How to Analyze Risk if is out of your control



Hi everybody

Regarding at addressing the risk

I´m thinking to use ishikawa to analyze internal risk, no doubt that I can do a good analysis because things happen into my company and have the information to implement action plans.

By using ishikawa, I consider the risk, I get the possible causes and with that Iimplement the needed actions.

But at analyzing external risks, what analysis I can do, if I dont have enough info to use?

Suppose political risk, commercial agreements in other countries,etc. I dont have control over them.

For that, I can´t use my ishikawa, I think what I can do, it is to mention the risk in the list of risk and propose something inside my organization in order to mitigate it.

or maybe I can use ishikawa, and into the bones, to show what bones can help to mitigate the risk.

Do you have any idea as how to manage this issue?


Well, is not only problem of the used method, it applies also if using, FMEA, decision tree, etc.
Elsmar Forum Sponsor

Bev D

Heretical Statistician
Staff member
Super Moderator
you are on the right track for risks you cannot control. The answer is to understand what can happen and then put mitigation plans in place.

Natural disaster - backup systems in case records and documents get destroyed
single source supplier - get two sources in different geographical locations

included in mitigation would be some method for monitoring the likelihood of the risk being realized.

Sidney Vianna

Post Responsibly
Staff member
Suppose political risk, commercial agreements in other countries,etc. I dont have control over them.
Would you engage with a supplier from North Korea, at present?

If you had one there, wouldn't you be looking for an alternative source?

Geopolitical risks for your supply chain can and should be mitigated; that is, unless you work for a state-owned organization where political cronies, appointed by the government make decisions based on corrupt dealings and, then, you really have no control over supplier decision.

As for external risks that could be totally out of your control, why analyze something you can do NOTHING about it?


Fully vaccinated are you?
Staff member
I agree with Bev, however in all the discussions of "risk based thinking" and related "risk" discussions, the ISO folks and many hundreds of consultants have, in my opinion, just stirred a pot of "stupid".

Why do I say that? After what is now over 30 years since I was first involved in "quality assurance" (some of you may remember I was a biology major with a chemistry minor in college, so long story of how I ended up in the "business" world), what I have consistently seen a lack of reality in thinking, and a lot of a lack of common sense (e.g.: Common Freaking Sense and Is Common Sense Learned, Taught, Inherent or An Outcome Of Life Experience? ). People are WAY over doing the "risk" thing to the point that people are reacting as if it's new and spending countless, mostly useless hours trying to "meet the requirements of the standard".

If I had a nickel for every hour spent by people in companies all over the world "trying to comply with the standard" producing mostly useless documents, and I shared it with my extended family, which I would were I that rich, as it is with the Walton family of Wal-Mart fame no one in my extended family, as well as generations to come, would ever have to work (as in have a job). Well, maybe not that rich, but I'd have one heck of a chunk of cash... Just a nickel an hour. Think about how much ISO 9001 is costing on a world wide basis just on "risk based thinking" alone.

Think rationally and realistically. For example:

Political risk - OK, put it on a list and simply state it is not something that can typically be predicted and prepared for by 99% of companies. Not to mention, what type of "political risk"? There are many kinds, from over throw of a government to the lesser, but still significant, numerous various potential changes in local/state/federal laws which are typically political rather than data based. And what about wars? What about the Brexit vote?

Commercial agreements in other countries - Again, put it on your list. That is evidence you have considered it which is all the standard requires. You can't even ensure that a commercial agreement (aka contract) within your country will be adhered to so add that as well. Over the years I've seen so any contracts broken for one reason or another that, while not typical, it isn't unusual. Thing is, it can't be predicted for every contract. If it can't be predicted no concrete, reliable plan can be made for it. This is not to mention, think about how many various contracts a company of any size will have. One may say "Well, we could predict a potential that this contract may be broken and planned for..." but think about that for a minute. Can that be said about every contract a company has? And again, Brexit is currently in play as another example...

