Thursday, July 28, 2022

Context and risk

A few days ago, I attended another of Christopher Paris's Oxebridge classes.* This one was about using Context of the Organization (COTO) as a tool to address the requirements for Risk-Based Thinking (RBT). The class was entertaining, like all of Paris's classes; but it also had solid content. If you didn't attend the session I did, there's still one more session offered on August 8 and I recommend it.

(No, Chris did not pay me to advertise his class. Do you think I should have asked him to?)

The basic idea behind the class is a simple one, but it's easy to miss: what kind of business you are in determines what kinds of risks you face. If you design medical devices, you face a different set of risks than if you manufacture cars. If you create video games, you face a different set of risks than if you operate a nuclear power plant. This should be obvious.

The reason it's easy to miss is that some organizations skimp on their COTO analysis, because they don't see the point of it. I've audited groups whose COTO analysis must have taken them ten minutes, tops.

Who are your interested parties? Shareholders, suppliers, customers, and society.

What are their expectations? Shareholders want us to be profitable, suppliers want us to pay our bills, customers want good products, and society wants us to offer jobs.

Really? That's it? I probably could have downloaded that list off the Internet too, without even knowing anything about your company.

But organizations get away with this because the documentation requirements for COTO are so thin. ISO 9001:2015 says you have to determine who your interested parties are and what they require of you, but it never says you have to keep records. And so organizations that don't understand the point of COTO do the minimum they think they can get away with, just "to satisfy the auditor." 

On the other hand, if you actually do a thorough job of analyzing your COTO, you can generate a list of your important business risks almost automatically, as a side-effect. Many of these will be topics that you are already aware of, to be sure. But don't be surprised if there are one or two that make you smack your head and ask, "Why didn't we ever think of that one before? It's so obvious now."

Paris's class walks you through how to do this work systematically, and he provides a log file template that is really elegant. It's not the only possible way to organize this information; I've seen at least one other layout I like, which looks rather different. But this one is good, and I'm happy to recommend it. 

If you haven't taken Paris's class yet, sign up for the upcoming session. And even if you pass on the training, spend some time thinking through your COTO. The effort will repay you by giving you clarity on what you are doing today and what you need to do next.    

__________

* I talk here about the last time I attended one of his classes.


No comments:

Post a Comment

Five laws of administration

It's the last week of the year, so let's end on a light note. Here are five general principles that I've picked up from working ...