We manage risk to ensure the outputs of our actions or plans meet our customer’s expectations, be they ourselves, our associates, or the people to whom we provide goods and services. Although some psychologists say our ability to consider the future is what separates us from other animals, risk management is inherently difficult because the future is inherently unknown and we can only speculate about what we don’t know. To better manage our speculation, effective risk management begins with a thoughtful consideration of what we do know.
Three things we can know when managing risk are:
1) The customers and their expectations for the outputs of the actions or plans
2) The specific actions needed to meet customer expectations
3) The suppliers and inputs needed to complete each action
Effective risk managers use this information to:
a) Take preventive actions against likely causes to reduce the probability of potential problems and Llkely effects occurring;
b) Plan contingent actions to reduce seriousness if potential problems and likely effects do occur; and
c) Set triggers to increase the detectability of potential problems and likely Eefects
One way to gather the necessary information is to use the SIPOC framework, a visual continuous improvement tool used to document all relevant elements of a business process from beginning to end: Suppliers – Inputs – Process – Outputs – Customers.
Understand Customer Expectations for Outputs
All actions or plans are necessarily preceded by a decision; someone chose to do something. Furthermore, either thoughtfully or intuitively, the action or plan was chosen to maximize certain results, minimize use of certain resources, and meet certain restrictions. Effective risk management begins with a thoughtful consideration of those objectives.
In the example shown above, consider the thinking required to plan a vacation that results in enjoyable experiences for all. Because different people enjoy different things, it is helpful to begin with an understanding of what enjoyable means for the different customers. In the case of Take North Carolina Vacation, this trip was planned to maximize outdoor time, maximize extended family time, minimize travel time, minimize travel cost, and be completed the first two weeks of July. If we achieve or exceed all of these goals, the trip should be considered successful. If we fall short on any of these, then the trip might be considered a failure, unless we have countermeasures in place.
Effective risk managers use their understanding of their external and internal customer’s goals to identify the potential problems that are the focus of risk management: outputs that do not deliver desired results, or consume too many resources, or exceed restrictions. They use this knowledge to set triggers that increase detectability of potential problems and likely effects and plan contingent actions to reduce seriousness if potential problems and their likely effects occur.
Understand the Process Steps
Once we understand customer’s expectations, the next step is to consider how to frame the actions or plans to be managed. Although we ultimately need to consider the larger plan or process to protect the interests of the final customers, risk management is both more effective and efficient when we minimize the number of variables being considered at one time. This can be done by focusing on the specific actions that transform inputs into outputs throughout the plan or process rather than trying to analyze the larger plan or process at one time. If our risk management frame is too broad we might get overwhelmed peeling the onion, trying to manage cause of cause of cause, or resorting to ineffective and inefficient generalized counter-measures.
In the example, Take North Carolina Family Vacation, consists of multiple related but separate actions: Drive to N.C.; Stay in N.C.; Drive to N.J. Furthermore, Stay in N.C. can be separated into: Go to Camp; Go Hiking, Go Horseback Riding. Because each of these actions produces different results or benefits while consuming different resources under different restrictions, each is subject to different potential problems with different likely causes and likely effects.
Whether the starting point is a complex plan or process or a specific action, effective risk managers break down complex plans and processes into specific actions and understand how specific actions support larger plans and processes. By understanding the role of specific actions in plans and processes we are able to consider all of our customers when identifying potential problems. By separating and clarifying complex processes into specific actions, we are better able to identify specific preventive actions to increase the probability of success, and specific contingent actions to reduce seriousness, and specific yriggers to increase detectability of potential problems.
Understand Suppliers and Inputs
With a good understanding of our customer’s expectations and the actions required to deliver, we can now consider likely causes. Following the logic of the SIPOC framework, the likely causes of outputs that do not deliver desired results, or consume too many resources, or exceed restrictions are the suppliers or inputs or processes necessary to produce those outputs. Theoretically, our suppliers, inputs, and processes are all under our control and so we can take preventive actions to lower the ability of potential problems and likely effects occurring.
In our example, suppliers for drive to N.C. include the family, they need to be packed and ready to go; Inputs include the vehicle, it needs to be capable of making the trip; and the process is the drive itself, which needs to be well planned.
Effective risk managers use their understanding of suppliers, inputs, and processes and how they contribute to meeting customer’s goals to identify the likely causes of the potential problems that are the focus of risk management: outputs that do not deliver desired results, or consume too many resources, or exceed restrictions. They use this knowledge to take preventive actions to reduce the probability of potential problems and likely effects occurring.
The Value of Considering SIPOC
The output of risk management is preventive actions to reduce the probability of likely causes creating potential problems and likely effects, contingent actions to reduce seriousness, and triggers to increase detectability should potential problems occur. These countermeasures are most effective and efficient when focused on specific actions that produce specific outputs for specific customers. To achieve focus, effective risk managers seek first to understand their customer’s expectations, be they ourselves, our associates, or the people to whom we provide goods and services. With this understanding, they identify the specific actions needed to meet customer expectations. Then, for each action they consider the suppliers and inputs needed to produce outputs. With this information they are able to implement countermeasures that appropriately balance prevention and contingency.
Appendix A – Documenting Risk Management
Appendix B – Applying Risk Management to Potential Opportunities