Risky Business
Quality Assurance Team | April 2019
Some of us may remember that memorable scene in the movie “Risky Business” of a younger Tom Cruise sliding across the floor in a long-sleeve shirt and socks as “Old Time Rock-n-Roll” played in the background. Wouldn’t it be great if we could run our businesses in that same carefree fashion, or would that be too “risky”? Well, it might be if we do not have a well-defined Risk Management Plan in place. Risk management and risk assessment (“risk-based thinking”) are a crucial part of the current revision of the ISO 9000 family’s core standard, ISO 9001:2015. So where do we start?
Risk Management 101
Steps in the Process
- Identify Risks
- Prioritize Risks / Risk Ranking
  - Probability of occurrence
  - Impact of occurrence
- Develop Risk Mitigation Strategy
  - Accept, Avoid, Mitigate or Transfer
- Develop Business Continuity Plan
  - The plan to resume normal operations
Let’s work through these steps with a business example.
- Identify Risk:
What if our internet connection (ISP) goes down and we are unable to place or take orders and unable to make or receive calls over our VoIP phone system?
- Prioritize Risks / Risk Ranking
The probability of occurrence depends on several factors, such as business location. Are you located in a large metropolitan area with a highly developed communications infrastructure and a choice of providers? Is weather in your area a factor? If you are in an area prone to hurricanes, tornadoes, etc., this increases the probability of losing your internet connection.
Loss of the internet connection would have a crippling impact on our ability to do business; combined with a realistic probability of occurrence, this makes it a High Priority Risk with a very high ranking compared to the other risks we identify. Addressing and mitigating this risk is crucial to a successful Risk Management Plan and strategy.
- Develop Risk Mitigation Strategy
Once a risk is identified, prioritized, and ranked, we need to determine our strategy for addressing it. Where the risk has a low probability of occurrence and/or a low impact, our strategy could be simply to accept the risk and do nothing to mitigate it. Likewise, where the cost of mitigating the risk far outweighs the negative impact it would have, we could also choose to accept it. Transferring a risk means having another party carry the loss, for example through an insurance policy or a contractual service-level commitment from the provider. In our example, we could employ an avoid strategy by using land lines for our phone system, thereby avoiding the risk of being unable to make and receive calls if the internet connection were lost.
In this case, however, we would want to mitigate the risk rather than avoid it. One option is to put a redundant Internet Service Provider (ISP) in place: if we lost our primary connection, traffic would automatically fail over to the second ISP, minimizing downtime and allowing us to continue doing business. Two things a practitioner should check: the second provider must not share the first one’s last-mile circuit or physical path, or both will fail together, and the failover must be exercised periodically so that it is known to work before it is needed. Addressing this risk would be vital to our Risk Management Plan.
- Develop Business Continuity Plan
Now that the risk has been identified, prioritized, and ranked and our strategy to address it has been determined, we must put specific steps in place outlining what needs to be done if this risk does occur. These steps are documented in a Business Continuity Plan, which should cover every risk you have identified.
It should include:
- Risk Statement
- Risk Scope
- Risk Mitigation Tools
- Business Continuity Actions
Continuing with our example, the Business Continuity Plan could look something like this:
Risk Statement: If our internet connection (phone, internet, fax) fails, then we may not meet customer needs and may lose access to critical data.
Risk Scope: This risk assessment relates to the loss of internet connection limiting our ability to effectively communicate with customers, suppliers, and our associates. The inability to communicate via phone, internet, or fax could be an enterprise risk depending on the duration and severity of the communication loss. This plan ensures our ability to continue servicing our customers and to meet our obligations to suppliers, and our associates.
Risk Mitigation Tools: These tools are put in place before the risk event and are intended as a guideline for continuing to process transactions and to access customer data and other business information. Implementation will depend on local availability, the specific situation, and location.
- Establish, maintain, and store physical phone lists for emergency contacts and associates.
- Establish a plan that uses phone system call forwarding. Calls could be forwarded to cell phones, land lines, or any alternate location. Because a hosted VoIP service lives outside the office, phones or softphones at another site with working connectivity can still reach the business lines; this helps only when the outage is local to the office, not when the VoIP provider itself is down.
- Establish a secondary/redundant Internet Service Provider (ISP) with clear, tested operational instructions on how to fail over the internet connection.
- Develop guidelines and a plan for associates to continue critical business operations.
Business Continuity Actions: After the risk event occurs, these steps are designed to assist the continuation of business functions and limit impact until we can resume normal operations.
1. Report outage/issue to communications provider.
2. Enact call forwarding plan.
3. Enact associate communication plan.
4. Switch to alternate source of connectivity.
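The ranking and strategy steps above can be kept in a small risk register that scores each risk by probability times impact, sorts the register, and applies the accept / avoid / mitigate / transfer rules the article describes. The following is an added example, not code from the article or its authors; the ordinal scales, the acceptance threshold, and the sample risks and cost figures are assumptions made for illustration.

```python
"""Risk register: score, rank and pick a treatment for each identified risk.

Added example. The scales, threshold and sample figures below are assumptions
for illustration, not values from the article.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales (assumed for this example; an organisation should define its own).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "crippling": 5}

# A score at or below this is low on both axes and is accepted outright (assumed).
ACCEPT_AT_OR_BELOW = 4


@dataclass
class Risk:
    name: str
    probability: str            # key into PROBABILITY
    impact: str                 # key into IMPACT
    annual_loss: float          # expected yearly loss if nothing is done (assumed figure)
    mitigation_cost: float      # yearly cost of the proposed control (assumed figure)
    can_avoid: bool = False     # the activity that creates the risk can be dropped
    can_transfer: bool = False  # insurance or a contract can absorb the loss

    def score(self) -> int:
        """Probability x impact: the ranking used in the article."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties keep register order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def choose_treatment(r: Risk) -> str:
    """Accept / avoid / mitigate / transfer, following the article's rules."""
    if r.score() <= ACCEPT_AT_OR_BELOW:
        return "accept"      # low probability and low impact: not worth a control
    if r.can_avoid:
        return "avoid"       # remove the dependency (e.g. land lines instead of VoIP)
    if r.mitigation_cost <= r.annual_loss:
        return "mitigate"    # the control costs less than the loss it prevents
    if r.can_transfer:
        return "transfer"    # control too expensive, but another party can carry the loss
    return "accept"          # cost to mitigate far outweighs the impact


def build_plan(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Ranked (name, score, treatment) rows: the input to the continuity plan."""
    return [(r.name, r.score(), choose_treatment(r)) for r in rank(risks)]


# Constructed sample register; names and figures are illustrative, not from the article.
REGISTER = [
    Risk("ISP outage: no orders, no VoIP calls", "possible", "crippling",
         annual_loss=50_000, mitigation_cost=6_000),                       # second ISP
    Risk("Phone calls lost when VoIP link drops", "possible", "major",
         annual_loss=20_000, mitigation_cost=2_500, can_avoid=True),       # land lines
    Risk("Fire in the warehouse", "rare", "crippling",
         annual_loss=10_000, mitigation_cost=40_000, can_transfer=True),   # insurance
    Risk("Printer toner runs out", "possible", "negligible",
         annual_loss=200, mitigation_cost=100),
]

if __name__ == "__main__":
    for name, score, action in build_plan(REGISTER):
        print(f"{score:>3}  {action:<9}  {name}")
```

The decision order matters: the acceptance threshold is checked first so that a cheap control is not bought for a risk nobody cares about, and the cost comparison (mitigation cost against expected annual loss) is what separates "mitigate" from "transfer" or "accept" for the risks that do matter. Real registers usually also record the residual score after treatment and an owner for each row.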
In Conclusion:
Following these steps, identifying the risks that can adversely affect the business, deciding how to address each one (the Risk Mitigation Strategy), and keeping a documented plan to mitigate and minimize them (the Business Continuity Plan), allows us to feel a bit more carefree and helps take the “Risky” out of Business.