Printer Friendly

Proactively managing risk: the new "waste".

An unforeseen risk causes a problem to hit you out of the blue. Someone is assigned to get to the bottom of the problem and solve it--quickly! Everyone looks for what, or who, is to blame for the latest predicament. You're in firefighting mode.

There are many ways to become aware of risks and their causes. Waiting until a problem arises is a very reactive solution. The better way is to take a more proactive approach.

A continuous process improvement (CPI) tool called value stream mapping (VSM) has been used effectively over the last decade to help organizations visualize their key processes so as to expose problems of waste and to plan improvements. The CPI approach follows through on those improvement efforts and repeats the process for still greater gains. Traditional CPI is focused on removing waste or non-value-added steps. But with just one more pass added to the standard CPI methodology, VSM can be used to also identify and reduce risks in all key processes. This combination of VSM enables organizations to leverage the continuous improvement initiatives that are likely already part of their ongoing transformation effort.

Risks as Threats

We are all exposed to risks daily--at work and in our private lives--and often manage them without even thinking about it. Organizations are challenged to maintain operations during disruptions and to avoid operational failures. Whether by natural disaster, terrorist action, or simple employee mistakes, organizations need to identify risks and mitigate losses. We need to ensure that we think about risk actively and proactively in the way we deliver value to customers.

Risks can be opportunities as well as threats, but this article will focus mainly on risks as threats. Risk management means developing and deploying a systematic corporate process for cost-effectively identifying, assessing, and addressing risks and causes of risk.


Risks can take various forms: financial risks, risks to the public or key stakeholders, risks to project success, risks to the products or services, risks from missed opportunities, policy failures, and even risks to reputation. Risks can affect an organization's performance, stakeholders, customers, and future livelihood. A clear understanding and plan are needed for managing risks. Done properly, a plan for mitigating risk can be integrated into existing strategic plans to meet key objectives, targets, and the demands of good corporate governance.

Good risk management reinforces the value of appropriate risk taking. It can also encourage innovation through promoting a no-blame culture. Risk management must not be seen as something in addition to effective operations; it must be part of what an organization does every day to be successful. Having a risk management process in place is critical for business success.

Risk: A New Form of Waste

Many firms have started implementing CPI principles in their many forms (Lean, Six Sigma, Theory of Constraints, etc.). The key principle in CPI, as outlined in many works on the Toyota Production System, is the constant elimination of wastes, which are non-value-added steps, tasks, or work. If risks are considered by all practitioners as another form of waste, risk analysis and mitigation can easily leverage the current CPI methodology (sequence of activities to improve processes). The seven wastes, first detailed by Toyota Production System developer Taiichi Ohno in the 1950s, are as follows:

* Overproduction--Producing more material than is needed before it is needed

* Inventories--Material sits taking up space, costing money, and potentially being damaged; problems are not visible

* Waiting--Material, people, or assets are waiting; value is not flowing to customers

* Defects--Defects impede flow and lead to wasteful rework, handling, and effort

* Motion--Any (human) motion that does not add value is waste

* Transportation--Any (product) movement that does not add value is waste

* Overprocessing--Extra processing not essential from the customer point of view.

To these, we add risk as the eighth waste:

* Risk--Any risk or cause of risk in a key process that is not identified, assessed, and mitigated is waste.

We think of risk as a waste because when an uncertain risk becomes a reality, the effort expended to address the problem is above and beyond what should have been expended--and that is waste.

Reactive versus Proactive Risk Management

A key to successful risk management is a method by which risks are identified and mitigated continually in an organization. Ideally, organizations should want a method that can identify the risk in advance of experiencing the failure. As we stated earlier, there are many ways to become aware of risks and their causes in an organization. The figure shows a continuum of reactive versus proactive methods, from getting hit by a problem and reacting, to leaders identifying key Value Streams and reducing risk as part of their larger transformation efforts.

