Risk-based Thinking: Creating Opportunities from Strategic Insights
“… in the end [risk management] is all about how organizational insights and knowledge are turned into strategic insights and advantage.” - Harry Hertz, Director Emeritus Baldrige Performance Excellence Program
Although quality managers are usually seen as the stewards of products that meet specifications and processes that don’t fail, what they’re really interested in is performance -- helping people and machines work together to make things easier, better, faster and less expensive. Sometimes, this means putting controls in place to prevent losses or running projects that reduce waste or increase efficiency. Other times, it means identifying and capturing opportunities for improvement and growth. Techniques to identify and manage risks are often found in the quality toolbox.
Risk-based thinking is a “mindset to proactively improve the certainty of achieving outcomes utilizing methods that consider threats and opportunities.” (Laqua, 2018) This mindset can be applied during operations, when designing a product or process, while improving a product or process or even when designing a strategy. Risk-based thinking can help you prevent losses, capture opportunities and improve communication throughout your organization -- so it’s not surprising that it’s a core element of many quality management systems, including ISO 9001:2015 and the Baldrige Performance Excellence Process.
HOW CAN YOU START ENGAGING RISK-BASED THINKING AS A MINDSET?
How can you develop the underlying habits of mind associated with risk management and deploy them at all levels of your organization? How can you leverage your quality management system (QMS) software to help make it happen? This report will get you started.
Hazards and threats are sources of risk. Hazards, which are situations with the potential to result in injuries, damage or harm, can be physical, chemical, biological, ergonomic, psychological, political or social. Hazards can become threats if (and when) they are activated. For example, a virus (computer or biological) may be a hazard, but it only becomes a threat if you might be impacted by it. The likelihood and severity of that impact on a particular person, place or thing determines the risk.
Risk is, then, relative to who or what is being impacted. As a result, you should develop an organizational profile (called “organizational context” in ISO 9001:2015) before you begin. This description of your organization should include its characteristics (including vision, mission and main offerings), its capabilities (assets and workforce profile) and its environment (including regulatory requirements, supplier and partner relationships, and market conditions). The organizational profile also should address the strategic context, such as the competitive environment, current challenges, and advantages or disadvantages that may impact success factors.
Most importantly, the organizational profile must describe stakeholders and their needs. Each stakeholder group may have a different risk profile, and some stakeholders may have more impact on the success of a company than others. Stakeholders, referred to as “interested parties” in ISO 9001:2015, can be customers, suppliers, employees, members of the community or region where the organization is located or society in general. Governments are also stakeholders, particularly for organizations that are highly regulated.
Organizations can identify, evaluate and treat risks to different degrees of formality, and can limit the scope to individual divisions or facilities or expand it to the enterprise level. Systematic risk management follows a data-driven Plan-Do-Check-Act (PDCA) approach (IOSH UK, 2017) and is characterized by the following activities:
- Setting policies for quality, environmental management and/or health and safety
- • Defining procedures, roles and responsibilities
- • Conducting risk assessments and establishing controls
- • Continuously monitoring performance and conducting regular reviews
- • Continuously improving policies, procedures, roles, responsibilities and controls to improve the performance of the entire system
These steps can be treated as parallel processes when quality, environment and health and safety systems are managed independently, or can be combined for organizations that have integrated management systems (IMS) in place.
WHY ADOPT RISK-BASED THINKING
Put simply, organizations adopt risk-based thinking to make better decisions -- especially when they are operating in a challenging, fast-paced or otherwise uncertain environment. Although the return on investment (ROI) for risk-based thinking is difficult to characterize, most organizations have anecdotes about the (sometimes spectacular) failures and inefficiencies that have come from pretending that nothing unexpected will happen – or by not investing the time or resources required to plan for the unanticipated.
According to Willumsen et al. (2017), this improved decision making can yield many benefits, including:
- Reducing frequency of losses
- Reducing likelihood of losses
- Reducing costs of losses
- Improving response time to unexpected events
- Reducing stress
- Improving communication
- Enhancing organizational learning
- Capturing new opportunities for growth and improvement
Risk assessment and risk management does take time, effort, and money. As a result, some organizations only give lip service to risk -- for example, by constructing a Risk Register during annual strategic planning -- and then letting it gather dust the rest of the year.
Addressing risk is far more than an assessment or management exercise, though. Time spent contemplating, finding, and dealing with risks also helps you learn about your organizational processes with your colleagues. This shared learning process helps to build and strengthen relationships, and often improves communication. A better understanding of the organization and its processes leads to improved business results. (Kovach & Fredendall, 2013)
Risk management is a set of “systematic approaches for organising the pros and cons of a decision alternative” that includes the following general steps: (Aven, 2016)
- Establish the Context. Define the purpose of, goals for and criteria governing the risk management activities in the organization.
