# Risk impact can be modified?

#### qualprod

Trusted Information Resource
Hi guys

I have evaluated risks in a simple manner in 9001:2015,
and had the idea that when risk is evaluated, PxI,
the probability was the only thing that can be minimized.

However, lately I have read somewhere that impact can also be modified.

Risk evaluation steps are as follows:

I'll try to imagine a case; please tell me if it is right or wrong.

Case:

Key person near to retirement
Risk value = probability x impact

range 1-5
probability is very high (in six months the person is leaving the company)

Impact = well, here it could be measured from several viewpoints:
normally image, dissatisfaction of clients, financial loss, because this person knows all the company, clients, business operation, etc.

So RV = 5 x 5 = 25, very high value

Actions for mitigation:

To hire a person with similar competency and be trained properly.

Ok, now new person is in place and is performing very well.

Then we need to evaluate residual risk.

RV = PxI
Probability is very low = 1, and the Impact value?

In my view, it is the same, because if this person (position) is absent
the impact value remains the same, or can it be changed?

A vague idea to reduce the impact could be, for example in the same case
(financial loss), that I may get some funds to reduce the impact, or, for the poor image to the client, I could provide additional services or products to improve
satisfaction.
This way the impact value could be changed and lowered.

RV = 1 x 2 = 2

very low risk value.

Could you give some comments?

Thanks

#### Bev D

##### Heretical Statistician
Staff member
Super Moderator
Well "I reject the premise of your question"

You have mitigated the effect of the event. Good. Have you put in systemic processes to ensure that the event won't happen again? If so you really haven't changed anything - just kicked the can down the road. After all, the replacement you hire has a 100% probability of getting old and retiring or suffering an early death.

The bottom line is that the tired old RPN or Probability * Severity math is not relevant or useful. It is simply a ritual.

The intent of risk based thinking is to identify the risks and mitigate them as appropriate.

The calculation of mathematical formulas is no substitute for thinking...

#### qualprod

Trusted Information Resource
Thanks Bev D

Well, I've been a very short time in these fields (quality, QMS),
so your response is, for me, somewhat not clearly understood.

According to the article you shared, it seems maths in these cases maybe wouldn't apply properly to risks.

So, in simple words, what approach would you suggest to address
risks according to ISO 9001?

Could you share some simple ideas?

Thanks

#### dsanabria

##### Quite Involved in Discussions
How about mitigating the process by cross training or hiring another individual to be trained?

Note: your impact is way off - you are making assumptions. Please don't share this formula - there are too many variables to come to a conclusion.

Risk in this case is dynamic and unpredictable. Maybe the position is not needed and it is replaced with a robot.

Maybe the customers are not aware and really don't care as long as they get their products.

Your formula is not workable due to many variables - please do not overthink it and take people through this path - keep it simple - KISS formula.

#### qualprod

Trusted Information Resource
> How about mitigating the process by cross training or hiring another individual to be trained.

I did it in this way to mitigate the risk.

> Note: your impact is way off - you are making assumptions please don't share this formula - there are too many variables to come to a conclusion.

I have seen this method used everywhere, why not use it?
It's so common.

> Risk in this case is dynamic and unpredictable. Maybe the position is not needed and it is replaced with a robot.

No comment.

> Risk in this case is dynamic and unpredictable. Maybe the position is not needed and it is replaced with a robot.

No comment.

> Maybe the customers are not aware and really don't care as long as they get their products.

Who faces the risk is aware of it.

> Your formula is not workable due to many variables - please do not overthink it and take people through this path - keep it simple - KISS formula.

Thanks

#### Marc

##### Fully vaccinated are you?
Staff member
> > How about mitigating the process by cross training or hiring another individual to be trained.
>
> I did it in this way to mitigate the risk.

Your assumption that in "key" personnel changes "risk" can be reduced is questionable. Please list positions which are "key" personnel (in your world).

> > Note: your impact is way off - you are making assumptions please don't share this formula - there are too many variables to come to a conclusion.
>
> I have seen this method used everywhere, why not use it?
> It's so common.

Yes it is. The link Bev gave pretty much says (correctly) "If you don't understand statistics, talk to a statistics expert." Too many people give "false" information, typically because they do not actually understand, for example, statistics (but who think they do).

> > Risk in this case is dynamic and unpredictable. Maybe the position is not needed and it is replaced with a robot.
>
> No comment.

> Case:
>
> Key person near to retirement

or not?

> > Risk in this case is dynamic and unpredictable. Maybe the position is not needed and it is replaced with a robot.
>
> No comment.

> Case:
>
> Key person near to retirement

or not?

> > Maybe the customers are not aware and really don't care as long as they get their products.
>
> Who faces the risk is aware of it.

This of course, depends upon the role and function(s) of the "key person". As noted herein, "key personnel" often have assets which one can not quantify, such as in sales and design. Reputation and "friends" (connections) is only one of the assets you can not quantify.

> > Your formula is not workable due to many variables - please do not overthink it and take people through this path - keep it simple - KISS formula.
>
> Thanks

Here is my take...

First of all, no - There is no simple "KISS" approach which would apply. As Bev says - There is no replacement for "thinking".

Bev gives her "down vote" for FMEAs, and I agree with her for the most part. I go back many years and in critical missions and products we didn't do a typical FMEA. We brought teams together, multifunctional teams, to discuss potential failure modes. We had to think together in Teams which always included a reliable, knowledgeable statistician.

I was involved with a DoD program back in the Iraq War 1 of 1991. While I can not relate details, I can tell you that the project was critical on a new "product" design. We had a weekly team meeting. We discussed many aspects. We "thought". Every week's output was the next week's input. No one ever even said "FMEA". We did have a team statistician whose input was invaluable.

I also did a lot of work in automotive "airbag restraint" systems, not to mention explosives and automotive braking systems. Statisticians were always key project personnel.

This discussion started out with

> ...Case:
>
> Key person near to retirement...

You can not apply a mathematical / statistical formula to evaluate risk because, as has been said - There are too many variables.

For example, I know people who are well known in their industries. There is no training or other way to assess what the loss of their personal reputation and "connections" comes into play on many levels. Comments such as

> > ...Risk in this case is dynamic and unpredictable. Maybe the position is not needed and it is replaced with a robot.
>
> no comment...

make no sense other than at the level of line personnel. Sales cannot be replaced by robots. R&D personnel can not be totally replaced by a robot. Many positions can not be replaced by a robot.

That said - Neither AI (artificial intelligence) nor robots can replace many (most?) personnel at this point in time/history. While both are being highly hyped these days, what do you see in reality? A McDonald's somewhere has paid for equipment which will cook burgers (equipment cost ~US$60,000). But - It still requires a human to apply certain toppings. Order clerks being replaced with kiosks.

I believe in the long term. I have lived a lot of years and seen changes I could never have imagined. We can only guess as to what the future will bring. As I age, I remember my father telling me, when I was very young, about the first time he saw an airplane fly over him. From self driving cars (a dream of mine considering the miles I have driven) to AI. I am old enough to realize that there are many things I would not have considered possible, to actually become possible. "Feature phones" today have more computing power than many computers sold 10 years ago.

However, the "future" is not now. One can dream of tomorrow, but one has to live in "today".
***********************
Having said all of this - I'm not a professional statistician, nor am I a GD&T expert. But throughout my career of about 35 years, I have always called in an expert when necessary.

And - There are a number of experts here whose participation, helping people in the discussion forums, I seriously appreciate their input in discussions.

Thank you all.
