Showing posts with label risk. Show all posts

Saturday, December 09, 2023

Risk and objectives

With ISO 9001:2015 came the risk based approach, and with ISO 9000:2015 came a definition of risk:

"Risk - effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected"

It took me just over two years to realize the importance of Note 1 and formulate this approach:

"Therefore, in a strategic approach, the policy must be broken down into objectives for the management system (MS). These objectives cannot be established in a vacuum, but must consider the external context of the organization, its internal reality, and the expectations and values of relevant interested parties.

...

Assessing the external context, internal reality, and interested parties expectations and values allows for the identification of a set of risks that could hinder the company's ability to achieve its performance objectives, as well as a set of opportunities that could potentially benefit the company's ability to reach its performance targets. These risks and opportunities should be evaluated, and actions should be taken to minimize risks and capitalize on opportunities, based on priorities. These actions will be part of achieving the objectives of the desired future MS.

...

Thus, clauses 4.1 and 4.2 of ISO 9001:2015 refer to a moment prior to defining objectives aligned with the policy, influencing it. Meanwhile, clause 6.1 of ISO 9001:2015 refers to a moment after defining objectives, which may contradict or benefit their fulfillment."

This means that we should not determine risks and opportunities in the abstract, but rather by considering the objectives of the management system. Failing to do so runs the serious risk of generating long lists of risks and opportunities resulting from free brainstorming, but with little added value for organizations.

I had never looked for the definition of risk in ISO 31000 ... until some weeks ago.

According to ISO 31000, risk is defined as the effect of uncertainty on objectives. This implies that risk is the possibility of a positive or negative impact on an organization's objectives. Uncertainty refers to the state of having incomplete or imperfect information about something.

The relationship between risk and uncertainty is that uncertainty is the source of risk. In other words, risk cannot exist without uncertainty. For example, if you know with certainty that something will happen, then there is no risk. However, if you don't know with certainty what will happen, then there is a risk.

This definition matters because it makes clear that risk is not only about the probability of something happening. It is also about the impact that the event, if it happens, will have on the organization's objectives.

Here are some examples of how uncertainty can lead to risk:

  • A company that is planning to launch a new product is uncertain about how the product will be received by consumers. This uncertainty could lead to risk if the product is not well-received and the company loses money.
  • A bank is uncertain about the future of the economy. This uncertainty could lead to risk if the economy takes a downturn and the bank loses money.
  • A government is uncertain about the future of the political climate. This uncertainty could lead to risk if there is a coup or other political instability.

As you can see, uncertainty can lead to risk in many different ways. It is important for organizations to understand the different types of uncertainty that they face and to develop strategies for managing them.

Uncertainty is generated by the internal and external context.

How do you determine risks in your MS, do you take objectives into account?

Monday, February 08, 2021

"how to shape the future"

"The future is not about prediction but about shaping the future with agile experimentation on what works and what does not work

Regardless of how much you plan, you will not predict the future because neither customers nor companies can anticipate what is possible. The only way to push for radical innovation is to accept the uncertainty and thereby accept that with more traditional planning we cannot predict the future.

By saying so, I do not mean that we need no planning or management anymore. We even need it more than ever, but with a different aim. The aim should not be to predict the future but to plan a creative process for how to shape the future."

Recall the risk-based thinking that ISO 9001 proposes: what can go wrong?

Recall the grey rhinos and the fragilists:

On 2 January 2016 I wrote in "O não-fragilista prepara-se para os problemas" (The non-fragilist prepares for problems):

"Fragilists assume that the worst will not happen and therefore design plans that turn out to be unrealistic or not very resilient. Then, when things do happen, it is time to blame others for the problems they failed to foresee, did not want to foresee, or helped to create."

In July of the same year, in "O fragilismo" (Fragilism), I wrote:

"Fragilism always expects the best from the future and anticipates no upsets. It believes the stars will align in our favour and sees no need for precaution, just in case."

Excerpt taken from "The missing part for business model innovation: The process"

Wednesday, January 27, 2021

Risk analysis

The next time someone in your quality or environmental management system tells you that your company's risk analysis needs updating, remember this event at Hospital de Amadora-Sintra with the oxygen supply.

