How to Define and Identify Risk on Your Own Terms

Risk management often starts with identifying risks. What are the greatest risks your company faces? Specifically, I’m talking about the risk of poor quality processes and products.

Before you identify risks, however, you have to come to terms with the concept of risk within the context of your organization. That is, how do you define “risk” as an organization? Do you define risk in a way that everyone in your organization can understand it, relate to it, and agree on it?

Risk is defined by ISO[1] as “the effect of uncertainty on objectives”. This is a general, esoteric, and highly impractical definition. We need a definition the entire organization can all agree on if we’re to improve communication, interactions, cooperation, and understanding among ourselves. We also need a definition of risk that resonates with a variety of stakeholders, from clients to vendors to investors.

Lunch on a Skyscraper 1932 - Charles C Ebbets

Lunch on a Skyscraper (Charles C. Ebbets, 1932)

Defining Risk

What do we mean when we say “we’re risking it all”? What are we risking at the moment? Play money, on “Let’s Make a Deal”? Our own money, at the horse races? Our current job for one at another organization? A lender’s money, in the form of a loan?

Why are we taking the risk? We’re hoping – gambling, actually – that a perceived opportunity will materialize. We’re risking what we have for what we might have if the gamble pays off. We’re “playing the odds” that we will have as much as or more than what we had when we took on the risk, versus having less. We mostly think of risk in monetary terms but at a personal level, some of the risks we take may not involve money.

For instance, we set an alarm to get ourselves out of bed every workday. There’s always a risk of a power failure, at least for those who use alarm clocks[2]. There’s a risk involved in hitting the “snooze button” too often, like rushing through the normal morning routine and forgetting things, like a belt or matching socks or earrings. There is always the risk that traffic will be heavier than normal due to road maintenance, traffic accidents, or adverse weather. We deal with these risks every day without thinking about probability or impact.

In business, we’re supposed to look at risk differently. We’re supposed to analyze risk “by the numbers”. We’re supposed to be objective. Why? Well, because in managing a business, the risks we take are thought to have much larger and longer-lasting impacts. We believe we’re at risk of losing substantially more as a business owner than when we take risks relating to our personal lives (though, as “It’s A Wonderful Life” continually reminds us, the choices we make affect more than just us).

So, how does your organization define risk? If you’re the owner, president, and/or chief executive, you shouldn’t make that decision in a vacuum. Involve your function managers, and possibly some of their subordinates. Exactly how you do that – through brainstorming or some other method – is entirely up to you.

Identifying Risks

Now that you’ve decided how your organization defines “risk”, you need to identify the risks to quality inside and outside your company.

In what ways could you risk not meeting your customers’ requirements? What are their requirements? There are requirements common to all customers (e.g., on-time delivery) and there are unique requirements (e.g., product design). There may be stated requirements – identified in the RFQ or contract – and there could be unstated, or implied, requirements.

That you’re not going to do anything immoral or illegal in the process of making or selling your product used to be an implied requirement, but no longer. By the way, there may be legal requirements specific to your line of work, but I’m not going to go into those here.

Let’s look at one possible customer requirement and try to identify some of the associated risks to quality. Let’s say a customer ordered 100,000 units of a particular product of yours earlier today. It’s an existing product, so no new design or tooling is involved. They want you to deliver that product in 50,000-piece lots; the first lot is due in 30 days and the second in 60 days. It’s an existing product, you make and sell about 25,000 units in an average month, and you currently have 12,500 units in stock.

To be alive at all involves some risk.
(Harold MacMillan)

You’re going to make more stuff! More income/positive cash flow! What could possibly go wrong? For starters, you’re looking at tripling your normal production over the next two months. Could you be risking a decline in the quality of your product as you make more of it?

What’s the greatest number of that particular part that you’ve ever produced in one month? What were the circumstances surrounding or driving that level of production? Was it an isolated incident or part of a sustained level of production? Was your defect rate for those months of higher production about the same as that of a typical month, or higher?

Could you produce more parts with your current production line? Would you have to add a second or third shift? Do you have other production lines that could be quickly adapted to producing the part in question? How might those changes affect product quality?

Necessity is the mother of taking chances.
(Mark Twain)

Assuming this order means a temporary spike in production and not a permanent increase, what about getting qualified, skilled temp workers? How soon could you get them, and would they respond quickly to orientation/training? And could those issues increase the risk of reduced product quality?

Do you see where we’re headed? Risk identification is complex, which is why you, the company President, cannot and should not do it alone. And we’re only at the beginning of the risk management process.

Next time, we’ll look at assessing risks.

* * * * * * *

Could you use an unbiased third party to help identify your risks? Write or give me a call and we’ll set up a consultation.


[1] International Organization for Standardization – see

[2] I don’t know how many of us still use alarm clocks but at least one source said the number is falling, as “youngsters” (millennials?) were using their mobile devices for everything. Also, take a look at


We help small businesses improve their efficiency and effectiveness. Whether you're selling a product or a service, we'll show you how you can improve product and service quality, effectively and affordably. If you need quality, environmental, or health & safety management but can't afford a full-time manager or staff, call on Q9C and we'll pick up the slack. For information or a quote, call or write. Subscribe to the Q9C blog while you're at it.

Tagged with: , , , ,
Posted in ISO 9001:2015, Quality management, Risk Management, Risk-based thinking

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: