Risk management and Failure Mode Effect Analysis
Before speaking about identifying and assessing risk, this YouTube highlights the value of Risk management and Failure Mode Effect Analysis (i.e. FMEA ):
Naturally, an actual change is required in order to minimize the likelihood or effect of a risk. One pit fall is to do nothing and hope for nothing to happen. Others include overdoing the mitigation (thus reducing resources form the end objective), or only looking at/doing too little (despite Murphy’s law). Before going down any of these routes, pause and think.
Both risk management and FMEA aim to anticipate events and increase the chances of success. While used in different contexts or situations, they have a lot in common for the identification and assessment of risks (or failure points). To limit duplication, we’ll only use risk in the remainder of the article. Each step is dependent on the quality of the previous step(s). A good assessment will provide valuable insight into the overall risks and the biggest exposures. Too little can lead to high consequences. Too much are means and resources not used to add value. Without undermining the effort or good work done, we often tend to only focus on the top end of a spreadsheet.
Identifying
There exist several methods are available including:
- Objectives-based risk identification: Starting with the objective of the project or organization, events that can influence the outcome are identified.
- Scenario-based risk identification: Starting with Alternative scenarios, influencing factors or events are risks leading to change scenarios.
- Taxonomy-based risk identification: This is based on a breakdown. For a project, that could be a Work Breakdown Structure. For a process, that could be a Routine, Process Map or SOP (i.e. Standard Operating Process). For a product, that could be a BOM (i.e. Bill Of Materials).
- Common-risk checking: Industries or function have available checklists. For example, ISO (I.e. International Organization for Standardization ) or COBIT (isaca.org )
- Risk charting: To complement above methods by listing resources, threats, or other potentially influencing factors.
Risks are unknown events that influence the outcome. They are potentially negative or positive. As you go through the identification exercise, risks and opportunities are worth capturing. Avoid dedicating a lot of effort and means for small influence on the outcome. However, there is something to gain by putting the effort to minimize negatives risks or to maximize opportunities.
Assessing
The objective of the assessment is to determine where the greatest risk and opportunities are. That will be useful for the analysis and planning in order to optimize the dedicated means. There are different ways to assess the risks. A basic High-Medium-Low or more advanced CARVER (see reference below) are a couple of examples. For here, we’ll use the method used in the FMEA. It uses three factors to determine the exposure:
- Probability (What if <event>…) – If you are lucky, there are historical statistics. In practice, this is often a judgement call. Either way, the higher the likelihood, the higher the exposure.
- Impact (…then <impact>…) – The impact can range from “stop operations” to “no change to operations”. The exposure will increase with the severity of the impact.
- Control (… detected by <control>) – The reliability and the predictability will factor into the exposure. A reliable measurement or indicator that precedes the event will reduce the exposure. An unreliable indicator makes it difficult to anticipate or react accordingly.
The assessment’s quality will increase with the diversity of the input and the iterations. Getting different perspectives from team members and stakeholders increases the experience and knowledge put in. Adopt a way that makes the dialog and contribution easy for everyone. And progress and on-going changes, it will evolve over time. An analogy is a picture within a video.
Taking a step back from the individual assessments, the overview enables to identify the greatest exposures. It could be individual risks or a sub section of the identified risks. For example, testing and implementing are likely to have a high exposure for a development project. Finding the balance, that will optimize resources to reach the result, becomes more systemic and efficient. That is the focus that will help for the response planning.
We haven’t covered the complete risk management cycle here. There is the response planning and the monitoring which we’ll save for a future article. We have covered the first steps that provide the later with a good starting point. To highlight each step, we used Goal Nabber’s FMEA feature. To practice or discover more possibilities, you can sign up for a free trial here.