Any organization's performance is limited by its weakest link. Any organization that needs to increase production capacity patches the weakest link, only to find another weakest link next, and so on. What is called the Theory of Constraints addresses this topic.

Some constraints are clear and we know when they will appear, for example the limitation of people. Others, however, are less visible and are only considered when they manifest themselves.

One way to prevent them from manifesting is to carry out a risk analysis periodically.

Do not underestimate this exercise.

Monday, June 29, 2020

"Risk is failure of a projected narrative"

ISO 9001 addresses the risk-based approach.

"The Oxford Dictionary defines risk as 'the possibility that something unpleasant or unwelcome will happen'.
Risk in its ordinary meaning concerns unfavourable events, not beneficial ones.
Risk is asymmetric. We do not hear people say 'there is a risk that I might win the lottery' because winning the lottery is not something they would describe as a risk. They do not even say 'there is a risk I might not win the lottery' because they do not realistically expect to win the lottery. The everyday meaning of risk refers to an adverse event which jeopardises the realistic expectations of the individual household or institution. And so the meaning of risk is a product of the plans and expectations of that household or institution. Risk is necessarily particular. It does not mean the same thing to J. P. Morgan as it does to a paraglider or mountain climber, or to a household saving for retirement or the children's education.
Very often, the risks that concern us are not risks to the status quo, but risks to our plans to change that status quo.
We believe the best way to understand attitudes to risk is through the concept of a reference narrative, a story which is an expression of our realistic expectations. For J. P. Morgan, the overarching reference narrative is one in which the bank continues profitable growth. A large corporation will have many strategies for achieving that overarching objective in particular areas of its business and there will be a reference narrative relating to each business unit. Some of these business unit reference narratives may be very risky, but the corporation may tolerate such risks provided they do not endanger the reference narrative of the organisation as a whole.
And since different people start with different reference narratives, the same risk may be assessed by different people in different ways. Risk may not be the same for those who work in an organisation as it is for the shareholders of that organisation.
Risk is failure of a projected narrative, derived from realistic expectations, to unfold as envisaged. The happy father anticipating his daughter’s wedding has in mind a reference narrative in which events go ahead as planned. He recognises a variety of risks – the prospective bridegroom has cold feet, a torrential downpour drenches the guests. There is an implied measure of risk in such assessment – an outcome can fall short of expectations by a narrow margin or a wide one. The scale of that risk may or may not be quantifiable, before or after the event. But this interpretation is very different to the view that has come to dominate quantitative finance and much of economics and decision theory: that risk can be equated to the volatility of outcomes.”
Excerpts taken from "Radical Uncertainty" by John Kay and Mervyn King

Saturday, February 01, 2020

Monitoring risks - Frequency

Last Thursday I was asked how often to update the risk assessment in a quality management system according to ISO 9001:2015. I gave an answer along these lines:
"At least annually, but that is not very effective, the more the risk based approach is embedded in the organization’s management system, the more frequently it should be performed. Every day, I see in newspapers external events that can generate risks and opportunities. For example, will this coronavirus crisis have an impact in your own organization? I try to implement the risk-based thinking in all management meetings, at several levels."
In the meantime, I had the opportunity to read an interesting article on risk and supply chains, "Supply chain risk management is back", and I saw the answer to the question from another perspective:
"A systematic classification of risks, and development of a related response strategy, is essential to improve supply-chain resilience strategically—while keeping required investment to a minimum. A simple framework can help by classifying risks on two axes: the vertical estimates to what extent a risk can be anticipated, while the horizontal quantifies the risk’s expected impact.

