“Risk Based Thinking” has become a more common discussion among organizations, more than likely because of the release of ISO 9001:2015. With the United States having nearly 35,000 ISO 9001 certificates issued, the topic and the approach to meeting the requirement vary among organizations. Organizations related to healthcare, nuclear and aerospace, to name a few, may have a formal approach to “Risk Management”. This may even be further supported by the development of a system to meet the requirements of ISO 31000, which is a standard for risk management, coupled with an ISO 9001 management system. But what about other organizations that do not have formal risk management systems? How can the requirements be effectively and efficiently incorporated into the business model? This is a question we answered while speaking at the 2017 Honda Lean Conference this month.
First of all, almost every organization interviewed regarding quality management and ISO 9001 used the phrase “risk analysis” when determining how to fulfill the ISO 9001 requirements for risk based thinking. I know of one automotive manufacturer that said it this way: “We just risk analyzed the heck out of everything.” Well, they actually used another descriptive word, but we will just use “heck”. To make matters worse, auditors are specifically asking organizations for their “risk analysis” to show evidence of meeting this requirement. Although the concept of “risk based thinking” is different, it seems that the common path is to conduct risk analysis.
With over thirty years of working with quality, and an extensive portion of that time working with quality management systems, I have found that the path of least resistance, no matter how inviting, often leads to unexpected results that become difficult to manage. Let’s take the topic at hand, risk based thinking. Managers and directors across the country are taking the path of least resistance and simply conducting a risk assessment of the organization. For the most part, the assessment would go unnoticed, with perhaps the only inconvenience being when leadership is informed during the scheduled snoozapalooza, also known as management review. These risk analyses may be conducted utilizing traditional SWOT analysis, FMEA studies and even new tools that have been developed by some of the best minds in the country. In case you were wondering, I am referring to consultants who love to complicate everything. I have a friend who says it this way: “consultants feel anything worth doing is worth complicating”. I hate to say it, but there is truth in that statement!
Let me bring closure to this approach of taking the path of least resistance. Some of the concern is simply having time to conduct the risk assessment, especially with all the hours we commit each day to just fighting fires. Well, we could really take the path of least resistance and just mock up the risk assessment; yes, I know of professionals that have already done this too. Another concern regarding this approach is the “who really cares” outcome. When a solo risk assessment is conducted, even though it may be across multiple departments, with the typical lack of buy-in, who really cares about the outcome? We have found this evidenced by limited or no action being taken for the areas of “high risk” to the processes of the organization. If we want to get down to the nitty-gritty, this whole approach violates the basis of the integration of the management system with the leadership of the organization.
Let me introduce a thought that I would like each reader to consider. Rather than take an approach that isolates the risk assessment to the view of an individual or small posse, let’s leverage the natural processes of the organization. Natural processes or natural outcomes are events and results that occur within an organization based upon the culture or business design. Not all organizations will be able to leverage this method, because their culture and/or business design is unhealthy. However, for organizations that have a relatively healthy culture, one that is embraced by leadership and simply focuses on doing the right things right, we can leverage the natural outcome method. Over the past several years of reviewing organizations, I have found that processes have become fragmented and do not function properly. This often results in incubators being created, or problems that sit dormant until the right pieces come together; then we experience a full-fledged fire. I know this does not sound healthy; however, in typically all organizations this has become a normal culture. Now, stepping back and looking at this situation, we have to determine why our processes have become fragmented. Well, that is the easy answer: change! For some organizations desiring to embrace risk based thinking, this has become the topic of focus, and change has naturally aligned itself with the requirements in ISO 9001:2015. No longer are organizations pursuing risk assessments, unless of course they are a natural part of the business culture; instead, they are learning new concepts of both introducing and managing change. Why? They have discovered that the single most significant risk to their organizations is change.