Every organisation is on its toes in its effort to achieve its business goals. In uncertain times, it is important to integrate risk management into the way we manage our businesses. We must realise that risk is the effect of uncertainty on our objectives, and that we need a structure for managing such risks if we are to sustain the achievement of our goals.
Risk Management refers to the architecture for managing risks, and Managing Risks refers to applying that architecture to particular risks. To manage such an architecture, we have to be aware of the principles for managing risks, the frameworks for risk management, and the risk management process itself. ISO 31000 was developed to give us direction for our risk management process and its application; it was published in 2009 along with the guidelines for risk assessment techniques in ISO 31010.
To be effective in the management of risk requires focus. While risk management encompasses varied applications, there is also a risk that we get hung up in its applications and detail. Get the baseline wrong and you end up managing the wrong risk; the wrong cause leads to wasted effort. There is also a risk that risk management becomes a mere exercise and does not capture the depth of the reality behind the risk, failing to deliver the value expected from its application. While there is an attempt to provide a holistic process for managing risks, it still has to be customised for its various applications. In the field of quality, a risk is centred on potential causes and effects across various failure modes; the field of environment, health and safety focuses on the environmental aspects and hazards that bring about threats and consequences. The field of information security likewise focuses on threats that bring about breaches of the confidentiality, integrity and availability of information assets, and business continuity focuses on the potential disruptive incidents that we intend to prevent: business disruption, disaster and, at worst, a crisis.
The common component in the risk analogy for quality, environment, health and safety, information security and business continuity is the presence and reality of the unwanted risk, including the realisation that threats prevail and that we have to be cautious about their consequences. As we attempt to be proactive in managing processes, in our effort to identify risk and its corresponding threats and consequences, a weakness in risk management prevails: it depends on our insight into the risks and on how well we understand our vulnerabilities and the effectiveness of our controls. Once again, get the baseline wrong and you end up managing the wrong problem; the wrong cause leads to wasted effort. Barrier Analysis, the technique used in the Bow-tie method of risk assessment, is something to be explored to address the weakness of current risk management approaches. The barrier perspective provides structure in thinking about underlying causes and about proactive and reactive barriers. It helps you dig deeper into organisational knowledge that is implicit, and make it explicit. Barrier analysis makes you look deeper into the risk, beyond the surface of potential threat and event assessment. It helps you be more definite about the preventive and recovery controls and about the identification of escalation factors, so as to guarantee the effectiveness of the controls.
Risk Management and Business Continuity Management Systems
It is therefore timely to explore the framework and related risk assessment techniques of ISO 31000 to guide the company in structuring its risk assessment, mitigation and treatment. It will also be more effective if we support this with best practice and techniques to properly identify risk and understand the balance between reactive and preventive controls, through a risk assessment technique tested over time by organisations involved in high-risk operations. ISO 31000 and its suggested techniques for risk assessment do not intend to put risk assessment in a box, but to provide options for structured thinking about risk assessment and to creatively facilitate risk assessment that is more visual, effective and value-adding.
In business, risks abound from all angles at any given time: the risk of customer dissatisfaction; the risks of penalties and closure arising from non-compliance with prevailing rules and regulations; the risks of attrition, cyber-attacks, fraud and repudiation; and the reputational risk from any smear campaign that can be run against the company's image and its personalities. That is to name but a few, but when a detailed assessment is performed, it makes all process owners realise that the way to manage a process is not just to understand its inputs and outputs, but to expand the perspective to cover dependencies, not only towards process compliance and effectiveness but towards its general protection from risks to business continuity. The challenge to companies is to understand the environment in which they operate, to understand the prevailing threats to their priority processes, to determine their impact on the business, and to prepare business contingency plans and recovery strategies to mitigate such risks.
As systems evolve, managing processes has become more than just documenting procedures; we began to look beyond effectiveness and at resources and their conservation, towards efficiency. Managing processes became more than just making a plan out of what we would normally do per customer and regulatory requirement; we began to look closer at process dependencies and to evaluate the risks of any failure in those dependencies. As the market widens, technology keeps improving and convenience becomes a top concern in managing processes, risk increases across every transaction. Managing risks used to be a specialist function; nowadays we see every process owner becoming aware of business risks and initiating and instituting controls in their processes beyond the basic requirements. At this juncture, companies are bracing themselves for bigger risks. The climate has been marked by disasters brought about by climate change, and the need to address the conservation of natural resources and to reduce our carbon footprint stands among the priority concerns for companies contributing to business continuity. Technological convenience and the risks it brings intensify image or reputational risks because of the fast dissemination of information across the various media and channels available.
A new standard, released in May 2012, is ISO 22301:2012, which sets out the societal security management system requirements for emergency preparedness and business continuity. Within a defined scope, this standard addresses the possibilities of threats, events and disruptive incidents.
