The Anti-fragile Risk Management (ARM) Model has seven components; the third is Process & Plant.
- Purpose: Why does the Organization exist, and what are its objectives?
- People: Does the Organization have adeptness to achieve its objectives?
- Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
- Product: Does the organization have a product or service that the market/society wants?
- Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
- Governance: Does the organization have the strategic and leadership capacity to Change the Above?
- Risk Tested: What identified risks can be used to test the above to ensure they are functioning?
Changing process, buying machinery, installing software – these all take time, which is why the ARM Component People & Plant has a medium-term impact. While your staff may be constantly on the lookout for risk/opportunity, it takes longer to give them systems, procedures or policies when things change. This is demonstrated in the following diagram.
Process: Knowledge to operate the systems?
The story so far is that an organization has discovered its Purpose, hired the right People and now needs to know what the heck these people are doing and are they doing it right! The following are all examples of organizational plant and equipment. Each one requires knowledge of how to operate it through procedures, policy and of course organizational adeptness:
- Machinery, buildings and land.
- Computers, firewalls, networks.
- Patents, rights, licenses and royalty agreements.
There are LOTS of books on not only risk relative to process but also on how to manage process. Certainly one of the grand-daddies is the now classic ‘Balanced Scorecard’ by Kaplan and Nolan. It introduces the concept of segregating (and measuring through key metrics) the business into four areas: finance, internal business, learning & growth and the customer.
No matter how you slice and dice your processes, this deductive process is the core of traditional risk management. For Risk X, what process Y or asset Z is going to protect or mitigate the risk?
This ARM is Brought To You by Organizational Biology
Process & plant are all things you can drop on your foot or print off and drop on your foot. Collectively all this foot dropping is called ‘Mass’ which brings us to our sponsor… ‘Organizational Biology‘ which describes how organizations work. In a nutshell, organizations are composed of two parts, Mass and Adeptness:
Mass is the physical elements of an organization, such as machinery and land, as well as intangibles such as patents, policies and procedures. Adeptness is an ephemeral quality by which humans apply mass toward an organizational objective. For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.
ARM’s Length Definition and Why Does this Matter?
The ARM definition for the Process-Plant Component is: does the organization have the tools to complete its objectives, and do the people know how to properly use the tools?
This component strives to understand ‘How and What‘ processes an organization is engaged in and ‘Where‘ are the integration points between these processes. A good first start is a listing of business functions that support an organization’s products and services (more on this in the next blog). Quality processes will further define and articulate the business processes down to the point in which your staff are heartily sick and tired of being ISO-9001-compliant.
In other words, by spending time and effort on this ARM component, process and plant, the organization can better understand how its people are achieving the organizational purpose to deliver products and services.
ISO 31000 Context and Its Risk Assessment Techniques
ISO 31000:2009 Principles and Guidelines has a good deal to say about managing process and plant, including the following:
- Section ‘2.11, internal context‘:
  - Policies, objectives, and the strategies that are in place to achieve them;
  - Information systems, information flows and decision-making processes (both formal and informal);
  - Standards, guidelines and models adopted by the organization; and
  - Form and extent of contractual relationships.
- Section ‘3 Principles‘:
  - b) Risk management is an integral part of all organizational processes.
    - Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization.
    - Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
- Section ‘4 Framework – 4.3.4 Integration into organizational processes’:
  - Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
  - The risk management process should become part of, and not separate from, those organizational processes.
Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of process and plant on risk.
Examples of Risk Tests and Mitigation
Risk Identification: Does the organization understand its internal business processes?
- Evaluation/Analysis: It is not clear what functions staff are doing and how they contribute to the final product. Staff claim to be very busy, but the exact work tasks, their relative importance to organization objectives and the authorization to complete them are unclear.
- Stakeholders: Staff, contractors, management, the board.
- Measure: Identify high level business functions, staff time reporting, production cycle time.
- Example: Within the Ministry of Widgets, there is a constant request for more staff and contractors. However the Deputy Minister is not quite sure what all his staff ‘do’. Key services are identified and business functions are mapped to these services to determine which activities are of highest priority and which can be stopped, scaled back, outsourced or deferred.