The Risk Question

The risk question established the purpose and scope – the context of the risk assessment. This step is critical since it sets the risk assessment’s direction, tone, and expectations. From this risk question stems the risk team; the degree, extent, or rigor of the assessment; the risk assessment methodologies; the risk criteria; and levels of acceptable risk.

The risk problem needs to be clear, concise, and well understood by all stakeholders. Every successful risk assessment needs a tightly defined beginning and end, so the assessment team can set good boundaries for the assessment with internal (resources, knowledge, culture, values, etc) and external (technology, legal, regulatory, economy, perceptions of external stakeholders, etc) parameters in mind.

To ensure the risk team focuses on the correct elements, the risk question should clearly explain what is expected. For example:

For a risk assessment of potential emergencies/disasters, should the assessment be limited to emergencies/disasters at facility sites or include events off-site? Should it include natural, manmade, or technological emergencies/disasters, or all of them?
If the hazards associated with the job of repairing a porch as to be assessed, would it just cover the actual porch repair, or would it include hazards like setting up the space, bringing materials on site, and the hazards associated with use/not-use of the porch?
If the risk assessment covers getting a new family dog does it include just those associated with the dog, or does it include changes to the schedule or even next year’s vacation?

Setting the scope too narrow on the risk question might prevent a hazard and the resulting risk from being identified and assessed or making it too broad could prevent the risk assessment from getting to the real purpose.

Risk questions can be broken down in a tree structure to more define scopes, which can help drive effective teams.

For example, if we are doing a risk assessment on changing the family’s diet, it might look like this:

The current draft of ICH Q9 places a lot of importance on the risk question, rightfully so. As a tool it helps focus and define the risk assessment, producing better results.

Preliminary Hazard Analysis

The Preliminary Hazard Analysis (PHA) is a risk tool that is used during initial design and development, thus the name “preliminary”, to identify systematic hazards that affect the intended function of the design to provide an opportunity to modify requirements that will help avoid issues in the design.

Like a fair amount of tools used in risk, the PHA was created by the US Army. ANSI/ASSP Z.590.3 “Prevention through Design, Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes” makes this one of the eight risk assessment tools everyone should know.

Taking the time to perform a PHA early on in the design will speed up the design process and avoid costly mistakes. Any identified hazards that cannot be avoided or eliminated are then controlled so that the risk is reduced to an acceptable level.

PHAs can also be used to examine existing systems, prioritize risk levels and select those systems requiring further study. The use of a single PHA may also be appropriate for simple, less compelx systems.

A. Identify Hazards

Like a Structured What-If, the Preliminary Hazard Analysis benefits from an established list of general categories:

by the source of risk: raw materials, environmental, equipment, usability and human factors, safety hazards, etc.
by consequence, aspects or dimensions of objectives or performance

Based on the established list, a preliminary hazard list is identified which lists the potential, significant hazards associated with a design. The purpose of the preliminary hazard list is to initially identify the most evident or worst-credible hazards that could occur in the system being designed. Such hazards may be inherent to the design or created by the interaction with other systems/environment/etc.

A team should be involved in collecting and reviewing.

B. Sequence of Events

Once the hazards are identified, the sequence of events that leads from each hazard to various hazardous situations is identified.

C. Hazardous Situation

For each sequence of events, we identify one or more hazardous situations.

D. Impact

For each hazardous situation, we identify one or more outcomes (or harms).

E. Severity and occurrence of the impact

Based on the identified outcomes/harms the severity is determined. An occurrence or probability is determined for each sequence of events that leads from the hazard to the hazardous situation to the outcome.

Based on severity and likelihood of occurrence a risk level is determined.

I tend to favor a 5×5 matrix for a PHA, though some use 3×3, and I’ve even seen 4×5.

Intended outcomes		Likelihood of Occurrence
Severity Rating	Impact to failure scale	1 Very unlikely	2 Likely	3 Possible	4 Likely	5 Very Likely
5	Complete failure	5	10	15	20	25
4	Maximum tolerable failure	4	8	12	16	20
3	Maximum anticipated failure	3	6	9	12	15
2	Minimum anticipated failure	2	4	6	8	10
1	Negligible	1	2	3	4	5
Very high risk: 15 or greater, High risk 9-14, Medium risk 5-8, Low risk 1-4

F. Risk Control Measures

Based on the risk level risk controls and developed and applied. These risk controls will help the design team create new requirements that will drive the design.

