What is risk-based thinking?
Ernest Blanchard, who has over 20 years of experience conducting system audits in a variety of industries and three years of study dedicated to risk in a doctoral program, dove into answering this question during the Deploying Risk-Based Thinking within Management Systems webinar hosted by Govzilla in April.
To watch the entire webinar and download the slides, go here. Otherwise, continue reading to learn about the key points Blanchard discussed during his talk and how you can use risk-based thinking to make decisions in your organization.
Risk vs. Uncertainty
Blanchard cited Risk Uncertainty and Profit by Frank H. Knight published in 1921 as one of the first works that ever talked about risk. From this book, the concept of “Knightian uncertainty”, or a risk that is “immeasurable, impossible to calculate”, arose in the world of economics.
As defined in Knight’s book, risk must be separated from uncertainty. Risk, he argues, is generally a measurable uncertainty as opposed to ‘true uncertainties’ that cannot be measured such as health or relationships. Risk management then, according to Blanchard, is the coordinated activities used to direct and control an organization with regard to its calculable risk.
Defining Risk-Based Thinking
Risk management is a concept that is generally understood and used across industries, however, risk-based thinking is something that’s not broadly well-defined or practiced. To fill this void, Blanchard combined the definition of risk from three sources to craft a solid definition, including:
- ISO 3100:2018
- ISO 9001:2015
- Enterprise Risk Management
The result is Blanchard’s definition of risk-based thinking: “A systemic organic process of integrating risk management thinking at all levels of the organization continuously.”
Definition of risk-based thinking: “A systemic organic process of integrating risk management thinking at all levels of the organization continuously.”Ernest Blanchard
To further unpack this a bit, Blanchard explained “systemic organic” as people and not just a framework. It’s not just working the plan, it is an organic process where people integrate the idea of risk management thinking into all levels of their organization on a regular, continuous basis.
Using risk-based thinking is what enables an organization to determine the factors that could cause its processes in quality systems to deviate from the planned results.
Tools for Risk Assessment
When leadership in an organization begins to assess risk, they begin by identifying the context the stakeholders need. They ask questions such as:
- What are the actions we’re doing?
- How are we going to make sure we get it implemented throughout the quality system?
- Then how do we evaluate the effectiveness?
To begin answering these questions, Blanchard suggests using a heat map. A heat map is a visual representation of the risk spectrum and should be highly tailored to meet your organization’s needs.
The rows are different categories of likelihood and the columns are categories of consequences. In some cases, you might only use three categories for each, but in a more highly regulated industry, more detail and options will be needed for your risk assessment.
For example, if you manage a plant that produces safety-critical products, then you’re going to have to identify not only what the risk is, but also the probability of it happening in various levels of severity.
To easily distinguish between the different levels of risk, you can add color and numbers to your heat map. The standard is as follows:
- Red/High Number = Critical or Intolerable
- Yellow/Mid-Range Number = Cautionary
- Green/Low Number = Acceptable
Risk Assessment Log
Another risk assessment tool is one that Blanchard put together himself, the Risk Assessment Log. In it he lists:
- Potential Hazards
- Stakeholders that control the severity of the risk occurrence
- Controls such as a Business Contingency Plan
- Severity with Moderate, Major, and Severe as the options
- Occurrence ranked from 1 to 5
- Consequences ranked from 1 to 5
- Risk Rating ranked from 1 to 20
Combined Heat Map and Risk Assessment Log
Blanchard then presented an example that combined both tools, the Heat Map and the Risk Assessment Log. Using the two you can easily answer the following questions:
- What processes are impacted?
- What’s the name of the risk?
- What are the KPIs used to evaluate the effectiveness of the risk control?
Also, as you can see in this example, the list includes everything from quality, equipment, production, logistics, finance, HR, and the overall plant. So, based on Blanchard’s own definition of risk-based thinking, it’s applicable to all levels of the organization.
Implementing Risk-Based Thinking
The leadership at any organization is tasked with implementing a risk management process and, in turn, promoting risk-based thinking in conjunction with that process, said Blanchard.
One of the most valuable aspects of a quality management system is a solid risk management program that is then expanded and promoted throughout the entire organization. And, to take things further, each site of an organization should have its own documentation because each site may have different risks and may rate risk differently.
One of the most valuable aspects of a quality management system is a solid risk management program that is then expanded and promoted throughout the entire organization.
It’s not enough to just have a solid documented process in place by leadership. Successful implementation of risk-based thinking must include a solid communication plan. Put your risk assessment in the lunchroom, on the floor, in training materials—everywhere. “Communicate. Communicate. Communicate.” said Blanchard. All levels and functions within an organization need to be involved to implement a truly effective risk-based thinking approach.
[NOTE: Instant access to the Deploying Risk-Based Thinking Within Management Systems webinar by Ernest Blanchard video and slides can be accessed here.]