The standard will incorporate the universal and cyclical PDCA approach seen in the typical management system, extending the conventional business continuity planning process to take greater account of business continuity and to prepare the organisation's critical business functions against unforeseeable events that could change the risk environment and impact business continuity. It will incorporate 'failure scenario assessment methods' such as threat profiling and assessment and FMEA (Failure Modes and Effects Analysis), with a focus on identifying 'triggering events' that could precipitate serious incidents. It will streamline resources among business continuity, disaster recovery, emergency response, and ICT security incident response and management activities.
The coverage of ISO 22301 is similar to that of BS 25999-2: business continuity policy, business impact analysis, risk assessment, business continuity strategy, business continuity plans, exercising and testing, and so on, to raise the company's level of resilience and credibility. The importance of this standard is fast increasing along with the business intent to address the action requirements for managing the risks that abound. As the old mantra goes, an ounce of prevention is better than a pound of cure. While a regular process owner struggles with the difference between Correction and Corrective Action to address prevailing business concerns, to manage business continuity we must facilitate the change that shifts the emphasis from Corrective Action to Preventive Action. Preventive actions should be a primary focus of business nowadays, along with performing a good business impact analysis and programmes to manage the risks.
The Game of Innovation
As the marketplace expands due to the growing need for industrial globalisation, CEOs face pressure to further drive operational and product innovation to meet customer demand. In a fast-paced environment, meeting customer demand without sacrificing quality is necessary; as such, the concept of innovation seeks to bridge this gap through proper identification of the critical business areas that deliver customer needs. While the ultimate goal is to identify opportunities for improvement, such objectives may not be realised if the accompanying risks are not managed diligently. As failure becomes not an option, CEOs turn to two management approaches to resolve their questions about innovation uncertainty: Lean Sigma and Design for Six Sigma.
Calculated Risk with Design for Six Sigma
Product development is a crucial part of playing the game of innovation. At the onset of product planning, one missed potential failure could ultimately spell disaster. Realising that a lot can go wrong from planning to execution, project management efforts are now centred on placing control points at critical stages of the product life cycle. Such an approach to product development draws heavily on what is known as Design for Six Sigma (DFSS). DFSS addresses risk through its Define, Measure, Analyse, Design and Verify (DMADV) method of product planning.
At the start of the product life cycle, product definition requires the proper identification of the potential value of the innovation. It is at this stage of defining value that most companies fail to realise the potential risk and the accompanying impact of such innovation. As a result, corporations experience an accelerated rate of innovation just to cope with market demand. The accelerated rate of product innovation could ultimately lead to product and market saturation as consumers become unresponsive to the product.
Because of the realisation of such risk, project management now treats the early stages of innovation as a means of mitigating risk by properly classifying potential threats and their possible impact. DFSS as a tool for product development has a proven track record of providing useful control points in the product life cycle. These control points can help address potential market saturation by realising the value and level of priority of an innovation through product simulation and quality function deployment.
Risk management through Lean Six Sigma
While innovation draws the common misconception of being limited to products, the concept may also be applied to business processes. Since business processes are likewise output oriented, their vulnerability to the failure of people and systems is very evident; such risks can affect one's operations either directly or indirectly, as manifested in the output. With Basel II drawing the line on what operational risk is (any failure in an internal process due to people, systems or external events), there has been a growing consciousness of how such risk can be properly managed in order to surpass, or at least maintain, one's service level.
The stringent and structured methodology of Lean Six Sigma offers a proactive approach to addressing operational risk through proper identification and evaluation, and recommendations on how defective processes may be eliminated. The Lean Six Sigma philosophy sprang from two of the most effective problem-solving approaches, pioneered by leading organisations: Lean and Six Sigma, the first aiming to streamline processes and remove non-value-adding activities, and the latter focused on providing consistent output through variation reduction.
The systematic approach of Lean Six Sigma proves to be a very useful method for addressing risk management within an organisation's business processes. Its focus on process flow efficiency and service level variation reduction has proved to be a very important facet for anyone calibrating their operations. Moreover, the Lean Six Sigma problem-solving philosophy also aims to assess such processes in order to identify potential gaps within the operations that could lead to service delay and inconsistency.
Taking the stage
Realising the greater need to address such risk in order to propel towards operational innovation, Neville Clarke has long advocated Lean Six Sigma as a tool for achieving that goal. Dedicated to being a preferred business solutions provider, Neville Clarke has been assisting organisations to realise these objectives through consultancy and training centred on the idea of speed and quality. As such, the corporations assisted by Neville Clarke are well on their way to becoming more competitive and operationally innovative through the use of Lean Six Sigma.