How to Analyze Risk if it is out of your control


QAMTY

#1
Hi everybody

Regarding addressing the risk


I'm thinking of using Ishikawa to analyze internal risk. No doubt I can do a good analysis, because things happen inside my company and I have the information to implement action plans.

By using Ishikawa, I consider the risk, I get the possible causes, and with that I implement the needed actions.

But when analyzing external risks, what analysis can I do if I don't have enough info to use?

Suppose political risk, commercial agreements in other countries, etc. I don't have control over them.

For that, I can't use my Ishikawa. I think what I can do is mention the risk in the list of risks and propose something inside my organization in order to mitigate it.

Or maybe I can use Ishikawa and, in the bones, show which bones can help to mitigate the risk.

Do you have any idea how to manage this issue?

Thanks
P.S.

Well, it is not only a problem of the method used; it also applies when using FMEA, decision tree, etc.
 

Bev D

Heretical Statistician
Staff member
Super Moderator
#2
You are on the right track for risks you cannot control. The answer is to understand what can happen and then put mitigation plans in place.

Examples:
Natural disaster - backup systems in case records and documents get destroyed
Single source supplier - get two sources in different geographical locations


Included in mitigation would be some method for monitoring the likelihood of the risk being realized.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#3
Suppose political risk, commercial agreements in other countries, etc. I don't have control over them.
Would you engage with a supplier from North Korea, at present?

If you had one there, wouldn't you be looking for an alternative source?

Geopolitical risks for your supply chain can and should be mitigated; that is, unless you work for a state-owned organization where political cronies, appointed by the government make decisions based on corrupt dealings and, then, you really have no control over supplier decision.

As for external risks that could be totally out of your control, why analyze something you can do NOTHING about?
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#4
I agree with Bev, however in all the discussions of "risk based thinking" and related "risk" discussions, the ISO folks and many hundreds of consultants have, in my opinion, just stirred a pot of "stupid".

Why do I say that? After what is now over 30 years since I was first involved in "quality assurance" (some of you may remember I was a biology major with a chemistry minor in college, so long story of how I ended up in the "business" world), what I have consistently seen is a lack of reality in thinking, and a lot of a lack of common sense (e.g.: Common Freaking Sense and Is Common Sense Learned, Taught, Inherent or An Outcome Of Life Experience?). People are WAY overdoing the "risk" thing to the point that people are reacting as if it's new and spending countless, mostly useless hours trying to "meet the requirements of the standard".

If I had a nickel for every hour spent by people in companies all over the world "trying to comply with the standard" producing mostly useless documents, and I shared it with my extended family, which I would were I that rich, as it is with the Walton family of Wal-Mart fame no one in my extended family, as well as generations to come, would ever have to work (as in have a job). Well, maybe not that rich, but I'd have one heck of a chunk of cash... Just a nickel an hour. Think about how much ISO 9001 is costing on a world wide basis just on "risk based thinking" alone.

Think rationally and realistically. For example:

Political risk - OK, put it on a list and simply state it is not something that can typically be predicted and prepared for by 99% of companies. Not to mention, what type of "political risk"? There are many kinds, from overthrow of a government to the lesser, but still significant, numerous various potential changes in local/state/federal laws which are typically political rather than data based. And what about wars? What about the Brexit vote?

Commercial agreements in other countries - Again, put it on your list. That is evidence you have considered it, which is all the standard requires. You can't even ensure that a commercial agreement (aka contract) within your country will be adhered to, so add that as well. Over the years I've seen so many contracts broken for one reason or another that, while not typical, it isn't unusual. Thing is, it can't be predicted for every contract. If it can't be predicted, no concrete, reliable plan can be made for it. This is not to mention, think about how many various contracts a company of any size will have. One may say "Well, we could predict a potential that this contract may be broken and planned for..." but think about that for a minute. Can that be said about every contract a company has? And again, Brexit is currently in play as another example...

Natural disaster - Some can be planned for, at least to some degree, but most can't (realistically). How are you going to plan for an earthquake that destroys a production facility? How are you going to do anything to mitigate the total loss of a production facility in a location? Build a "back-up" facility in a location let's say 200 miles away, fully equipped with production equipment, measurement and test equipment (etc., etc.) and let it sit idle as you wait for an earthquake, a flood, a tornado, a hurricane, a forest fire, a catastrophic dam failure, (etc.) which may or may not ever occur? Or are you going to move everything to a new state (country, whatever) where there is, for example, a low risk of flooding or earthquakes, but a high risk of tornados and/or wild fires? There is no location with no risks.

Single source supplier - Bev's statement is well taken, but not every company can have two sources for every component, every sub-assembly, every raw material, every service. Yes, for some companies it is possible, but for most? I don't think so.

We could produce a 20 page, single spaced list of potential risks in a small company. For a large company one could produce a list of 500 pages (or 1000, or more!) of the potential risks alone, not including an analysis for each.

ISO 9001:2015 only requires "risk based thinking" which companies are doing anyway whether they realize it or not. It doesn't require 100 pages of potential risks, much less an analysis for each.

I do suggest people read through some of the existing "risk based thinking" discussions here - https://elsmar.com/Forums/tags/risk management and analysis/

I also highly recommend that people read through other posts Bev has made, as well as Jennifer and Sidney, about "risk based thinking" compliance to ISO 9001:2015 - Remember - You can search for all posts a specific user has made by simply clicking on their name in any post they make (you will get a "drop down" list with options, one of which is "Find all posts by <Name of the poster>").

Anyway - My 2 cents: Too many people are overthinking the "risk based thinking" requirement and are wasting a heck of a lot of time on unnecessary "work" they think is required to meet the requirements of the standard.

I leave you with the following....

Today we mourn the passing of a beloved old friend - Common Sense
 

MrPhish

ISOLove to Dance
#5
I see Bev D said: find out what can go wrong, then put a plan in place to address. With this in mind, have you ever thought of creating an FMEA (instead of a fishbone) for each specific risk you want to address?
 

Miner

Forum Moderator
Staff member
Admin
#6
I've seen a lot of comments about identifying risks, but none so far about risk mitigation strategies. The following link has a good summary of the four possible mitigation strategies.
 
#7
I've seen a lot of comments about identifying risks, but none so far about risk mitigation strategies. The following link has a good summary of the four possible mitigation strategies.
This made me smile, from your link:

'Many are afraid to assess their compliance – better to keep their head under the sand than know the truth'.

I've seen this a few times; sadly, it's far too common. And all too often, if management are queried, you get something along the lines of 'well, if we've been doing it wrong for 20 years, it can't be that bad can it?'
 