Article Overview

Risk management differs from one organization or industry to another: what one organization can tolerate, another will not accept. The article that follows presents a relatively easy-to-follow risk management approach.

Overview of Risk Management

Risk is subjective: what one organization or industry can tolerate, another organization or industry will not accept. The nature of the work therefore shapes what the organization deems a risk worth addressing. Compare an automotive product development company launching a new ABS system with an online game that requires no personal login credentials to play. In the former, system failures are possible, as are delivery precision failures in getting the product to the manufacturing plant, to name just two. These can have serious impact on the customer, perhaps even death in the event of a system failure. The online video game has no comparable material impact: no shipping, no field replacement costs, and so on.
Risk consists mostly of two dimensions: probability and severity. Probability is a statistical dimension, that is, how likely the event is to happen. Severity is just what it sounds like: how painful the event will be should this potential event become an actual one. Once an event happens, it is no longer a risk; this is sometimes confused. More than once I have had team members come to me and say we have a risk, when what we actually have is an emerging failure. Once the event happens there is no longer any risk; the impact is now in the queue to hit our organization or project. The worst condition is a highly probable event with a high severity of impact.

One relatively easy-to-follow risk management approach is enumerated below.

  • Risk Identification – identify what can go wrong. We can use the historical record, organization process metrics, subject matter experts, and brainstorming-type activities. This identification activity should be performed with a cross-functional team to get many perspectives. The result of risk identification is a list of the things that can go wrong.
  • Risk Evaluation – risks vary in severity or in their implications for the organization or the organization's objectives. There is an old proverb: "He who grasps too much lets much fall." We need a way to prioritize those things that can go wrong, paying attention to the most likely and the most severe events. We can think of the two risk evaluation approaches below as filters. We first pass the list through the coarse (qualitative) evaluation, and those high-impact and probable events then pass to the quantitative risk evaluation.
    • Qualitative Risk Evaluation – an ordered ranking of the identified risks: this risk has a greater impact than that risk, and this other risk has the greatest impact of the entire list. We can enumerate the risks 1 through n, with the risks at the low end of the numbering (risk 1, risk 2, ...) having the greater impact and probability. (some examples here)
    • Quantitative Risk Evaluation – an assessment that attaches monetary values (and other impacts, depending on the specific endeavor the organization is undertaking) to each risk. This approach uses tools such as decision tree analysis, which produces an Expected Monetary Value (EMV) from which we can make an appropriate decision. (examples here)
  • Plan Risk Response
    • Avoid – sometimes it is possible to avoid the risk entirely. We can choose a different strategy or tactic and eliminate the risk. This may introduce other risks, but if they are more palatable, this is a desirable approach.
    • Transfer – insurance and outsourcing can help move the risk off our plate. However, this is rarely a true transfer: if we outsource some work to eliminate or reduce our risk, the supplier may not deliver either, so the risk still impacts our organization. Outsourcing does give us some legal recourse and perhaps other avenues of negotiation, but it does not eliminate the risk; it may reduce the risk if the supplier has more resources or competency in that area of work.
    • Accept – we do nothing. The risk is so improbable or the impact so negligible that we choose to take no action.
    • Reduce – we take actions to reduce either the severity or the probability of the risk happening.
    • Contingency – we recognize the risk may happen and we secure funds as a response should it happen. The contingency is calculated by multiplying the probability of the risk coming to fruition by the monetary impact of the risk should it happen. For example, consider outsourced work to a supplier with a $500K impact and a 30% probability of failure (delivered late, for example); the contingency budget would be 0.30 × $500K = $150K.
  • Risk Monitor and Control
    • Part of our risk exploration is to develop predictive metrics that allow us to act to reduce the severity or impact and, where possible, to invoke actions while the risk is still emerging, reducing the impact and its implications. For each risk identified we should have metrics as well as identified talent to keep track of the situation. For example, consider outsourced work to a supplier where we believe there are risks associated with delivering the work at a specific time.
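The four steps above (identify, rank qualitatively, evaluate quantitatively with a decision tree, and reserve a contingency) can be walked through end to end in a few lines of Python. The code below is an added example and is not from the original article; the risk register, the 1–5 severity scale, the filter thresholds, and the "outsource" versus "in_house" decision-tree costs are all constructed for illustration. The supplier-late entry reuses the article's own figures ($500K impact, 30% probability), so its contingency comes out at $150K.

```python
"""Risk register walk-through: qualitative ranking -> coarse filter ->
quantitative EMV decision tree -> contingency reserve.

Added example, not from the original article. All names, scales and dollar
figures below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float     # likelihood the event occurs, 0.0 .. 1.0
    severity: int          # qualitative scale (assumed): 1 negligible .. 5 catastrophic
    impact_usd: float      # monetary impact if the event occurs (quantitative stage)


# Constructed risk register (assumption). Entry 0 reuses the article's figures.
REGISTER = [
    Risk("Supplier delivers late", 0.30, 4, 500_000),
    Risk("Key engineer leaves", 0.10, 3, 80_000),
    Risk("Test rig unavailable", 0.50, 2, 20_000),
    Risk("Requirements change late", 0.25, 5, 300_000),
]

# Constructed decision tree (assumption): each option has a fixed cost and a
# list of (probability, extra cost) chance outcomes. Outsourcing is cheaper on
# paper but carries the article's 30% / $500K late-delivery risk.
DECISION_TREE = {
    "outsource": {"cost": 400_000, "outcomes": [(0.30, 500_000), (0.70, 0)]},
    "in_house":  {"cost": 520_000, "outcomes": [(0.10, 100_000), (0.90, 0)]},
}


def qualitative_rank(risks):
    """Ordered ranking: risk 1 has the greatest probability x severity.
    Ties are broken in favour of the more severe event."""
    return sorted(risks,
                  key=lambda r: (r.probability * r.severity, r.severity),
                  reverse=True)


def coarse_filter(risks, min_probability=0.2, min_severity=3):
    """First filter: only probable AND severe events go on to the
    quantitative evaluation. Thresholds are assumed, not from the article."""
    return [r for r in qualitative_rank(risks)
            if r.probability >= min_probability and r.severity >= min_severity]


def contingency(risk):
    """Contingency reserve for one risk = probability x monetary impact."""
    return risk.probability * risk.impact_usd


def total_contingency(risks):
    """Reserve to hold for the whole filtered list."""
    return sum(contingency(r) for r in risks)


def emv(branch):
    """Expected Monetary Value (as a cost) of one decision-tree branch:
    fixed cost plus the probability-weighted cost of each chance outcome."""
    return branch["cost"] + sum(p * cost for p, cost in branch["outcomes"])


def best_option(tree):
    """Return (option name, EMV) for the lowest expected total cost."""
    scored = {name: emv(branch) for name, branch in tree.items()}
    name = min(scored, key=scored.get)
    return name, scored[name]


if __name__ == "__main__":
    for i, r in enumerate(qualitative_rank(REGISTER), start=1):
        print(f"risk {i}: {r.name} (p={r.probability}, sev={r.severity})")
    shortlist = coarse_filter(REGISTER)
    print("quantitative stage:", [r.name for r in shortlist])
    print(f"contingency reserve: ${total_contingency(shortlist):,.0f}")
    for name, branch in DECISION_TREE.items():
        print(f"EMV {name}: ${emv(branch):,.0f}")
    print("choose:", best_option(DECISION_TREE)[0])
```

Two things to notice when running it. The coarse filter drops the test-rig risk even though it is the most probable event, because its severity is low; that is the "grasps too much" proverb in action. And the decision tree reverses the naive price comparison: outsourcing looks $120K cheaper on the fixed cost, but once the 30% late-delivery risk is priced in its EMV is $550K against $530K in-house, which is exactly the point made later about price benefits evaporating after the first risky event.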

Supplier Selection and Risk

There are abundant failure modes when it comes to supplier interactions with our organization, many of which are reducible with a competent supplier evaluation and selection process. Companies need to move beyond the pure price model when it comes to supplier selection; in my experience any price benefit simply evaporates when the first event happens, and it need not even be a traumatic or risky one. To gain some insight into the supplier we should have a list of attributes we find desirable in a supplier, and find ways to understand the

Supplier Evaluation Example

A top-level example of categories to consider when evaluating a supplier is provided in the list below. For each category there may be several items (for example, see item 8 below) with specific metrics and attributes.

Consider, under the management function, a sub-category of risk management. We may allocate points based upon the demonstrated capability below:

- Well organised and monitored procedures, good prevention: 3 points
- Good system internally, but it does not include suppliers: 2 points
- Limited systematic approach, actions mostly after the fact: 1 point
- No plans, no risk management at all: 0 points

Assessment Guideline Example

This element in the evaluation investigates the supplier’s risk management approach and capabilities.

  • Is there an appointed Risk Manager or a set strategy?
  • Are there well-documented and known processes for risk management in the organization?
  • Do these processes apply to operations as well as projects?
  • Areas may include production and operations processes, such as fire protection (sprinklers, etc.), flooding, earthquake, etc., but also environmental hazards and computer system breakdown, etc.
  • Does the risk management also include sub-suppliers?
  • Are essential data and product and process specifications securely stored?
Parameters Evaluated

Appointed risk manager or organization with risk management tasks (information given by supplier), covering:

  • fire protection
  • protection for water-related hazards
  • environmental protection
  • computer and software protection
  • insurance for part and tooling replacement
  • machine/tool breakdown
  • supply of raw material and parts
  • legislation, legal affairs
  • political risks
  • others

Supplier Evaluation Outline Example

1. Company presentation (e.g. booklet, brochure)
2. Management
3. Check any environmental results
4. Business
5. Corporate structure – parent and associated companies
6. Facility locations
7. Supplier Financial evaluation
8. Employees

a. Number
b. Variation
c. % turnover annually for n years
d. Employee survey & results
e. Employee education / training % or $

9. Sales Turnover
10. Net Income
11. Manufactured part quality

a. PPM statistics (parts per million)
b. First pass yield (range for products and for specific products or supplied part)

12. Warranty statistics
13. Corrective action process and annual performance
14. Sales turnover
15. Logistic audits conducted by the supplier and results
16. Delivery precision (statistics – on time, package contents etc.)
17. Major customers
18. Major customer % turnover
19. Any quality awards
20. Quality system / standards / processes
21. Testing resources / competencies and capabilities (example product development and manufactured parts)
22. Investment in R&D or manufacturing improvement as % of sales


It should be abundantly clear, given the last year, that the supply chain is critical to all manufacturing endeavors. It does not take a pandemic to impact the capability of the supply chain; as this article shows, the risks come from many areas.

Risk Management is one of our Hot Topics. In fact, we are working on a book with Glen Alleman for CRC Press / Taylor and Francis on risk management, coming out later this year, and have taught Risk Management for SAE International (the Society of Automotive Engineers). Please visit Value Transformation for more information and follow us on LinkedIn.