Risk closeout , mitigation was not effective, next?

qualprod

qualprod

Trusted Information Resource
Hello everybody
Im facing certain doubts as to what actions to take after a risk was not mitigated properly, was high value, after evaluating residual ia almost same value.
I see two possible ways :
Because I have a document (risk analysis), ok
One way is to declare it ineffective first analysis and start a new one.
Other option could be to keep same analysis but adding other mitigation plans.

What action are you taking when risk mitigation was not effective?

Thanks for your help
 
B

Bambang TR

Registered
I'd prefer to declare the ineffectiveness in the report and revise the risk analysis so the revised risk analysis will only contain mitigation that is effective.
 
John Broomfield

John Broomfield

Leader
Super Moderator
qualprod said:
Hello everybody
Im facing certain doubts as to what actions to take after a risk was not mitigated properly, was high value, after evaluating residual ia almost same value.
I see two possible ways :
Because I have a document (risk analysis), ok
One way is to declare it ineffective first analysis and start a new one.
Other option could be to keep same analysis but adding other mitigation plans.

What action are you taking when risk mitigation was not effective?

Thanks for your help
Click to expand...

qualprod,

And, of course, you’ll want to remove the system weaknesses that caused this ineffective risk analysis or risk treatment so it doesn’t happen again.

So, raise a corrective action request per the requirements of your management system. That is what you close out not the risk.

John
 
B

Bambang TR

Registered
Since mitigation is just to reduce the severity of the risk, can you put control (administrative, engineering, etc ) in such way that it reduces the likelihood of the risk or even eliminates it.

Id prefer to establish mitigation after establishing prevention to bring the risk to alarp.
 
qualprod

qualprod

Trusted Information Resource
Thanks Golfman25
As I understand, I'll declare risk analysis ineffective, because only 2 out of 4 actions for mitigation worked fine, as such will be closed out, but immediately will do the the analysis again (new analysis on same risk ).
Depending on the risk value I might decide to open a Ca when is ineffective.
On the other hand, I think the risk value is changed by implementing actions (mitigation)
risk value = occurrance x impact= risk vàlue, if Occurrence is low, of course risk value will change.
Is the way I understand both issues, are you agree, maybe I'm misunderstanding something.
PD
I think that criteria to open CA for each ineffective ,may be not recommended, it may be applied when is a repetitive failure on same risk.
Please give inputs, thanks
 
Ninja

Ninja

Looking for Reality
Trusted Information Resource
qualprod said:
I think that criteria to open CA for each ineffective ,may be not recommended, it may be applied when is a repetitive failure on same risk.
Click to expand...

Going back into plain language:

- We saw a risk.
- We decided it was worth some effort to lower it (by lowering impact or lowering chance of occurrence, whichever).
- We came up with four ideas that we thought would work.
- Two of the ideas actually WERE good, and they worked to our satisfaction.
- Two of the ideas weren't as great as we thought, and nothing really happened.
- ...So we're gonna come up with more ideas based on this lesson learned and try again.

Me...I would have this as part of the original risk management...I tried and failed so I'm trying something different. Case still open.
Probably OK to document that it didn't work, close it, and open a new one...it's all just paperwork.

I don't see a real need to burn calories on paperwork...burn calories instead on coming up with the thing that mitigates the risk. The concept here is similar to R&D...we don't know what will work, and we're trying to figure it out...and we're not done yet.

HTH
 
Jen Kirley

Jen Kirley

Quality and Auditing Expert
Leader
Admin
We may never "fully" mitigate a risk, as issues (I think of them as factors that enable risk) can change. There can also be more than one risk involved, and an opportunity can introduce its own risk.

We should not feel as though we must squash the thing completely, just address that which would bring value.
 
John Broomfield

John Broomfield

Leader
Super Moderator
Ninja said:
Going back into plain language:

- We saw a risk.
- We decided it was worth some effort to lower it (by lowering impact or lowering chance of occurrence, whichever).
- We came up with four ideas that we thought would work.
- Two of the ideas actually WERE good, and they worked to our satisfaction.
- Two of the ideas weren't as great as we thought, and nothing really happened.
- ...So we're gonna come up with more ideas based on this lesson learned and try again.

Me...I would have this as part of the original risk management...I tried and failed so I'm trying something different. Case still open.
Probably OK to document that it didn't work, close it, and open a new one...it's all just paperwork.

I don't see a real need to burn calories on paperwork...burn calories instead on coming up with the thing that mitigates the risk. The concept here is similar to R&D...we don't know what will work, and we're trying to figure it out...and we're not done yet.

HTH
Click to expand...

Ninja,

You make a fair point about persisting with ineffective processes that have yet to be validated.

But the “suck and see” approach to risk management is risky in itself.

So, we need to consider the consequences of inadequate understanding of the hazards and how to remove or mitigate the most damaging of these hazards.

I do admit that I’m playing it safe by advocating corrective action after the inherently risky RM processes have failed once.

Thanks for the reminder.

John
 
Ninja

Ninja

Looking for Reality
Trusted Information Resource
Well,
Maybe we're saying the same thing...but maybe not...so I figured I push on it again here...

"But the “suck and see” approach to risk management is risky in itself. "

Not 100% sure what you mean by this. Life is trial and error. If you're advocating thinking about pros and cons before trying, I'm 100% in agreement...but no matter how long you consider, you still have to try it to be sure.
...and since you're not 100% sure until after the try, it does (of course) involve its own risk...that's what every number below 100% includes...risk.

"So, we need to consider the consequences of inadequate understanding of the hazards and how to remove or mitigate the most damaging of these hazards."

Yup...that's why it's called "Trying"...
If we had complete understanding of the hazard and how to mitigate it, we'd be done already.

"advocating corrective action after the inherently risky RM processes have failed once"

Really not sure if I understand this. The real world steps are the same...I'm only seeing differences in documentation system...so perhaps I just don't understand what you're saying...it doesn't matter to me how its documented.
To me, it's pretty similar to Design Control...we don't know how to do what we want, and we're working to figure it out...
Putting this into CA on first failure seems to me like putting every R&D project into the CA system when the first try doesn't work.

Risk management totally IS NOT Design control...and I'm not saying it is...I'm just drawing the parallel in documentation approach.
 
You must log in or register to reply here.

Similar threads

S
Risk trace matrix vs design trace matrix
2
Replies
12
Views
316
stm55
S
R
Using RPN to Confirm Risk Reduced to an Acceptable Level
2
Replies
12
Views
4K
Bev D
Bev D
V
What to include in the risk analysis table?
Replies
2
Views
534
Vetty007
V
Matt Swartwood
Job Opportunity: Automotive Quality Engineer Arkansas
Replies
1
Views
894
Randy
Randy
D
Opinions on internal audit schedule adjustment
2 3 4
Replies
34
Views
3K
Steve Prevette
Steve Prevette
Top Bottom