4 Steps to Risk Analysis & Management

How many of you grimace when you see the appointment in your diary for a risk analysis review meeting? Have we forgotten how useful this should really be? Are we also afraid to take risks? Without some risk, we cant push the boundaries out.

Why has this happened and more importantly, what can we do about it. Risk analysis should be equivalent to putting on a bullet proof jacket in combat – it is there for our protection and conducted properly adds real value to our projects. The reason why we should utilise it to remove or reduce the risks which threaten our project success.

So what framework do we have for Risk Analysis and Management?

I am suggesting that we take a 4 Step Process and apply it always and from the very outset (feasibility) of our project. The 4 steps are:

1. Risk Identification

2. Risk Analysis

3. Risk Response Plan

4. Risk Monitoring and Control

So let’s start at the beginning

You have just taken over on a new project and are busy, busy, busy. You believe that the key is to get the scope nailed down, the team built and the funding secured – we will take a look at risks later on – they are not really that important, because this is essentially the same as a project we did last year, but bigger and with more aggressive delivery dates.

That is a lot of assumption – if they are all TRUE, then you are in the clear; if any of them are FALSE, then you are ignoring potentially fatal risks – russian roulette comes to mind.

Apart from that, risk identification is going to influence how (and possibly what) you choose to execute the project and will also possibly influence your calculation of required contingency requirements.

So let’s start with “Risk Identification”.

In order to address this properly we need to define “What” the activity is and “How” we will execute it.

Let’s start with the WHAT
The key objective of this stage is to capture any risk/problems which might occur during the delivery of the project objectives which may impact our chances of success.

The HOW is a little bit more detailed
Here we will need to have some brainstorming sessions with the client and key technical resources so that we can evaluate the type of things that might happen, how likely they are to happen and finally, what the impact of such an event would be.
So let’s take a look at a framework that would allow us to analyze and manage the risks for our project from the outset – let’s call it the Kevlar Jacket Approach.

Step 1 – Risk Identification

As stated above, to aid in identifying the risk, we first need to identify the right people to aid us in this – technical experts, customer, project manager. Once we have identified the right team, we then need to conduct the risk analysis – here we need to use a mix of:

1. One on one meetings

2. Brainstorming meetings

3. Review of previous project risk and issue registers

Risk Identification

During these activities we need to capture key information to allow us to analyze, respond and manage these risk. During the identification step, make sure that you capture the following:

1. Give each risk a unique identifier – a simple number from 1 to n.

2. A risk description which is sufficiently detailed enough for anyone reading the risk register to understand the risk or ask intelligent questions of the person who identified the risk.

3. A risk indicator – i.e. any event which might be an early warning sign of the risk occurring, or may trigger a sequence of events that if not controlled properly would lead to the risk occurring.

4. Categorise the risks into specific buckets – e.g. Safety, technical, commercial etc..

5. Record who identified the risk, on what date

6. Record during what activity was it captured – e.g. brainstorming session, 1 on 1 interview – this will be useful for analysis across projects and will help you continuously improve your risk analysis process.

So that then covers the information you need to capture once you have identified a specific risk. The next step is to analyse it and get a detailed understanding of what its occurrence would mean.

Step 2 – Risk Analysis

Once you have identified a risk you need to analyze it – you need to once again ensure that you have all the right people present to conduct this in a meaningful way.

Risk Analysis

The key activities here are:

1. Get an understanding of the impact to the project/business if the risk did in fact materialise – this will require key input from the customer and the technical experts.

2. Rank this in terms of significance, using a scoring system of 1 to 5, where 0 = none, 1 = low and 5 = very high – make sure that this is discussed in detail and there is a reasoned basis for the score.

3. Gain an understanding of the probability of this event occurring and rank this in terms of probability, using a scoring system of 1 to 5, where 0 = none, 1 = low and 5 = very high – make sure that this is discussed in detail and there is a reasoned basis for the score.

