s why it’s a preventive technique rather than a corrective one. The mitigating actions in the table should be seen as a starting point rather than the only action ever required; the person responsible for managing each risk should continuously monitor their risk area and take further actions to reduce the probability or impact of the risk and report it to the risk review group.

I think you’ll find this approach to be simple, easily understood and effective. The management of risk in this way helps you to become more in control of your own destiny rather than continually responding to events as a knee-jerk reaction!
