A primer for lab managers
This article explains the fundamentals of risk management and the ways that lab managers can serve as their organization’s primary risk manager.
Common risk terms
An event that has the potential to take place.
The monitoring, identification, analysis, assessment, control of, and response to unacceptable risks.
Negative risks are what people are thinking of when they most commonly define “risk” as “a situation involving exposure to danger, harm, or loss.” Unacceptable risks may be considered a subset of negative risks.
Positive risk is a beneficial potential occurrence. That is, something you want to happen that might happen.
Actions taken to either reduce the likelihood of a negative risk, or to increase the likelihood of a positive risk.
A number of common risk response strategies are provided below:
Acceptance—Assuming the risk and its resultant impacts.
Mitigation—Minimizing the potential impacts of a risk through various means.
Avoidance—Taking steps to actively prevent the event’s occurrence.
Transference—Shifting risk to another party through various means.
For positive risks, there is another response option:
Enhancement, or promotion—in which the probability of the positive risk is enhanced to ensure its likelihood.
Risk measurement commonly includes qualitative visualizations on a Cartesian field, with one axis measuring the risk’s severity of impact and the other gauging its probability. Higher severity/probability risks should be addressed first and most expeditiously.
There are also ways to assign numeric values for risk using the criteria referenced above as well as others (response effort, alternative paths, etc.) so that they can be prioritized and categorized that way. A combination of scoring along with grouping of risks based on those scores into four or five categories is a common method (e.g., scores of 0 to 50, say, would be low risk, while 51 to 80 might be medium risk).
It also helps in measuring risk to have appropriate levels of metadata for each risk managed. Recommendations for what metadata to collect are provided below.
Areas of risk
Risk management fundamentals usually categorize risks as either negative or positive as mentioned, but it’s important to remember that there are many “types” or “domains” of risk in labs, including organizational and enterprise, health and safety, clinical and analytical, and environmental risks, to name a few. In addition, there are areas of focus such as fraud risk management, contract risk management, terrorism threat assessments, and financial risk management associated with lab operations.
The difference between risks and issues
What is the difference between a risk and an issue? Answer: a risk has not yet occurred, and an issue has.
Thus, we commonly advise labs to develop a risk and issue management program. That way, risks and issues are being tracked together in an integrated way. When risks trigger, they are now tracked as issues. If issues are resolved but could possibly still occur, they should continue to be tracked—but now as risks.
Why the different but related approaches? Because response to a risk is approached differently than resolving an issue is. However, a risk and an issue share a lot of the same metadata—assigned owner, status, escalation processes, etc. That being said, there are metadata that are associated only with issues, such as target resolution dates, and those only with risks, such as trigger criteria.
Standard risk management process steps
Risk management processes can be customized, expanded, and extended to suit individual organizational needs, but the most common components are shown below. Activity is usually ongoing in all of these steps at the same time.
The risk management process begins with a vibrant elicitation and discovery of risks: sources, instances, metadata. This provides the data and information for the tracking, identification, and response phases of risk management. This is an ongoing process step.
This step inputs those future potential occurrences found as part of monitoring into a risk register (see below), gives them an ID, and assigns them to a risk analyst to review. This step sets the stage for the process-driven control of risks through the register.
Risk Assessment | Analysis
This step may be an informal assessment of each identified risk by the risk team, or may include more formalized, rigorous analysis and assessment. Examples of artifacts include cause and effect diagrams, control charts, and time series graphs. Severity and probability ratings, risk owner assignments, and risk prioritization, among other tasks, are performed. Initial response may also be conducted as a result of this process step. Results of the analyses are input into the register. This is also the step where, if the potential event is found to be not a viable risk for any reason, it can be voided, or retired.
Risk Response Development
As described above, there are several basic response strategies to choose from, with customized blending of responses such as mitigation and transference being a standard scenario. Tasks associated with risk response include further analyses and investigations, corrective and preventive action implementations, process redesigns, audits, and stop works. Response strategies can often be quite complex, requiring extensive task management efforts and broad documentation and reporting.
