The last link in the closed-loop of strategy implementation is strategic monitoring, which involves internal control. Enterprise internal control is a series of activities in which an enterprise adopts effective supervision of human resources, finance, assets, and processes (i.e., personnel, finance, and financial affairs) in order to ensure the normal, orderly and legal operation of operation and management activities.
Human resources are mainly supervised through organizational talents, finance is mainly controlled through comprehensive budgeting, assets are mainly controlled through asset inventory, and processes are mainly monitored through risk management. We are familiar with the internal control of human resources, finance, and assets, and today we will focus on process internal control: process risk management. Every process has potential risks that can lead to unintended consequences. Identifying and analyzing risk factors in the process and evaluating the effectiveness of risk control in the process can help enterprises better prevent risks in a planned manner. In turn, risk management ultimately contributes to the continuous improvement of the process and the effectiveness of its execution.
So, how should organizations manage risk?
Risk and process analysis can help organizations understand where things could go wrong and how to deal with them. By identifying and evaluating factors that may affect the achievement of strategic objectives, organizations can manage these risks by designing or optimizing processes.
Risk analysis typically focuses on two variables: the likelihood of the risk occurring and the degree of impact. A project that is unlikely to happen or not very disruptive may not require much process optimization or risk mitigation strategies. Drawing on the methods used in the insurance or disaster recovery industries, actuaries weigh the frequency of risk, the availability of risk, and the variables of risk warning indicators in order to assess likelihood. Whereas, to assess the impact, the actuary considers the duration, consequences, necessary level of redundancy, and potential economic loss.
These details help guide the risk management plan. This article details how to analyze risks and processes;This information can facilitate risk mitigation and appropriate response to risk response.
The risk management process typically consists of three main steps:
1. Identify risks:Risk is a factor that affects the achievement of process objectives, including cost, efficiency, and the characteristics or capabilities of delivery. It can be initiated by anyone, and it is when a process is identified as a risk, passes a management review, and is registered in the company's system"OK"Finish.
2. Analyze risksRisk analysis begins with a risk category (e.g., a risk analysis table) and an assessment of potential outcomes. A risk is taken when a risk manager reviews an identified risk, assesses the likelihood of its occurrence and the extent of its impact, and determines the severity based on standardized risk measures"Analytics"Finish.
3. Dealing with risks:Risk managers follow corporate governance regulations based on the likelihood and potential impact of risks. Before identifying reasonable risk response strategies and controls, companies may brainstorm possible risk mitigation and action plans, including changes to processes or discontinuations.
But these steps are easier said than done. Organizations struggle especially when it comes to analyzing process risks. The first step is to establish evaluation criteria.
Risk analysis
Process risk can come from many sources. Political, economic, social, technological, legislative, environmental, financial, legal, and physical factors all influence organizational processes. It is recommended that companies review external and historical performance data to identify potential risks, starting with the most critical processes. Many businesses build risk checklists by category to consider when reviewing core processes.
With a checklist of potential process risks, businesses can begin to measure the importance of the risks. This is where the likelihood and impact of risk is assessed. For each risk, businesses should determine:
"Frequency--How often can this risk occur?
"Availability--Can the organization ** when the risk occurs (seasonality, sales peak, etc.)?
"Early warning and change-- How can the problem become serious gradually or suddenly?Can companies respond in a timely manner?
"Duration--How long will the incident last (limited or until some action is taken)?
"Consequences--What are the business scope affected (product quality, schedule, equipment safety, customer satisfaction, etc.)?
"Potential financial losses--What is the economic loss caused by the risk?
Risk Analysis Form
With these answers, a process optimization or risk management team (referred to simply as a risk manager in this article) can begin to score each risk. It is recommended to create a risk analysis table to evaluate and review the criteria and ultimately assign a risk score. Figure 1 provides an example of how risk can be rated.
Figure 1 Risk analysis table.
To create a **, the risk manager determines the likelihood of the risk occurring along a vertical axis. The degree of likelihood may require input from the main business expert and process manager. Businesses can set criteria to measure the level of risk, such as 5% being almost impossible, 10% being unlikely, 25% being probable, 50% being likely, and 75% being almost certain to happen.
They then determine the impact of the risk along the horizontal axis. Businesses may have terms to measure impact, such as process scope, potential financial losses, and impact on schedule.
Figure 2 lists the potential terms. For each term, companies also need to set standards for categorization. For example, when assessing the impact on schedule, businesses may assume that no extra time means negligible, with one day being secondary, three days being moderate, one week being primary, and longer being critical.
Figure 2 Potential impact terms.
Finally, risk managers color-coded risks on the map based on the likelihood of occurrence and impact of the risks in the risk map to draw attention to the most pressing issues.
Analyze the reliability of your processes
After analyzing the potential risks, the risk manager can analyze the process itself to improve its reliability.
The more activities a process has, the more fragile it becomes. The key to improving the effectiveness of the process is to simplify and remove unreasonable steps. But how do businesses know what's unreasonable?How do they identify redundant and/or unnecessary process variants?Two techniques are recommended to analyze process reliability: Six Sigma foolproof and fail-safe and failure mode and effects analysis (FMEA).
1. Poka Yoke (fool-proof and error-proof):
Foolproof is generally used in lean management, which is a technique that avoids accepting defects in a process, creating them, or passing them on to the next process. In general, foolproofing is a simple, relatively low-cost, automated technique that tries to ensure that everything is foolproof and prevent errors from entering the process and becoming defects.
In this technique, the risk manager examines the process for possible problems. For each element in the drawing process, managers attach a control or warning. A warning is an alert that is raised when a process activity exceeds its predetermined range or threshold. Control is the actual action specified by the risk manager to prevent defects. This error-proofing approach was initially only applicable to the manufacturing process, but has proven to be an effective way to manage people by seeing which actions in a system can go wrong. The resulting revision of the flowchart can guide the organization's response to risk.
2. Failure Mode and Effect Analysis (FMEA):
Failure Mode and Effects Analysis, or FMEA, is a technique for identifying failures in a design, process, or product service step by step. "Failure modes"Refers to the way or mode in which something may fail due to an error or defect. "Impact analysis"refers to the study of the consequences of these failures. The purpose of FMEA is to eliminate or reduce failures, starting with the highest priority failures and then controlling the documented risks through process optimization.
Risk managers prioritize failures based on how severe the consequences are, how often they occur, and how difficult they are to detect. The more technical the process, the more possible failure modes there are. A system view of the process, through high-level system drawing, simulation, and visualization, can help identify risks that may occur.
FMEA is not suitable for every process. It is best suited for product development and technical processes. FMEA is usually carried out after a process redesign, a new application, a control plan, a process optimization, or a periodic review of failures.
Process risk mitigation
After analyzing potential risks and core processes, organizations have the information to target to address risks, often starting with the most critical ones. Figure 3 details the categories of response measures to ensure that an organization's response is acceptable.
Figure 3 Types of response measures.