- Risk Assessment, which includes:
- Risk Identification. Identify situations or events (including hazards, threats and opportunities) that could affect the organization.
- Risk Analysis. Systematically investigate causes and consequences of these events.
- Risk Evaluation. Assess the likelihood, consequences and significance of the risks.
- Risk Treatment. Address risks and monitor the effectiveness of the treatments.
This process is summarized in Figure 1, from ISO 31000:2018, Risk management – Guidelines:
The risk treatment step requires more than just identifying a control and putting it in place, because there are several different ways your organization can respond to a risk. If you’re not identifying or managing any risks, your default choice is to Ignore all risks. Implementing controls (in design, on the production process, or post-sale) helps to Reduce risks, and sometimes even eliminates them. An organization can Share its risks with partners or customers (for example, by cooperatively developing new products or features) or can Transfer risks to other parties, like insurers. Finally, an organization can Avoid risks by adjusting its business model, influencing the competitive environment, or transforming the business to change the nature of the risks. The treatment step is not limited to implementing controls.
The Baldrige Performance Excellence Program (a quality system that shares foundational concepts of ISO 9001:2015, but applies them in a more holistic and more flexible way) presents some ideas for how to leverage the organizational profile to explore risks. Baldrige promotes intelligent risk taking to find routes to transformation:
- Item 1.1—How do senior leaders create an environment for innovation and intelligent risk taking, achievement of strategic objectives and organizational agility?
- Item 2.1—How do you decide which strategic opportunities are intelligent risks to pursue?
- Item 5.2—How does (your performance management system) reinforce intelligent risk taking to achieve innovation, reinforce a customer and business focus, and reinforce achievement of your action plans?
- Item 6.2—How do you pursue strategic opportunities that you determine are intelligent risks? Risk-based thinking may not solve all your problems, but it will get you thinking more strategically about how to deal with the unexpected.
Risk-based thinking may not solve all your problems, but it will get you thinking more strategically about how to deal with the unexpected.
RISK-BASED THINKING IN ISO 9001:2015
The latest revision to ISO 9001 places risk-based thinking front and center. Although risk was an important part of previous ISO 9001 revisions, these changes encourage companies to adopt a more preventive and anticipative mindset. Risk appears throughout the main clauses of ISO 9001:2015 (Hoyle, 2017)
- Clause 4 — Identify risk profile, which includes the risks to the organization and its stakeholders, and determination of acceptable levels of risk (“risk appetite”).
- Clause 5 — Communicate executive-level commitment to risk-based thinking and promoting awareness through the organization.
- Clause 6 — Identify and proactively manage risks to QMS.
- Clause 7 — Provide resources to support risk assessment and management activities.
- Clause 8 — Institute and follow processes to manage risks and take advantage of new opportunities.
- Clause 9 — Monitor risks and respond to signals and outcomes.
- Clause 10 — Continuously improve processes in a manner sensitive to risks and opportunities.
The Plan-Do-Check-Act approach is retained, but risk now plays a central role in defining the organizational context, establishing the structures that are put in place to manage quality and evaluating the performance of the QMS against customer satisfaction and other business results.
GET STARTED WITH RISK-BASED THINKING
Perhaps your organization is in the early stages of process maturity, and you haven’t spent much time working with risk yet. Alternatively, you may be in a large enterprise where risk assessment and management is mature and systematic, but it’s not something that people are doing on a continuous, proactive basis. How can you integrate risk-based thinking into your culture?
- Know your processes. It’s difficult to explore the effects of uncertainty on outcomes until the baselines are well understood. Processes should be clearly defined, and people who add value to those processes should all agree that the documented process represents what they do. Many risks are reduced simply by people sharing a conceptual model that accurately describes their work.
- Design good quality into your products and processes. Rather than just inspecting bad quality out. A proactive approach to quality planning may involve Design for Manufacturing and Assembly (DFMA), Design for Six Sigma (DFSS), Quality by Design (QbD) in the life sciences or Advanced Product Quality Planning (APQP) in automotive or aerospace. Keep track of how these efforts reduce uncertainty and help you achieve desired outcomes.
- Work your Opportunities for Improvement (OFIs). Corrective actions can restore processes to the desired performance level, while preventative actions and improvement projects will anticipate issues that require future restoration and transform performance. Fortunately, your QMS is the perfect place to begin: Whether you’re working on products, processes or your QMS, every activity should simultaneously reduce risk while improving performance.
- Get agile. Adopting agile processes helps you reduce risk. For example, incorporating close, continuous communications between designers, developers and customers reduces the chances of developing or delivering the wrong thing. Delaying decisions until the last possible moment means you have more information available as you move forward.
- Engage everyone. When everyone has a shared view of the organization, mistakes due to not having the right information are few and far between. Provide your people with shared information systems where they can get access to the most up-to-date data, documentation and practices. Provide them with resources to contribute their knowledge, observations and insights about events, risks and opportunities.
