A Framework for Risk Management

Making or supporting decisions involving product or system reliability is fraught with uncertainty. Is it reliable enough? Will failures occur prematurely? Are failures dangerous?

Uncertainty is risk.

In recent years more organizations and international standard bodies have focused on risk management. Identifying, analyzing, and mitigating uncertainty in a systematic manner.

There is not a set way for every organization to organize a risk management process. The ISO 31000 standard does describe a framework for the implementation of risk management within your organization.

The ISO 31000 Enterprise Risk Management Framework

Management commitment

As with any major initiative or program, having senior management involvement is critical. The commitment is not only for approval of a program, it is for active discussion, review, assessments, and improvements.

The commitment is not only for approval of a program, it is for active discussion, review, assessments, and improvements.

A risk management program serves the board of directors and senior management as they make policy and major decisions. Their intimate involvement is essential in the creation and operation of the enterprise risk management system within the organization.

Design of the framework (Plan)

The initial step, and often revisited is to tailor a risk management process that meets the needs of the organization and all stakeholders.

Implement risk management (Do)

Exercise the process by identifying risks, conducting risk analysis, and mitigating risks as appropriate.

Monitor, reporting, review (Check)

Gather the data to determine the effectiveness, efficiency, and economics of the risk management program.

Update and Improve the Framework (Act)

Use the information on the health of the process to identify what is working well and what needs improvement.

A Risk Management Process

Like any business process, the risk management process is a set of activities.

The details describing how the organization manages risks. The framework provides an outline for essential elements for the process, yet permits each organization to craft a process suitable for their unique culture and situation.

In general, a risk management process will include the following elements:

1. Recognition and identification

Risks exist whether or not we are aware of them. Taking steps to scan for potential risks permits the organization to address the risk appropriately.

2. Analysis, evaluation, and ranking

There are many risks facing any organization.

Some require significant investment to understand and avoid, while others present only a minor inconvenience at most. Understanding the risks, then prioritizing which require attention focuses resources to best meet business and customer objectives.

3. Avoidance, mitigation, or response

Dealing with risk may take different approaches depending on the situation.

Avoiding a risk may involve changing plans or design, or effectively interrupting the chain of events leading to undesired outcomes. You have control to alter the presences of the identified risk.

When unable to avoid or eliminate a risk you may be able to temper or reduce the severity of the risk. Take the sting of unwanted outcomes out.

If A occurs instead of result B (very bad outcome) alter the design or system such that result C (not so bad outcome) occurs instead.

In some cases the risk may not have a viable means to avoid or mitigate, thus we will have to accept the consequences if the potential outcome occurs.

For each risk identified and deemed necessary to address make a conscious decision and take action to avoid, mitigate or accept.

It is our response to risk that improves our ability to manage the uncertainty about us.

4. Allocation of resources

In order to implement the above elements, it takes time, materials, and funding. Who has the authority to allocate expenditure of resources to manage risk? This is a common management function, here focused on risk management.

5. Contingency or response planning

What happens if? There are two parts to this element: Identifying triggers requiring a response, and the appropriate response given a specific set of triggers.

When an undesired outcome is unfolding there may not be sufficient time or resources to think through an appropriate response.

A bit of prior planning increases the chance of just the right response to the situation.

6. Monitoring and reporting

This is the oversight function. The risk management process may have a range of forward and backward looking measures, yet tailored to the overall risk management objectives.

7. Review and process improvement

Regular consideration of the risk management process enables the routine adjustments necessary to keep the process functioning well.

The organization and the world around it change as do the presenting risks. Maintaining and improving the risk management process is a necessary and ongoing element.

One way to organize the elements of a risk management plan is to consider the architecture, policy, and protocols.

Risk architecture

• Roles and responsibilities
• Communication plan
• Reporting plan

Risk management policy

• Strategy
• Appetite
• Attitudes
• Philosophy

Risk protocols/procedures

• Guidelines
• Rules and procedures
• Methodologies
• Tools
• Techniques

Reliability Engineering and Risk Management

You may have already identified how reliability engineering fits within an enterprise risk management system.

Beyond the uncertainty of future product performance, warranty expenses, reliability performance impacts profitability, brand loyalty, and more.

Understanding how reliability information, including a clear understanding of reliability risks, helps senior management to individual engineers make better (less risky) decisions allow you to integrate reliability within the risk management framework.

Make reliability part of every decision.

Do you have a risk policy? How well is your reliability engineering work integrated into your organization’s enterprise risk management program?