Your Reliability Engineering Professional Development Site
We get this question weekly and sometimes daily it seems.
Why? ISO has not defined Risk Based Thinking? And, this is a hugely important question because ISO has elevated RBT to the same level as PDCA and Process in the Final Draft International Standard (FDIS) of ISO 9001:2015.
One of the things we know is the marketplace hates a vacuum. Someone will develop a product or service to fill in the vacuum. This is exactly what we did with RBT. [Read more…]
ERM is a relatively new concept. There is a robust discussion among experts what it really means. Common ERM elements in most definitions include: [Read more…]
We have conducted hundreds of risk assessments in a number of sectors from homeland security to pension funds to Parks and Recreation departments. We have a number of hard lessons learned. These are some common mistakes we have made and seen: [Read more…]
ISO 31000 is 23 pages long, but these pages provide an entry level Enterprise Risk Management (ERM) guideline.
Why is this important?
An organization develops ISO 31000 ERM capabilities to provide a structured, consistent, disciplined, and achievable approach to risk management that facilitates Risk Based Thinking throughout the organization. Risk Based Thinking is composed of 1. Risk based, problem solving (RB – PS) and 2. Risk based, decision making (RB –DM). Both RB – PS and RB – DM are the basis for all management and supervision. We discuss this in our new book: ISO 31000: Enterprise Risk Management.
Interestingly, we wrote a 230 page book packed with loads of information for a 23 page standard. And oh by the way, we could have written another 200 pages. [Read more…]
Risk assessment is a critical element of ISO 31000 risk management framework. Risk assessment provides the requisite evidence based data and information for Risk Based Thinking, specifically risk based problem solving and risk based decision making. Using the appropriate risk assessment for the organization can determine how to treat and manage specific risks. [Read more…]
ISO 31000 is going to be used more often as more ISO certified companies adopt Risk Based Thinking. However, ISO 31000 can be challenging. Why?
Interestingly, the descriptive nature of the ISO 31000 standard may well be its strength, but may also be its weakness. The standard without the proper guidance of a risk practitioner maybe come discretionary and even arbitrary.
ISO 9001:2015 has Risk Based Thinking requirements. Note ISO 31000 was developed in 2009 and is not harmonized with the new annex SL standards and ISO 9001:2015. [Read more…]
Risk is an interesting concept because there are a number of definitions and interpretations. And this bears on quality because the lack of consistency can make deployment difficult.
Two elements to risk can be seen in the below definitions. There is upside risk and there is downside risk. Some risk definitions have this and others don’t. [Read more…]
Guest Post by Umberto Tunesi (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Mens Sana in Corpore Sano (A Sound Mind in a Sound Body).
It could also be translated that quality of life is more important than the span of life, the number of years you live.
Or that medicine’s task is not to add years to your life but the life to your years.
And it might also be that such a formula for life – originally a Juvenal’s wish or prayer – is much more ancient than its Latin transcription. [Read more…]
Guest Post by Umberto Tunesi (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Or, why we are not listened to?
Why don’t we listen to those who – justifiably – cry wolf?
Be others or ourselves, it does not matter.
The output of this regrettable way of thinking often results in a “chronicle of a death foretold”. What do I mean? [Read more…]
Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
You’ve completed your project’s Risk Management Plan and now you can move forward with project execution because all of the project’s risks have been identified what can go wrong? Well plenty. It’s easy to get caught up in weekly (daily) reviews of the identified risks, tracking status (are the boxes going green, yellow, oh no red?). [Read more…]
Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
What’s the risk of not addressing a risk? What happens on a project when a risk is identified and not addressed/mitigated? There may be reasons not to correct it, e.g low probability of occurrence and minimal impact, but how do we document and track this decision? And if we’re delaying an implementation how do we insure the risk is addressed at a later date, e.g. next version release? How do we insure that if an audit takes place the project team can clearly explain the reasons for the decision? Is this even acceptable? [Read more…]
Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
You’ve no doubt read about Google’s driverless car and the effort at the state level to gain permission for its use on public roads.
There are the obvious concerns and risks with operating a driverless car, though Google does have someone sitting behind the wheel, just in case. Of course, can a person just along for the ride respond fast enough to a problem? This becomes one of the risk areas needing to be addressed before full adoption of driverless vehicles. Integrated with Intelligent Transportation Systems (ITS) we’ll see vehicles and roads sharing data with each other to produce safer travel and relief of congestion. [Read more…]
Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
I usually write about risk as related to projects, but several of the comments I received on my article on “Can Your Pacemaker be Hacked” made me realize that we are all faced with risk management in our personal lives.
Continuing on the medical topic, think about how many options you’re faced with when your doctor recommends a procedure, whether adding a pacemaker, replacing a joint or a prescription drug.
Hopefully you have a doctor that you trust and knows you, but how would you respond to the doctor recommending a procedure? If we use a risk process then we’d have to consider the possibility of the identified risk occurring, the impact on our life(style), the benefits of mitigating the risk.
To support our decision we could get a second opinion, do on-line research or check with family/friends that have had the same procedure. Then just like a manager assigning a risk we’d have to review the data we collected and make a decision. The advent of Electronic Medical Records should make life easier, but also lead to more challenges for managing/securing data. [Read more…]
Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Hack a pacemaker? Is this a real problem?
Some recent experiments have been able to hack a pacemaker and other medical devices including an insulin pump. The weakness of these systems was the analog sensors attached to the body to gather information. These analog inputs bypass the internal security and are converted directly to digital signals.
From a risk perspective is this something medical device manufacturers , insurance companies and the medical professionals need to worry about? It was part of a conversation at the Black Hat @Design West Conference where considerable discussion was held on building defensive walls. [Read more…]
Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
After writing several articles about topics related to medical devices and big data, thought I’d explore a new area, risk and space tourism.
Though I will include one interesting note about medical devices, on the October 20th episode of 60 Minutes former VP Dick Cheney admitted that he had the external programming capability for his defibrillator turned off to prevent it from being hacked. So, even as people question the possibility of this occurring we have a real world example of the steps taken to prevent this from happening. Think risk mitigation. [Read more…]