The method described on the far left of the continuum is not really risk management, and some organizations remain there, at least until major risks affect them. Firms often move their risk management efforts to the right on the continuum over time, based on the impact of the risk events they are experiencing. Unfortunately, it sometimes takes significant impact, like legal action or oversight body intervention, to move some organizations to a proactive position. The closer a firm is to the left side of the scale and the more it resists movement to the right, the greater the likelihood that a public-, investor-, media-, or regulator-driven crisis will threaten its existence.

A Risk Management Framework

A risk management framework, which incorporates the DoD's five-step risk management process, is the basis for the methodology. The five steps are identify risks; assess risks; develop mitigation control options and choose the best ones; implement mitigation controls; supervise and evaluate.

The first four steps are sequential and repeated as new, discrete risks are identified. The supervise and evaluate step runs concurrently with the other four steps. Within the supervise step, the organization involves internal and external stakeholders, plans for risk management, and tracks risk and mitigation activities. In the methodology, risk mitigation is partitioned into two separate steps: one to develop risk mitigation options and make decisions, and the other is to implement the selected options. The model was developed by NewVectors LLC in a project called Material Security in the DoD Disposal System, conducted for the Defense Sustainment Consortium with funding from the Defense Logistics Agency. The prime contractor was The Advanced Technology Institute.

Using VSM to Identify More Risks

For process risks, a CPI planning tool called value stream mapping can be used by teams to effectively visualize and improve their key processes, as well as to identify and reduce risks in those processes. A typical value stream mapping session will detail both the material flow (product, paper, or even a service) and information flow (rules, plans, or directions for who does what and when) that make up the process. This is sometimes called the "current-state map" or "as-is" map. After the map is developed and verified, the team can make a second pass to highlight risks and causes of risk in and between each process or information step. After a brief discussion of the high-level risks for the organization (be they financial, safety, or other--and they will be different for each organization and business unit), the facilitator could ask the team some key questions to uncover causes of risk in each key process:

* What could happen in and between these steps to cause one of the high-level risks?

* What could happen in the process that we might not catch internally?

* What could be missing or wrong in the information flow to cause one of the high-level risks?

Some possible causes of risks are entry errors, inadequate equipment to perform a task, and even language barriers.


Value stream mapping is a form of process mapping that also includes the total accumulated time (both value and non-value added) at the bottom of the map. It is time-scaled. The team mapped in detail the demilitarization (demil) and mutilation as a condition-of-sale process. This is one of the key processes for the Defense Logistics Agency's Defense Reutilization Marketing Service (DRMS), which sells scrap material, requiring it to be demilitarized or mutilated after the property is sold. After doing the traditional value stream mapping, the team made a second pass over the process, identifying potential causes of risks. These risks were documented on the map using different colored 3M Post-it[R] Notes. A Post-it Note representing each process step in the value stream map was placed in its own functional "swim lane" or row across a multirowed roll of paper. The team collected some key data about each process, including total process cycle, "touch" time, paper/information flows, and causes of risk.

Initial results for DRMS, after just a few weeks of implementing its risk control plan for the demil process, showed a 25 percent reduction in overall risk score (a product of the likelihood of each identified event, multiplied by the impact if it were to occur, normalized by the team on a 1-to-10 scale). Significant improvements were also made to the process to help prevent improper releases of materials and reduce information errors.

The biggest benefit to using VSM to identify risk is that CPI tools are likely already used in organizations today. As organizations adopt Lean or other CPI methodologies, they should consider using VSM as a strategic planning tool to integrate, highlight, and prioritize opportunities for waste, risk, and complexity reduction. A key part of developing a company's risk management strategy and plans (step 5 in the DoD framework) is to set clear guidelines for continued risk management in all key processes. Using best CPI practices, the leaders of each value stream should create a new "vision" every 12 months or so to further improve the process. Because they are combined, risk analyses will be repeated in this same timeframe and implemented with improvements in flow, waste, and variation. Instead of making a supply chain more brittle (e.g., by removing inventory and going faster), this new process would reduce risk by addressing the causes alongside removing waste from a process.

