Steps to Avoid Becoming Another Samsung

"What should I focus on or watch out for in order to prevent a calamity from happening to my business?"

Asked at http://www.mosaichub.com/answers/question/what-should-i-focus-on-or-watch-out-for-in-order-t#57652

Study Risk Management

• I strongly suggest studying the Risk Management sections of Project Management Institute's (PMI's) Project Management Body of Knowledge Guide Guide (PMBOK). Add to that the corresponding chapter of a PMI-PMP (Project Management Professional) exam study guide such as the one by Rita Mulcahey.
• If your organization can bear the cost, consider hiring an employee or consultant with a strong background in risk management to help establish a risk management program or to review the program you establish.
• One such expert is Glen Alleman. I recommend the materials on his blog, Herding Cats.

Systematically Define Your Business and Identify Potential Risks

• In general, you need to systematically define and examine every facet of your business, processes, products, services, and business environment. (The whole of the PMBOK Guide will help you classify those areas for projects.) As you examine each facet, you compile a list of risks. Clarification: I'm not saying you have to do it all at once.

Evaluate Risks

• To evaluate the identified risks, you make a subjective, rough estimate of their effect and probability.
  
  Risk = Impact x Probability
  
  You then accept the low-risk items or place them on a watch list and make a more objective evaluation of high and medium risks.

Aleatory and Epistemic Risk

• One of the characteristics of risk that you need to consider is what you know about the risk. Epistemic risks can be reduced by learning more about them. Aleatory risks cannot be reduced because there's a random element. For example, knowing how many sides dice have lets you know the possible range of values, and testing them can tell you whether loading or poor workmanship make some results more likely. On the other hand, after that, you cannot reduce randomness. This is part of the information you use when evaluating strategies for managing the risks.

Identify Candidate Responses

• Identify possible responses (accept the risk, sidestep the risk (e.g., plan your road around the mountain instead of tunneling through it), reduce the effects, take steps to reduce the probability, transfer the risk to somebody else (outsourcing or insurance), or wait and see.

Evaluate, Select, and Implement Responses

• Evaluate and select responses based on their cost and probability of success. Note that risk responses become policies, changes to processes, or new requirements. 

Monitor Responses and Watch List

• Set up a risk monitoring system that tracks risks in the watch list as well as implementation of responses. This feeds into controlling performance and also into Lessons Learned (you have a Lessons Learned archive, don't you?) that save you work in the future.

Iterate and Integrate

• Risk identification is iterative because risk responses can create secondary risks, because everything eventually changes, and because . Many companies miss new risks because they perform risk identification and planning and never re-visit the subject.
• Many organizations delegate responses and leave them isolated from the . However, except for responses that are experimental (e.g., try it on a limited scale before rolling it out to the entire organization), they must be integrated into the business, project, product, etc.
• Like process improvement, risk management (RM) needs to be part of a company's culture. Some say that RM should dominate status meetings because it is more proactive and more actionable, and also because "status" is actually a facet of risk.

Copyright 2016, Richard Wheeler