The most difficult part of risk management is figuring out what risks should be managed. Management involvement is important here; in a perfect world, the management team would spend some time brainstorming possible risks, which could then be evaluated and actions taken. The relevant risks to be managed depend a lot on the area of the organization under analysis; production risks are very different than sales risks. Start by working through the key processes, and don’t forget external threats such as changes in interest rates or regulations.
But what kind of risks should be considered? Section 6.1 specifies “external and internal issues relative to the purpose of the organization and direction” and “stakeholders and their requirements”, which is pretty broad. To start the discussion, here are some categories that might be relevant.
- For production: the 5 Ms – Manpower, machines, materials, methods, and measurement
- Mother Nature, including weather and natural events like earthquakes
- Security, both commercial and terrorism
- Contract terms
- Changing customer requirements
- Critical suppliers
- Changing technology
- Age of work force and skills availability
- Packaging
- Sustainability
- Litigation
Once you have a list, analyze the risks, considering the effect on the organization and also its suppliers. Hurricanes aren’t a big risk in Montana (although Billings can get tornadoes), but hurricanes elsewhere can cause problems for critical suppliers, affecting production in Montana. Similar kinds of weather can cause a variety of risks such as power outages, reduced staffing due to impassable roads, and flooding, so think through the consequences. Don’t list “hurricane” as the risk, list “power outage, late deliveries from suppliers, and flooding”. These are easier to feed into an evaluation system and to manage – there’s not much you can do to prevent a hurricane, but you can buy a generator in case of a power outage.
Taking the time to identify and analyze the possible risks carefully will make evaluation and managing them easier, and it is worth the extra effort to do it right.