How to Analyze Risk if is out of your control



Hi everybody

Regarding at addressing the risk

I´m thinking to use ishikawa to analyze internal risk, no doubt that I can do a good analysis because things happen into my company and have the information to implement action plans.

By using ishikawa, I consider the risk, I get the possible causes and with that Iimplement the needed actions.

But at analyzing external risks, what analysis I can do, if I dont have enough info to use?

Suppose political risk, commercial agreements in other countries,etc. I dont have control over them.

For that, I can´t use my ishikawa, I think what I can do, it is to mention the risk in the list of risk and propose something inside my organization in order to mitigate it.

or maybe I can use ishikawa, and into the bones, to show what bones can help to mitigate the risk.

Do you have any idea as how to manage this issue?


Well, is not only problem of the used method, it applies also if using, FMEA, decision tree, etc.
Elsmar Forum Sponsor

Bev D

Heretical Statistician
Super Moderator
you are on the right track for risks you cannot control. The answer is to understand what can happen and then put mitigation plans in place.

Natural disaster - backup systems in case records and documents get destroyed
single source supplier - get two sources in different geographical locations

included in mitigation would be some method for monitoring the likelihood of the risk being realized.

Sidney Vianna

Post Responsibly
Suppose political risk, commercial agreements in other countries,etc. I dont have control over them.
Would you engage with a supplier from North Korea, at present?

If you had one there, wouldn't you be looking for an alternative source?

Geopolitical risks for your supply chain can and should be mitigated; that is, unless you work for a state-owned organization where political cronies, appointed by the government make decisions based on corrupt dealings and, then, you really have no control over supplier decision.

As for external risks that could be totally out of your control, why analyze something you can do NOTHING about it?


Fully vaccinated are you?
I agree with Bev, however in all the discussions of "risk based thinking" and related "risk" discussions, the ISO folks and many hundreds of consultants have, in my opinion, just stirred a pot of "stupid".

Why do I say that? After what is now over 30 years since I was first involved in "quality assurance" (some of you may remember I was a biology major with a chemistry minor in college, so long story of how I ended up in the "business" world), what I have consistently seen a lack of reality in thinking, and a lot of a lack of common sense (e.g.: Common Freaking Sense and Is Common Sense Learned, Taught, Inherent or An Outcome Of Life Experience? ). People are WAY over doing the "risk" thing to the point that people are reacting as if it's new and spending countless, mostly useless hours trying to "meet the requirements of the standard".

If I had a nickel for every hour spent by people in companies all over the world "trying to comply with the standard" producing mostly useless documents, and I shared it with my extended family, which I would were I that rich, as it is with the Walton family of Wal-Mart fame no one in my extended family, as well as generations to come, would ever have to work (as in have a job). Well, maybe not that rich, but I'd have one heck of a chunk of cash... Just a nickel an hour. Think about how much ISO 9001 is costing on a world wide basis just on "risk based thinking" alone.

Think rationally and realistically. For example:

Political risk - OK, put it on a list and simply state it is not something that can typically be predicted and prepared for by 99% of companies. Not to mention, what type of "political risk"? There are many kinds, from over throw of a government to the lesser, but still significant, numerous various potential changes in local/state/federal laws which are typically political rather than data based. And what about wars? What about the Brexit vote?

Commercial agreements in other countries - Again, put it on your list. That is evidence you have considered it which is all the standard requires. You can't even ensure that a commercial agreement (aka contract) within your country will be adhered to so add that as well. Over the years I've seen so any contracts broken for one reason or another that, while not typical, it isn't unusual. Thing is, it can't be predicted for every contract. If it can't be predicted no concrete, reliable plan can be made for it. This is not to mention, think about how many various contracts a company of any size will have. One may say "Well, we could predict a potential that this contract may be broken and planned for..." but think about that for a minute. Can that be said about every contract a company has? And again, Brexit is currently in play as another example...

