If the people on the plane had been fully aware of how serious the risk and its consequences were, had prevented the pilots from flying into the clouds, or had had adequate emergency measures, perhaps the tragedy would not have happened. Instead, ignorance, fearlessness and a trust in luck prevailed.
GJB9001C-2017 has three core concepts: the process approach, the PDCA cycle and risk-based thinking. Risk-based thinking is the one used to solve problems of this kind. What is "risk-based thinking"?
First, the connotation of risk
Risk is defined in GB/T23694 Terminology of Risk Management, GB/T 19000 Fundamentals and Terminology of Quality Management System, GJB5852 Requirements for Risk Analysis of Equipment Development and other standards, and the definitions are similar. Here we adopt the definition from the risk management terminology in GB/T23694:
Risk: the impact of uncertainty on goals.
Note 1: Impact refers to a deviation from expectation, which can be positive and/or negative.
Note 2: Goals can be of different kinds (such as finance, health and safety, environment, etc.) and at different levels (such as strategy, organization, project, product and process, etc.).
Note 3: Risks are usually distinguished by potential events, consequences or a combination of the two.
Note 4: Risk is usually expressed as the combination of the consequences of an event (including changes in circumstances) and the probability of its occurrence.
Note 5: Uncertainty refers to a lack of information about, or a one-sided understanding of, events and their consequences or possibilities.
From this definition, we can see that risk has the following connotations:
1) Uncertainty of risk: events that may or may not occur in the future constitute risks. If an event is certain to happen, it is not a risk; if it is certain not to happen, there is no need to consider it.
2) Goal-relatedness of risk: an event constitutes a risk only when it will have an impact on the expected goal. If it has nothing to do with the expected goal, it is not considered.
3) Two-sidedness of risk: the impact can be positive (opportunity) or negative (risk); the term more often refers to negative risk.
4) Diversity of risks: based on different goals, risks can be financial, health and safety, environmental and so on; based on different management levels, risks can be at company level, department level, project level, etc.
5) Relativity of risks: risk arises from a lack of information about, or a one-sided understanding of, an event and its consequences or possibilities, but different people understand an event to different degrees, so a risk that is great for A may be small for B. Risk is relative.
6) Measurement of risk: risk is measured by the combination of the possibility and the consequences of an event, although different combinations are possible.
Second, risk management
According to GB/T24353 Risk Management Principles and Implementation Guide, risk management includes four parts: defining environmental information, risk assessment, risk response, and supervision and inspection.
1) Defining environmental information
Environmental information includes external environmental information, internal environmental information and risk management criteria. External environmental information includes, but is not limited to, factors from international, domestic, regional and local laws and regulations, technology, competition, market, culture, and the social and economic environment, as well as external stakeholders and their needs, values and risk tolerance. Internal environmental information includes, but is not limited to, organizational values, culture, performance and other factors, as well as internal stakeholders and their needs, values and risk tolerance. Risk management criteria include risk assessment methods, risk judgment criteria, and risk acceptance and response criteria. Risk assessment methods include brainstorming, structured/semi-structured interviews, flow charts, scenario analysis, FMECA, risk matrix, analogy and so on. Each method has scenarios it suits, and the relevant material is easy to find, so I won't go into details. Risk judgment criteria cover the possibility of a risk, the impact of its consequences and the combination of the two, and are the premise of the subsequent risk analysis. Risk acceptance and response criteria determine which risks are acceptable and which are unacceptable according to the combined result of possibility and consequences, and what measures to take for unacceptable risks; they are the premise of the subsequent risk evaluation.
2) Risk assessment
Risk assessment includes risk identification, risk analysis and risk evaluation. Risk identification generates a comprehensive risk list by identifying the risk sources, the scope of influence, the events, their causes and their potential consequences. Risk analysis is a qualitative and quantitative analysis of the identified risks according to the types of risk, the information obtained and the intended use of the risk assessment results; it provides support for risk evaluation and risk response, and produces an analysis record of the possibility of each risk occurring and the severity of its consequences. Risk evaluation compares the results of risk analysis with the risk criteria, or compares the results for the various risks with one another, to determine the risk level, so that decisions on risk response can be made and a ranked risk list formed. The ultimate goal of risk assessment is to provide input for risk response, so risk assessment must be objective and true to meet the needs of risk response; otherwise further analysis is needed.
3) Risk response
Risk response means selecting and implementing one or more measures to change risks, including measures that change the possibility or the consequences of risk events. Risk response measures include avoiding risks, taking on risks in pursuit of opportunities, eliminating risk sources, changing the possibility or consequences of risks, sharing risks, or retaining risks through fully informed decision-making. All kinds of environmental information, including the risk tolerance of internal and external stakeholders and the requirements of laws and regulations, should be considered in risk response decisions.
After the risk response measures are selected, a detailed risk response plan must be drawn up. It should include performance indicators and their assessment methods, personnel arrangements, arrangement of measures, supervision, inspection and reporting, resources, schedule, communication, etc., which will not be detailed here. It should be emphasized that risk response measures should not start from scratch, but should be integrated with other management processes to improve management efficiency.
