pawel nowicki, phd the department of quality management cracow university of economics, poland risk...
TRANSCRIPT
Pawel Nowicki, PhDThe Department of Quality ManagementCracow University of Economics, Poland
RISK MANAGEMENT IN QUALITY MANAGEMENT -
METHODOLOGY
INTRODUCTION
An essential element in the strategy of any organization is to minimize business risk to a level that ensures the
security market.
To ensure efficiency and competitiveness, it is required from the organization to:
implement a system and a comprehensive approach to risk management and therefore
to identify effective methods for identifying, analyzing, monitoring and mitigation of risk.
TEMPUS MEETING KRAGUJEVAC 2015
INTRODUCTION
System management and its improvement should lead to a comprehensive minimizing of the risk of
adverse events.
A number of rules and standards supports this objective of minimizing risk.
TEMPUS MEETING KRAGUJEVAC 2015
INTRODUCTION
Universally known solutions relates to:
corporate risk management,
environmental risk,
the risk for accidents,
sickness,
biological risk or
loss of reputation due to the poor quality of the product.
TEMPUS MEETING KRAGUJEVAC 2015
INTRODUCTION
Risk is defined in the ISO 31000 standard as
"the effect of uncertainty on objectives".
At the same time it is shown that the uncertainty causes a deviation from the expectations - positive and/or
negative.
Risk is often expressed as a combination of the consequences of an event (including changes in circumstances) and the associated probability of
occurrence. TEMPUS MEETING KRAGUJEVAC 2015
THE RISK IN THE STANDARDIZED
MANAGEMENT SYSTEMS
The objective of each standardized management system is a systematic approach to supervise activities in the
organizations, focusing on the prevention of non-compliance.
Standardized management systems meet the requirements of different standards, and are a tools of
profiled risk management within the organization.
TEMPUS MEETING KRAGUJEVAC 2015
Combining the effects of the events of the likelihood of its occurrence is the most common component of the definition of
risk.
Risk management is defined as the coordinated efforts of directing and supervising the
organization's risk.
This definition is similar to the definition of the management of the different standards but a different element is always a major problem for the standard. In the ISO 31000 standard this applies to risk, and in the ISO 9001:2015 (draft version) it relates to quality.TEMPUS MEETING KRAGUJEVAC
2015
TEMPUS MEETING KRAGUJEVAC 2015
METHODOLOGY OF RISK MANAGEMENT
1. Risk identification (strategic and operational)
2. Risk analysis (strategic and operational)
3. Spot risk assesment
4. Hierarchisation of risk
5. Risk registration
TEMPUS MEETING KRAGUJEVAC 2015
RISK IDENTIFICATION (STRATEGIC AND OPERATIONAL)
Risk identification may be carried out:
top-down - head of the unit or the other senior executives identify risk in the organization;
bottom up - mid-level managers and employees identify the risks associated with their department and with the tasks performed.
TEMPUS MEETING KRAGUJEVAC 2015
RISK IDENTIFICATION (STRATEGIC AND OPERATIONAL)
Requirements concerning the risk identification:
Identification of risk requires the institution to understand the nature and objectives of the services provided. In this way, the institution can cope with the identification of risks to which it is exposed.
Then, specify the measures necessary to provide each service, based on knowledge of the functioning of the services and the risk of appearing at every stage of the business.
TEMPUS MEETING KRAGUJEVAC 2015
RISK IDENTIFICATION (STRATEGIC AND OPERATIONAL)
Example:
Service - Education Objectives - the safety of students, good results in exams Requirements - employment of qualified staff, maintenance of
buildings and equipment, ensuring cash. Identified risk: inability to maintain or improve the quality of teaching; lack of opportunities to optimize the contribution of all staff; changes in government policies affecting the curriculum; insufficient financial means to wealth creation; inadequate maintenance plan assets; serious violations of the legislation; failure to detect fraud; and inability to maintain the financial viability of the organization.
TEMPUS MEETING KRAGUJEVAC 2015
RISK IDENTIFICATION (STRATEGIC AND OPERATIONAL)
STRATEGIC RISK
RISK CATEGORY Risk Description The objectives which involve risk
Political
Economical
Social
Technological
Legislative
Environmental
OPERATIONAL RISK
RISK CATEGORY Risk Description The objectives which involve risk
Financial
Legislative
Vocational
Physical
Contractual
Technological
TEMPUS MEETING KRAGUJEVAC 2015
RISK IDENTIFICATION (STRATEGIC AND OPERATIONAL)
To effectively carry out the process of risk identification (manual):
In preparation for the session, managers and employees should have the opportunity to consider the impact of risk on the organization or the services provided by the unit.
Template should be drawn up to identify risks and give it to each participant prior to the session.
The execution of the contract there shall be determined the time necessary to discuss the risks, its causes and consequences. Therefore, it is necessary to understand the causes of risk.
TEMPUS MEETING KRAGUJEVAC 2015
RISK IDENTIFICATION (STRATEGIC AND
OPERATIONAL)
Provide incentives for starting and controlling the debate, stimulate discussion, maintaining a session within the set hourly and the results recorded session.
Each session participant can ask questions / identify risk without fear of any repercussions.
Sessions should be an open forum where employees can safely discuss the identified risks.
The results of the session should be saved and transmitted to verify and examine the participants of the session, which will enable clarification or extension of risk descriptions.
TEMPUS MEETING KRAGUJEVAC 2015
RISK ANALYSIS – STRATEGIC /OPERATIONAL
How can you make a risk analysis?
After identifying the risk, it should be subjected to analysis. The necessity of risk analysis results from the need to better understand the nature of the identified risks faced by the organization.
Risk analysis includes:
determine the cause and effect of identified risks;
risk of cross-checking (duplication and escalation of risk);
separation of the low risk from the significant risk;
evaluate the nature and risk category; and
the risk connection with the objectives of the organization.
TEMPUS MEETING KRAGUJEVAC 2015
RISK ANALYSIS – STRATEGIC /OPERATIONAL
Causes and effects of risk
In order to risk identification showed its results and to allow the definition of the future risk management method, for each identified risk should be followed :
The causes of risks (strikes, shortages of relevant stocks, natural phenomena) and
The impact of risk on the organization when they occur.
TEMPUS MEETING KRAGUJEVAC 2015
RISK ANALYSIS – STRATEGIC /OPERATIONAL
Questions that will enable the determination of impact:
whether the organization will work in breach of the law?
if the organization violates its duty to protect people - whether people will die? Do people get injured or get sick?
whether the risks would lead to financial losses? whether the risks would lead to a loss of image or
reputation of the organization? whether service users will notice any difference?
TEMPUS MEETING KRAGUJEVAC 2015
RISK ANALYSIS – STRATEGIC /OPERATIONAL
Separation of small and significant risk. The risk is divided considering:
its impact on the organization in the event;
probability of risk; and
existing risk control mechanisms.
This procedure allows the assessment of the level of risk, and whether action can be taken to control risks.
TEMPUS MEETING KRAGUJEVAC 2015
RISK ANALYSIS – STRATEGIC /OPERATIONAL
Effects/Impacts
These are possible outcomes, effects or consequences for organizations such as losses, injuries, adverse events, cost or delay.
Probability/Likelihood
This is the estimated probability or possibility of the event.
Risk control mechanisms
The existence and functioning of policies, standards, procedures and physical measures to prevent whose objective is to minimize the negative effects of risk for the organization.
TEMPUS MEETING KRAGUJEVAC 2015
RISK ANALYSIS – STRATEGIC /OPERATIONAL – AN EXAMPLE
Risk Analysis:Cause and effect
Analysis:Operating risk
control mechanisms
Anlysis: The relationship between the impact, probability
and control mechanisms
Risk of injury to the worker.
Cause:· Lack of training in health and safety of persons;· Dangerous equipment.The result:· The claim related to negligence;· Interference in providing services (as a result of the absence of the employee);· Damage to reputation.
· A comprehensive training program;· Evaluation each of the key activity in terms of protection of the health and safety of persons;· Ensuring in the budget more resources for the health and safety of people;· The inspection and maintenance of equipment;· The budget for the service;· The replacement of equipment;· The event reporting process with the health and safety of persons and· The presence of the person responsible for the health and safety of people in every department
Preliminary analysis suggests the risk of placing risks in the upper right corner of the chart, due to the high probability of an accident taking into account the number of employees participating in their activity or nature of the activity, which can lead to an accident.
However, the functioning of risk control reduces the likelihood of injury or death in an accident. Therefore, the risk moves from right to left on an axis of probability.
TEMPUS MEETING KRAGUJEVAC 2015
SPOT RISK ASSESMENT
How should you perform a spot/point risk assessment? The risk should be assessed in two ways:
As if there were no control mechanisms; and
Taking into account existing control mechanisms.
This assessment is carried out in order to:
Demonstrate the effectiveness of internal control mechanisms for reducing the risk; and
Highlight the serious risks that may be hidden, despite operating controls.
TEMPUS MEETING KRAGUJEVAC 2015
SPOT RISK ASSESMENT
The organization must agree and implement a spot/point risk assesment system including definitions for equal levels of probability and impact of risk.
After making these arrangements, there should be used risk management criteria in a uniform manner across the organization.
TEMPUS MEETING KRAGUJEVAC 2015
SPOT RISK ASSESMENT
In this way:
identified risks are assessed according to their impact on the entire organization,
(The risk to the greatest extent affecting the organization's ability to achieve the objectives are those risks which are assigned the highest priority from the point of view of risk management);
reduces the subjectivity associated with risk assessment point, and enhances transparency and accountability in the process of scoring risk assessment and prioritization.
TEMPUS MEETING KRAGUJEVAC 2015
SPOT RISK ASSESMENT
Points 1 2 3 4 5
Description Remote Unlikely Possible Probable Highly probable
Probability 0-20% 21-40% 41-60% 61-80% 81-100%
Table point of the probability of risk
TEMPUS MEETING KRAGUJEVAC 2015
SPOT RISK ASSESMENT
Points Description
Criteria
Financial OrganisationalProtecting the
health and safety of persons
Reputation
5 Extreme/Catastrophic
Financial loose> 125.000 EURO
Failure to achieve key objectives. Life loose
Press reports around the country
4 MajorFinancial loose25.000 EURO <
125.000 EUROFailure to achieve a key objective. Serious injuries
Some of the information in the national media
3 ModerateFinancial loose2500 EURO <
25000 EUROBusiness disruption Some injuries
Some of the information in local or regional media
2 MinorStrata finansowa25 EURO < 2500
EUROSmall business disruption Little injuries
Limited information in the local or regional media
1 Insignificant Financial loose< 25 EURO
Short-term business disruption Little injuries
Poor information in the local or regional media
Table point of the impact of risk
TEMPUS MEETING KRAGUJEVAC 2015
SPOT RISK ASSESMENT
Impact
Catastrophic 5 10 15 20 25
Major 4 8 12 16 20
Moderate 3 6 9 12 15
Minor 2 4 6 8 10
Insignificant 1 2 3 4 5
Remote Unlikely Possible ProbableHighly
probableProbability
Spot risk assessment matrix
HIERARCHISATION OF RISK
Spot risk assessment lets you organize your risks by their weight or dot matrix criteria for risk assessment.
This method allows prioritization of actions taken to reduce the risk:
Risk located in the upper right corner (red) need urgent attention of the organization;
risks contained inside the matrix (yellow) should be discussed and monitored. In some cases, an organization may take further action; and
Risk located in the lower left corner (green) is the lowest risk for the organization.
TEMPUS MEETING KRAGUJEVAC 2015
Impact
Catastrophic 5 10 15 20 25
Major 4 8 12 16 20 Moderate 3 6 9 12 15
Minor 2 4 6 8 10 Insignificant 1 2 3 4 5
Remote Unlikely PossibleProbabl
e
Highly probabl
eProbability
TEMPUS MEETING KRAGUJEVAC 2015
HIERARCHISATION OF RISK
It should be noted that:
Immediate action required for certain high-risk spot evaluation may not be possible at the moment.
Some operations can be easily and quickly undertaken to reduce medium and low risk.
TEMPUS MEETING KRAGUJEVAC 2015
RISK REGISTRATION
To understand the organization's risk profile, all information about the risks can be introduced into "risk register".
Risk register may be maintained in paper form, spreadsheet, database, or in a specialized risk management program. The Register should include all types of identified risks.
Risk register which forms the basis a risk management plan in the organization must be a "living document", changing in order to reflect the dynamic nature of risk and the risk management of the organization. There is no specific format of the risk register.
TEMPUS MEETING KRAGUJEVAC 2015
RISK REGISTRATION - EXAMPLES OF THE
INFORMATION CONTAINED IN THE RISK REGISTER
Risk Identification Number - a unique reference number for each type of identified risks.
Risk description - The description of risks, possible time scale of the risk and the possible impact on the organization.
The type / category of risk - the nature of the risk, ie. The strategic, financial, operational, and so on.
Risk Management - Manager responsible for the risk management.
Impact - Grading assigned to the consequences or effects of the risk to the organization.
Probability (likelihood inherent) - Grading attributed to the occurrence of risk in the absence of control mechanisms.
TEMPUS MEETING KRAGUJEVAC 2015
RISK REGISTRATION - EXAMPLES OF THE
INFORMATION CONTAINED IN THE RISK REGISTER
The total points assessment of the risk (inherent).
Functioning control mechanisms - control mechanisms currently operating in the organization, which reduce the likelihood of risk.
Probability (likelihood residual) - Grading attributed to the occurrence of risk, taking into account operating controls.
The total points assessment of the risk (residual).
Required action - concerted action to be taken to further reduce the likelihood of risk. Such action should reduce the residual risk assessment point.
Responsible for the operation and the date of implementation - the person responsible for carrying out the action and the date by which you must perform the operation.
CONCLUSION
Risk management is a term and practice that has been known for a long time.
In conclusion it is important to underline that risk management in the context of profiled management
systems is not substitutable but complementary in the idea of minimizing risks for business operation.
Elements that influence the decision of choosing a management system include type of business, size of the
organization and market conditions.
TEMPUS MEETING KRAGUJEVAC 2015
CONCLUSION
The application of effective mechanisms of risk management allows an organization to:
identify threats quickly and respond to them better than the competition
use appearing opportunities faster and better than the competition
which translates into
achieving more than the average income and will
maintain a relatively high rate of development, which is one of the conditions for lasting competitive advantage.TEMPUS MEETING KRAGUJEVAC 2015