Risk Assessment in Product Development
Everybody hates risk. Or at least everybody hates the bad stuff that happens when risk transitions to reality. At the core of risk is uncertainty, the possibility of an event. The other primary element of risk is the negative outcome resulting from that event, such as safety hazards, increased costs, delayed delivery, etc. But the flip side of risk is opportunity – while risk and opportunity are both associated with uncertainty, opportunities resolve with successful outcomes.
Product designers are an inherently risk-averse group – this is understandable, as they are creating devices that could present hazards to users. Given the profound responsibility to produce products that are safe, risk management is core to the thought processes of the design engineer. Yet challenges remain.
One challenge is centered on the very notion of safety. There is a common perception that “safe” is equivalent to “risk free,” but in practice it is impossible to completely eliminate all risk (in any aspect of life, really). Given the definition of risk as the combination of an uncertain event with a negative outcome (ISO 14971), we can clearly see that there are plenty of risks in life with either a low likelihood or less severe outcome, which means we can spend less time managing them. We do, however, need to pay closer attention to risks which are more significant.
The tension between risk and opportunity is related to this. Both risk and opportunity revolve around uncertainty — often a scenario associated with higher risk also presents bigger opportunity (investing in the stock market vs in a savings account, for example). The objective is to maximize opportunity while minimizing risk. The challenge is to find the appropriate balance point.
Although many people consider risk implicitly in their daily activities, the formalization of risk management requires resources. There are well-established processes and techniques for executing risk management (one example is ISO 14971), but an effective realization requires knowledgeable staff with time allotted for execution. This is also a balancing act, with the challenge of balancing risk management resources (with impact to project cost and schedule) against the benefits. The challenge here is to maximize the benefit while minimizing the resources required.
Compounding this challenge, the benefits of risk mitigation are indirect. In effect, risk management is an insurance policy; a relatively small expenditure reduces the likelihood of a large one. In some industries, most notably medical device development and aerospace, the significance of a bad outcome (harm to or loss of human life) is severe enough that formal risk management is required by regulatory agencies. Because of the inherent uncertainty, we can never be sure that a bad outcome will happen, which leaves a hollow feeling about expending the resources necessary to perform risk management effectively. This hollow feeling can often lead to an “obligatory” approach to risk management activities, which “check the box” for the regulators but don’t really meet the “spirit of the law.” A begrudging attitude toward the process can result in an incomplete or failed effort. Fortunately, execution by an experienced can reduce the resource expenditure needed to get a good result, which is a high level of confidence that the risks have been minimized.
Product design specialists primarily focus on safety and security risks. These risks are directly addressed within the domain of product development. As products become more connected via the Internet, cybersecurity risks are becoming more prominent and just as important to manage as traditional safety risks.
The process for effective risk management is fundamentally the same as any other control process — sense (identify/assess the risks that are present), decide (determine a strategy for minimizing the most serious risks), and act (implement that strategy). It is a repetitive process – once a mitigation strategy is implemented, assessment is repeated to judge its effectiveness. The risk management process is not difficult in concept or to execute, but it requires a high degree of diligence and organization to be effective. The risk assessment phase is often tedious and requires coordination of specialists across an array of technical domains. The strategy segment requires decisiveness and clear documentation. Implementation of risk management requires coordination and review.
Of course, one of the most critical risk management tasks is establishing a risk management plan, which logically occurs before the iterative process begins. The risk management plan defines which risks are being managed and the process by which they are being managed. That process includes identification of:
- the frequency of the risk management cycle,
- the risk assessment techniques to be utilized,
- identification of details of the risk assessment criteria (such as levels for occurrence/severity/detection and format of the risk priority number/RPN), and
- identification of the artifacts (reports) that are captured throughout execution of the risk management cycle.
The Importance of Risk Management in Product Development
The core element of risk management is risk assessment.
The captured artifacts are particularly important in ensuring that the risk management process is effective. The result of the risk assessment activity is effectively a database and the mechanism for capture (often a spreadsheet) is considered a “living document” in the sense that it evolves continuously throughout the process. To ensure effective use of that data, it is necessary to snapshot the risk assessment database at the point where the risk mitigation strategy is formulated. The risk management report is used to capture the essential database information in conjunction with the mitigation strategy. Then, in the next cycle, the risk, strategy, and implementation can be reassessed to determine whether the risk has been mitigated. The risk management report serves to document the progression of risk reduction.
None of these tasks are particularly difficult, but they often take the form of “something else to do” when schedules are tight and staff resources are stretched. To that end, it can be useful to engage assistance with the risk management process. Whether from a separate entity within your organization or from a third-party source, risk management specialists can assist with:
- Formulation and capture of a risk management plan, assuring that all elements of the plan are adequately addressed and captured in a formal plan document.
- Establishment of a database for capture of risk assessment data, which may take the form of a spreadsheet-based template.
- Definition of the assessment criteria, including levels for occurrence/severity/detection estimates and format of the RPN.
- Execution of the risk assessment process, assuring that the appropriate development staff are included and that the assessment data is accurately captured.
- Decision processes, assuring that risk management decisions are formulated, documented, and communicated to the development team.
- Implementation processes, assuring that the design documentation reflects the necessary changes and are properly reviewed and released.
As with any technical domain, engaging specialists provides an opportunity to simultaneously increase effectiveness and reduce cost through utilization of dedicated expertise. Specialists will know which questions to ask, which techniques to employ, which data to capture, which artifacts to create, and how to keep the team engaged. Assistance from risk management specialists can ensure that the execution of risk management meets both the letter and the spirit of the law. The shared objective is efficient and effective execution of risk management, which is a benefit to everyone.