ASQ CQA – 5. Quality Tools and Techniques Part 14

  1. 5H Plan Risk Management and Identify Risks

And these five steps are plan risk management, identify risk, analyze risks, plan risk response and monitor and control risks. In this particular video we will be talking about first two steps planning risk management and identifying risks. Let’s start with planning risk management. How do you plan risk management in the organization? When you want to set up risk management in the organization, you need to set up some rules and processes in place.

You need to establish who’s doing what with regard to risk management, and you also need to define the risk-related terms for the organization. What does risk mean for your organization? What do low criticality and high criticality, low probability and high probability risk mean in your organization? So you need to set up those rules as the first step in risk management. In the planning stage, you define the roles and responsibilities: who will be responsible for managing risk, who maintains the risk register, who updates that.

So all those things you need to define at the early stage in establishing risk management. You need to establish some tools and templates which you will be using for risk management, and then you also need to plan how to do the other four activities. We said that in risk management there are five main steps. So in the first step you define how the other four steps will be done: how your organization will identify risks, how your organization will analyze risks, plan the risk response, and monitor and control risks. So these are the things which you need to do in the first step of risk management, which is plan risk management.

Once you have done the plan, the plan is in place. Now you want to implement risk management in the organization, and for that the next step will be to identify risks. So here you will identify and list down all the risks which are associated with the activity, all the risks which could hamper or prevent the target or the objective which your organization wants to achieve. Those risks you want to identify in this second step, which is identify risks. Risk identification is a systematic process and this is best done in a group environment in the form of brainstorming.

Let’s say if you are doing a project and you want to evaluate what are the risks associated with that, that project could be, let’s say, a new product development, what are the risks associated with this project? So you set up a team and this team does the brainstorming. In the brainstorming you list down all the risks which are identified by this team and people who could participate in that group discussion or brainstorming could be people from management, the employees, the stakeholders, the customer. Depending on the situation, you can select the team which will be doing the brainstorming and listing down all the risks.

So after establishing the plan, this is the first important step, where you list down all the risks in risk identification. The tools which are used are brainstorming, which I have already talked about. Other tools you could use in addition to brainstorming are the Ishikawa diagram or the Cause and Effect diagram, and the flow diagram to understand how things are flowing. The SWOT diagram. SWOT is strengths, weaknesses, opportunities and threats. So you make four boxes, and in those four boxes on one side you put Strengths, then you put Weaknesses, Opportunities and Threats. And then you could use FMEA. FMEA is failure mode and effects analysis.

We will talk about FMEA once we complete this topic of risk management. So these are the tools which you could use in identifying risks. And then the output of the risk identification is the risk register. So the risk register is the register where you list down all the risks which have been identified. Now here you have listed down each and every risk that has been identified. So some of those might have low probability, some might have high probability. Some of these risks which you have identified might have low impact, some might have high impact. And that’s what you will be doing when you analyze those risks in the next step.

  1. 5H Analyze Risks

Now we need to set priority for those risks. Some will have high priority, some will have low priority, so that we can work on those risks which have high priority. That’s the reason we analyze risk, so that we can focus only on those risks which are critical or which have high priority. Now, when it comes to analyzing risk, risk analysis is done in two ways. Or there are two types of risk analysis. One is qualitative and the second is the quantitative risk analysis. Qualitative is related to quality, quantitative is related to quantity or the number or the precise assessment of risk. Qualitative risk assessment is quick and easy to perform and that’s what we will be discussing here in this lecture. However, these are subjective in nature. So we are not going into precise numbers. We are just doing the qualitative or the high level overview or the quick overview of the risk.

On the other hand, when it comes to quantitative risk analysis, these are detailed and time consuming and this involves a lot of data and analytics. So we are not covering the quantitative risk analysis in this lecture. As for tools, for qualitative we use the probability and impact matrix. This is what we will be talking about in this lecture. And then when it comes to quantitative, we use techniques such as expected monetary value analysis, Monte Carlo analysis or decision tree. We are not talking about these tools here in this video. Let’s focus on the probability and impact matrix as a part of qualitative risk assessment. So when we talk of the probability and impact matrix, we are looking at two things: the probability and the impact of that risk.

What we want to evaluate here is what is the probability or the likelihood of that risk happening and what is the potential impact on the objective of the organization if that particular risk occurs. If we take two events such as, let’s say me going from my home to office and the risk is delay in reaching because of traffic, the probability is high. There is a good chance that something might happen and I might get delayed. So the probability is high, but then the impact of delay in reaching will be minimum, so the impact is low. So this particular example of me traveling from my home to office and getting late in the traffic, the probability is high, but the impact is low. On the other hand, if we take another risk, let’s say we have a plant, manufacturing plant, and then we have identified a risk of earthquake, so the probability of that happening is low, very low.

But the impact of that, if that happens, will be very high. So this is how you evaluate risk based on these two things, the probability and the impact. Later on, when we talk about FMEA, failure modes and effects analysis, there also we will be using these things such as the probability and impact, so there also we will identify risk or what could go wrong. But then we evaluate each of those items in FMEA based on three criteria. The severity, which is equivalent to impact, the probability, which we have in risk management as well. But then there we even talk about detection: what is the chance of detecting that problem. But here when we talk about the probability and impact matrix, we don’t talk about detection. Here we just focus on two aspects of the risk, which are the probability and the impact.

So what we generally do in the probability and impact matrix is we assign a rating from one to nine, one being low and nine being high. Or we have a rating on a five point scale: very low, low, medium, high and very high. Or we could have a score of one to five or we could have a score of one to three. This is something which you need to decide in the planning stage, when you are planning risk management. At that stage itself, you need to define what sort of system you will be using to quantify the probability and the impact, whether you are using the numbers from one to nine or whether you are using the point system of very low, low, medium, high, very high. So this is something which you need to define at the very beginning in the planning stage. And then once you have identified the probability and impact, both of these will be, let’s say, on the scale of one to nine. You identify, let’s say, probability as five, impact as nine, whatever number you assign to that, then you get a risk score by multiplying these two numbers. The probability number multiplied by the impact number will give you the risk score. So the higher the risk score, the more critical that particular item is. So here we have an example. Let’s say we have a risk which has a low probability of happening, and the example of that would be, let’s say, the earthquake; the probability number for that will be one.

So we have assigned the minimum number one as the probability, but then the impact, if that particular event happened, will be high. So for that we have assigned the impact number as nine. So in this particular case, the risk score will be the probability multiplied by impact, or one multiplied by nine is equal to nine. So this is how you will be looking at each of the risks which you have identified: assign the probability rating, assign the impact rating and multiply those two numbers to get the risk score. So here is a sample table for probability which you would need to define for your organization in the planning stage. It basically defines in what case you define the probability number as one and in which case you will define the probability number as nine. So let’s say you have defined a risk and the risk event is not expected to occur. In that case you will assign the probability number as one, and if the risk is definitely expected to occur, then you will assign the probability number as nine. So this is how you define the probability rating from one to nine. And then you will have a similar table for impact as well. So in impact also you need to assign a rating of one to nine.

So here in the case of impact, you could look at the impact from the point of view of cost, schedule, scope or quality. So you need to see what will be the impact of that particular event, whether that will have an impact on the quality, whether that will have an impact on the cost. And then based on, let’s say, this particular table, you can define what rating you want to give in the case of the impact value. So these are the tables which you need to define in the planning stage. Once you have these two numbers, then what you can do is make a matrix such as this, where you have impact on one axis and the probability on the other axis. I have made this table short by having the numbers as 1, 3, 5, 7 and 9, rather than having one, two, three.

So here, if you have the probability as one and impact as one, so low probability and low impact, that means you will end up somewhere here, and this is in the green zone. Green zone means okay, you can live with this particular problem, this particular risk. And on the other hand, let’s say if you have identified the impact as five and the probability also as five, then the multiplication of that will be 25, and this will fall in the yellow zone. But then if you have a risk which has nine as the impact and nine as the probability, high impact, high probability, then that will fall here, which will be in the red zone. So definitely you need to take action, immediate action, to avoid that risk. So this table can help you in prioritizing those risks. So the red one will be the top priority, the next priority will be the items which fall in the yellow zone, and then the low priority risks will be the ones which fall in the green zone. Another way to have this table is this, where instead of having ratings of one to nine, here you have given ratings as very low, low, medium, high and very high.

Here also you look at each of the risk and see whether the risk has the high probability, low probability or very low probability. And then you also look at the impact and based on that, you see that where does that risk fall, whether the risk falls in the red zone, yellow or the green zone. And based on that you can prioritize.
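The probability and impact matrix described above, as an added example that is not part of the original lecture: it scores a risk register on the one-to-nine scale, assigns zones and sorts by priority. The zone boundaries, the tie-break rule and the sample risks are assumptions constructed for illustration; the lecture only fixes 1×1 as green, 5×5 as yellow and 9×9 as red.

```python
from dataclasses import dataclass

SCALE = range(1, 10)  # the 1..9 rating scale chosen in the planning stage

# Assumed zone boundaries (the lecture gives no cut-offs); picked so that
# a score of 1 is green, 25 is yellow and 81 is red, as the lecture states.
YELLOW_FROM, RED_FROM = 15, 45


@dataclass
class Risk:
    name: str
    probability: int
    impact: int

    def __post_init__(self):
        # Reject ratings that fall outside the scale agreed in planning.
        for label, value in (("probability", self.probability),
                             ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label} {value} not in 1..9")

    @property
    def score(self):
        # Risk score = probability rating x impact rating.
        return self.probability * self.impact


def zone(score):
    if score >= RED_FROM:
        return "red"
    return "yellow" if score >= YELLOW_FROM else "green"


def prioritize(register):
    # Highest score first. Equal scores are ordered by impact, which is an
    # assumed tie-break: the score alone cannot tell 1x9 apart from 9x1.
    return sorted(register, key=lambda r: (-r.score, -r.impact))


def matrix(levels=(1, 3, 5, 7, 9)):
    # Shortened grid as in the lecture: rows are impact (highest first),
    # columns are probability (lowest first); each cell is (score, zone).
    return [[(p * i, zone(p * i)) for p in levels] for i in reversed(levels)]


# Constructed sample register (illustrative entries and ratings).
REGISTER = [
    Risk("Commute delayed by traffic", probability=9, impact=1),
    Risk("Earthquake at manufacturing plant", probability=1, impact=9),
    Risk("Prototype rejected by market", probability=5, impact=5),
    Risk("Critical defect escapes inspection", probability=9, impact=9),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:>3} {zone(r.score):<6} P={r.probability} "
              f"I={r.impact} {r.name}")
    for row in matrix():
        print(" ".join(f"{s:>2}{z[0].upper()}" for s, z in row))
```

The traffic and earthquake entries both score 9, which is why the register keeps the probability and impact ratings alongside the score.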

  1. 5H Plan Risk Response and Monitor/Control Risks

We want to take some action on those risks. So this is what which will be covered in this video, which is planning risk response. So here we are planning what actions we need to take for those risk which we have identified and which we have analyzed. So when it comes to risk response, there are two things which you can do for negative risk. So if you have negative risk, first thing which you can do is reduce the possibility of that risk happening or you could reduce the impact of that risk. If that risk happens, the impact of that gets minimized. So two things you can do for negative risk. On the other hand, if there is a positive risk, then you want to take the maximum advantage of that positive risk. So for that, what you could do is do something which will increase the possibility of that positive risk happening and also you could increase the impact of that risk.

So now, based on whether the risk is positive or the risk is negative, we will have different strategies, different responses to deal with those risks. So here on the left side I have negative risk and on the right side I have positive risk. So if you have negative risk, then you have four types of response which you can take for negative risk. You can avoid the risk, you can mitigate, you could transfer or you could accept the risk. When it comes to positive risk, you can exploit that risk or you could enhance, share or accept the risk. So there are four strategies to deal with negative risk and four strategies to deal with positive risk. Let’s look at each of these in the next eight slides, starting with negative risk. So in negative risk, the first strategy is to avoid that. And once again, negative risk is something which will prevent you or your organization from achieving the objective. And once again, if I take that simple example of me traveling from my home to office using my car and my risk is that I might get delayed because of traffic, because of signals, et cetera, that’s my risk. I’m just keeping things simple here. So now what strategy can I take? So the first strategy for that could be to avoid that risk, if I could avoid that.

So I might work from my home, I might call in for all the meetings which I have to attend; that’s one way to deal with that negative risk. I understand that the example which I’m taking here is quite simple, but then you can understand there are many risks which you can straight away avoid. So this is the first strategy. So let’s say in your risk register you have one of the risks which has a very high probability of happening and the impact is very high. And if there is any way to avoid that thing altogether, you might consider avoiding that activity so that you don’t end up in big trouble. Coming to the second strategy for negative risk, which is mitigating. In avoiding, we were totally avoiding that activity. Whereas in mitigating, what we are doing is we are reducing the probability and reducing the impact of that particular activity. So if we could do something to reduce the possibility of that risk happening, how can we do that? Let’s say we can simplify the processes so that there is less chance of making a mistake. Let’s say we are launching a big product.

There is a lot of cost involved. So what we could do is we could develop a prototype before we develop the full product, so that we can take feedback from the market. And based on that only, we will go ahead with a new product. This is mitigation. So rather than spending the whole lot, that’s the millions and millions of dollars in developing that product, we just might want to develop a prototype and test that. Another is having additional inspections. Or we might want to use the lessons learned in the past. All these things you can do to mitigate that risk. Mitigate means to reduce the possibility of that thing happening and also to reduce the impact if that particular thing happens. The third strategy in dealing with negative risk is to transfer that risk. The very simple example of transferring risk is insurance. Let’s say I have a house and there is a risk of flooding and there is a risk of theft. So there are many risks related to my house. So what I do is I transfer that risk to someone else, and someone else here is the agency which is doing insurance for my house.

So this is another way to deal with risk. Some of the risk which have very low probability but have very high impact, many times the best strategy for those will be to transfer that risk. So in this case of house insurance, there is a very low probability of all those bad things happening. But then if those bad things happen, the impact of that is very significant. So in that case, you transfer that risk to someone else and which will be the insurance agency. And that’s the reason all the factories, your car, your house, those things get insured because you want to transfer that risk to someone else, or you might want to subcontract or you might want to put a performance warranty. So these are some of the examples to transfer that risk to someone else. The fourth strategy is to accept the risk.

There are some risks which have low possibility, low probability of happening, impact is also low. Then what you want to do is you just want to accept that. I’m just going back to the first example which I took in avoiding if reaching office in time is my goal and I know that the impact of that is not very significant. Probability is also not very high that I will be significantly late when traveling from my home to office. In that case, I just might want to accept that risk. Rather than avoiding or something, there are a few things which you have to accept. There is nothing which is without risk. So if the impact is low, the probability is low. Just live with those risks and deal with them when they happen. So this is the fourth strategy, which is accept the negative risk. When we talk of accepting the risk, there are two types of acceptance the passive acceptance and active acceptance. In passive acceptance, there is no plan created to deal with this. You just accept the risk and live with that.

Whereas in active acceptance, you accept the risk. You understand that you are not doing anything to deal with that risk, but you still have a contingency plan. So again, going back to the simple example of accepting the risk for my going from home to office, let’s say I’m going from home to airport to catch a flight. Now here I have a little bit of risk that I might get delayed, but I still live with that. It’s fine. Like most of the time I reach airport in time. But in this particular case, I might want to have a contingency plan. Like morning, if my car doesn’t start or there’s a starting problem or something, I have a contingency plan. For example, I have the taxi company’s phone number handy with me. Or I could take Uber. So I still keep a contingency plan even though I am accepting the risk. So this was the fourth strategy to deal with negative risk. Now, coming to positive risk, these strategies are just opposite to what we learned in the negative risk. In the negative risk, we talked about avoiding the risk altogether. This was the first strategy as against avoiding.

In positive risk, what we want to do is exploit, rather than avoid as in the negative risk. In the positive risk, we want to exploit that. So if there is a great positive risk which could help your company make lots and lots of profits, what you want to do is exploit that risk, take maximum advantage of that, put your best team members, put all the resources to take advantage of that particular positive risk. So this is the first strategy. The second strategy is enhance. Enhance is the opposite of mitigation. In negative, we were mitigating the risk. In mitigating, we were attempting to reduce the probability and impact. Here, in enhance, we want to increase the probability and impact.

We want to make sure that that positive risk happens. Whatever we could do to increase the probability of that positive risk happening, we do that. So this is the second strategy in positive risk, which is to enhance. Third strategy is share. Share is opposite of transfer. In negative, we were transferring that risk to insurance agency. In sharing, we shared the positive risk by forming a team, by forming a joint venture or partnership with a third party. So these are something which we could do to take the maximum advantage of the positive risk. And similar to the negative risk, the fourth strategy in positive risk is also accept. Let’s say there is a positive risk which could make your company more profits, but the probability of that happening is low and the profits are also not very significant. So what you might want to do is just accept that, just ignore that because you cannot take care of all these small things. So you need to focus on big things only. So this completes our discussion on planning risk response.

So now we have planned the risk response, we have put all those plans in the risk register. What is the next activity? Now we need to monitor and control those risks. So in the risk register we have all the risk, we have the priority number for that risk and we have the response against each of these risks, the planned response. Now, the next thing what we want to do is we want to monitor that. We want to see with time if something happens, whether we have taken appropriate action. This is something which we do in monitoring and controlling.

So here we regularly review our risk register and we see if some of those risks are still relevant or not. If time has passed and those risks are not relevant, then you remove those risks from the risk register. If things have changed and there are new risks which have emerged, then you add those risks to the risk register. And then you might want to do a risk audit to make sure that whatever plans you had are implemented and are effective.
