Tuesday, February 21, 2017

ISO 31010:2011 Risk Assessment Techniques – I

ISO/IEC 31010:2011 Risk Management
Organizations of all types and sizes face a range of risks that may affect the achievement of their objectives. These objectives may relate to a range of the organization's activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of societal, environmental, technological, safety and security outcomes, commercial, financial and economic measures, as well as social, cultural, political and reputational impacts. Thus all activities of an organization involve risks that should be managed, and the risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.

Risk management includes the application of logical and systematic methods for:
Communicating and consulting throughout this process;
Establishing the context for identifying, analyzing, evaluating, treating risk associated with any activity, process, function or product;
Monitoring and reviewing risks;
Reporting and recording the results appropriately.

Risk assessment provides a structured process that identifies how objectives may be affected, and analyses the risk in terms of consequences and their probabilities before deciding whether further treatment is required.
Risk assessment attempts to answer the following fundamental questions:
What can happen and why (by risk identification)?
What are the consequences?
What is the probability of their future occurrence?
Are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?
Is the level of risk tolerable or acceptable and does it require further treatment?

The standard is intended to reflect current good practice in the selection and utilization of risk assessment techniques; it does not refer to new or evolving concepts that have not reached a satisfactory level of professional consensus. The standard is generic in nature, applicable to any organization, big or small, across all industries and types of systems. More specific standards may exist within these industries that establish preferred methodologies and levels of assessment for particular applications. If those standards are in harmony with this standard, the specific standards will generally be sufficient.

Go through the list below of the 31 tools given in ISO 31010:2011. Depending on the industry you are working in, you will almost certainly recognize at least some of them, even if you haven’t actually used any of the techniques to assess risk.

Tools of Risk Assessment
01. Brainstorming
02. Structured or semi-structured interviews
03. Delphi
04. Check-lists
05. Primary hazard analysis
06. Hazard and operability studies (HAZOP)
07. Hazard Analysis and Critical Control Points (HACCP)
08. Environmental risk assessment
09. Structured “What if?” (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode effect analysis
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centered maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)

Not everybody, of course, will have the resources and capabilities within the organization to attempt techniques such as fault tree analysis, cause/consequence analysis, Monte Carlo analysis or Bayesian analysis. Quality managers working for small and medium-sized enterprises (SMEs) may only dream of conducting analysis at the level required by some techniques in the list. The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that doesn’t mean that ISO 31010 isn’t a valuable reference should you ever be required to think about risk in these terms.

1. Brainstorming
Brainstorming as a technique can be particularly useful when, for example, identifying the risks of a new technology where there is no data, or where novel solutions to problems are needed. As ISO 31010 puts it, “…it encourages imagination which helps identify new risks and novel solutions”. However, it is not applicable to the risk analysis tasks of estimating consequence, probability or level of risk, which limits it; like check-lists, primary hazard analysis and most of the other ‘supporting methods’ (structured interviews, the Delphi technique and SWIFT, the structured “what if” technique), it does not provide any quantitative output.

Here are a few tips to help your next brainstorm become a resounding success:
Make the objectives crystal clear from the start.
What are you trying to find/solve?
What constraints are you operating under?
Just as with other collaborative meeting techniques, allow everyone to have a say.
Facilitate the session so that the people who are quiet have as much time in the spotlight as those who tend to dominate discussions.
Remove the possibility of anchoring by letting people generate ideas individually first, before coming together to discuss and elaborate.
Go for quantity over quality at the start.

There are various ways to conduct brainstorming; following are some of the methods used in the industry today.
Brain Writing
The general principle of this technique is to separate idea generation from discussion. The team leader shares the topic with the team, and the team members individually write down their ideas. This helps eliminate anchoring and encourages everyone on the team to share their own ideas. It also gives everyone more time to think over their ideas, which is especially helpful for your introverted participants. This brainstorming technique works best for teams who seem to be greatly influenced by the first ideas presented during a meeting.

Figure Storming
Ever considered how someone else might handle the situation? Or what they might say about a particular topic? With figure storming, you aim to do just that. Think about how someone such as your boss, a famous celebrity, or even your janitor might handle the situation. Putting yourself in new shoes can give the team a different perspective and presents the possibility of fresh ideas. This technique works best for teams who find themselves coming up with the same ideas for repetitive projects.

Online Brainstorming (Brain-netting)
These days, virtual teams are becoming more and more common across all business types, as the evolution of online, email and collaboration tools makes working remotely the norm in some environments. Having a central location online where team members can collaborate is crucial for these virtual teams; consider cloud-based document storage (e.g. Google Drive) or an online collaboration tool. This way, all the ideas are archived in one central location and can be referenced easily.

Rapid Ideation
Sometimes, time limitations can help generate ideas quickly, because you don’t have time to filter or overthink each one. With this technique, the team leader provides context beforehand with information or questions on the topic, budget, deadline, etc. Then, a time limit is set for individuals to write down as many thoughts or ideas around the topic as possible, using any mediums available. People should not worry about filtering their ideas. The time limit for your rapid ideation session can be anywhere from 5 to 45 minutes, depending on the complexity of your topic. This technique is good for teams who tend to get sidetracked, or for placing a time limit on brainstorming sessions that frequently last longer than expected.

Round Robin Brainstorming
This method begins by having the team gather in a circle. Once the topic is shared, go around the circle one by one and have each person offer an idea until everyone has had their turn. Meanwhile, a facilitator records each idea so they can be discussed once the sharing is over. It’s very important not to evaluate any ideas until everyone has had the opportunity to share. This technique is good when some of your team members have a tendency to stay quiet throughout meetings.

Star Bursting
This form of brainstorming focuses on forming questions rather than answers. Star bursting challenges the team to come up with as many questions as they can about your topic. An easy way to begin a session like this would be to start listing questions that deal with who, what, where, when, and why. This style assures that all aspects of the project are addressed before any work goes into executing it. It’s a good technique for teams who tend to overlook certain aspects of a project and end up rushing to get things done last minute.

Stepladder Technique
Developed in 1992, this style of brainstorming encourages every member in the team to contribute individually before being influenced by everyone else. The session begins with the facilitator sharing the topic or question with the whole team. Once the topic is shared, everyone leaves the room except two members of the team. These two members will then discuss the topic and their ideas. Then, one additional member is added to the group. This new member will contribute their ideas BEFORE the other two discuss theirs. Repeat this cycle until everyone from the original group is in the room. This technique is particularly useful for teams who are easily influenced by only one or two members, leading to groupthink. This also helps encourage the shy folks in the group to share their ideas without feeling intimidated by a room full of people.


2. Structured or Semi-structured Interviews
Researchers use interviews for a variety of purposes, because interviews can be used as a primary data gathering method to collect information from individuals about their own practices, beliefs or opinions. They can be used to gather information on past or present behaviours or experiences. Interviews can further be used to gather background information or to tap into the expert knowledge of an individual; for example, interviewing a subject-matter expert on a new policy will likely gather factual material and data, such as descriptions of processes. Interviews will often include the collection of both types of information. The difference between the types of interviews is readily apparent to most. Interviews can be placed on a continuum of structure, from “unstructured” to highly “structured”. Embedded in this continuum is the idea of how much “control” the interviewer will have over the interaction.

The most controlled type of interview is the structured interview, where the questions are fixed and asked in a specific order. Multiple respondents are asked identical questions, in the same order. Structured interviews most closely approximate a survey being read aloud, without deviation from the script. Structured interviews have several advantages over surveys, including lower levels of item non-response and the ability of an interviewer to mitigate inappropriate responses. However, in a structured interview, if a respondent indicates that they do not understand a question or a term in the question, the interviewer is generally limited to providing only a previously scripted explanation or defining the term as “Whatever [the term] means to you.” Otherwise, the interviewer is generally unable to provide any explanation beyond repeating the question. These interviews are often used when one has very large samples and is looking for data that can be generalized to a large population.

Semi-structured interviews are often used in policy research. Semi-structured interviewing uses a guide note with questions and topics that must be covered. The interviewer has some discretion about the order in which questions are asked, but the questions are standardized, and probes may be provided to ensure that the researcher covers the correct material. This kind of interview collects detailed information in a style that is somewhat conversational. Semi-structured interviews are often used when the researcher wants to delve deeply into a topic and to understand the answers provided thoroughly.

3. Delphi Technique
The Delphi technique is a structured, collaborative communication technique originally developed as a systematic, interactive forecasting method that relies on a panel of experts. By combining expert opinions, the aim is to support the identification of sources and influences, the estimation of probability and consequence, and risk evaluation. The experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts’ forecasts from the previous round as well as the reasons they provided for their judgments. In this way, experts are encouraged to revise their earlier answers in light of the replies of other members of their panel.

Delphi can be used to estimate the probability of adverse and positive outcomes. According to ISO 31010: “Expert opinion can be used in a systematic and structured process to estimate probability. However, expert judgments should draw upon all relevant available information including historical, system-specific, organizational-specific, experimental, design, etc. There are a number of formal methods for eliciting expert judgment which provide an aid to the formulation of appropriate questions. The methods available include the Delphi approach, paired comparisons, category rating and absolute probability judgments. The Delphi technique can be applied at any stage of the risk management process or at any phase of a system life cycle, wherever a consensus of views of experts is needed.” A true consensus approach that avoids the bias of dominant members of the team can be the wake-up call that management needs to assess risk.

4. Check Lists
A checklist is a simple form of risk identification that provides a listing of typical uncertainties that need to be considered. In common practice users refer to a previously developed list, codes or standards. Check-lists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the appropriate actions to address them. You can enhance the quality of the output by following a systematic process to identify risks by means of a structured set of prompts or questions for the experts. As a useful practice, you can start by making a check-list of the known issues in the environment that can (a) affect the conformity of products and services [risk] and (b) have the ability to enhance customer satisfaction [opportunity].

No assessor is likely to fault you for making this much effort, whether or not you have addressed these risks and opportunities in the design of your quality management system and its associated processes. However, it is also worth remembering that check-lists are most useful when applied to check that everything has been covered after a more imaginative technique that identifies new problems has been applied.

5. Primary Hazard Analysis
Preliminary hazard analysis can be defined as “a simple inductive method of analysis whose objective is to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system”. Note that the term ‘hazard’ is always used in the context of physical harm. At first sight it is not a very promising tool, but it does have advantages: it can be used when there is limited information, and it allows risks to be considered very early in the system life cycle. In some organizational contexts, such as food manufacturing, preliminary hazard analysis could be appropriate as a risk assessment tool for quality when its use helps to prevent critical non-conformities which could, for example, result in hazardous or unsafe conditions for individuals using, maintaining or depending on the product.

The remaining 26 methods will be explained in the next four articles; if you need to explore them, please read the 31010:2009 series of posts.


Friday, February 17, 2017

ISO 31000:2009 Risk Management

Risk Management – Principles and Guidelines
Risk management is an increasingly important business driver, and stakeholders have become much more concerned about risk: it is becoming a driver of strategic decision making, whether it arises as a source of uncertainty for the organization or is simply embedded in its activities. An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the ‘upside of risk’. The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard ISO 31000 ‘Risk management – Principles and guidelines’.

Risk is an intrinsic component of business management; empirical evidence shows that 50 % of small and medium-sized enterprises (SMEs) closed down before completing their fifth year. Business risks have their own consequences in terms of economic performance and professional reputation, and also have environmental, safety and social considerations. According to the ISO, ISO 31000:2009, Risk management – Principles and guidelines, has been designed to provide principles, a framework and a process for risk management which can be used by any organization regardless of its size, activity or sector. The application of ISO 31000 in combination with other standards such as ISO 9001 will help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. However, ISO 31000 is a set of guidelines that provides guidance on the minimization of external and internal risks. ‘Risk assessment’ is a fairly new term in industry today, but the practice has existed from the beginning and was neglected for centuries. It is now being considered because of extreme competition and market forces: despite the underlying element of uncertainty, it is often possible to predict risks, and to put in place systems and design actions that minimize their negative consequences and maximize the positive ones. Those risks that arise from disorder can be controlled through better management and governance, and businesses that adopt a risk management strategy are more likely to survive and to grow.

ISO 31000:2009 provides generic guidelines to design, implement and maintain an efficient risk management model throughout an organization, which can facilitate broader adoption of enterprise risk management within the organization's context, where harmonization with multiple silo-centric management systems is required. The approach enables all strategic, management and operational tasks of an organization to be captured in the risk management system across the projects, functions and processes that are aligned to a common set of risk management objectives. Thus, ISO 31000:2009 addresses a broad stakeholder group comprising executive-level stakeholders, appointment holders in the enterprise risk management group, risk analysts and management officers, line managers and project managers, compliance and internal auditors, and independent auditors.

ISO 31000:2009 also provides a list of options for dealing with the risks identified:
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
Accepting or increasing the risk in order to pursue an opportunity
Removing the risk source
Changing the likelihood
Changing the consequences
Sharing the risk with another party or parties (including contracts and risk financing)
Retaining the risk by informed decision

Risk Management Principles
Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organization and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organization (as related to the size, nature and complexity of the organization). Further, it must be aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances. This approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision making. The impact or benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy. These benefits need to be measurable and sustainable.

Nature and Impact of Risk
Risks can impact an organization in the short, medium and long term, and these risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organization, and the strategic planning horizon for an organization will typically be 3, 5 or more years. Tactics define how an organization intends to achieve change; tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations, on the other hand, are the routine activities of an organization.

Definition of Risk
There are many definitions of risk and risk management. However, the definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. In order to assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence. This definition links risks to objectives, because it can most easily be applied when the objectives of the organization are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.

In line with the current move to align management systems across standards, the ISO 31000 framework also mirrors the plan, do, check, act (PDCA) cycle that is common to all management system designs. However, as the standard states, “This framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system”. This statement encourages organizations to be flexible in incorporating elements of the framework as needed.
Major elements of the framework include:
Policy and Governance
Provides the mandate and demonstrates the commitment of the organization

Program Design
Design of the overall Framework for managing risk on an ongoing basis

Implementation
Implementing the risk management structure and program

Monitoring and Review
Oversight of the management system structure and performance

Continual Improvement
Improvements to the performance of the overall management system

The actual process of assessing risks first requires the definition of what ISO 31000 calls the “context”, where context is the combination of the external and internal environments, both viewed in relation to organizational objectives and strategies. Context setting begins during the framework phase with the examination of the organization’s internal and external environments, but management should continue this assessment in greater detail here and focus on the scope of the particular risk management process.

The remaining assessment steps involve developing techniques to identify, analyze, and evaluate specific risks. While multiple documented methods and techniques exist, all should include the following key elements:

Risk Identification
Identification of the sources of a particular risk, areas of impacts, and potential events including their causes and consequences
Classification of the source as internal or external

Risk Analysis
Identification of potential consequences and factors that affect the consequences
Assessment of the likelihood
Identification and evaluation of the controls currently in place

Risk Evaluation
Comparison of the identified risks to the established risk criteria
Decisions made to treat or accept risks with consideration of internal, legal, regulatory and external party requirements
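The analysis and evaluation elements above can be carried through on a small risk register. The following Python script is an added example, not code from the page or from the standard: it scores each risk on a 5x5 consequence/probability matrix (technique 29 in the ISO 31010 list), applies the controls currently in place to obtain a residual score, compares that score to assumed risk criteria, and picks a treatment option from the ISO 31000 list. The ordinal scales, the banding of matrix cells into low/medium/high, the acceptable-score threshold and the four sample risks are all constructed for illustration.

```python
"""Risk analysis and evaluation over a constructed risk register.

Added example (not from the page or the standard). Scales, banding,
the acceptance threshold and the sample register are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A control currently in place, expressed as steps down the 1..5 scales."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    rid: str
    source: str          # "internal" or "external", per the Risk Identification element
    event: str
    consequence: int     # 1..5 before controls (assumed ordinal scale)
    likelihood: int      # 1..5 before controls (assumed ordinal scale)
    controls: list = field(default_factory=list)


def clamp(value, lo=1, hi=5):
    """Keep a scale value inside the assumed 1..5 range."""
    return max(lo, min(hi, value))


def inherent_score(risk):
    """Matrix cell before any controls: consequence x likelihood."""
    return risk.consequence * risk.likelihood


def residual_levels(risk):
    """Apply the controls currently in place (Risk Analysis, third bullet)."""
    c = clamp(risk.consequence - sum(k.consequence_reduction for k in risk.controls))
    l = clamp(risk.likelihood - sum(k.likelihood_reduction for k in risk.controls))
    return c, l


def residual_score(risk):
    c, l = residual_levels(risk)
    return c * l


def band(score):
    """Assumed banding of the 25 matrix cells into three levels."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Assumed risk criterion: residual scores at or below this are acceptable.
ACCEPTABLE_SCORE = 7


def evaluate(risk):
    """Risk Evaluation: compare to criteria and choose an ISO 31000 treatment option."""
    score = residual_score(risk)
    level = band(score)
    if score <= ACCEPTABLE_SCORE:
        decision = "retain the risk by informed decision"
    elif level == "medium":
        decision = "treat: change the likelihood or the consequences"
    else:
        decision = "treat: avoid, remove the risk source, or share the risk"
    return {"id": risk.rid, "source": risk.source, "inherent": inherent_score(risk),
            "residual": score, "band": level, "decision": decision}


def evaluate_register(register):
    """Evaluate every risk and return them prioritized by residual score."""
    return sorted((evaluate(r) for r in register), key=lambda x: -x["residual"])


# Constructed sample register (not real data).
REGISTER = [
    Risk("R1", "external", "phishing leads to staff credential theft", 4, 5,
         [Control("multi-factor authentication", likelihood_reduction=2),
          Control("awareness training", likelihood_reduction=1)]),
    Risk("R2", "internal", "backup media lost in transit", 5, 2,
         [Control("encryption of backups at rest", consequence_reduction=3)]),
    Risk("R3", "external", "key supplier outage halts production", 3, 3),
    Risk("R4", "internal", "unpatched internet-facing server compromised", 5, 4),
]

if __name__ == "__main__":
    for row in evaluate_register(REGISTER):
        print(f"{row['id']} inherent={row['inherent']:2d} residual={row['residual']:2d} "
              f"{row['band']:6s} -> {row['decision']}")
```

The point the numbers make is the one the text makes in words: the inherent score says where to look, but the treat-or-accept decision belongs to the residual score after existing controls are credited, and the decision rule itself (threshold and bands) is a statement of the organization's risk criteria, which should be agreed with stakeholders before the register is scored.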

Those interested in each of the risk assessment techniques and methods should refer to ISO/IEC 31010 (please refer to the next article). The complexity of the methods and the extent of analysis required are highly dependent on the nature of the organization, and management should consult with all stakeholders when developing an appropriate approach. Overall, management should develop and implement risk treatments to reduce residual risks to levels acceptable to key stakeholders, and monitor and adjust them to ensure efficiency and effectiveness.

Key Aspects of Planning Risk Management
There is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward; this applies to any organization, including those never certified to any standard.
Organizations need to understand the overall level of risk embedded within their processes and activities; it is important for organizations to recognize and prioritize significant risks and to identify the weakest critical controls.
The expected benefits of the risk management initiative should be established in advance when setting out to improve risk management performance.

The outputs from successful risk management include compliance, assurance and enhanced decision-making, which will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organization.