On-going risks should be evaluated for the risk register.

Decentralized Decision-making

Decentralizing decision-making helps make better and faster decisions while inspiring people to feel needed by the organization and to be empowered. It is a central aspect of democratic leadership and a core way to build a quality culture.

Decentralized decision-making requires psychological safety and a recognition that it just doesn’t happen. Like any behavior, it needs time needs to be spent to develop and nurture.

Decision Quality

As a value, decentralized decision-making might look like this:

Value: Decentralized Decision-Making
Definition: Decisions are made by the people who do the work. Everyone is trained to make data-driven decisions by paying attention to the problem, task or numbers, not the person.
Desired Behaviors:
- I make decisions based on data, using a defined process.
- I solve problems by involving the right people.
- I foster an environment of transparency in decision-making
- I push decision-making to the right people as appropriate.

To make this work, it is critical to teach decision-making. A popular method is RAPID, an acronym of 5 words that refer to the group of people involved in the steps of decision-making -Recommend, Agree, Perform, Input, Decision. This was a framework developed by Bain & Company as a systemized framework to design an action plan regarding a problem.

With the base of how a decision is made, the next step is to decide what sort of decisions exist in the organization, and how they get made. I recommend two axis:

The Scale of the Decision: What is the risk level of the decision
The Level of Process Controls: How well defined is the process around the area of the decision

Competence

We can break down people’s abilities into four areas:

Capability	What people need to do to produce results
Skill	Broken into technical knowledge and practiced performance
Interest	Passion
Required behaviors	Operationalize the organization’s vision, culture, or way of being in behavioral terms.

Competence is a combination of Capability and Skill. If I do not have the capability for the work, no amount of developmental training will be helpful. And, I don’t have the skill, you will never see my capability. Competence is a combination of both.

Interest or passion for the work will influence the amount of time for practice. The more interested I am, the more time I will spend in practice. And if I don’t practice a skill, the skill goes away, and competence diminishes.

There is also a set of required behaviors. Practice arrives with many qualities, frequency of practice, duration of practice, depth of practice, and accuracy of practice. Accuracy of practice relates to required behaviors. Practice doesn’t make perfect, only perfect practice makes perfect.

Deliberate practice allows us to influence all four attributes.

Deming Unrealized

W. Edwards Deming’s substantive influence upon management thinking and practice is evidenced by the number of organizations that have worked to implement his key points, the abundance of books and papers related to his ideas, and the impact of his ideas on the practice of business today. While I’m not a fan of the term Quality Guru, it is hard to miss his impact.

Deming’s main concepts can be summarized as:

Visionary Leadership: The ability of management to establish, practice, and lead a long-term vision for the organization, driven by changing customer requirements, as opposed to an internal management control role.

Internal and External Cooperation: The propensity of the organization to engage in non-competitive activities internally among employees and externally with respect to suppliers.

Learning: The organizational capability to recognize and nurture the development of its skills, abilities, and knowledge base.

Process Management: The set of methodological and behavioral practices emphasizing the management of process, or means of actions, rather than results.

Continuous Improvement: The propensity of the organization to pursue incremental and innovative improvements to processes, products, and services.

Employee Involvement: The degree to which employees of an organization feel that the organization continually satisfies their needs.

Customer Satisfaction: The degree to which an organization’s customers continually perceive that their needs are being met by the organization’s products and services.

Summarizing the System of Profound Knowledge

Almost thirty years after the publication of The New Economics for Industry, Government, Education and we are still striving to realize these. They are still as aspirational and, for many organizations, out of reach today as they were in the eighties. We can argue that a lot of the concepts that swirl around Quality 4.0 is just trying out new technologies to see if we meet those objectives.

We can, and should, discuss the particulars of the System of Profound Knowledge. For me, it makes an excellent departure point for what we should be striving for. By looking to the past we can discover…

Strengths that define us
Weaknesses that frustrate us
Causes that energize us
Relationships that inspire us.