{"id":5967,"date":"2015-08-24T08:20:09","date_gmt":"2015-08-24T13:20:09","guid":{"rendered":"http:\/\/www.oxebridge.com\/emma\/?p=5967"},"modified":"2015-10-23T17:04:55","modified_gmt":"2015-10-23T22:04:55","slug":"practical-implementation-of-risk-based-thinking-part-2","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/practical-implementation-of-risk-based-thinking-part-2\/","title":{"rendered":"Practical Implementation of “Risk Based Thinking” – Part 2"},"content":{"rendered":"

Part 2:\u00a0Defining Risk and Opportunity<\/strong><\/p>\n

(For Part 1, click here<\/a>.)<\/em><\/p>\n

From the information you have derived from the COTO exercise<\/a>, you now have a better understanding of the company, it’s stakeholders, internal and external issues of concern, and other factors which will build the framework for your thinking about risk.<\/p>\n

You will also realize that because the information derived from the COTO exercise\u00a0will be\u00a0different for every company, the\u00a0risks will also be different for every company.\u00a0This means no auditor can tell you what your risks are.<\/em><\/strong> (Of course they are going to anyway, but you have to push back.) You<\/em> <\/strong>decide which risks are going to be managed… no one else. This is explicitly hard-coded into the standard, which says:<\/p>\n

6.1.1 When planning for the quality management system, the organization<\/em> <\/strong>shall …\u00a0determine the risks and opportunities that need to be addressed.<\/p><\/blockquote>\n

In the AS9100 scheme, which has had requirements for risk management since 2009, we have seen auditors come on site and try to dream up risks during the audit, and then play “gotcha” with the client. Despite being presented with formal risk registers, they will stroke their chin\u00a0and muse on things you’ve missed:\u00a0“well, did you think of whether or not a meteor will strike your HR manager on her way to work?” or “did you assess the risk of a zombie apocalypse?” Now, under 9001:2015, you get to tell them to\u00a0STFU <\/a>and look at the risks you’ve addressed, to stop auditing by fantasy, and for God’s sake, stop stroking their\u00a0chin.<\/p>\n

Re-Defining Risk and Opportunity<\/strong><\/p>\n

So the next step is to “determine” your risks. Unfortunately, we have another slight speedbump: ISO has completely mucked\u00a0up traditional concepts of risk. The reasons for this are complicated and political<\/a>, and not at all universally agreed-upon. There are two camps: one that thinks “risk” is neutral, and thus can be either negative or positive (thus defying the dictionary) and the other that believes risk is solely negative.\u00a0 The “positive risk” crowd has won over the ISO Technical Management Board and the authors of ISO 31000 on risk management, but did not win over TC 176. In fact, the “positive risk” debate is one of the main sticking points for ISO 9001 ratification across\u00a0the world.<\/p>\n

Why does this matter? Wouldn’t it be nice to let ISO have their fight and watch from the sidelines? Well, this has a real-word impact on you right now. You see, normally you work to mitigate risk — meaning minimize<\/em> <\/strong>it — because it’s bad. If you suddenly treat risk as “positive” then you would want to maximize<\/em> <\/strong>the possibility of the risk, right? But you can’t use the same tools to both minimize and maximize something at the same time. SWOT comes close, but other traditional tools like FMEA focus only on reducing\u00a0risk, understanding that risk is inherently bad. Other tools might work to maximize opportunities (such as expanding business development leads) but these wouldn’t work for reducing negative risk.<\/p>\n

The Silver Lining Theory<\/strong><\/p>\n

The “positive risk” camp tends to defend its view using what I have dubbed the “Silver Lining Theory” — this is where they paint risk as being positive only because there may be an accidental benefit of an otherwise disastrous thing. The example I often hear is the “hurricane” scenario: a hurricane is a bad thing because it causes damage.\u00a0The “Silver Lining” crowd says that a hurricane is also positive, since the destruction it leaves behind becomes an opportunity for those in the construction industry.<\/p>\n

The reason the Silver Lining Theory fails is when you try to apply it in a practical way. Remember, for negative risk we work to minimize the likelihood and severity; so\u00a0companies must reduce the risks associated with hurricane damage by having\u00a0business continuity plans in place, escape routes, shelters, data backups. etc.<\/p>\n

\"devil\"Remember too that positive opportunities must be managed to increase their likelihood and maximize the benefits. However, those in the construction industry cannot\u00a0increase the likelihood of a hurricane, and cannot maximize the damage (which to them is a benefit) unless they hire hordes of looters to tear the city apart, which they can rebuild later. Not a great business plan.<\/p>\n

The best a construction company can do is plan to have additional resources ready (reconstruction teams, hardware, etc.) in the event there is damage they can repair. But that’s not the same as risk management since mere planning does not increase either likelihood or severity. And, in fact, they may expend money to have those resources ready and it be all for naught, if the hurricane doesn’t make landfall at all. In which case, they’ve created a\u00a0problem (now they’re broke) and not achieved any opportunity. Not to mention they need to do all of this while mitigating their own exposure to the damage of the hurricane, like making sure the people they have on standby don’t get killed themselves. None of this magically turns a hurricane into a good thing; it just tries to examine the “silver lining” behind an\u00a0overwhelmingly bad thing.<\/p>\n

(The most ghoulish explanation I’ve heard is related to cancer. A few “positive risk” advocates claim that cancer is good because it creates jobs. They ignore the fact that those jobs are seeking to eradicate\u00a0cancer, an admission that cancer researchers never view cancer as an “opportunity” but as a risk that must be eliminated.)<\/p>\n

A “pure” positive opportunity exists, first and foremost, as an opportunity; it\u00a0is not an\u00a0accidental positive side effect of a bad thing, it is inherently good to start with. For example, a positive opportunity might be that the government puts a $5 Billion contract out for bid, and it’s something your company is qualified in. Another opportunity might be you find $100 on the street, or prices drop on a critical raw material, or that nerdy engineer who works in the lab and smells like tuna fish accidentally invented antigravity. All these things are positive first; they may have hidden negatives (a “tarnished silver lining” if you will) but they are primarily opportunities. You work to exploit them, not run from them.<\/p>\n

The Uncertainty Battery<\/strong><\/p>\n

So what you have is the reality that uncertainty is neutral<\/em><\/strong>, while\u00a0“risk” and “opportunity” are the negative and positive aspects of uncertainty.\u00a0If you imagine a battery is, itself, neutral and only the poles have a charge, then you begin to understand the true nature of uncertainty:<\/p>\n

\"riskbattery\"<\/p>\n

So the\u00a0Oxebridge view is that uncertainty<\/strong> <\/em>is neutral; risk is the negative effect of uncertainty<\/strong><\/em>, and opportunity is the positive effect of uncertainty<\/strong><\/em>. This interpretation has the benefit of (a) complying with English dictionaries and (b) actually making sense. I strongly suggest you adopt this view to proceed, but if you do, you may need to indicate this in your QMS documentation somewhere. Auditors may come in and disagree, depending on which ISO school of thought they were trained in, but\u00a0you<\/em> <\/strong>get to define concepts for your QMS, not them.<\/p>\n

The ISO 9000 Problem<\/strong><\/p>\n

An aside: some will say that ISO 9001 calls out the definitions in ISO 9000 as a “normative reference” which thus makes the\u00a0definition of “risk”\u00a0from ISO 9000 a mandatory requirement. This is not true, and you must be ready to defend yourself against this argument as well. Here are the talking points for your defense:<\/p>\n