Managing Risk IGMA Winter Conference Tucson, Arizona Feb 1, 2018

Size: px

Start display at page:

Download "Managing Risk IGMA Winter Conference Tucson, Arizona Feb 1, 2018"

Garry Gabriel Roberts
5 years ago
Views:

Managing Risk IGMA Winter Conference Tucson, Arizona Feb 1, 2018 this workshop was brought to you by www.human.

Risk refers to the uncertainty that surrounds future events and outcomes (negative or positive).

positively) organizational objectives. 6.1

1 Managing Risk IGMA Winter Conference Tucson, Arizona Feb 1, 2018 this workshop was brought to you by 1 What is Risk and why should we be interested in it? Risk refers to the uncertainty that surrounds future events and outcomes (negative or positive). Risk is the expression of the likelihood and impact of an event with the potential to influence (negatively or positively) organizational objectives. 6.1 Actions to address risks and opportunities When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed... 2 Montreal, Quebec Summer Conference 1

2 Difference Between Risk and Opportunity A risk is a potential for a loss. An opportunity is a potential for a gain. Most strategies and plans entail both risk and opportunity. As such, both play a role in decision making, strategy formation and management. We want to avoid risks and exploit opportunities. Opportunity is not the positive side of risk. An opportunity is a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then presents different levels of risk. (ISO paper RISK BASED THINKING IN ISO 9001:2015) 3 ISO 9001:2015 Requirements 4.1 Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. 4.2 Understanding the needs and expectations of interested parties Due to their effect or potential effect on the organization s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine: a) the interested parties that are relevant to the quality management system; b) the requirements of these interested parties that are relevant to the quality management system. 4 Montreal, Quebec Summer Conference 2

ISO 9001:2015 Requirements continued 4.4 Quality management system and its processes f) address the risks and opportunities as determined in accordance with the requirements of 6.1; 5.

1.3 Analysis and evaluation e) the effectiveness of actions taken to address risks and opportunities; 9.3.2 Management review inputs e) the effectiveness of actions taken to address risks and opportunities (see 6.

3 ISO 9001:2015 Requirements continued 4.4 Quality management system and its processes f) address the risks and opportunities as determined in accordance with the requirements of 6.1; 5.1 Leadership and commitment d) promoting the use of the process approach and risk based thinking; Customer focus b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed; Analysis and evaluation e) the effectiveness of actions taken to address risks and opportunities; Management review inputs e) the effectiveness of actions taken to address risks and opportunities (see 6.1); 10.2 Nonconformity and corrective action e) update risks and opportunities determined during planning, if necessary; A.4 Risk based thinking This International Standard specifies requirements for the organization to understand its context (see 4.1) and determine risks as a basis for planning (see 6.1). Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. A.8 Control of externally provided processes, products and services The organization can apply risk based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes, products and services.; 5 Where can we use risk based thinking? Here are some examples where you can use risk (and opportunity) based thinking throughout your organization: a) Strategic planning b) Launching new products c) Opening new markets d) Building partnerships and joint ventures e) Using new technology f) Project management g) Improving products and services h) Improving processes Over the next hour we ll take a look at 3 risk based thinking tools. 6 Montreal, Quebec Summer Conference 3

1 Here s a risk based thinking tool to improve processes Failure this workshop Mode was brought & to Effects you by www.human.ca Analysis 7 What is an Failure Mode and Effects Analysis?

4 1 Here s a risk based thinking tool to improve processes Failure this workshop Mode was brought & to Effects you by Analysis 7 What is an Failure Mode and Effects Analysis? Failure modes and effects analysis (FMEA) is a step-by-step approach for identifying potential risk of failure in the design, creation and/or delivery of a product or service. It then assists in implementing plans to prevent the most likely causes of failure. 8 Montreal, Quebec Summer Conference 4

A Three Dimensional Risk Assessment FMEAs evaluate three key dimensions of process

highest). 1. Severity is a measure of how damaging a failure would be. 2.

Detection is an estimate of how likely it is that you will detect the failure prior

5 A Three Dimensional Risk Assessment FMEAs evaluate three key dimensions of process failure; severity, occurrence and detection on a scale of 1 to 10 (1 lowest, 10 highest). 1. Severity is a measure of how damaging a failure would be. 2. Occurrence tells us how often this type of failure might occur. 3. Detection is an estimate of how likely it is that you will detect the failure prior to its having a harmful effect. 9 Failure Mode and Effects Analysis Template 10 Montreal, Quebec Summer Conference 5

6 Step 1 Define the Process Steps A Failure Mode and Effects Analysis (FMEA) begins by specifying the process to be studied. You should have a process flow diagram (PFD) of the process or at the very least have identified the steps. Record the process or product name and process owner in the top left of the FMEA template. Then record the key process steps in Column 1 of the FMEA template. 11 Step 2 Identify Potential Failure Modes Identify significant failure mode(s) for each process step and document them in Column 2 on the FMEA form. You can repeat this process for different failure modes. 12 Montreal, Quebec Summer Conference 6

Step 3 Potential Effects of the Failure Modes Write down the effects that would happen if the potential failure were a real failure. How would the failure impact your company? Your suppliers?