  • “Manageable surprises” are difficult to anticipate but manageable in terms of impact.
  • “Black swans” are hard to anticipate and severe in terms of impact.
  • “Brewing storms” can be anticipated and will have a high impact once they materialize.
  • “Business challenges” are typically low-impact risks that can be both anticipated and managed quite easily."
Each quadrant deserves a different treatment:
"For each of the quadrants, a specific set of response strategies can be developed. A reactive risk-management approach should be taken for risks that are difficult to predict, and a more proactive approach for those with higher predictability.
  • Low-impact risks that are hard to anticipate, such as the bankruptcy of an individual supplier or a localized conflict in a country without major operations, can be accepted or avoided to a certain extent by diversifying operations. Systematically implementing a dual-sourcing strategy, through nominating new suppliers or negotiating a second source of supply from the same supplier, helps mitigate this risk category.
  • High-impact risks that are hard to anticipate, including natural disasters, terrorist attacks, or cyberattacks, can be managed by building strong crisis-management capabilities and resilience throughout the system. A supply-chain risk-management team can introduce a systemic risk-monitoring process which can be enhanced by regular scenario-planning exercises. Through keeping healthy reserves for parts with long recovery times, companies can prevent some supply-chain disruptions. Another way to mitigate risks which are difficult to anticipate is transferring risk to other parties: taking out insurance and introducing risk-related contract language are possible answers.
  • Low-impact risks that are relatively easy to anticipate, such as labor disputes, regulatory changes, or changes in customer preferences (for minimal plastic usage or increased product sustainability, for example) can be managed proactively by increasing the robustness of the supply-chain system. The most important single measure, though, is solid training of the workforce to handle everyday risks. Encouraging employees to voice concerns about possible defects and disruptions helps create a general risk awareness as a first step to managing disruptions. IT systems and tools can then help to continuously monitor disruptive trends and events.
  • High-impact risks that are relatively easy to anticipate, including Brexit, US–China trade regulations, or decarbonization targets, need the most attention. A systematic review of the supply-chain setup may be advisable. Possible response strategies include redefining the sourcing strategy by, say, raising the share of local suppliers, or revisiting the manufacturing footprint by moving some manufacturing operations out of certain areas. Establishing CKD operations in countries with high import taxes on finished products can be another option. The review of the inventory build-up strategy helps optimize service levels by increasing safety-stock levels for critical components which cannot be sourced from alternative locations. In some cases, preparing for changes in demand can be an appropriate answer."
One way to make risk management more efficient is to vary the attention each risk receives according to how well it can be anticipated and how large its impact would be: the predictable, high-impact quadrant gets proactive review, while the unpredictable quadrants get crisis-management capability and reserves rather than detailed prediction.

Now I'm remembering an example from Tom Peters in the book "Re-Imagine" about Dell's answer to problems in the supply chain... managing risks wasn't managing risks, it was doing normal business.

Wednesday, January 15, 2020

Context, interested parties and risks (part III)

Part I and Part II.

The following excerpt is all about context and risks:
"Many of the world’s problems stem from the false belief that we can accurately predict the future.
...
We do not know what the future will hold. But we must make decisions anyway. So we crave certainties which cannot exist and invent knowledge we cannot have. But humans are successful because they have adapted to an environment that they understand only imperfectly."

Excerpt from "How to Make Decisions for an Unknowable Future"

Monday, January 13, 2020

Context, interested parties and risks (part II)

Part I.

ISO 9001:2015 clause 4.1 is about understanding the context of an organization.

What external and internal issues are relevant to the organization's purpose and strategic direction? What external and internal issues can affect, either positively or negatively, the organization's ability to achieve the intended results of its quality management system (QMS)?

We saw in Part I that the intended results of a QMS are a function of who is chosen as the relevant interested parties. So, we cannot expect to determine internal and external issues correctly without having in mind who the relevant interested parties are and what their relevant needs and expectations are.

One of these mornings I read:
"The scenario is repeating for the fourth consecutive year. Business failures will continue to rise in 2020 on a global scale
...
A geographic zoom shows a predominance of Asia in bankruptcies, with China in the front line
...
While France is faring better than its European neighbours, 2020 should mark a turning point. It is the first year since 2016 that failures are not falling. They are expected to stagnate, against a rise of 3% in Germany and the United Kingdom, 4% in Italy and 5% in Spain."
And in another one I read:

And then I thought of a number of companies I work or worked with that depend heavily on sales to the German market.

What have I mentally done?

I selected an external event that cannot be controlled by an organization and related it to an internal issue of a particular organization:

Because of the strategic choices of the organization - betting on exports to demanding German customers - one can say that both the external event and the internal issue have a negative connotation.

What will probably happen when we join the external event with that internal vulnerability? We determine a negative risk!

That risk will affect the needs and expectations of a relevant interested party: the capital owners of the organization.

One can also imagine internal events that cannot be controlled by an organization:

Resignation of a critical worker will undermine our ability to respond to development requests, which will undermine our ability to capitalize on a boom in demand for co-created solutions.

