Identifying risk is an important first step. It is not sufficient though.
Taking steps to deal with risk is an essential step. Knowing about and thinking about risk is not the same as doing something about risk.
Risk will occur. Some good, some bad. Some minor, some catastrophic. Your ability to mitigate risk allows you to proactively acknowledge and accommodate risks. Let’s talk about four different strategies to mitigate risk: avoid, accept, reduce/control, or transfer.
If a risk presents an unwanted negative consequence, you may be able to completely avoid those consequences. By stepping away from the business activities involved or designing out the causes of the risk, you can successfully avoid the occurrence of the undesired events.
One way to avoid risk is to exit the business, cancel the project, close the factory, etc. This has other consequences, yet it is an option.
Another approach is to establish policies and procedures that help the organization foresee and avoid high-risk situations. Not starting a project that includes a high unwanted risk successfully avoids that risk.
Testing or screening of products that may have a latent defect which may lead to unwanted and unacceptably high field failures is an option. Screening is not 100% effective yet may reduce the risk of field failures sufficiently.
Design out of a product or process the elements that permit an unwanted risk to arise. A product design change to a more robust material avoids unwanted failures due to unacceptable wear of a less robust material. Implementing engineering design reviews in the product lifecycle process may help identify high-risk areas of a new product or process prior to the decision to start shipping.
Every product produced has a finite chance of failing in the hands of your customer. When that risk is at an acceptable level (a sufficiently low estimated field failure rate), ship the product. Accept the risk.
When the decision to accept the risk is based in part on an estimate or prediction, there is the risk that the information incorrectly forecasts the future. Therefore, for field failures with high consequences, closely monitoring field performance or establishing early warning systems may be prudent.
Reduction or control
FMEA, hazard analysis, FTA, and other risk prioritization tools help you and your organization identify and prioritize risks. Reducing the probability of occurrence or the severity of the consequences of an unwanted risk (say product failure) is a natural outcome of risk prioritization tools.
If it is not possible to reduce the occurrence or severity, then implementing controls is an option. Controls may either detect causes of unwanted events before the consequence occurs during use of the product, or detect root causes of unwanted failures that the team can then avoid.
Controls may focus on management or decision-making processes. Improving the ability to find design flaws or to improve the accuracy of field failure rate prediction both improve the ability to make the appropriate decisions concerning risk.
Another method to reduce or control risk is to diversify. Thinking through the mix of products, technologies, markets, operations, and supply chains permits the team to limit the high-risk opportunities to a manageable or acceptable level.
Finally, unwanted events or high field failure rates will occur. Think through both how you will detect the onset of the event and how to respond. It may be wise to stop production and shipping when a product failure, even one, has a major consequence (starts a home on fire, for example). Have plans in place. Acting quickly and appropriately may reduce the exposure to more failures or adverse consequences.
This strategy is to shift the burden of the risk consequence to another party. This may include giving up some control, yet when something goes wrong your organization is not responsible.
This approach may not work to protect your brand image if the product is associated with your organization. Even if the power supply vendor pays for all damages due to failures in their unit, the customer only knows that your product has failed and caused damage. Use this approach with caution.
A conventional means to transfer risk to another organization is with the purchase of insurance. This may require a careful analysis of the presenting risks and probabilities, yet is a viable option in some situations.
Contract terms with suppliers, vendors, contractors, etc. may provide a means to shift risk away from your organization. For example, if a power supply fails in an expensive server, causing the loss of revenue for a customer, in typical situations you might ask for and receive a replacement power supply. Or, you could require the power supply vendor to cover the cost of the entire server (which the power supply caused to fail) and the loss experienced by the customer.
Summary of Risk Mitigation Strategies
Avoid, accept, reduce/control, or transfer. For each risk you encounter, you and your organization will have to deal with it. A little forethought and work enable more options than just a major product recall or bankruptcy filing.
Within your organization’s risk management framework there should be both awareness of the various strategies and an understanding of the guidelines for their implementation.
Engineers and managers throughout the organization make decisions concerning risks every day. Providing a set of clear strategies along with guidance allows the entire organization to appropriately mitigate risks on a daily basis.