Managing Risk Collaboratively

One of my most memorable consulting engagements was at a large hair salon company that was struggling with its first real technology deployment across 6,000 salons. Many basic systems that are taken for granted as the fabric of most organizations weren’t there, and on top of that, they were being led by a smart new leadership team. This team was making a huge investment in foundational-level capabilities in IT, Human Resources, and others.  

As I started helping them deploy new technology, it became readily clear that they hadn’t taken the time to fully understand what all the change would mean to them and where the most important challenges lie.

On the bright side, there’s a tool that lends itself to ready customization, understanding not just the risks (which are huge), but also what levers need to be pulled to fix them, and knowing what the before and after risk profile looks like. The tool is called ๐—™๐—ฎ๐—ถ๐—น๐˜‚๐—ฟ๐—ฒ ๐— ๐—ผ๐—ฑ๐—ฒ & ๐—˜๐—ณ๐—ณ๐—ฒ๐—ฐ๐˜๐˜€ ๐—”๐—ป๐—ฎ๐—น๐˜†๐˜€๐—ถ๐˜€ (FMEA).

Failure Modes are essentially the way your product, platform, or anything really, might fail. They are systematically reviewed by the cross-functional team you assemble for three things: severity, likelihood of occurrence, and detectability. For example, a nuclear blast would score very severe, low likelihood of occurrence (a debatable point), and very, very detectable.

Failure Mode & Effective Analysis

FMEA playbook for risk management
https://asq.org/quality-resources/fmea
  • Get a solid cross-functional team together. You need respected folks who can work in a team to form a comprehensive view of the area you’re reviewing. Include some of the downstream people who manage risk, such as attorneys and HR folks (depending on the needs of your effort). You’re purely a facilitator and your job is to draw it out of your team – never to give them the answer
  • Meeting 1 Part 1: The goal of this meeting is to gather as many ideas on paper as possible. You need enough time to thoroughly go through all the scenarios you can come up with. You’ll want to do this on a spreadsheet, so it’s a good idea to have a note-taker sharing their screen as you go. Once you’re done, give everyone a break and reconvene to score them
    • Hint 1: A second meeting might make sense for Part 2, especially if the participants are tired
    • Hint 2: You often receive better brainstorming if you don’t tell the participants they will be scoring the ideas next (the average person tends to start scoring in their head)
  • Meeting 1 Part 2: Here’s the magic… have the folks score against Severity (SEV), the likelihood of occurrence (OCC), and detectability (DET). Bad is a high number and Good is a low number. I usually use a modified Fibonacci sequence (1, 3, 5, & 9) to create a separation of the numbers. In practice, your audience always begs to have 7 back, but for some reason I always try
  • After the meeting, multiply the three numbers together to get your Risk Priority Number (RPN), your risk score. I don’t like to share this process, as your team will start doing math in their head and move their pet concern up the list – simply human nature
  • Meeting 2:ย Reconvene with the RPN rank-ordered list, with the expressed purpose to review to ensure rankings ‘feel right’. By doing this, you’re likely to get more thoughtful answers, and those with an ax to grind will have to grind that bad boy in front of the team, which is just fine. Let them make their case and seek consensus

If you choose. you can stop here. You have a prioritized list of risks and alignment from those who know the area best, and which are the most likely to blow up in your face. That may be enough, but I like to go a step further. 

Bonus Work: To go that extra mile, reconvene one more time to discuss how to reduce the risk of the top X% (often that percentage is dictated by the spread of the RPNs). I’ve experienced great conversations and many times you’ll discover there are quick changes that will move the needle on the RPN.  

With the bonus work, you can rescore (as if you have completed all the fixes) and use those numbers to report the risk before and after the work is complete so senior leadership has a good feel for the bang they get for their buck. 

So, how did this go over at the large hair salon company? Very well. We identified key areas of the network we hadn’t thought of and put mitigation plans in place to address them. The C-Level individual we were working for saw the work, zeroed in on the Risk Profile Numbers, and started asking thoughtful questions about the work to correct the ship.  

If you’d like to talk through Risk Management and Failure Mode & Effects Analysis, reach out to Larry at larry.odebrecht@trissential.com

headshot of Trissential's Head of Data Analytics and Data Science, Larry Odebrecht
More Larry Odebrecht Blogs