13 Step 4 Severity of the Failure Mode The Severity Rate (S) is the "best guess" of how serious it would be to the customers, the product, or the service if the failure really occurred.

7 Step 3 Potential Effects of the Failure Modes Write down the effects that would happen if the potential failure were a real failure. How would the failure impact your company? Your suppliers? Your customers? What would be the worst possible outcomes? 13 Step 4 Severity of the Failure Mode The Severity Rate (S) is the "best guess" of how serious it would be to the customers, the product, or the service if the failure really occurred. 9-10: With potential safety risk or legal problems - potential loss of life or major dissatisfaction 7-8: High potential customer dissatisfaction - serious injury or significant mission disruption 5-6: Medium potential customer dissatisfaction - potential small injury, mission inconvenience, or delay 3-4: The customer may notice the potential failure and may be a little dissatisfied - annoyance 1-2: The customer will probably not detect the failure - undetectable 14 Montreal, Quebec Summer Conference 7

15 Step 6 Occurrence of the Failure Mode The Occurrence Rate (O) is an estimate of how often the failure happens due to each specific

8 Step 5 Potential Causes of the Failure For the failure mode listed in Step 2, write down all factors the team can think of that could cause the failure to occur. 15 Step 6 Occurrence of the Failure Mode The Occurrence Rate (O) is an estimate of how often the failure happens due to each specific cause listed in Step : Very high probability of occurrence 7-8: High probability of occurrence 5-6: Moderate probability of occurrence 3-4: Low probability of occurrence 1-2: Remote probability of occurrence 16 Montreal, Quebec Summer Conference 8

Step 7 Current Controls For each of the failure mode causes in Step 5, write down the current controls that are in place to prevent the causes from occurring.

9-10: Zero probability of detecting the potential failure cause 7-8: Close to zero probability of detecting potential failure cause 5-6: Not likely to detect

9 Step 7 Current Controls For each of the failure mode causes in Step 5, write down the current controls that are in place to prevent the causes from occurring. 17 Step 8 Detection of the Failure Mode The Detection Rate (D) is an estimate of how difficult it is to detect the failure before the customer sees it. 9-10: Zero probability of detecting the potential failure cause 7-8: Close to zero probability of detecting potential failure cause 5-6: Not likely to detect potential failure cause 3-4: Good chance of detecting potential failure cause 1-2: Almost certain to identify potential failure cause 18 Montreal, Quebec Summer Conference 9

Step 9 Risk Priority Number (RPN) Multiply the Severity times the Occurrence times the Detection for each cause to get an initial Risk Priority Number (RPN).

10 Step 9 Risk Priority Number (RPN) Multiply the Severity times the Occurrence times the Detection for each cause to get an initial Risk Priority Number (RPN). S x O x D = RPN 19 When should we take action on a Risk Priority Number? While no defined rules apply for a minimum acceptable RPN number, practitioners often refer to the following: RPN < 125 no action necessary 125 > RPN take actions to reduce the RPN to <125 Note: every possible option should be explored to reduce Severity ratings of 9 or 10, regardless of the Occurrence or Detection levels. 20 Montreal, Quebec Summer Conference 10

IGMA uses FMEA s to review their critical processes Here s an

Planning Risk Register Your IGMA leadership used this approach

11 IGMA uses FMEA s to review their critical processes Here s an example of how IGMA used an FMEA to identify risks to their Conference Planning Process Here s a risk based thinking tool to use with Strategic Planning Risk Register Your IGMA leadership used this approach during their 2017/18 strategic planning cycle. this workshop was brought to you by 22 Montreal, Quebec Summer Conference 11

12 Steps to Strategic Planning Previous Fiscal Year New Fiscal Year Gather Facts Assess Risks Measurement Method Determine Target Monitor Results SWOT Analysis Create Objectives Determine Baseline Plan Actions Approve Budget 23 The Balanced Scorecard Financial Customer Internal Business Process Learning & Growth Quality Products Profitability Customer Loyalty Employee & Volunteer Skills & Attitude Quality Services The Balanced Scorecard is a strategic planning methodology. It s a way of looking at your organization holistically and long term. It also provides focus areas to help determine where the organization should improve to ultimately help the bottom line. 24 Montreal, Quebec Summer Conference 12

Environmental Scan (gather data) 7.1.6 Organizational 1. knowledge About IGMA (organizational chart) 2.

Interested Parties, Their Needs and Expectations 6. Financial Data 7. IGMA Meeting Data 8. Membership Data 9.

