April 24, 2014

Don’t Get Skewered by Risk

When we talk about “risk,” what we’re talking about is the probability that some uncaught vulnerability in your product will have a negative result—possibly serious injury or worse—for someone using your product or affected by the use of your product.General Motors is learning this right now, thanks to a 57-cent part that the company failed to replace in a timely manner, resulting in several deaths and the recall of 2.6 million vehicles. Jon Stewart skewered GM's risk management process in a segment on his Daily Show. No one ever starts trying to build an unsafe product, but by not establishing a good risk management process early on and evaluating what those potential risks might be, you could end up with product recalls or even worse.

Three Components of Risk

Risk is a probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. The three components of risk are the severity, occurrence, and detection of issues that you may have with your product. When you look at a vulnerability, the first thing you need to determine is how severe the risk is. Once you define the severity, you need to examine how often that particular risk might occur. Finally, you need know what methods you have for detecting the risk. If you can determine what the severity and occurrence of a risk is going to be early on, you can then come up with ways to either detect or mitigate that particular risk.

The Right People

A good risk management process starts with the right people: subject matter experts (SMEs). When you have SMEs aboard, you’re able to rely on their past experiences and their in-depth knowledge about where risks might lie. SMEs can also determine the probability that a particular risk could occur. Employing the right people is only half of the equation, though. The other half is making sure you use them. In order to have a good risk management process, you must ensure that each found risk is assigned to a particular individual. That person is then responsible for making sure that the risk is managed—not just once, but throughout the product lifecycle.

Eliminate, Mitigate, or Accept

When developing a product, there are three different things that you can do to manage a risk: eliminate, mitigate, or accept.controlling risk pyramid The most important thing is to eliminate the risk. By eliminating the risk, you remove the possibility of it occurring once your product is released to the public. This is usually the preferred way to manage risk (for obvious reasons), but sometimes it is not possible to entirely remove the risk. For example, including an ejection seat in a jet fighter introduces the risk that someone on the ground crew could trigger it in the course of maintaining the aircraft. Removing the ejection seat or moving the trigger are not options, so the risk cannot be eliminated. In such cases, you have weigh the severity and possibility of occurrence for the risk, and decide if you want to accept the consequences of the risk, or figure out a way to mitigate, or reduce the possibility of the risk occurring. In the case of the ejection seat, even one occurrence of the ground crew triggering it could seriously injure or kill someone, so accepting the risk is out of the question. You would need to mitigate the risk by finding a way to deactivate the trigger while the plane was on the ground.

Risk Is Not a One-Time Event

Risk management doesn’t end when you eliminate or mitigate a risk. Sometimes, eliminating one risk introduces another. Therefore, it’s important to evaluate risks not only early on but throughout the development of your product. You don’t want to end up being skewered by Jon Stewart, and you definitely don’t want to risk your customers’ safety. With a good risk management process in place, and the right people making sure that process is actually being followed, you substantially lower your chances of risk being released with your product and endangering your users.