4. Now calculate a Risk Score = Significance x Probability

5. Colour code the risk based on score – define Red, Yellow and Green bands e.g. 0-5 = Green, 6-12 = Yellow, >12 = Red.

Now we have some useful information to go forward with – the next step is to build a plan to either reduce the impact or eliminate the opportunity for it to occur. We are now in the realm of managing our risks and we must build a risk response plan – our next step.

Step 3 – Risk Response Plan

Here we start to look at how we manage the risk we have identified – we have 4 main strategies that we can use, and we are going to call the them 4 T’s.

Risk Response

The 4 T’s

1. Terminate (often referred to as Avoidance)

2. Transfer

3. Treat (oftener referred to as Mitigate)

4. Tolerate

So, let’s look at each of these individually.

Terminate is where specific steps are taken to ensure that the risk is eliminated (avoided) or that the impact it had is prevented.

Transfer is where the risk is passed to another party; the weakness with this is that the risk does not go away, it’s just causes someone else a problem.

Treat is where by taking certain actions immediately, the risks can be reduced.

Tolerate is what it says and the reason we tolerate them is that despite the fact that we cant do much to reduce or eliminate them, the benefits of taking them far outweigh the penalties/cost.

Step 4 – Risk Monitoring and Control

This is the routine part and requires the project manager to be diligent and monitor the status of the risk, the residual score by reassessing the risk at critical junctures and the risk state – is it static increasing or declining. This is a key activity and depending on the trend and significance may require a renewed effort by the project team to ensure that identified risks are dealt with appropriately.

Risk Monitoring

Finally, the housekeeping. Put all of this information in one central location – A risk register. Make sure that all key stakeholders are informed on this and agree with your plan of action.

Would love to hear your comments and am delighted to answer any questions you might have.

0
shares

  • Dishant Sanghavi

    Can you give one example of 4 Steps to Risk Analysis & Management ?

    Dishant Sanghavi

  • Dishant Sanghavi

    Can you give one example of 4 Steps to Risk Analysis & Management ?

    Dishant Sanghavi

  • chandra

    Very nice article, thank you sir

  • chandra

    Very nice article, thank you sir

  • JIm Lehane

    Good article William. Worth emphasing that you MUST have the right blend of experience at the Risk review, and you must push the boundaries to try discover the ”unknown risks”.

    Jim.

  • JIm Lehane

    Good article William. Worth emphasing that you MUST have the right blend of experience at the Risk review, and you must push the boundaries to try discover the ”unknown risks”.

    Jim.

  • Cleach

    When should risk management be applied? At a contract lab we do not manufacture, only work on projects from other companies. When would it be important to apply a risk analysis?

  • Cleach

    When should risk management be applied? At a contract lab we do not manufacture, only work on projects from other companies. When would it be important to apply a risk analysis?

  • Toni J. Fernandez

    It would also be very useful to me if a real-life example could be provided using the process. A GxP computer system validation project example would be particularly useful to me, especially with regards to how to apply risk analysis and management to the level of validation required for the project.
    Thank you.
    Toni

  • Toni J. Fernandez

    It would also be very useful to me if a real-life example could be provided using the process. A GxP computer system validation project example would be particularly useful to me, especially with regards to how to apply risk analysis and management to the level of validation required for the project.
    Thank you.
    Toni

  • ravindra singh

    hello it is nice but i need to know more deep about this actualy it is the only outer parameter but the time of incident it is not sufficiant.

  • ravindra singh

    hello it is nice but i need to know more deep about this actualy it is the only outer parameter but the time of incident it is not sufficiant.

  • Jay Naidoo

    Nice framework to work with. What risk score would you consider as being appropriate when developing a risk plan?

    Also, the use risk based approach requires buy-in from all stakeholders ie. Top management, clients. Often deleloping a risk plan may involve additional resources and time which impacts on the target date of the project.