Natural disaster - Some can be planned for, at least to some degree, but most can't (realistically). How are you going to plan for an earthquake that destroys a production facility? How are you going to do anything to mitigate the total loss of a production facility in a location? Build a "back-up" facility in a location let's say 200 miles away, fully equipped with production equipment, measurement and test equipment (etc., etc.) and let it sit idle as you wait for an earthquake, a flood, a tornado, a hurricane, a forrest fire, a catastrophic dam failure, (etc.) which may or may not ever occur? Or are you going to move everything to a new state (country, whatever) where there is, for example, a low risk of flooding or earthquakes, but a high risk of tornados and/or wild fires? There is no location with no risks.

Single source supplier - Bev's statement is well taken, but not every company can have two sources for every component, every sub-assembly, every raw material, every service. Yes, for some companies it is possible, but for most? I don't think so.​

We could produce a 20 page, single spaced list of potential risks in a small company. For a large company one could produce a list of 500 pages (or 1000, or more!) of the potential risks alone, not including an analysis for each.

ISO 9001:2015 only requires "risk based thinking" which companies are doing anyway whether they realize it or not. It doesn't require 100 pages of potential risks, much less an analysis for each.

I do suggest people read through some of the existing "risk based thinking" discussions here - management and analysis/

I also highly recommend that people read through other posts Bev has made, as well as Jennifer and Sidney, about "risk based thinking" compliance to ISO 9001:2015 - Remember - You can search for all posts a specific user has made by simply clicking on their name in any post they make (you will get a "drop down" list with options, one of which is "Find all posts by <Name of the poster>").

Anyway - My :2cents: Too many people are over thinking the "risk based thinking" requirement and are wasting a heck of a lot of time on unnecessary "work" they think is required to meet the requirements of the standard.

I leave you with the following....

Today we mourn the passing of a beloved old friend - Common Sense
Last edited:


I see Bev D said: find out what can go wrong, then put a plan in place to address. With this in mind, have you ever thought of creating a FMEA (instead of a fishbone) for each specific risk you want to address?


Forum Moderator
Staff member
I've seen a lot of comments about identifying risks, but none so far about risk mitigation strategies. The following link has a good summary of the four possible mitigation strategies.


I've seen a lot of comments about identifying risks, but none so far about risk mitigation strategies. The following link has a good summary of the four possible mitigation strategies.
This made me smile, from your link:

'Many are afraid to assess their compliance – better to keep their head under the sand than know the truth'.