Risk Response Implementation
The implementation of the risk response strategy planned in the previous step is carried out, usually by the business unit(s) for which the risk applies (i.e., not the risk team). However, risk team members commonly serve as oversight and consultation resources in risk response implementation.
This is the “lessons learned” step, discussed in more detail below.
People, process, and technology
We discussed the overall risk management process at a high level above, but here we want to delve deeper. At the very least, there should be someone assigned as the single point of contact for risk management in your laboratory, and a risk management team (governance teams often make excellent risk teams) should be empaneled. In addition, we recommend that you track your risks in a digital manner, preferably in a relational database (but at least in something like a spreadsheet). This is your risk register (see below).
Optimally, one person should serve as the risk manager for your lab, even if that person has other responsibilities—as is commonly the case. The risk manager leads the overall management approach, leads the risk management team, reports to management, conducts risk-related sessions and workshops, and chairs risk team meetings.
Risk analysts are those specialists who engage in the actual assessment activities described earlier. They perform discovery, investigation, and reporting activities that support the risk team’s management efforts. One or more of the analysts usually administers the risk register (see below).
The primary tracking and communication tool for your risk management program is the risk register. It can be something as simple as a spreadsheet or a multi-table relational database, or as complex as a component of an ERP system. It should track at least the following metadata for each risk:
Risk Title—A short “name” for the risk
Risk Description—A more narrative description
Identification Code—A unique identifier for every risk
Identification Date—An aid for tracking and prioritizing
Identified By—An aid for tracking, assessment, and control
Potential Impacts—A narrative description of what could result from the risk triggering
Severity—Commonly “high/medium/low,” a number ranking, or other logical coding system
Status—Such as identified, in analysis, monitored, in response, triggered, and retired
Owner—The person in charge of responding to this risk.
Intranet Collaboration System
Stepping up the communication game a little bit, we often recommend that our clients use an intranet or other type of web-based collaboration system to assist in the communication of efforts such as risk management; this could have its own website in the intranet, or be part of an operations or project management office (PMO) site. The important point is that risks can be further broadcast to (and received from) the staff.
The follow-up: Lessons learned
One of the most commonly overlooked, yet critical, components of risk management is post-response review sessions, commonly known as lessons learned sessions (LLS). LLS provide the assessment and improvement link that will prevent your lab from repeating the same scenarios. Furthermore, LLS can highlight what went “very right” with a risk management scenario so that it might be scaled out into the rest of your program. LLS also allow the discovery of risk patterns that you can proactively identify and manage in future operations and projects.
At a minimum, capture the following information from the sessions:
- Description of the managed risk(s)
- Proposed and selected risk response actions
- Successes: what went well
- What did not go well
- Mistakes encountered
- Unexpected occurrences encountered
- Actions taken to prevent these mistakes and unexpected events
- Suggestions for improvement
Risk management takeaways
The following are some key points we want to underscore with regard to a sustainable risk management program:
- Minimize negative risks, potentiate positive risks— The key to any good risk management program is that risk retirement is quick, efficient, and sufficiently documented.
- Create a risk register—Don’t try to do it all “in your head” or make the register process so arcane that no one follows it.
- Hold lessons learned sessions—Perform them after major risk response efforts at least, but we recommend starting with all but trivial responses being analyzed post-response at first.
- Engage your staff in risk management—Flagging potential risks for identification and analysis is the responsibility of each lab member.
- Appoint and convene a risk management team—Or extend the charter of a governance or change control team, but get a group of your sharp people from a cross-section of the lab involved in this effort.
- Speak up, keep up the chatter, and keep your staff informed—An enormous part of a risk management program’s success is based on communication.
- Constantly assess and improve—Carefully assess your risk management program and continuously improve it.