Natural disaster - Some can be planned for, at least to some degree, but most can't (realistically). How are you going to plan for an earthquake that destroys a production facility? How are you going to do anything to mitigate the total loss of a production facility in a location? Build a "back-up" facility in a location let's say 200 miles away, fully equipped with production equipment, measurement and test equipment (etc., etc.) and let it sit idle as you wait for an earthquake, a flood, a tornado, a hurricane, a forrest fire, a catastrophic dam failure, (etc.) which may or may not ever occur? Or are you going to move everything to a new state (country, whatever) where there is, for example, a low risk of flooding or earthquakes, but a high risk of tornados and/or wild fires? There is no location with no risks.

Single source supplier - Bev's statement is well taken, but not every company can have two sources for every component, every sub-assembly, every raw material, every service. Yes, for some companies it is possible, but for most? I don't think so.​

We could produce a 20 page, single spaced list of potential risks in a small company. For a large company one could produce a list of 500 pages (or 1000, or more!) of the potential risks alone, not including an analysis for each.

ISO 9001:2015 only requires "risk based thinking" which companies are doing anyway whether they realize it or not. It doesn't require 100 pages of potential risks, much less an analysis for each.

I do suggest people read through some of the existing "risk based thinking" discussions here - management and analysis/

I also highly recommend that people read through other posts Bev has made, as well as Jennifer and Sidney, about "risk based thinking" compliance to ISO 9001:2015 - Remember - You can search for all posts a specific user has made by simply clicking on their name in any post they make (you will get a "drop down" list with options, one of which is "Find all posts by <Name of the poster>").

Anyway - My :2cents: Too many people are over thinking the "risk based thinking" requirement and are wasting a heck of a lot of time on unnecessary "work" they think is required to meet the requirements of the standard.

I leave you with the following....

Today we mourn the passing of a beloved old friend - Common Sense
Last edited:


I see Bev D said: find out what can go wrong, then put a plan in place to address. With this in mind, have you ever thought of creating a FMEA (instead of a fishbone) for each specific risk you want to address?


Forum Moderator
I've seen a lot of comments about identifying risks, but none so far about risk mitigation strategies. The following link has a good summary of the four possible mitigation strategies.


I've seen a lot of comments about identifying risks, but none so far about risk mitigation strategies. The following link has a good summary of the four possible mitigation strategies.
This made me smile, from your link:

'Many are afraid to assess their compliance – better to keep their head under the sand than know the truth'.

