A while ago I was talking with a friend who works in retail, and she told me about a time when one of the clerks at her store helped a customer take her [the customer's] bags to the car. Then, as he loaded the bags into the car, the customer’s dog bit him.
There was more to the story, though the rest of the details don’t
matter right now. But one of the things I asked my friend was, “You’re on the
store’s Safety Committee. Did you update your Risk List to include ‘Getting
bitten by a customer’s dog’?” She said they discussed it, but it seemed like
something that would happen only once in a blue moon. And in that case, does it
really make sense to add it to the list?
This happens a lot – I mean, identifying a risk that shows up only rarely. It’s only common sense to want to know what risks you might be facing, and (for example) the ISO management system standards all require some level of risk identification. (ISO 9001, ISO 14001, and ISO 45001 all put this requirement in section 6.1.1.) But of course you can’t take action to prevent everything you think of, so you need some way to rank your list in order of importance. That way you can plan for the ones that really matter, and let the rest go. But what ranking do you choose? Generally there are at least two questions to consider:
- How likely is this risk?
- And how bad will the impact be if it happens?
Anything that scores high on both questions goes to the top of the list. After that, it’s not so obvious. But here’s one simple approach you can take. Please note two things:
- You can use this approach for any kind of risks. In my story about the dog, I was talking about safety risks. But your marketing team can do the very same thing to analyze competitive risks. Your product developers can use this approach (or a more sophisticated version of it) as an FMEA (Failure Mode and Effects Analysis) to think through potential product failures. Your shipping department can do this to evaluate different logistical methods. It is a very general and very powerful tool.
- There are a lot of ways to make this approach more sophisticated, depending on the needs of your organization. What I describe here is the simplest possible version.
Step one: Score all of your risks according to how likely they are, using just three values: High, Medium, Low.
Step two: Now score all of your risks according to their impact – how bad things would be if they happened – using the same three values: High, Medium, Low.
Step three: Use these two scores to calculate a priority for each risk, using the following formula:
Priority = Likelihood x Impact
| Likelihood \ Impact | High | Medium | Low |
|---|---|---|---|
| High | High | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
On this scale, for example, “getting bitten by a customer’s dog” would probably rank Low for likelihood but potentially High for impact, for a composite priority of Medium.
Now that you have assigned a priority to every risk on your list, what next? The next step should be to address the important ones.
- What does it mean to “address” a risk? If possible, prevent it. If you can’t prevent it, take steps now to mitigate the impact when it happens. Also, consider how you will respond when it does happen: those are your contingency actions.
- Which ones are “important”? It depends on what you are doing. At the very least, you should address all the risks with priority = High. Naturally you don’t have to stop there. Maybe you want to address the Medium ones as well, or some of them. Maybe there are steps you can take for a few of the Low risks too, though typically you should think about them last. You have to decide what works for you. But addressing all the risks rated High is pretty much a minimum.
What happens to the risks that you choose not to address? If
my friend’s company updated their list of safety risks to include “getting
bitten by a customer’s dog” and then calculated its priority as only Medium,
they might not plan any action for it. So why put it on the list?
The point is that the priority ratings aren’t static. From
time to time you’ll review your list to see if things have changed. As you take
mitigation steps, for example, the impact of some risks will drop. The impact
of others might rise, depending on changes in the outside world. Back in 2019,
most American companies who did disaster planning probably rated “global
pandemic” at a very low likelihood; by mid-2020, it had become a simple fact of life.
So even if a risk falls below your threshold and you decide not to address it
right now, keep it on the list. Then the next time you review the list – next quarter,
next year, or whenever – you can think about it again. And as long as it stays
on the list, you won’t forget.
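The three scoring steps and the periodic review described above, as an added example (not from the original post) that keeps every risk on the register and reports which priorities moved between two reviews. The function names, the "Slip on wet floor" entry and all High/Medium/Low scores in the sample data are assumptions made for illustration.

```python
LEVELS = ("Low", "Medium", "High")

# The article's priority matrix, indexed as MATRIX[likelihood][impact].
MATRIX = {
    "High":   {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "Medium": {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Medium", "Medium": "Low",    "Low": "Low"},
}

def priority(likelihood, impact):
    """Step three: combine the two scores into one priority."""
    if likelihood not in MATRIX or impact not in MATRIX:
        raise ValueError(f"scores must be one of {LEVELS}")
    return MATRIX[likelihood][impact]

def rank(register):
    """Return (name, priority) pairs, High first. No risk is dropped."""
    scored = [(name, priority(l, i)) for name, (l, i) in register.items()]
    return sorted(scored, key=lambda r: -LEVELS.index(r[1]))

def to_address(register, threshold="High"):
    """Names of the risks at or above the chosen action threshold."""
    floor = LEVELS.index(threshold)
    return [n for n, p in rank(register) if LEVELS.index(p) >= floor]

def review(previous, current):
    """Map each risk whose priority changed to (old, new); old is None if new."""
    changes = {}
    for name, (l, i) in current.items():
        new = priority(l, i)
        old = priority(*previous[name]) if name in previous else None
        if old != new:
            changes[name] = (old, new)
    return changes

# Constructed sample registers: name -> (likelihood, impact).
REVIEW_2019 = {
    "Dog bite while loading a customer's car": ("Low", "High"),
    "Global pandemic": ("Low", "High"),
    "Slip on wet floor": ("High", "Medium"),
}
# Next review: only the pandemic's likelihood has been re-scored.
REVIEW_2020 = {**REVIEW_2019, "Global pandemic": ("High", "High")}

if __name__ == "__main__":
    print("Address now:", to_address(REVIEW_2020))
    print("Changed since last review:", review(REVIEW_2019, REVIEW_2020))
```
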