As it turns out, the reality-based, science-friendly communities and information sources many of us depend on also largely failed. We had time to prepare for this pandemic at the state, local, and household level, even if the government was terribly lagging, but we squandered it because of widespread asystemic thinking: the inability to think about complex systems and their dynamics. We faltered because of our failure to consider risk in its full context, especially when dealing with coupled risk—when multiple things can go wrong together. We were hampered by our inability to think about second- and third-order effects and by our susceptibility to scientism—the false comfort of assuming that numbers and percentages give us a solid empirical basis. We failed to understand that complex systems defy simplistic reductionism.
On point analysis. Hits many of the themes of this blog, including system thinking, complexity and risk and makes some excellent points that all of us in quality should be thinking deeply upon.
COVID-19 is not a black swan. Pandemics like this have been well predicted. This event is a different set of failures, that on a hopefully smaller scale most of us are unfortunately familiar with in our organizations.
I certainly didn’t break out of the mainstream narrative. I traveled in February, went to a conference and then held a small event on the 29th.
The article stresses the importance of considering the trade-offs between resilience, efficiency, and redundancy within the system, and how the second- and third-order impacts can reverberate. It’s well worth reading for the analysis of the growth of COVID-19, and more importantly our reaction to it, from a systems perspective.
Risk Management often devolves into a check-the-box, non-valued activity in an organization. While many organizations ensure they have the right processes in place, they still end up not protecting themselves against risk effectively. A lot of our organizations struggle to understand risk and apply this mindset in productive ways.
As quality professionals we should be applying the same improvement tools to our risk management processes as we do anything else.
To improve a process, we first need to understand the value from the process. Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
The risk evaluation is the step where the knowledge base is evaluated, and a summary judgment is reached on the risks and uncertainties involved in the case under investigation. This evaluation must take the values of the decision-makers into account and a careful understanding has to be had on just what the practical burden of proof is in the particular decision.
Does Risk Management then create value for those perceived by the stakeholders? Can we apply a value stream approach and look to reduce wastes? Some common ones include:
Waste in Risk Management
“The things that hurts you is never in a risk matrix” “You have to deliver a risk matrix, but how you got there doesn’t matter”
Missing stakeholder viewpoints, poor Risk Management process, lack of considering multiple sources of uncertainty, poor input data, lack of sharing information
“if it is just a checklist sitting somewhere, then people don’t use it, and it becomes a wasted effort”
Missing standardization, serial processing and creation of similar documents, reports are not used after creation
“we’re uncertain what are the effect of the risk as this early stage, I think it would make more sense to do after”
Documented risk lay around unutilized during a project, change or operations
Unnecessary movement of people
“It can be time consuming walking around to get information about risk”
Lack of documentation, risks only retrievable by going around asking employees
“Time spend in risk identification is always little in the beginning of a project because everybody wants to start and then do the first part as quickly as possible.”
The documents were supposed to be updated and re-evaluated, but was not, thus becoming partially obsolete over time
Common wastes in Risk Management
Once we understand waste in risk management we can identify when it happens and engage in improvement activities. We should do this based on the principles of decision quality and very aware of the role uncertainty applies.
Anjum, Rani Lill, and Elena Rocca. “From Ideal to Real Risk: Philosophy of Causation Meets Risk Analysis.” Risk Analysis, vol. 39, no. 3, 19 Sept. 2018, pp. 729–740, 10.1111/risa.13187.
Hansson, Sven Ove, and Terje Aven. “Is Risk Analysis Scientific?” Risk Analysis, vol. 34, no. 7, 11 June 2014, pp. 1173–1183, 10.1111/risa.12230
Walker, Warren E., et al. “Deep Uncertainty.” Encyclopedia of Operations Research and Management Science, 2013, pp. 395–402, 10.1007/978-1-4419-1153-7_1140
Willumsen, Pelle, et al. “Value Creation through Project Risk Management.” International Journal of Project Management, Feb. 2019, 10.1016/j.ijproman.2019.01.007
Talk about strategy, risk management or change and it is inevitable that the acronym VUCA — short for volatility, uncertainty, complexity, and ambiguity—will come up. VUCA is basically a catchall for “Hey, it’s crazy out there!” And like many catch-all’s it is misleading, VUCA conflates four distinct types of challenges that demand four distinct types of responses. VUCA can quickly become a crutch, a way to throw off the hard work of strategy and planning—after all, you can’t prepare for a VUCA world, right?
The mistake folks often make here is treating these four traits as a single idea, which leads to poorer decision making.
VUCA really isn’t a tool. It’s a checklist of four things that hopefully your system is paying attention to. All four represent distinct elements that make our environment and organization harder to grasp and control.
Our goal should always be to reduce ignorance. Many unknown unknowns are just things no one has bothered to find out. What we need to do is ensure our processes and systems are constructed so that they recognize unknowns.