4) Supervision and inspection
Supervision and inspection is the most important part of risk management and has two aspects: process supervision, and performance evaluation and summary. Process supervision monitors changes in events, the environment and risks during risk response, so that the response measures can be corrected and risk management kept effective. Performance evaluation and summary means reviewing the whole process after risk management is completed, retaining the experience gained, improving on the lessons learned, and continuously improving the ability to manage and control risk. A better way is to distil and codify the lessons into "principles" that guide follow-up actions. Dalio of Bridgewater is a typical example.
Third, misunderstandings of risk
GJB9001C-2017 formally put forward "risk-based thinking" and incorporated risk management requirements into the text. Its purpose is to make enterprises pay attention to risk management in order to control losses and create value. The key point is to integrate risk management into the various management processes of the enterprise. In practice, however, many enterprises do not understand the original intention behind the standard, and there are many misunderstandings, which not only fail to control risks effectively but also add a great deal of extra work. Here is a brief explanation for your attention.
1) Half-step environmental analysis
Analysis of the internal and external environment is the premise of identifying risks. Many enterprises use SWOT and PEST models to analyze the internal and external environment and prepare internal and external environment analysis reports, and then use them to cope with various inspections, or simply shelve them. So what is the purpose of analyzing the internal and external environment? To cope with inspections?
Article 4.1 of GJB9001C-2017 clearly stipulates: "The organization shall determine various external and internal factors related to its purpose and strategic direction that affect its ability to achieve the expected results of the quality management system." An enterprise analyzes its internal and external environment in order to support its own goals and strategies, so an internal and external environment analysis that cannot support its own strategies can only be called a "half-step environmental analysis". So what kind of internal and external environment analysis is effective?
We take SWOT analysis as an example. The earlier part of the SWOT analysis is relatively simple and is omitted here. Once the external OT and internal SW of the enterprise have been defined with the two-dimensional four-quadrant method, the analysis continues as follows. For internal strengths under external opportunities (SO), the enterprise should think about how to use its strengths to exploit external opportunities and profit from them. For internal weaknesses under external opportunities (WO), the enterprise needs to weigh carefully whether seizing the opportunity is too risky. For internal strengths in a threatening environment (ST), change is needed: when threats can be solved by strengths, should the enterprise adjust its allocation of resources to turn threats into opportunities, or does it need other opportunities to defend itself? For internal weaknesses in a threatening environment (WT), when the enterprise cannot resist external threats from within, it needs to think about how to deal with the unfavorable factors so as to avoid or overcome the threats. Only such a detailed analysis can provide effective input for enterprise strategy and complete risk identification and assessment; this is truly effective environmental analysis.
2) Independent risk management
This situation often occurs in quality system audits. On the one hand, many risks such as technology, capital and manpower are identified in the project risk analysis report, all of them are analyzed, and countermeasures are formulated to form a perfect closed loop. On the other hand, the project leader has done a great deal of communication and coordination work because of the tight delivery schedule, yet none of it is mentioned in the risk analysis report. This misunderstanding separates risk management from the actual work and is called "independent risk management". It not only has no effect on the risk management of the project but also increases the burden on the project leader, thus artificially setting obstacles for the quality management personnel. What needs to be made clear here is that quality management has never been an independent job. It has to be combined with specific business and management work: "write what you do, do what you write". Never produce superficial paperwork just to cope with inspections; it does more harm than good.
3) One set of risks to the end
There is another typical problem in project risk management. Risk analysis reports should be prepared in the scheme, technical design and production stages, but on careful inspection the risks identified in each stage are the same, and the results of the risk analysis are no different either. Let's call it "a set of risks to the end".
Analysis shows that the reason behind the problem is that people have not learned and understood risk management well enough. They think that risk management is very demanding and that the current work cannot meet the requirements, so the attitude is "let's solve the problem first". I want to say one more thing: the idea of "solving problems first" is unacceptable. Implementing (or improving) a new management method carries a huge educational cost. The idea of "solving problems first" divides the implementation of a new management method into two steps, which requires two rounds of education and greatly increases the difficulty of management. When it is really necessary to implement a new management method, it is suggested to borrow the "zero defect" thinking and do it right the first time, which is the best and most efficient way.
To sum up, risk-based thinking is a methodology, a way of thinking that identifies, analyzes and evaluates future risks and opportunities from the internal and external environment, formulates and implements countermeasures, and constantly monitors and continuously improves. This methodology is not only applicable to the field of quality management; it is a universal way of thinking that applies to all aspects of work and life. However, this thinking ability can only be acquired gradually, by practicing, summarizing and constantly improving in combination with specific work and life. Finally, the risk-related standards are listed below for your reference.
1) GB/T23694-2013 Risk Management Terminology
2) Comprehensive Risk Guidelines for Central Enterprises (SASAC)
3) GB/T24353-2009 Risk Management: Principles and Implementation Guidelines
4) GB/T20032-2005 Project Risk Management Application Guide
5) GJB 5852-2006 Equipment Development Risk Analysis Requirements
6) GJB/Z171-2013 Risk Management Guide for Weapons and Equipment Development Projects
7) ISO/DIS 31000, Risk Management - Implementation Principles and Guidelines