© 2007 MAS Solutions LLC. All Rights Reserved.
BULLET-PROOF YOUR BUSINESS

   Mark A. Randig
   President,
   MAS Solutions LLC.

Risk in business is a reality and, to some degree, is inherent to all organizations. Risk can manifest itself in many forms, from risk that is associated with the consequences of natural events (e.g., flood, fire, tornado, hurricane) to more business-specific concerns including health and safety, professional liability, environmental impact, and others.

When we use the term “Bullet-Proofing” in relation to risk, what we’re referring to is risk management. A “Bullet-Proof” business is one that has established effective risk management practices to identify and prioritize risk and that has developed appropriate strategies to control the consequences should such risk be realized.

While specific risk management practices may vary, they are all similar in their attempts to achieve the following outcomes:

To identify high-risk areas where a process, product or service might fail;
To prioritize high-risk areas to aid in effective risk management; and
To assist in the development of controls to prevent the causes of those failures.

An abbreviated technique for risk management is detailed in the paragraphs that follow. As both a home and business owner in Houston, Texas, I’ve used hurricane preparedness as my example. Houston is located near the Gulf of Mexico, and is frequently threatened by such occurrences.


The Identification Process

The first step in effective risk management is identification. To perform this step effectively, an organization must analyze its entire system of business processes, to determine the sequence and interaction of key activities. Once these activities are defined, they can be used to establish where the potential for failure lies.

For our hurricane preparedness exercise, we’ve organized this information by Activity (system or process) and its related Aspects (failure modes) and Impacts (consequences), as shown below:


Table 1 - Activity, Aspects and Impacts

Needless to say, the table above illustrates only a sampling of the entire analysis. It’s not uncommon for such a review to be several pages and cover a hundred or more issues.

Feel free, if developing a table like this, to use whatever terminology best fits your organization. I’ve used Aspects and Impacts because that’s the terminology I’m most comfortable with; the table would work just as well, however, with the terms Hazards and Risks substituted.


The Prioritization Process

The second step of the process is to prioritize each risk. This is necessary to identify those types of potential risk with the greatest consequences.

For our hurricane scenario, we’ll assign a subjective ranking to each risk, based on the following criteria:

The Severity (S) of each consequence on a scale of 1-10.
The Probability of Occurrence (PO) on a scale of 1-10.

By then multiplying these two values (S x PO), we can obtain a Significance Rating (SR) for each risk. The higher the “SR” value, the greater the risk that is present (see Table 2):


Table 2 - Severity, Probability and Significance Rating

Based on the above results, in the event of a hurricane, our greatest risk appears to be the loss of data that would occur in the event of a power outage (SR=80). The lowest risk would be from broken windows; while possible, their overall significance is relatively low.


Establish Controls

The third, and final, step of this process is to determine what, if any, additional controls are necessary to reduce the risks identified previously. To manage this risk, it may be necessary to implement controls that adjust either the severity of the risk or its probability of occurrence, or both.

The tables below show a before-and-after comparison of risk, as it relates to our hurricane exercise. Table 3a shows risk based on existing controls, and Table 3b shows risk after applying risk management controls.



Table 3a - Risk Prioritization Based on Existing Controls

Table 3b - Revised Risk Significance with Increased Controls

Note that in Table 3b, the Significance Rating (risk) for each of these items has been reduced considerably.

Based on the example above, I’d say that we’ve been successful in preparing for our hurricane. I must point out, however, that in real life this process should be iterative. This analysis should be periodically reviewed and updated as part of a comprehensive, ongoing effort to manage risk.
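
An added example, not part of the original article: the three steps above as a small Python risk register that validates the 1-10 scales, ranks by SR = S x PO, and re-ranks after controls are applied. Every S and PO value, the flooding and road-closure rows, and the controls are constructed for illustration; only the power-outage SR of 80 and broken windows as the lowest risk follow the article's stated results.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    activity: str
    aspect: str        # failure mode
    impact: str        # consequence
    severity: int      # S, 1-10
    probability: int   # PO, 1-10

    def __post_init__(self):
        for field in ("severity", "probability"):
            if getattr(self, field) not in range(1, 11):
                raise ValueError(f"{field} must be 1-10 for {self.aspect!r}")

    @property
    def sr(self):
        return self.severity * self.probability  # SR = S x PO

def prioritize(risks):
    """Highest Significance Rating first; ties go to the more severe risk."""
    return sorted(risks, key=lambda r: (r.sr, r.severity), reverse=True)

def apply_controls(risks, controls):
    """controls maps an aspect to its revised severity and/or probability."""
    unknown = set(controls) - {r.aspect for r in risks}
    if unknown:
        raise KeyError(f"controls for unregistered aspects: {sorted(unknown)}")
    return [replace(r, **controls.get(r.aspect, {})) for r in risks]

def residual_report(before, after):
    """(aspect, SR before, SR after) rows, ranked by the SR that remains."""
    baseline = {r.aspect: r.sr for r in before}
    return [(r.aspect, baseline[r.aspect], r.sr) for r in prioritize(after)]

# Constructed register: all S and PO values are illustrative.
REGISTER = [
    Risk("Facility", "Broken windows", "Water and debris intrusion", 3, 4),
    Risk("IT systems", "Power outage", "Loss of data", 10, 8),
    Risk("Staffing", "Road closures", "Employees cannot reach the site", 5, 6),
    Risk("Facility", "Flooding", "Damaged equipment", 8, 5),
]
# Constructed controls: off-site backups, raised storage, storm shutters.
CONTROLS = {
    "Power outage": {"severity": 2},
    "Flooding": {"severity": 4, "probability": 3},
    "Broken windows": {"probability": 2},
}

if __name__ == "__main__":
    for row in residual_report(REGISTER, apply_controls(REGISTER, CONTROLS)):
        print("%-15s SR %2d -> %2d" % row)
```

With these constructed values the untreated road-closure risk becomes the top residual item once the others are controlled, which is the case the periodic review is meant to catch.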


Conclusion

“Bullet Proofing” a business is one of the most important activities that a business owner can undertake. Risk is a reality, and it’s important for a business to develop the ability to manage risk before it is realized with potentially devastating consequences to the business.

To realize “too late” that a core business system or process is vulnerable may, in the best case, subject the business to operations down-time and/or losses in revenues. In the worst case, this may result in a loss of the entire business with considerable financial consequences to customers, owners and employees alike.

A “Bullet-Proof” business is one that has established effective risk management practices to identify and prioritize risk and that has developed appropriate strategies to control the consequences should such risk be realized, thus avoiding the “too late” scenario. Through an awareness and understanding of the risks that are present, we can implement the necessary controls to mitigate, or eliminate where possible, these risks before their effects can negatively impact our business.

