Risk analysis and mitigation is important in managing any project. Six Sigma is no different in this regard. You’ll need to understand what risk is, how it can affect your project, and what to do about it.

Risk comes from not knowing what you’re doing.

Warren Buffett

What is Risk?

Put simply, a risk is a chance of something negative happening. In the context of Six Sigma, risks are things that can delay, halt, or harm your project.

There are a few different types of risk:

  • External Risk: Occurrences outside your company that you have little to no control over. For example, natural disasters, social changes, and government policy modifications.
  • Enterprise Risk: The risks that can affect the entire organization and its ability to achieve its objectives. These risks are often strategic in nature and can have a significant impact on the overall success of the business. For example, A new competitor entering the market with disruptive technology that could obsolete the organization’s products.
  • Operational Risk: The risk associated with the day-to-day operations of an organization. It includes risks arising from internal processes, systems, people, and external events. For example, A manufacturing company faces operational risk if a key supplier fails to deliver critical components.
  • Occupational: This type of risk occurs when day-to-day operations a company relies on fail, including internal systems, processes, and staff. For example, this could include IT systems, department policies, and daily functions and routines.
  • Product Risk: The risk is associated with the potential issues or failures related to the development, manufacturing, or performance of a product or service. For example, A technology company faces product risk if a newly launched software product has undetected bugs.
  • Personal Risk: Issues arising from staffing issues, management problems, and the like. For example, a subject matter expert resigns, leaving you without a key source of knowledge.
  • Technical Risk: Problems with technology and automation (can also be considered part of operational risk). For example, a company might find that its current automated production hardware can’t be configured to use a new algorithm that would decrease production time.
  • Supplier Risk: Supplier risk involves the potential negative impact on an organization due to the performance or actions of its suppliers. This can include disruptions in the supply chain, quality issues, or financial instability of key suppliers. For example, you might need material for producing a new part. Conversely, you might be reliant on getting enough cloud resources to test a new SaaS product.
  • Security Risk: The risk pertains to the potential harm that may arise from unauthorized access, data breaches, or other security incidents that compromise the confidentiality, integrity, or availability of information assets. For example, A financial institution faces security risk if there is a cyberattack that results in unauthorized access to customer financial data.
  • Cyber Security: Cybersecurity risk is a subset of security risk that specifically focuses on the threats and vulnerabilities related to information technology systems, networks, and data. For example, An e-commerce company is exposed to cybersecurity risk if there is a successful ransomware attack that encrypts customer data.

Note: You’ll find that every industry and company tends to define its risk categories differently, according to need. You’ll rarely use the exact categories mentioned above. What matters is that you understand the wide varieties and sources of risk, then you can adapt as needed.

Risk is what’s left over when you think you’ve thought of everything.

Carl Richards, Future Babble

Process to Identify, Assess, and Prioritize Risks:

Risk Identification:

  • The initial step in Risk analysis is to gather input from key stakeholders, including employees, management, customer feedback, and external parties.
  • Utilize historical data, industry reports, process data and scenario analysis to identify potential risks.
  • Conduct brainstorming sessions with relevant stakeholders

Assessment:

  • Evaluate the likelihood and potential impact/severity of identified risks.
  • Use qualitative and quantitative methods
  • Assess the current detection method and rank it quantitatively

Prioritization:

  • Rank risks based on their potential impact and likelihood.
  • Consider the organization’s risk tolerance.
  • Use Risk priority number (RPN) based on severity, occurrence and detection to identify high risk items
  • Focus on high-priority risks that require immediate attention.

Monitoring and Mitigation:

  • Implement risk mitigation strategies and action plans.
  • Continuously monitor the risk landscape for changes.
  • Adjust risk management strategies based on evolving circumstances.
  • Communicate risk information to relevant stakeholders.

What We Can Do About Risk

Every project will contain risks. Some of them you’ll be aware of; some of them will hit out of the blue. No matter how hard you try, you can’t eliminate all risks from a project. So why are we even talking about this? Because through risk analysis and mitigation, you can decrease the chances of big negative effects on your project results. Or in other words: you can give your projects their best possible chance of success. Risk analysis and mitigation require identifying your risks, understanding how they might affect your project, and then figuring out what you can do to minimize their effects.