There are six factors that need to be explored to find the unknown unknowns.
Complexity: A complex process/system/project contains many interacting elements that increase the variety of its possible behaviors and results. Complexity increases with the number, variety, and lack of robustness of the elements of the process, system or project.
Complicatedness: A complicated process/system/project involves many points of failure, the ease of finding necessary elements and identifying cause-and-effect relationships; and the experts/participants aptitudes and experiences.
Dynamism: The volatility or the propensity of elements and relationships to change.
Equivocality: Knowledge management is a critical enabler of product and project life cycle management. If the information is not crisp and specific, then the people who receive it will be equivocal and won’t be able to make firm decisions. Although imprecise information itself can be a known unknown, equivocality increases both complexity and complicatedness.
Perceptive barriers: Mindlessness. This factor includes a lot of our biases, including an over-reliance on past experiences and traditions, the inability to detect weak signals and ignoring input that is inconvenient or unappealing.
Organizational pathologies: Organizations have problems, culture can have weaknesses. These structural weaknesses allow unknown unknowns to remain hidden.
The way to address these six factors is to evaluate and challenge by using the following approaches:
Interviews with stakeholders, subject matter experts and other participants can be effective tools for uncovering lurking problems and issues. Interviewers need to be careful not to be too enthusiastic about the projects they’re examining and not asking “yes or no” questions. The best interviews probe deep and wide.
Build Knowledge by Decomposing the System/Process/Project
Standard root cause analysis tools apply here, break it down and interrogate all the subs.
Identifying the goals, context, activities and cause-effect relationships
Examining the complexity and uncertainty of each element to identify the major risks (known unknowns) that needed managing and the knowledge gaps that pointed to areas of potential unknown unknowns.
Construct several different future outlooks and test them out (mock exercises are great). This approach accepts uncertainty, tries to understand it and builds it into the your knowledge base and reasoning. Rather than being predictions, scenarios are coherent and credible alternative futures built on dynamic events and conditions that are subject to change.
Communicate Frequently and Effectively
Regularly and systematically reviewing decision-making and communication processes, including the assumptions that are factored into the processes, and seeking to remove information asymmetries, can help to anticipate and uncover known unknowns. Management Review is part of this, but not the only component. Effective and frequent communication is essential for adaptability and agility. However, this doesn’t necessarily mean communicating large volumes of information, which can cause information overload. Rather, the key is knowing how to reach the right people at the right times. Some important aspects include:
Candor: Timely and honest communication of missteps, anomalies and missing competencies. Offer incentives for candor to show people that there are advantages to owning up to errors or mistakes in time for management to take action. It is imperative to eliminate any perverse incentives that induce people to ignore emerging risks.
Cultivate an Alert Culture: A core part of a quality culture should be an alert culture made up of people who strive to illuminate rather than hide potential problems. Alertness is built by: 1) emphasizing systems thinking; 2) seek to include and build a wide range of experiential expertise — intuitions, subtle understandings and finely honed reflexes gained through years of intimate interaction with a particular natural, social or technological system; and 3) learn from surprising outcomes.
By working to evaluate and challenge, to truly understand our systems and processes, our risk management activities will be more effective and truly serve to make our systems resilient.
Changes meet their intended objectives and pre-defined effectiveness criteria. Any deviations from those criteria are adequately assessed, accepted and managed/justified. Whenever possible, quantitative data are leveraged to objectively determine change effectiveness (e.g. statistical confidence and coverage).
Sufficient data points, as described in the implementation plan, gathered to a described timeline, before an assessment of the change is made.
The success criteria should be achieved. If not, reasons why they have not been achieved should be assessed along with the mitigation steps to address the reasons why, including reverting to the previous operating state where appropriate. This may require the proposal of a subsequent change or amendment of the implementation plan to ensure success.
Data and knowledge gathered from implementation of the change should be shared with the development function and other locations, as appropriate, to ensure that learning can be applied in products under development or to similar products manufactured at the same or other locations
As part of the quality risk management activities, residual risks are assessed and managed to acceptable levels, and appropriate adaptations of procedures and controls are implemented.
These are action items in the change control.
As part of the closure activities, revise the risk assessment, clearly delineating risk assessment in two phases.
Any unintended consequences or risks introduced as a result of changes are evaluated, documented, accepted and handled adequately, and are subject to a pre-defined monitoring timeframe.
Leverage the deviation system.
Prior to or after change closure
Any post-implementation actions needed (including those for deviations from pre-defined acceptance criteria and/or CAPAs) are identified and adequately completed.
If you waterfall into a CAPA system, it is important to include effectiveness reviews that are to the change, and not just to the root cause.
Relevant risk assessments are updated post-effectiveness assessments. New product/process knowledge resulting from those risk assessments are captured in the appropriate Quality and Operations documents (e.g. SOPs, Reports, Product Control Strategy documents, etc.)