The tension between risk management and quality management is very much alive at the moment. It has been reported that too often, senior managers fail to set project budgets at a level consistent with the necessary standards of quality, cost and delivery, with the inevitable result that too many projects are at risk and fail on at least one of these requirements.
Risk management starts at strategic level and is linked to the standard strategy tool of a SWOT analysis (strengths, weaknesses, opportunities and threats). The “T” in SWOT refers to threats. Risk arises in connection with a threat to an asset or desired goal, and risk management starts by identifying gaps in the protection which is in place – the vulnerabilities. If there is no vulnerability, there is no risk.
Daniel Kahneman in his recent best seller, Thinking Fast and Slow (2011), discusses the major body of evidence that we all have a propensity to misidentify risk. Many studies have shown that in assessing risk, we give more weight to our emotional attitude rather than the objective evidence of probability. Where a risk and its potential outcome alarms us a lot, we are more likely to overestimate its probability.
A key move in overcoming this bias involves a concept which was first formulated in the seventeenth century by the mathematician, Blaise Pascal. He was the first person to the see the value in multiplying the probability of a risk by the value or loss in the relevant outcome. This product is called the expectation. Thus we may be aware of an outcome which alarms and which we judge might cost £1m. However, the evidence may suggest that the probability is only around 1% or 0.01. The value of the expectation is therefore £10,000.
“Once risks have been identified and assessed, the ways to manage risk fall into one or more of these four major treatments: avoidance (eliminate), reduction (mitigate), transference (outsource or insure) and retention (accept and control)”
Suppose there is a second risk which is valued at £80,000 but where the probability is 20% or 0.2. The value of the expectation is £16,000. This second risk should take a higher priority than the first risk as the value of the expectation is greater. This way of thinking is central to a key tool in managing risk in new product development – failure mode and effects analysis or FMEA as it is usually known.
A good way of avoiding pitfalls in risk management is to follow a reliable standard. ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.
The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management and it seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes. The latest version of the standard dates from 2009. The ISO 21500 Guidance on Project Management standard aligns ISO 31000:2009 and is intended for a broad stakeholder group including:
- Executive level stakeholders
- Appointment holders in the enterprise risk management group
- Risk analysts and management officers
- Line managers and project managers
- Compliance and internal auditors
- Independent practitioners
“The management process should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.”
Audit is an important point of connection between risk management and quality management. Any quality management regime will involve an audit programme. Drawing up the audit programme should reflect an assessment of risk and the programme should be formally approved at board level in case the board are aware of extra risks that need to be covered.
The main quality management standard ISO 9001 is being revised and it is likely that risk management will become much more prominent in the requirements. For example, the current draft states:
“The organisation shall determine external and internal issues, that are relevant to its purpose and its strategic direction and that affects its ability to achieve the intended outcome(s) of its quality management system.”
This high level requirement means that organisations should identify threats and weaknesses and actively improve their response to these factors in order to meet the standard.
We define risk as an event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives, core processes, key dependencies and or the delivery of stakeholder expectations.
Risk has two components:
- Severity: if harm occurs
- Probability: of harm occurring
Each business situation has to be considered as its own distinctive state of affairs. However, there are common Industry Forum Business Excellence Through Inspired People risk categories such as:
- Lack of people skills and / or resources
- Unexpected absence of key personnel
- Ill-health, accident or injury to people
- Inadequate or insufficient premises
- Denial of access to premises
- Damage to or contamination of premises
Other important risk categories are assets, IT, suppliers and communications. Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. This covers a number of essential risk management techniques such as brainstorming, FMEA and scenario analysis.
“…audit is an important point of connection between risk management and quality management.”
Once risks have been identified and assessed, the ways to manage risk fall into one or more of these four major treatments: avoidance (eliminate), reduction (mitigate), transference (outsource or insure) and retention (accept and control).
The business environment doesn’t stand still and key factors are always emerging and developing. Risk management therefore has to be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. The management process should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future. In the context of quality assessment for standards like ISO 9000, there has to be real evidence that the risk management process is taking place starting with leadership.
This article was first published in The Lean Management Journal, July 2014