Risk analysis and mitigation process. Identify, Analyze, and Mitigate.
Image: Risk analysis and mitigation process

Risk Mitigation vs Risk Avoidance

You’ll sometimes see ‘mitigation’ and ‘avoidance’ used together, but when it comes to risk, these are quite different concepts. That’s because while risk analysis and mitigation focus on handling risky situations, risk avoidance tries to eliminate them.

“Isn’t it good to avoid all risk?” you might ask. Emotionally, yes. But every great endeavor involves an element of risk. Remove all risks from your project, and you end up with a boring, bland, uninspiring result.

All good projects will have risks attached to them. Your job isn’t to take away all the risks but minimize their negative effects.

And the trouble is, if you don’t risk anything, you risk even more.

Erica Jong

How to Identify Risks

So you know what risk is and the main types of risk you could encounter. How do you actually identify the risks your particular project could face? There are a few methods you could use:

  • Brainstorming: Sit down with team members and subject matter experts to throw around some ideas for risks in the major risk categories.
  • Learned lessons: What did you learn from previous projects? Are any of the negatives applicable to the new project?
  • Keystones: What are the important supports on which the project relies? These could be people, regulatory requirements, a piece of technology, or an environmental situation. For example, say you’re designing a new piece of hardware for the building industry. Your keystones might be a supply of cheap steel from overseas and a continued boom in the commercial building industry.
  • Assumptions: This is tricky because it requires you to question points that you unconsciously consider factual. Sit down with your team to identify your assumptions about the project. For example, all team members will always be available to work in the office.
  • Fault tree analysis: This tool allows you to chart a process and its potential failure points. See Fault Tree Analysis for more information.
Video: Risk Identification Techniques

How to Analyze Risks

Once you’ve identified your risks, the next step is to analyze them. The analysis allows you to understand the risks that your project faces. You’ll then be able to prioritize them by severity and likelihood.

Properly analyzing your risks at this stage ensures that:

  • The most dangerous risks can be dealt with appropriately.
  • You don’t waste resources countering risks that aren’t important.
  • Your team can channel their efforts into getting the most benefit.
  • The project is safeguarded wherever practical.

Good risk analysis improves stakeholder confidence, minimizes unexpected expenditures, and allows for appropriate resource allocation.

Risk analysis tools

There are a few tools that you can use in your risk analysis:

Risk analysis results

At the end of your risk analysis, you should have a list of risks prioritized by danger level and likelihood.

How to Mitigate Risk

Once you fully understand the risks to your project, the next step is to mitigate those risks. To mitigate a risk means to limit negative effects as much as reasonably possible. You will rarely completely negate a risk. Rather, it’s like installing airbags into a car. The airbags won’t stop you from having a traffic accident. However, they will give you some protection if you have a collision with another vehicle at speed.

Each of your risk mitigation strategies should either:

  • Limit the chances of a negative event occurring, or
  • Limit the effects of a negative event if it occurs.

Add at least one mitigation strategy to each risk. You might find that you can apply a single strategy to more than one risk–this is good!

Video: Harry Hall talks about risk mitigation

Action

It’s all very well to have strategies to mitigate risk. But these are useless to you if you don’t follow through and do something. While you can put some into place immediately, others will be contingency based. You won’t be able to enact these. However, you can clear the path to ensure that the process will be easy and smooth if you need to implement them.

Example Risk Analysis and Mitigation

A construction company has a large CBD building project beginning soon. It needs to identify, analyze, and mitigate risks to the project.

Identify

The project team brainstorms and looks at similar past projects to gather a list of risks for the project.

Analyze

The team uses a feasibility study and risk assessment matrix to analyze and prioritize the risks that the project faces. It determines that the highest priority risk is that issues with shipping will cut supply lines and halt construction on the site.

Mitigate

While changing to a local supplier would eliminate that risk, it would also increase costs dramatically. The project team decides that the cost outweighs the benefit of eliminating the risk. However, it decides to make local suppliers an alternative option if the shipping issues actually occur. Getting a new supplier signed off requires quite a bit of paperwork and due diligence. If the problem hits, the team doesn’t want the project held up during this sign-off process. Instead, it starts the process at the beginning of the project, so it can quickly and easily switch to local suppliers if it can’t get material from international suppliers.

Note that this solution does not in any way change the potential event. The chances of international shipping disruption remain exactly the same. What the team has changed, though, is the negative impact that the event would have. The project might have higher costs due to higher prices from local suppliers, but it shouldn’t experience a time delay.

Authors

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.