Process Risk Assessment
Risk assessment is very topical in the modern world. All organizations need to manage risks, but the good news is that many of the risks that face organizations on a daily basis are those that are within their own control. Few organizations have adopted a structured approach to risk assessment. Risk assessment does not necessarily require sophisticated tools. Assessments can be conducted simply by asking some key questions. Even for those events that are outside your control, there are steps you can take to avoid, contain or reduce adverse impact on the organization.
If you were to ask your management team about risk, would it know:
- What factors affect the organization's ability to accomplish its mission or its objectives?
- What provisions had been made to contain, reduce or control risk?
- In which processes were these controls installed?
- How the effectiveness of these provisions is being measured?
- What recent changes have been made to these processes to improve their robustness in preventing the risk having a detrimental effect on the business?
If you were also to ask your management team about the provisions it has made to mitigate against risk, would it be able to explain what provisions had been taken to safeguard the organization from:
- Attack by competitors, disgruntled employees, computer viruses?
- Losing customers, suppliers, employees, reputation?
- Decline in orders, revenue, profit, market share?
- Dissatisfying customers, shareholders, employees?
- Prosecution by regulators, customers, employees?
- Delayed delivery?
- Delayed receipt of product or payment?
- Hazards injurious to health of personnel and/or the environment?
- Accidents to personnel and equipment?
- Breakdown of equipment, plant, machinery, relationships?
- Disruption to business continuity by computer failure, loss of information, strikes, weather?
Certain techniques can identify potential risks and assist in their elimination, reduction or control if the provisions are built into process design, as shown in the table below.
| Column | Description |
|---|---|
| Risk, Failure Mode or Hazard | Results from the question, “How could this process fail to achieve the process objectives?” |
| Effect | Results from the question, “What effect would this failure have on the performance of the process?” |
| Cause | Results from the question, “How likely is it that this will occur regardless of any controls in place at this time?” |
| Inherent Probability | The criteria for establishing the probability of occurrence regardless of any controls in place are as follows: Very High: Failure is almost inevitable; High: Failure often occurs in this type of process; Moderate: Failure occasionally occurs in this type of process; Low: Failure occurs only in isolated cases; Very Low: Failure is unlikely – failure of this type has yet to be observed |
| Controls | These are the actions taken to change the process design to: a) Eliminate the failure by process redesign; b) Detect and remove the failure by inspection/review measures; c) Reduce the effect by additional provisions |
| Ref | This is a link to the part of the BMSD that describes the provisions that have been made to mitigate risk |
Many rules and regulations or requirements have their roots in the elimination of failures, disasters, accidents and the like. When such requirements are imposed upon us we sometimes forget what risk they were intended to prevent from happening. Often the risk is not present in our organization or its probability of occurrence is negligible, but the requirements are imposed just the same. By working backwards from the requirement, a relevance analysis would establish what it was designed to accomplish, the probability of this event happening in the organization and what impact it would have if it did happen. A common example is the raft of requirements there used to be in ISO 9001 on document control. Why so many requirements when, in a computerized environment, document control is a given? Why would anyone want to use an unauthorized document? The use of Intranets has made this requirement obsolete. The requirements appear more relevant to an age when information was produced on a typewriter and documents were distributed manually. While computerization may have solved some of the issues concerned with controlling paper documents, it has brought in new risks such as computer viruses and data security threats.
More information on process risk assessment may be found in Chapters 10 and 21 in the ISO 9000 Quality System Handbook 7E.
© Transition Support Last edit 12/12/2022