In this case we have a positive external trend in motion that clashes with an internal negative event that the organization's top management cannot control.



The product of that clash is another risk - undermining of our ability to capitalize on a boom in demand for co-created solutions.

That risk will affect the needs and expectations of different relevant interested parties: the capital owners of the organization and the potential customers searching for competent suppliers of co-created solutions.

These two examples illustrate the exercise I try to do with organizations to determine context-based risks and opportunities, using the needs and expectations of interested parties as a factor in assessing the importance of each risk or opportunity.

What sources do I bring to the table to determine external issues? Normally, I use Political, Economic, Social, Technological, Legal, Environmental analysis (PESTLE) to trigger the brainstorming of external issues.
Those external issues start as neutral issues. They are later analyzed in the light of the strategic orientation, and only then can they gain a positive or negative connotation. If the connotation is positive I call them Opportunities; if it is negative I call them Threats.

When determining internal issues I ask people things like:
  • What issues keep appearing in your internal meetings and reports?
  • What issues keep appearing about overall performance of the organization, persons, resources, governance, ...?
Those internal issues start as neutral issues. They are later analyzed in the light of the strategic orientation, and only then can they gain a positive or negative connotation. If the connotation is positive I call them Strengths; if it is negative I call them Weaknesses.
So, this way, we developed the classic SWOT matrix. But what we did in the examples above was give a dynamic twist to the SWOT matrix, pairing an external issue with an internal one, something that some call a TOWS matrix:

Each combination is a possible risk or opportunity.

Wednesday, January 08, 2020

Context, interested parties and risks

I have a commitment to publish a video about context, interested parties and risks, according to ISO 9001:2015, during this month. So, I'm starting to gather raw material for that video.

Let us start with ISO 9000:2015 risk definition.

risk = effect of uncertainty

It's important to highlight the word "uncertainty": something that we cannot control, something that is outside our level of control.

And an effect is a deviation from the expected — positive or negative.

So, one can say that risk is a deviation from the expected (positive or negative) resulting from a trigger event that we cannot control. BTW, the ability to control the trigger event is what separates a positive risk from an improvement opportunity.

What are we talking about when we talk about "the expected"?
Let us keep the conversation here at a strategic level.

Expected results are the results we want the organization as a whole to achieve.

Who expects these results?

The capital owners. 

So, the capital owners are an interested party of this organization. 

We started with expected results and connected those expected results to an interested party. Normally, things go in the opposite direction: because we have an interested party, we should work for some expected results.

Let us consider another example. 

Making money in a sustainable way has a curious particularity: we cannot elect that objective as a first-order objective; we should treat that kind of objective as an indirect consequence of other objectives (something I learned to call obliquity).

To make a profit an organization must be able to sell a service to a set of target customers at a price above cost. Why would a set of target customers decide to buy the service from a particular supplier?

Let us consider those target customers as another interested party for this organization.

So, we have here another set of expected results.

A risk would be a consequence, an impact that could affect negatively the ability of an organization to meet an expected result.

An opportunity would be a consequence, an impact that could affect positively the ability of an organization to meet an expected result.

When we think about expected results we immediately realize that, although we work for expected results, the outside world and the organization are complex entities, so we can get undesired results that affect our ability to serve interested parties.

We started this text with the risk definition and keep coming to interested parties. Why are interested parties so relevant for managing risks and opportunities?

Interested parties are relevant at two levels.

Level 1 - relevant needs and expectations of relevant interested parties determine expected and undesired results.
Events that we cannot control can act together to make our organization get an undesired result (for example, non-compliance with legal requirements).
Level 2 - relevant needs and expectations of relevant interested parties can be used as a basis for determining the importance of each risk and opportunity.

This figure has the three topics that I want to include in the video:
Clause 4.1 (context) gives us a potential trigger event (internal or external) that reacts with another Clause 4.1 (context) issue, an internal strength or vulnerability. The consequence of that reaction (risk - Clause 6.1) is evaluated against the requirements of interested parties (Clause 4.2).

If the consequences are significant, an action plan should be developed in order to minimize the risk or take advantage of the opportunity.

What is becoming more and more clear to me is the relevance of the expectations and needs of the interested parties in determining the risks and opportunities and their relevance.

The next topic will be focused on the events (Clause 4.1).