Why implement risk-based thinking?
Are you looking for certification? Undergoing an audit? Just trying to achieve compliance? There are many reasons, but put simply organizations adopt risk-based thinking with the objective of making better decisions — especially when they are operating in a challenging, fast-paced or otherwise uncertain environment. Although the return on investment (ROI) for risk-based thinking is difficult to characterize, most organizations have anecdotes about the (sometimes spectacular) failures and inefficiencies that have come from pretending that nothing unexpected will happen – or by not investing the time or resources required to plan for the unanticipated.
According to Willumsen et al. (2017), this improved decision making can yield many benefits, including:
- Reducing frequency of losses
- Reducing likelihood of losses
- Reducing costs of losses
- Improving response time to unexpected events
- Reducing stress
- Improving communication
- Enhancing organizational learning
- Capturing new opportunities for growth and improvement
Risk assessment and risk management does take time, effort, and money. As a result, some organizations only give lip service to risk — for example, by constructing a Risk Register during annual strategic planning — and then letting it gather dust the rest of the year.
Addressing risk is far more than an assessment or management exercise, though. Time spent contemplating, finding, and dealing with risks also helps you learn about your organizational processes with your colleagues. This shared learning process helps to build and strengthen relationships, and often improves communication. A better understanding of the organization and its processes leads to improved business results. (Kovach & Fredendall, 2013)
The process to adopt risk-based thinking
Risk management is a set of “systematic approaches for organising the pros and cons of a decision alternative” that includes the following general steps: (Aven, 2016)
- Establish the Context. Define the purpose of, goals for and criteria governing the risk management activities in the organization.
- Risk Assessment, which includes:
- Risk Identification. Identify situations or events (including hazards, threats and opportunities) that could affect the organization.
- Risk Analysis. Systematically investigate causes and consequences of these events.
- Risk Evaluation. Assess the likelihood, consequences and significance of the risks.
- Risk Treatment. Address risks and monitor the effectiveness of the treatments.
This process is summarized in Figure 1, from ISO 31000:2018, Risk management – Guidelines:
Figure 1. Risk management process in Clause 6, from ISO 31000:2018
The risk treatment step requires more than just identifying a control and putting it in place, because there are several different ways your organization can respond to a risk. If you’re not identifying or managing any risks, your default choice is to Ignore all risks. Implementing controls (in design, on the production process, or post-sale) helps to Reduce risks, and sometimes even eliminates them. An organization can Share its risks with partners or customers (for example, by cooperatively developing new products or features) or can Transfer risks to other parties, like insurers. Finally, an organization can Avoid risks by adjusting its business model, influencing the competitive environment, or transforming the business to change the nature of the risks. The treatment step is not limited to implementing controls.
The Baldrige Performance Excellence Program (a quality system that shares foundational concepts of ISO 9001:2015, but applies them in a more holistic and more flexible way) presents some ideas for how to leverage the organizational profile to explore risks. Baldrige promotes intelligent risk taking to find routes to transformation:
- Item 1.1—How do senior leaders create an environment for innovation and intelligent risk taking, achievement of strategic objectives and organizational agility?
- Item 2.1—How do you decide which strategic opportunities are intelligent risks to pursue?
- Item 5.2—How does (your performance management system) reinforce intelligent risk taking to achieve innovation, reinforce a customer and business focus, and reinforce achievement of your action plans?
- Item 6.2—How do you pursue strategic opportunities that you determine are intelligent risks?
Risk-based thinking may not solve all your problems, but it will get you thinking more strategically about how to deal with the unexpected. To learn about how software can help, click HERE.
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13.
Baldrige Performance Excellence Program (BPEP). (2018). Baldrige Excellence Framework. Available from https://www.nist.gov/baldrige/publications/baldrige-excellence-framework/businessnonprofit
Willumsen, P., Oehmen, J., Rossi, M., & Welo, T. (2017). Applying lean thinking to risk management in product development. In Proc. 21st Intl. Conf. on Engr. Design (ICED 17), Vancouver, 269-278.
About the Author
Nicole Radziwill is Quality Practice Lead at Intelex in Toronto, Ontario. She uses data science and applied machine learning to enhance quality and catalyze innovation in industrial systems. Nicole is a Fellow of the American Society for Quality (ASQ), a Certified Six Sigma Black Belt (CSSBB), a Certified Manager of Quality and Organizational Excellence (CMQ/OE), and editor of Software Quality Professional with a PhD in Quality Systems from Indiana State. She is one of ASQ’s Influential Voices and blogs at http://qualityandinnovation.com.