2016/17 Strategic Objectives and Their Status 25 Interested Parties (Key Stakeholders) Members Volunteers Employees

13 Environmental Scan (gather data) Organizational 1. knowledge About IGMA (organizational chart) 2. Guiding Policy Statements 3. Strategic Initiatives Statement 4. What if IGMA was Created Today 5. Interested Parties, Their Needs and Expectations 6. Financial Data 7. IGMA Meeting Data 8. Membership Data 9. Knowledge Management Risks 10. Other Considerations /17 Strategic Objectives and Their Status 25 Interested Parties (Key Stakeholders) Members Volunteers Employees Contract Employees Sister Organizations 4.2 Understanding the needs and expectations of interested parties Standard Development Organizations (SDO s) Federal Trade Association (FTC) 26 Montreal, Quebec Summer Conference 13

14 SWOT Analysis SWOT analysis is an acronym for strengths, weaknesses, opportunities, and threats. STRENGTHS It is a structured planning method that evaluates those four elements of an organization, project or business venture. 27 We completed a SWOT Analysis Strengths Opportunities Identify organizational Strengths, Weaknesses, Opportunities and Threats on the different flipcharts available. Add checkmarks to ones already there that you agree with Weaknesses Threats 28 Montreal, Quebec Summer Conference 14

A Rating Matrix is a tool that is used to assess the various levels of risk or opportunities for the organization.

The Opportunity Rating Matrix looks at the ease of implementation of opportunities and the impact on the organization if they were taken advantage of.

Creating and maintaining a risk and opportunity register protects the assets of a business.

15 A Rating Matrix is a tool that is used to assess the various levels of risk or opportunities for the organization. Risk and Opportunity Rating Matrices The Risk Rating Matrix looks at the likelihood of risks occurring and the impact on the organization if they did occur. The Opportunity Rating Matrix looks at the ease of implementation of opportunities and the impact on the organization if they were taken advantage of. 29 Risk and Opportunity Register # R/O Category Description Rating Treatment Owner Due Date Date Complete Likeli hood NEW RISK Rating Only Impact Rating Creating and maintaining a risk and opportunity register protects the assets of a business.... To be effective, an organization's risk management plan requires the development and maintenance of an ongoing process that enables the identification, analysis, evaluation, and treatment of risks and opportunities that may impact the organization. 30 Montreal, Quebec Summer Conference 15

Risk and Opportunity Treatments Treatments are the different strategies that

Remove Source Increase (in cases of opportunity) Share Change Impact Change

initiative Force Field Analysis Based on an article by www.mindtools.

16 Risk and Opportunity Treatments Treatments are the different strategies that can be put in place to reduce the risk or increase the opportunity. Remove Source Increase (in cases of opportunity) Share Change Impact Change Likelihood 31 3 Here s a risk based thinking tool to use with any change initiative Force Field Analysis Based on an article by Force Field Analysis Analyzing the Pressures For and Against Change 32 Montreal, Quebec Summer Conference 16

17 Force Field Analysis Force Field Analysis was created by Kurt Lewin in the 1940s. Lewin originally used it in his work as a social psychologist. Today, however, it is also used in business, for making and communicating go/no go decisions. The idea behind Force Field Analysis is that situations are maintained by an equilibrium between forces that drive change and others that resist change. For change to happen, the driving forces must be strengthened or the resisting forces weakened. 33 To carry out a Force Field Analysis, use a blank sheet of paper or a whiteboard, and follow these five steps. Step 1: Describe Your Plan or Proposal for Change Define your goal or vision for change, and write it down in a box in the middle of the page. Step 2: Identify Forces For Change Think about the kinds of forces that are driving change. These can be internal and external. Step 3: Identify Forces Against Change Now brainstorm the forces that resist or are unfavorable to change. Step 4: Assign Scores Next, score each force, from, say, one (weak) to five (strong), according to the degree of influence each one has on the plan, and then add up the scores for each side (for and against). Customers want new products Improved production speed Reduced training time Low maintenance costs Loss of staff overtime Staff fearful of new technology Impact on environment Cost Disruption 34 Montreal, Quebec Summer Conference 17

18 Step 5: Analyze and Apply Now that you've done your Force Field Analysis, you can use it in two ways: 1. Decide whether or not to move forward with the decision. 2. Think about which supportive forces you can strengthen and which opposing or resisting forces you can weaken, and how to make the change more successful. For instance, you could: Train staff to minimize their fear of technology. The cost of training increases "Cost" to 4 but the benefits reduce "Staff fearful of new technology" to 1. Introduce employee empowerment and innovation teams, along with single minute exchange of dies (SMED). This could reduce loss of staff overtime to 2, increase production speed to 3, and increase low maintenance/downtime costs to 3. Introduce on the job training. This could increase reduced training time to 4. These changes would swing the balance from 11:10 (against the plan), to 14:9 (in favor of the plan). Forces for Change Customers want new products Improved production speed Reduced training time Low maintenance costs Forces against Change Loss of staff overtime Staff fearful of new technology Impact on environment Cost Disruption Total: 14 Total: 9 We hope you enjoyed this Managing Risk presentation LIKES WISHES 1. Common sense 2. Good examples: clean and crisp 3. Good overview 1. Would like to see data to back up use of specific tool 2. Which tools are used the most across organizations and which are most successful 3. Would have like it to be interactive 36 Montreal, Quebec Summer Conference 18