I've seen this a few times, sadly it's far too common. And all too often, if management are queried, you get something along the lines of 'well, if we've been doing it wrong for 20 years, it can't be that bad can it?' :notme:
Thread starter Similar threads Forum Replies Date
D Question: How to analyze numerical and attribute data Reliability Analysis - Predictions, Testing and Standards 11
G Team to analyze a non conformance Customer Complaints 26
Q How should I analyze measurement correlation between me and customer? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 12
K QMS Improvement - Analyze the systemic weaknesses of the QMS for improvement purpose Quality Tools, Improvement and Analysis 6
S Is there a difference in the process? Analyze residuals, construct interval estimate Using Minitab Software 2
K Measurement system analysis "shall be conducted to analyze the variation..." Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 3
T How do I analyze the Sound Quality Testing of vacuum cleaners? Misc. Quality Assurance and Business Systems Related Topics 9
M Please help to analyze Response Surface Methodology by using Minitab 16 Using Minitab Software 6
D Is this an IDE or not? Helping a doctor collect and analyze data Other US Medical Device Regulations 1
D The correct way to analyze Skewed Data using Minitab Using Minitab Software 3
P How to analyze DOE: 2 Factor, 4 Level Experiment Six Sigma 7
B Analyze 'Factorial Design' or 'Variability' - Difference when used for DOE Analysis? Using Minitab Software 1
D Analyze of Fractional Factorial Design in Minitab - I didn't get F and P- values Using Minitab Software 4
B Gather and Analyze Production Scrap - MiniTab 16 vs. Excel Data Analysis Quality Assurance and Compliance Software Tools and Solutions 5
F Data Analysis Methods - No clue how to analyze this data Using Minitab Software 18
U Ideas or example on how to analyze and present results on data collected Statistical Analysis Tools, Techniques and SPC 3
P PFMEA vs. 8D report - Can we use PFMEA to analyze problems? FMEA and Control Plans 3
C Six Sigma Project - Using FMEA in the Analyze Phase Quality Manager and Management Related Issues 6
E Monitor, Measure, and Analyze Processes? ISO 9001 Clause 4.1.e and 8.2.3 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
D Are Process Behavior Charts the only way to Analyze Deviations from Targets? Statistical Analysis Tools, Techniques and SPC 6
N How to evaluate and analyze Customer Satisfaction Surveys Quality Tools, Improvement and Analysis 16
A PDCA (Plan Do Check Act) vs. DMAIC (Define Measure Analyze Improve Control) Quality Tools, Improvement and Analysis 24
Q Six Sigma DMAIC (Define - Measure - Analyze - Improve - Control) program Six Sigma 1
E Question on how to analyze Customer Survey Results Statistical Analysis Tools, Techniques and SPC 2
T IEC 62304 : Risk control for SaMD IEC 62304 - Medical Device Software Life Cycle Processes 8
Thee Bouyyy Risk Assessment and Management Misc. Quality Assurance and Business Systems Related Topics 0
P Scenario based risk assessment IEC 27001 - Information Security Management Systems (ISMS) 1
Q KPI risk assessment - Criteria for the given score IATF 16949 - Automotive Quality Systems Standard 3
S Foreign Risk Notification Canada Medical Device Regulations 2
J HELP NEEDED ! Risk Management Exercise ISO 14971 - Medical Device Risk Management 12
O Should a Covid vaccine and testing policy be included as part of ISO9001 or AS9100 risk management? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
M Does 4.5 - Alternative RISK CONTROL apply to the Particular Standards? IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
Q Measurement Equipment Revocation - Looking for a Disposal Form with Risk Assessment IATF 16949 - Automotive Quality Systems Standard 10
B ISO13485 Risk managment implementation for suppliers ISO 14971 - Medical Device Risk Management 2
Moncia Chemical risk assessment / COSHH Manufacturing and Related Processes 5
E Supply chain main policies ,scope, risk assessments & relavant KPI Supply Chain Security Management Systems 2
D Use Error Risk Controls and Control Verification ISO 14971 - Medical Device Risk Management 6
J Risk Assessment of Lithium Ion Batteries FMEA and Control Plans 3
Melissa Risk Management Process, How far do I need to go? ISO 14971 - Medical Device Risk Management 13
D Does Risk Management apply to re-labeler (MDR) EU Medical Device Regulations 1
H Risk Management Plan in agile process ISO 14971 - Medical Device Risk Management 14
H Risk Analysis and Probability of Occurrence ISO 14971 - Medical Device Risk Management 3
B Risk analysis for defective measuring or measuring equipment out of calibration General Measurement Device and Calibration Topics 2
P Benefit risk analysis on pFMEA ISO 14971 - Medical Device Risk Management 9
B AS9102 - 3D printing a special tool required for assembly (counterfeit risk?) AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 12
K Defining risk control measures IEC 62304 - Medical Device Software Life Cycle Processes 14
U Supply risk management Manufacturing and Related Processes 4
T Biological Evaluation (10993) & Risk Management ISO 14971 - Medical Device Risk Management 9
D Cybersecurity and Risk Management: Loss of confidentiality IEC 62304 - Medical Device Software Life Cycle Processes 5
Q FMEA and Risk assessment in Microsoft Access FMEA and Control Plans 6

Similar threads

Top Bottom