Risk Register / Risk Library
Amanda Foster
664 Posts
I work for a small engineering services and tech pubs company. We are not manufacturing, and our products differ by customer. Data and measurables have always been difficult because there has never been an easy way to capture data. I am really interested in the idea of developing a risk register or risk library, but I'm not sure of the least cumbersome way to go about it. The majority of our risk assessment and mitigation occurs during our bid preparation and contract review process. I would like to start looking at the similarities of the risks we address instead of encouraging silos by assuming the risks in each project/process/product are more different than similar.
11 Replies
Emily Labs
27 Posts
Amanda, a RISK register can be pretty daunting when you first look at it, but once you figure out the bare essentials, just lay it out. When we went through our ISO 9001:2015 certification, RISK played a big new role in the process. Our auditor liked how our FMEA was laid out; fairly simple really:

Interested parties (listed all of our major interested parties in separate columns so that with each risk we could 'X' the box: local government, environmental parties, employees, neighbors, etc.)
Risk Identification:
     Activity (what do we do)
     Related company procedure/document (do we have a document for that?)
     RISK (what could possibly go wrong!)
     potential effect (what stops because of that? who gets upset?)
Determine the Risks
     Severity
     Probability
RECOMMENDED ACTION (this is the RISK mitigation part)
     recommended action 

I too work at a small business (fewer than 75 employees) and it has a small town feel (which is amazing!), but I got a lot of pushback on how much risk identification is too much. Do we need to address the potential of a meteor falling on our building? Probably not... but if you think that the likelihood of it happening matches the effect of what it could do to the process/company/interested party... push for it! Don't give up! (What is the worst that could happen from writing it down?)
Amanda Foster
664 Posts
Emily Labs, thank you! This is exactly the kind of feedback I was hoping for. We have the same problem regarding dramatic end-of-the-world type risks, though I think everyone knows what doesn't belong in the conversation at this point. Of course, if this becomes a more likely risk...

OK, so your categories make sense to me - very generally applicable. Do you simply use a spreadsheet for capturing the information?

Do you have an objective means for determining severity? Since our products carry little risk of bodily harm or equipment damage, I have struggled a little determining how to objectively evaluate this.

Do you do any further analysis once you've captured the data in the register/library?

I hope to use ours both to improve our bid process to objectively reduce/eliminate risks and to develop training so that we can apply lessons learned in our project to the entire company.
Emily Labs
27 Posts
Yup, Excel all the way! We hold Quarterly Risk Meetings to assess what we have identified and to add new ones, if needed. Our risk register is still new (less than a year old) so we have not needed to take any off yet, but we make sure to track our changes on another page of the Excel file. (That way, if something needs to be added back later, you can... or it is proof that we addressed a risk, and we state why it was altered.)

We do use a RISK PRIORITY NUMBER (RPN): severity x occurrence x detection. It was useful for us to see what we think is important to our company, and from there we would address those with a HIGH risk. Then after we addressed the risk, and had steps in place to mitigate that risk, we would rescore it based on our actions. (We stopped ranking our risks because ISO 9001:2015 says to manage ALL risks, not just the High risks.)
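As an added example (not code from anyone in this thread), here is a small Python model of the register Emily describes: each row carries severity, occurrence and detection scores, RPN is their product, a risk is rescored rather than edited in place after a mitigation, and every change lands on a separate change log instead of being overwritten. The 1-to-10 FMEA scale, the low/medium/high thresholds in `band()`, the field names and the three sample bid/contract-review risks are all assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

# FMEA convention assumed here: each factor is scored 1 (best case) to 10 (worst case),
# so RPN ranges from 1 to 1000. Scale and band thresholds are assumptions, not from the thread.
SCALE = range(1, 11)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    activity: str        # "what do we do"
    description: str     # "what could possibly go wrong"
    severity: int        # how bad is it if it happens
    occurrence: int      # how likely is it
    detection: int       # 10 = we would not notice until the customer does
    action: str = ""     # recommended mitigation
    status: str = "open"

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently skew the ranking.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..10, got {value!r}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def band(rpn: int) -> str:
    """Collapse an RPN to the low/medium/high labels some registers use instead (assumed thresholds)."""
    if rpn >= 200:
        return "high"
    if rpn >= 80:
        return "medium"
    return "low"


class RiskRegister:
    """In-memory stand-in for the two spreadsheet tabs: the live register and its change log."""

    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}
        self.changes: list[dict] = []

    def add(self, risk: Risk, reason: str = "identified") -> None:
        if risk.risk_id in self.risks:
            raise KeyError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk
        self._log(risk.risk_id, "added", None, risk.rpn, reason)

    def rescore(self, risk_id: str, reason: str, **updates) -> int:
        """Re-score after a mitigation; returns the new RPN. Validation re-runs via __post_init__."""
        before = self.risks[risk_id]
        after = replace(before, **updates)   # frozen dataclass: build a new record, keep the old one in the log
        self.risks[risk_id] = after
        self._log(risk_id, "rescored", before.rpn, after.rpn, reason)
        return after.rpn

    def retire(self, risk_id: str, reason: str) -> None:
        """Never delete a row: mark it retired so the history shows the risk was addressed and why."""
        before = self.risks[risk_id]
        self.risks[risk_id] = replace(before, status="retired")
        self._log(risk_id, "retired", before.rpn, None, reason)

    def prioritised(self, include_retired: bool = False) -> list[Risk]:
        """Open risks, highest RPN first."""
        rows = [r for r in self.risks.values() if include_retired or r.status == "open"]
        return sorted(rows, key=lambda r: r.rpn, reverse=True)

    def _log(self, risk_id, event, rpn_before, rpn_after, reason) -> None:
        self.changes.append({"risk_id": risk_id, "event": event,
                             "rpn_before": rpn_before, "rpn_after": rpn_after, "reason": reason})


def build_sample_register() -> RiskRegister:
    """Three constructed bid/contract-review risks; the scores are illustrative only."""
    reg = RiskRegister()
    reg.add(Risk("R-01", "bid preparation", "scope misread, effort underestimated", 7, 4, 6))
    reg.add(Risk("R-02", "contract review", "customer-specific deliverable format missed", 5, 5, 8))
    reg.add(Risk("R-03", "project delivery", "key engineer unavailable mid-project", 6, 3, 3))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(r.risk_id, r.rpn, band(r.rpn), r.description)
    new_rpn = reg.rescore("R-02", "added format checklist to contract review",
                          detection=3, action="contract review checklist item")
    print("R-02 after mitigation:", new_rpn, band(new_rpn))
    for change in reg.changes:
        print(change)
```

Run stand-alone it prints the three risks in RPN order, then shows R-02 dropping from 200 to 75 once a checklist improves detection, with both the rescoring and the original scores preserved in `reg.changes`. Keeping the record frozen and logging every transition is the programmatic equivalent of the second spreadsheet tab: an auditor can see that a risk was addressed and why it changed, and a retired risk is still there if it ever needs to come back.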
Amanda Foster
664 Posts
Emily,

Thank you so much for your advice and help. I have a much better understanding of the concept now. I think I can start to develop a Risk library for my company now. This is great!

Amanda
Emily - I just wanted to add, because you made a comment about it, that ISO 9001 does not say you have to manage all risks. It says you need to "...determine risk and opportunities that need to be addressed..." (6.1.1). You have to plan actions for those, not necessarily all. The exception is that any which can affect the conformity of products/services and the ability to enhance customer satisfaction must be both determined and addressed.

Amanda - I agree with Emily, don't over-complicate. I work with a little company in NY with two brothers running the place. They have an Excel doc that has a tab for risks and opportunities. They use it as part of their daily meetings and discussions. They like bringing up during conversations the question of whether there are any risks. They identify them and then, if there are any actions required (go check this, do that, etc.), it goes on an action item list that they use to keep track of all the things they need to make sure they don't forget to do. Make it make sense for your organization and your culture. You don't necessarily even need to rank them if you don't want to. I've seen the full RPN (SOD) and I've seen just low, med, high. I've also seen just severity and occurrence together. I like that you want to do the risk register for the right reasons. Good on you and your company.
Amanda Foster
664 Posts
Christianna Hayes, thanks! I am still working out what this will look like at our company. I have cautious buy-in from senior management. They want to see what this looks like and what the benefits are. Of course I feel the benefits are obvious, but they want to know what the upkeep will look like. So I am trying to put together an Excel tool that will be intuitive yet complete.
I work in a larger company and have the opposite problem. We have processes to manage risks distributed throughout the organization, managed by the functional departments. Marketing looks at risks associated with competitors and changing customer needs. Engineering considers product development risks. Purchasing is managing all the risks throughout the supply chain. And so on!

I feel like the auditors want to see one list, register, or library of risks that is reviewed in Management Review. I have struggled with how to appease the auditors w/o creating a redundant/parallel risk tool. If I have this list, auditing 9.3.2 is a straightforward, almost check-the-box audit. Without a list it could become an audit wormhole throughout the organization.

Anybody run into a similar situation?
Amanda Foster
664 Posts
Scott,

Interesting dilemma, at least from my point of view. Is there any way you could develop a sort of linked directory from outputs of each of the individual risk processes? That way you would have a single place for management review purposes without duplicating the real work in the functional departments?

Jame Lipz
1 Posts
@Amanda Foster To develop a risk register or risk library, you need some knowledge of the field to help with the bidding process and contract review. It will be you who decides to flee the complex instead of encouraging silos and making assumptions.