  • Jay Naidoo

    Nice framework to work with. What risk score would you consider as being appropriate when developing a risk plan?

    Also, the use risk based approach requires buy-in from all stakeholders ie. Top management, clients. Often deleloping a risk plan may involve additional resources and time which impacts on the target date of the project.

  • Abdul Rauf

    INFORMATIVE ARTICLE

  • Abdul Rauf

    INFORMATIVE ARTICLE

  • Srikanth

    Good and refreshing article.Clarity at each step provides better understanding of the topic

  • Srikanth

    Good and refreshing article.Clarity at each step provides better understanding of the topic

Similar articles:

The Similarity Between Device Master Records & Chocolate Chip Cookies [Video]

The device design once complete, must be adequately transferred to manufacturing. This is typically accomplished through product specifications, standard operating procedures, work instructions and training.

Collection of Documents

Often a product specification is thought of as a document. The reality is the product specifications should be thought of as an association of written documents.

The product specifications typically include:

  • Assembly drawings
  • Component procurement specifications
  • Manufacturing instructions
  • Inspection
  • Test instructions
  • Digital data files
  • Manufacturing fixtures (jigs and molds)
  • Training materials
  • Artwork associated with labels
  • Acceptance criteria
  • Etc

Device Master Record (DMR)

The ultimate document to ensure adequate design transfer is the Device Master Record, or DMR.

The DMR is somewhat theoretical in that it is really a compilation of all the documents which are needed to realize the product.

For that reason, the DMR, is often established as an index which simply lists all of the documents needed to realize the product.

Contents of the DMR

The DMR typically includes the following documents:

  • Product specifications
  • Work instructions for device realization
  • Device history records/Forms to generate device history records
  • Component drawings/Specifications
  • Label artwork/Specifications
  • Test/Inspection methods
  • Software/Firmware
  • Validation Master Plan (VMP)

Since these documents may be revising and changing and may be at various distribution points, the DMR typically is an index of all the documents.

Chocolate Chip Cookie Analogy

One very common analogy is to envision the DMR as a chocolate-chip cookie recipe. If the DMR is complete, by providing the DMR to someone they can make the exact same chocolate-chip cookies.

While this is somewhat simplified, it’s an excellent analogy, but in order to make the perfect chocolate-chip cookie we would want specifications for the grade of flour, chocolate chips, sugar and other components.

We’d also like to know which equipment was validated, how they are tested/inspected, what are the instructions for each processing step, etc.

If we have all the relevant information we can reproduce the cookies exactly.

The DMR is the key to any successful design transfer whether it is an internal transfer to manufacturing or a transfer to a Contract Manufacturing Organization (CMO).

1
shares

Similar articles:

The Four Phases of Conducting a Laboratory Investigation [Video]

The process which will be described here is based on the process discussed in the MHRA’s guidance on Out of Specifications Investigation.

When an out of specification, atypical or suspect result is obtained, it is particularly important that all solutions and reagents associated with the test are retained, as this will greatly assist the investigation.

The MHRA advocate laboratory investigations should proceed in four phases as follows:

Phase I(a)

Phase I (a) consists of a preliminary review, by the analyst, to determine whether there has been a clear and obvious error or event that caused the OOS, atypical or suspect result.

Phase I(b)

Phase I (b) occurs after phase 1(a) has failed to identify a clear and obvious cause. This is a more detailed investigation by the analyst and supervisor to identify a laboratory assignable cause.

Phase II

Phase II occurs after the phase I investigation has failed to identify a laboratory assignable cause for the OOS, atypical or suspect result and are driven by written and approved instructions in order to test particular hypothesis.

Phase III

In Phase III all the information obtained during Phases I and II of the laboratory investigation, and any manufacturing investigation, is reviewed and assessed, and a decision is made on the disposition of the batch

Learn More About Laboratory Investigations

If you would like to learn more about laboratory investigations click here for an overview of this course.

2
shares

TOP

Similar articles: