It is one of the odd truths of life that no matter how well we plan to do everything right, the world doesn’t always listen. Frequently this leads to a small problem, but sometimes it precipitates a major problem for a company. This is where risk analysis comes in: it provides a structured opportunity to think about the potential risks to your company while you still have time to do something to prevent or minimize it.
Risks can be all kinds of things, both internal and external. If a process isn’t followed properly, it could result in a defective product and an unhappy customer; worse, that defective product could hurt someone. Sloppy financial controls could result in bad cash flow. Understaffing can reduce on-time deliveries. External risks can come through the economy, competitors, the weather, and random bad luck.
Some risks can be caused by many specific issues, which may be tough to disentangle. An understaffed process, which can lead to an inability to meet orders, could be caused by too few employees being hired because HR didn’t know how many were needed, because no one approved the hires, because not enough candidates were available, by insufficient skills among the employees being hired, by employees not lasting through the training and probation periods, or by too many employees quitting or retiring. All of these need to be sorted out, because reducing the risk of understaffing requires different responses for each problem. If the problem is the training period, then hiring more people won’t solve the lack of trained people.
Some issues can cause more than one risk. Insufficient staff can cause poor-quality products, late deliveries, unsafe conditions leading to higher injury rates, and attrition due to worker burn-out. Each risk must be addressed separately so that appropriate controls can be put in place. For instance, watching the attrition rate won’t tell you if you have bad product going to customers.
When thinking through possible risks, remember the human component. Even the best operating procedures don’t always work in every circumstance and even if they do, they aren’t always followed. How can you catch deviations from a procedure before it causes a problem?
Risk management includes
- *analyzing potential risks
- *quantifying risks by severity and possible failure rates
- *evaluating existing controls that will prevent or detect the problems
- *ranking the risks
- *recommending action to mitigate each risk
- *taking action on the highest-ranked risks
- *monitoring risk performance
- *reviewing the process regularly
Start with one product or process for risk analysis, rather than trying to do the entire company at once. If you are serious about it, get help from someone who knows what they are doing so that you don’t get overwhelmed by the process or miss an entire category of risks.
Thanks to Mark Shyne of MMEC for a great presentation.