Willumsen et al. (2017) also proposes six principles to integrate lean thinking into risk management. Each one of these concrete suggestions represents a method for integrating risk-based thinking into your approach:
- Continuously engage internal customers in risk identification and management.
- Capture knowledge associated with issues and errors to reduce time-to-solution.
- Integrate risk management into design and development, rather than making it a separate activity performed by a risk management team.
- Let design and development teams “pull” risk management specialists in following a just-in-time approach.
- Make imperfections of the risk management and monitoring process, imperfections in understanding the risk landscape, and imperfections in mitigation clearly visible to everyone. Provide everyone with the opportunity to contribute to or improve each one.
- Reward people for cooperatively identifying and responding to risks, rather than rewarding “firefighters” or penalizing messengers of bad news.
DEMONSTRATE RISK-BASED THINKING TO AUDITORS
Because risk-based thinking is more prominent in ISO 9001:2015, many organizations are wondering how to demonstrate their activities to auditors. Fortunately, most activities in the domain of quality management, if successful, serve to reduce risks. The key is to keep track of how your efforts relate to risk. Here are some actionable recommendations:
- Train your staff about risk. Use the training management module of your QMS software to ensure that everyone in your organization knows the foundational information about risk, such as:
- what risks are, as well as the risk profile of your organization based on stakeholder needs and the organizational profile
- the relationship between hazards, threats and risks
- how (and how often) your organization assesses and monitors risks, and
- how lessons learned are integrated into processes and the QMS.
- Prioritize activities with risks in mind. Determining which corrective action, improvement project or audit finding you work next often includes looking at the benefits you expect to realize. Incorporating expected reduction in risk can add to the prioritization decision.
- Show progress on Action Plans that emerge from quality events like nonconformances, audits and management reviews. In ISO 9001:2015, this is mentioned in Clause 6.1, where management review
- Keep records of how risks change after you implement corrective actions or improvement projects. Not only will this provide information about the effectiveness of your efforts, but it will also demonstrate that you are incorporating risk into decision making and evaluation of results.
- Demonstrate how your organization is continuously improving its physical, knowledge and social infrastructures. Improved physical infrastructure enhances reliability and performance while reducing costs over the long term. Building knowledge infrastructure improves communication and institutional memory, which reduces the risks associated with incomplete or outdated information. Improving the social infrastructure builds resilience, helping your organization recover from risks if they lead to incidents.
Risk-based thinking is not just “watered down” risk management -- it’s the basis for managing risk in any organization. But while risk management is systematic and institutional (and sometimes, only occasional), risk-based thinking is continuous, proactive, engaged and personal.
RISK-BASED THINKING FOR GROWTH AND INNOVATION
Opportunities can also be 1) identified by seeking ways to respond to threats, and 2) can arise from reducing the risks associated with threats. Although you may hear opportunities described as the “positive side” of risk, it is difficult to use the same tools and techniques to capture them -- and the actions you take to respond to them will be different. New risks can also emerge when you pursue opportunities. A more useful approach is to manage risks and opportunities concurrently, with full transparency and visibility between the two management processes.
Click here to download a pdf of this article.
- Baldrige Performance Excellence Program (BPEP). (2018). Baldrige Excellence Framework. Available from https://www.nist.gov/baldrige/publications/baldrige-excellence-framework/businessnonprofit
- Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13.
- Hertz, H. (2016, Summer) Enterprise Risk Management Requires a Systems Perspective. Baldrige Blog. Available at https://www.nist.gov/baldrige/enterprise-risk-management-requires-systems-perspective
- Hoyle, D. (2017). ISO 9000 Quality Systems Handbook-updated for the ISO 9001: 2015 standard: Increasing the Quality of an Organization’s Outputs. Routledge.
- Illés, B. C., Szuda, C., & Dunay, A. (2017). Quality and management – Tools for continuous and systematic improvement of processes. Institution of Occupational Safety and Health (IOSH UK) (2017). Joined-up working – an introduction to integrated management systems.
- Kendall, K. (2017). The Increasing Importance of Risk Management in an Uncertain World. The Journal for Quality and Participation, 40(1), 4.
- Kovach, J. V., & Fredendall, L. D. (2013). The influence of continuous improvement practices on learning: An empirical study. Quality Management Journal, 20(4), 6-20.
- Laqua, Raimond. (2018, August 23). Demystifying Risk. Intelex Community Webinar. Available at https://community.intelex.com/library/peer-resources/demystifying-risk
- Willumsen, P., Oehmen, J., Rossi, M., & Welo, T. (2017). Applying lean thinking to risk management in product development. In Proc. 21st Intl. Conf. on Engr. Design (ICED 17), Vancouver, 269-278.