Safety is a type of risk that is well suited to this approach. It is possible to get improvements in safety as Lean and CPI implementation ensue, but often the reverse is true in companies today. In an article circulated by Toyota Motor Manufacturing, Kentucky, Taiichi Ohno said, "Safety is always our first and foremost concern, and there can be no man-hour reduction activity without consideration for safety." He also warned that "there are times when improvement activities do not proceed in the name of safety." As flow and efficiency improvements are made, people go faster. This can cause injuries. If the CPI team makes risk a part of their value stream mapping while elevating safety to a high-level risk, they will proceed with actions that must also improve safety.

Summing up the CPI with Risk Management Process

The team added more elements to the standard DoD 5-step risk management framework to reduce and manage risks even further. This allowed the team to focus on the actual risk-reduction activities as risks were identified. The following list highlights some key steps to reduce risk within the framework of a larger CPI effort. The second-level items show the added elements in the typical VSM methodology that identify and reduce risks:

* Identify key process to improve (core processes that add value for your organization)

* Create a team tasked to continue working until the goals are met

* Create a Current State Value Stream Map; validate

* 2nd Pass: Additional Risk process steps: Discuss the high-level risks for the organization (e.g., financial, safety, other)

* Assess risks

* Propose and evaluate mitigation options

* Select mitigation options

* Create a Future State Map; a 12-month-ahead vision for what the process should be

* Create action plans; integrate and prioritize risk-reduction items with other improvements

* Implement action plans

* Track improvements

* Repeat--schedule another analysis of this key process in 12 months, and spread the combined CPI/risk-management methodology throughout the organization.

Why Combine Risk Management and CPI?

There is synergy in combining risk management with CPI. There are also several similarities between risk management and CPI process steps that are worth noting; some of them are:

* Need for reflection or capturing lessons learned

* (Always) involving teams of subject matter experts

* Just-in-time training for the people implementing the changes

* Communication in many forms

* Good governance at the leadership level

* Great follow-through.

According to John Maxwell in his book The 21 Irrefutable Laws of Leadership, "everything rises and falls on leadership." This applies to risk management and CPI. As improvement efforts mature, workers see that the documented improvement philosophy does not change with new leaders and that this methodology is becoming part of the way people think and work every day.

Norman Vincent Peale said, "How you think about a problem is more important than the problem itself." Does your organization have a systematic process for improving processes (e.g., CPI)? Do your people all know and use that methodology? Where is your organization along the continuum of reactive to proactive in addressing risk? Does your organization see risk as another form of waste? And, one last question: Wouldn't it be nice if the CPI methodology used daily also reduced risk as well? This is the goal of combining risk management with CPI.
Continuum of Reactive vs. Proactive Risk-Management Methods

 Hit by Make plans based on Brainstorm on Leaders identify Value
problem; prior experience of occasion; make Streams and reduce risk
 react bad risks plans to prevent (as part of larger CPI
 future risks effort)

Reactive Proactive

Hoeft is a Lean coach at NewVectors. He trained with Toyota and now serves as a sensei, while teaching in the University of Michigan's Lean programs. Davey works for NewVectors on supply chain improvement projects using risk management and simulation. She studied industrial engineering at SUNY and the University of Michigan. Newsome is a Lean Black Belt and chief of transformation initiatives with the Defense Reutilization and Marketing Service.

The authors welcome comments and questions and can be contacted at, and
COPYRIGHT 2007 Defense Acquisition University Press
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:RISK MANAGEMENT
Author:Newsome, Dean
Publication:Defense AT & L
Date:May 1, 2007
Previous Article:Should opportunity management be added to my programs acquisition strategy?
Next Article:Top ten PBL lessons learned.

Related Articles
A new career.
ElectronicSchoolBoard: Intercom Network.
Comprehension strategies kit: Sundance Publishing.
PockeTracker red/green: Visionbase.
D3M education connection: D3M Alliance.
Video Management System 3.0: Wren.
CRM SaaS: paying more for uptime.
First things first: the importance of risk identification.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters