Color Isn't Everything - Designing a Risk Mitigation Process

As you probably know by now, ISO 9001:2015 (by its own admission) incorporates “risk-based thinking.” My first thought was that this would give a significant professional advantage to those auditors who have ESP, a “sixth sense,” or other psychic abilities.  However, be forewarned – the rest of us will still be requiring objective evidence during audits.

In an effort to incorporate risk-based thinking (and meet the new requirements found in the text of clause 6.1), organizations have been scrambling to establish a process for mitigating risk (my preferred term).  Also, this risk mitigation process needs to address both risks and opportunities.  If you are a glass-half-full reader, feel free to substitute “opportunity enhancement”.

Dozens (hundreds?  millions?) of articles have been recently published offering methodologies for assessing risk.  The majority of these tools could be considered a 2-dimensional FMEA (Failure Modes & Effects Analysis).  The intent is that the organization assess a given risk across two dimensions:  (1) severity of impacts and (2) likelihood of occurrence.  For any given risk, the organization assesses the severity and likelihood of a risk and assigns an integer value to each (on some pre-determined scale).  Using the example shown in Figure 1, both severity and likelihood would be scored with an integer from 1 to 4.  Some systems use letters instead of numbers!  Then a risk prioritization matrix would be used to determine the “color” of the risk; the reddish colors are typically associated with fantastic adjectives like “catastrophic”.  The descriptions then devolve into terms like “high”, “medium”, and “low”.

Figure 1.  Risk Prioritization Matrix

These risk matrices can be 3x3, 3x4, 4x3, 4x4, 5x5, 4x6, 6x6 or any other rectangular dimensions.  And color schemes are limited only by your imagination (and good judgment.  And ability to document this risk assessment.  And the ability to train people).

Another method of risk assessment is (again) assigning a numerical value to a given risk’s severity and likelihood (often each on a scale of 1 to 10) and then multiplying the two values together for a product (on a scale of 1 to 100, often called a Risk Prioritization Number or RPN).  Then, the organization can quickly prioritize its risks by sorting RPN values in descending order.

There are a couple of considerations to take into account when designing a risk assessment scheme.  These include the choice of scale and the ability of human beings to quantify the severity and likelihood of risks that may have no supporting data.  Putting “gut feel” onto an ordinal scale may make a potential risk appear more defined, more quantitative, and more objective than it actually is...

But, that is not what this blog is about.  The value in having some type of risk mitigation process is that it actually mitigates risk (but the numbers, colors, and adjectives in various risk assessment schemes are super-cool).  If the organization’s intent is to design and implement a risk mitigation process that will (a) actually reduce risk and (b) meet the requirements of clause 6.1, then all of the steps of the process should be considered in concert.  Based on observations, articles, blogs, posts, and inquiries, it appears that some organizations are expending vast efforts into designing the risk assessment step without a full understanding that this is just one step of a risk mitigation process (highlighted below in Figure 2).

Figure 2.  Risk Mitigation Cycle

Risks (and opportunities) may be identified during an organization’s process definition (refer to clause 4.4.1(f)).  Risks may be identified during audits or inspections or issues raised by customers.  Risks may be identified at any time by anyone based on a nearly infinite number of sources.  Design a process that makes identifying and capturing the risks easy.  [If you are familiar with the 11th-month mad rush to record “preventive actions”, that is what you want to avoid with this process.]

Because risks may be identified at any time, the list of risks will be a living document under near-constant revision. The step for assessing the risk needs to be flexible enough that it can be performed upon risk identification (if the risk appears to be dramatic) or on a routine schedule.  Each time risks are assessed, their Risk Priority Numbers (or colors or adjectives) will also change.  So, the list of risks will be re-prioritized on a regular basis.  What happens when a small business, or any organization with limited resources, finds itself with 17 significant (red) risks?  This is where good judgment trumps a risk assessment scheme.  How does the organization decide what actions to take?  Who should be involved?  If management reviews are performed monthly or quarterly, the senior leaders can re-assess, re-prioritize, and assign actions during management review.  Assign a limited number of action items proportionate to the risks and to the resources available to address the specified risks.
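To make the scoring mechanics and the re-prioritization step concrete, here is a small risk register in Python.  It is an added example written for this article, not a tool or spreadsheet from the original post; the 4x4 colour layout, the fold from a 1-10 score onto the 1-4 matrix axes, the risk names and their scores are all constructed assumptions.  It computes both the matrix colour (the Figure 1 approach) and the RPN product (severity times likelihood), sorts the register under either scheme, and picks the limited number of action items a management review can actually resource.  It also shows two caveats that the scoring alone hides: the same RPN can come from very different severity/likelihood profiles, and the matrix and the RPN can rank the same register in a different order.

```python
from dataclasses import dataclass

# Constructed 4x4 risk prioritization matrix in the style of the article's Figure 1.
# Index as MATRIX[severity][likelihood], both on a 1..4 scale. The colour layout is
# an assumption made for this example, not the article's own figure.
MATRIX = {
    4: {1: "yellow", 2: "orange", 3: "red",    4: "red"},
    3: {1: "green",  2: "yellow", 3: "orange", 4: "red"},
    2: {1: "green",  2: "green",  3: "yellow", 4: "orange"},
    1: {1: "green",  2: "green",  3: "green",  4: "yellow"},
}
# Ordinal rank of the colours so a register can be sorted by matrix result.
COLOR_RANK = {"green": 0, "yellow": 1, "orange": 2, "red": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # 1..10, as in the RPN scheme described in the article
    likelihood: int  # 1..10


def rpn(risk: Risk) -> int:
    """Risk Priority Number: severity x likelihood, on a 1..100 scale."""
    return risk.severity * risk.likelihood


def to_matrix_scale(score: int, scale: int = 10, cells: int = 4) -> int:
    """Fold a 1..scale score onto the matrix's 1..cells axis (ceiling division).

    The fold is an assumption for this example; real schemes usually score the
    matrix axes directly rather than deriving them from the RPN inputs."""
    if not 1 <= score <= scale:
        raise ValueError(f"score {score} outside 1..{scale}")
    return -(-score * cells // scale)


def matrix_color(risk: Risk) -> str:
    """Look the risk up in the prioritization matrix."""
    return MATRIX[to_matrix_scale(risk.severity)][to_matrix_scale(risk.likelihood)]


# Sort keys for the two schemes. Ties are broken on raw severity so that a
# register with many equal scores (the "17 red risks" case) still has a
# defined order instead of leaving the choice to whoever typed the list.
_KEYS = {
    "rpn": lambda r: (rpn(r), r.severity),
    "matrix": lambda r: (COLOR_RANK[matrix_color(r)], r.severity),
}


def prioritize(risks, scheme="rpn"):
    """Return the register in descending priority under the chosen scheme."""
    if scheme not in _KEYS:
        raise ValueError(f"unknown scheme {scheme!r}")
    return sorted(risks, key=_KEYS[scheme], reverse=True)


def assign_actions(risks, capacity, scheme="rpn"):
    """Pick only as many action items as the organization can resource this cycle."""
    return [r.name for r in prioritize(risks, scheme)[:capacity]]


def same_rpn_but_different(risks):
    """Group risks that share an RPN: the product hides which dimension drives it."""
    groups = {}
    for r in risks:
        groups.setdefault(rpn(r), []).append(r.name)
    return {score: names for score, names in groups.items() if len(names) > 1}


# Constructed sample register (illustrative names and scores, not real data).
REGISTER = [
    Risk("key server outage", severity=10, likelihood=1),
    Risk("minor label typo", severity=5, likelihood=5),
    Risk("supplier late delivery", severity=7, likelihood=8),
    Risk("auditor finding repeat", severity=6, likelihood=3),
    Risk("wrong drawing revision used", severity=9, likelihood=2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER, "rpn"):
        print(f"{r.name:30} RPN={rpn(r):3} colour={matrix_color(r)}")
    print("RPN scheme, 2 action slots:   ", assign_actions(REGISTER, 2, "rpn"))
    print("Matrix scheme, 2 action slots:", assign_actions(REGISTER, 2, "matrix"))
    print("Same RPN, different profile:  ", same_rpn_but_different(REGISTER))
```

Running it shows the point of the article's caveats: "minor label typo" is second by RPN (25) but sits in a green cell, while "key server outage" is last by RPN (10) but yellow in the matrix, so the two action slots go to different risks depending on the scheme.  Neither ordering is wrong; the choice is exactly the judgment call that belongs to the people in the management review, and the sort is only there to make the list manageable before they apply it.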

If you have “Quality” in your title and rolled your eyes at the idea that senior leaders will willingly take on the task of re-assessing, re-prioritizing, and assigning actions related to risk, give this some thought:  there has always been a language barrier between Quality and $enior Leaders.  By their nature, risks bridge the communication gap between operational and financial languages.  In a group setting where all departments and processes are represented (say, management review, for instance...), senior leaders will be able to whittle down the list of significant risks to a manageable number for action assignment because of the potential financial impact to the organization.  A few more action items will be assigned during the next management review wherein actions taken will drive a reassessment (and therefore reprioritization) of risk; hence the cyclical nature of this process.

Referring back to Figure 2, keep in mind that risks will continually be identified and captured.  High-severity / high-likelihood risks will require immediate action, but the majority should be handled on a routine schedule involving representatives from all departments and processes who have the authority to assign action items and adequate resources.  Management review is an excellent opportunity for this.  If your management review is annual or if it already takes several hours and you do not want to add another item to the agenda, well, that is another article.

How well does your organization assign action items?  Is follow-up a problem?  There is some solid advice to be found in clause 6.2.2 of the standard.  It might be argued that the requirements of clause 6.2.2(a) – (e) fit action items better than what they were intended to address in ISO 9001:  (a) determine what action will be taken, (b) what resources will be required, (c) who is in charge, (d) when action is due, and (e) how the results will be evaluated.  Record, publish, publicize internally, and continually remind the organization about outstanding action items.

In summary, the best risk assessment scheme will not mitigate risk if the other steps in the risk mitigation cycle are dysfunctional.  There is simply no amount of colorful alpha-numeric matrices that can compensate for a poorly designed or implemented process.  Any process with continual inputs and discrete steps takes some good design and implementation, maybe even prototyping.  Also, if your organizational culture isn’t strong in following up on action items, spend some time and effort designing a better system for assigning action items and follow-up.  Make sure the risk mitigation process is designed as a whole and that not all of your effort is concentrated solely on the assessment step of the process.