Sometimes the simplest path is the best path. If you look at the most successful businesses today, they have built their philosophy around very simple ideals. Apple is a great case of simplicity - simple design, simple message, and so forth (but let's not just talk about Apple). Simplicity in business means asking "Why". Simon Sinek, who is a prolific author and speaker boils it down to this concept. Ask yourself why you do business and build out from there - all the complexities of any initiative will fall in line. This can ring true for an organization looking to achieve compliance through risk management - understand the "why" and it won't seem so lofty a goal.
We talk about risk on this blog...a lot. So much so, that we often get into the big theories and methodologies behind risk management, risk assessment and operational compliance related to Quality Management and EHS management. And it's good stuff - I wouldn't write about it if it wasn't. However, when I speak to people who are starting out building a risk-based strategy, they often get caught up in the details, and forget to look at things in a bigger, more simplified context. "What tools to do I use?", "How many levels of risk do I drill down?", "What is ALARP?". and the list goes on. You can read our other blog posts to get a sense of that, but for now let me boil it down to this - Risk Management shouldn't stress you out - chances are you are already doing it. You just need to formalize it. Here are 3 things to consider in your risk journey that might make it easier to digest:
1. Risk should augment your processes, not replace them: Too often, people feel like they need to re-engineer their overall processes to build in Risk, but it's not the case. Risk Management seeks to identify threats and quantify them so you can make decisions. You can do this in your existing processes; you just have to add risk to the picture. Think of it like this - you encounter adverse events in the Quality System, and you have to make a decision on what to do with them. You already do this in operations, all you are adding with Risk is a systematic and consistent method for doing it. You just look at the events and rate the event with a risk assessment. This can be designed to be easy, like a decision tree that asks you questions. "Why is this event critical?" "What are the consequences of this?" "Is it bad - how bad?" Then, based on your answers, you come to a decision - most likely based on what you've done before. By continuing to do this for events, and looking at your past, you've established a risk assessment that doesn't rely on "gut feel", it relies on evidence from the past, or using calculations of consequences.
2. Ask yourself, "Why are we doing this"?: So many times, companies receive a directive or have a goal to build in risk, and never step back to ask "Why"? Knowing why risk is important is a big step to understanding how to go about it. Why do most people build in risk management? It's usually to help make better decisions. Why do we want to make better decisions? Because we want to be compliant. Why do we want to be compliant? Because ultimately, we make the best products and our customers are relying on us to make the best decision for them when using our products. Having this mentality helps to understand that risk is not about some larger directive, it's about making the process more efficient and making the best possible decisions for our customers. We want to make these decisions consistently and efficiently, and risk is just another extension of good business decision making.
3. Risk Starts with Your People: People always ask, "Where do i start on this risk journey?" Don't start with the tools; don't start with the process - start with your people. The best risk data comes from asking managers and operational leaders, "Where are your biggest threats to success?" Most companies will send out a simple survey to ask this question, and having the people in the organization identify where the threats lie is the most important step in starting risk management. These folks are in the field, executing on processes every day - they will know where potential problems/hazards lie. Once you've done that, you can categorize these threats and start to build a "Taxonomy of Risk" - which is a lofty way of saying you categorize and prioritize the common risk types to see where you need to focus your attention. Then, you can start to look at the processes with the most risk elements, and augment them with a risk assessment.
It's important to ask questions for Risk Management. Why? How? Who? These are the first steps to take in building a picture of your company's goals, opportunities, and obstacles to meeting the ultimate goals of the business. Risk Management is simply a method to help you identify problems and make better decisions to get closer to your company goals, in such a way that is faster, repeatable and consistent.