I've seen this a few times, sadly it's far too common. And all too often, if management are queried, you get something along the lines of 'well, if we've been doing it wrong for 20 years, it can't be that bad can it?' :notme:
Thread starter Similar threads Forum Replies Date
D Question: How to analyze numerical and attribute data Reliability Analysis - Predictions, Testing and Standards 11
G Team to analyze a non conformance Customer Complaints 26
Q How should I analyze measurement correlation between me and customer? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 12
K QMS Improvement - Analyze the systemic weaknesses of the QMS for improvement purpose Quality Tools, Improvement and Analysis 6
S Is there a difference in the process? Analyze residuals, construct interval estimate Using Minitab Software 2
K Measurement system analysis "shall be conducted to analyze the variation..." Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 3
T How do I analyze the Sound Quality Testing of vacuum cleaners? Misc. Quality Assurance and Business Systems Related Topics 9
M Please help to analyze Response Surface Methodology by using Minitab 16 Using Minitab Software 6
D Is this an IDE or not? Helping a doctor collect and analyze data Other US Medical Device Regulations 1
D The correct way to analyze Skewed Data using Minitab Using Minitab Software 3
P How to analyze DOE: 2 Factor, 4 Level Experiment Six Sigma 7
B Analyze 'Factorial Design' or 'Variability' - Difference when used for DOE Analysis? Using Minitab Software 1
D Analyze of Fractional Factorial Design in Minitab - I didn't get F and P- values Using Minitab Software 4
B Gather and Analyze Production Scrap - MiniTab 16 vs. Excel Data Analysis Quality Assurance and Compliance Software Tools and Solutions 5
F Data Analysis Methods - No clue how to analyze this data Using Minitab Software 18
U Ideas or example on how to analyze and present results on data collected Statistical Analysis Tools, Techniques and SPC 3
P PFMEA vs. 8D report - Can we use PFMEA to analyze problems? FMEA and Control Plans 3
C Six Sigma Project - Using FMEA in the Analyze Phase Quality Manager and Management Related Issues 6
E Monitor, Measure, and Analyze Processes? ISO 9001 Clause 4.1.e and 8.2.3 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
D Are Process Behavior Charts the only way to Analyze Deviations from Targets? Statistical Analysis Tools, Techniques and SPC 6
N How to evaluate and analyze Customer Satisfaction Surveys Quality Tools, Improvement and Analysis 16
A PDCA (Plan Do Check Act) vs. DMAIC (Define Measure Analyze Improve Control) Quality Tools, Improvement and Analysis 24
Q Six Sigma DMAIC (Define - Measure - Analyze - Improve - Control) program Six Sigma 1
E Question on how to analyze Customer Survey Results Statistical Analysis Tools, Techniques and SPC 2
T AS9100D Risk-Based Internal Audit Schedule AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 10
thisby_ Installation Related Issues and Risk Management ISO 14971 - Medical Device Risk Management 5
W Reconciling FMEA RPN ratings with Risk Acceptability ISO 14971 - Medical Device Risk Management 11
D How to address the content deviation of 'cannot apply criteria of risk acceptability prior to...' ISO 14971 - Medical Device Risk Management 1
Doninina Risk management file according MDR or ISO 14971:P2019 ? EU Medical Device Regulations 2
T Risk based CA AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
T IVD Risk - destruction of patient samples - Harm to property? ISO 14971 - Medical Device Risk Management 5
E Do anyone have document of automotive production risk and control of risk? Lean in Manufacturing and Service Industries 1
R Using RPN to Confirm Risk Reduced to an Acceptable Level Risk Management Principles and Generic Guidelines 12
T IVD Device Software - Risk Classification IEC 62304 - Medical Device Software Life Cycle Processes 16
G Help:Risk Management - Accessories US Food and Drug Administration (FDA) 1
N Writing Risk Management procedure for small manufacturing and we don't know where to start. Manufacturing and Related Processes 9
E How to risk assess tooling? For a medical device and is it needed??? Manufacturing and Related Processes 2
M Clinical evaluation interface with the risk management process EU Medical Device Regulations 9
L Risk analysis Manufacturing and Related Processes 4
J Risk Analysis for Proficiency Testing Reliability Analysis - Predictions, Testing and Standards 1
J ISO 10993-1:2018 Format to Perform Risk Management Process US Food and Drug Administration (FDA) 1
B Risk Management Procedure updates needed for 14971:2019 ISO 14971 - Medical Device Risk Management 11
M What is the Risk of Using Obsolete Versions of C=0 & ANSI/ ASQ Z1.4 Sampling Plans? ISO 13485:2016 - Medical Device Quality Management Systems 8
D AS9100D 8.4.2 Note 2 Significant Operational Risk AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
A Calculating Risk Estimation ISO 14971 - Medical Device Risk Management 29
M Intended Use vs Actual Use and Scope of Risk Management EU Medical Device Regulations 8
S IDCB 0129/0160 Clinical Risk Management ISO 14971 - Medical Device Risk Management 2
H At what level (harm, hazardous situation, seq. of events, etc) is "risk" estimated? ISO 14971 - Medical Device Risk Management 12
A Risk Management Team IEC 60601 - Medical Electrical Equipment Safety Standards Series 11
S Risk Management File - Procedure Packs ISO 14971 - Medical Device Risk Management 3

Similar threads

Top Bottom