To Manage Risk, Consider SIPOC

By John Ager, Kepner-Tregoe

“It is difficult to make predictions, especially about the future.” (Variously attributed to Mark Twain, Yogi Berra, Niels Bohr, Samuel Goldwyn, et al.)

Imagine you are embarking on an adventure, perhaps launching a product, installing a piece of equipment, beginning a manufacturing run, or going on vacation. Despite the inherent truth in the opening quote, to proactively take actions to keep the adventure on course requires making predictions about what could go wrong. Whether using Potential Problem Analysis, Failure Modes and Effects Analysis, Fault Tree Analysis, Cause and Effect (Ishikawa) Diagrams, or any of their derivatives, we can improve our predictions and choice of actions by: 1) considering what we know, 2) addressing small slices, and 3) focusing on customers. The SIPOC model (supplier, inputs, process, outputs, and customers) provides a framework for making this information visible and facilitating analysis.

Consider What You Know

Although “Past performance is no guarantee of future results.”, the past is all we can know. The more relevant the facts are that we begin with, the better our predictions and choices of actions. So, when managing risk, we should begin by documenting: 1) the desired output, 2) the customers, 3) the process or project, 4) the inputs, and 5) the suppliers. A SIPOC for taking a vacation in North Carolina (starting in New Jersey) might look like this.

We manage risk by taking preventive actions to increase the probability the outputs of our processes or projects satisfy our customers, planning contingent actions to reduce the seriousness when they do not, and setting triggers to increase detectability of potential problems. The more relevant facts we begin with, the more appropriate our choice of actions will be.

Address Small Slices

When our projects or processes involve many suppliers, inputs, process or project steps, outputs, and customers, there will be many risks and relevant facts to consider. When this is the case, trying to assess and manage all the variables in one analysis adds unnecessary complexity and can lead to inefficient or ineffective responses. Certainly, all the variables and risks are ultimately connected, but not all necessarily require attention, and those that do may need different responses. So, once we understand the big picture, the next step is to dig into the details of the project, or process, and continue breaking it down into specific actions or steps. Taking a vacation in North Carolina might be broken down as follows:

Taking time up front to understand the specific actions or steps of the process or project and the relationships between them will make it easier to prioritize which require our focus. With this knowledge we can then identify which variables to address and choose which of these need preventive actions, contingent actions, and what triggers to put in place.

Focus on Customers

In the final analysis, risk management is only successful if we ultimately satisfy our customers, which might be ourselves or others. When managing risk, it is human nature to focus on preventing our Suppliers, Inputs, and Process from causing problems. But, sometimes our best efforts are insufficient and so we need to plan contingent actions to mitigate and set triggers to increase detectability if our Outputs fail to satisfy our Customers. The risk plan for the drive to North Carolina includes both preventive actions to increase the probability of success as well as contingent actions to mitigate potential problems and their effects, as well as triggers that tell us when we need to take them.

Although it is human nature to focus on taking actions that prevent our suppliers, inputs, and processes from causing potential problems, we must accept the inevitability that sometimes our outputs will fail to satisfy our customers. When this happens, we need to be able to quickly detect it and quickly respond with actions to compensate for the damage done and minimize its spread.

The purpose of risk management is taking preventive actions to reduce the probability of our outputs not satisfying our customers, planning contingent actions to reduce seriousness if we fail, and setting triggers to increase detectability. To choose the most appropriate actions, we should 1) consider what we know, 2) address small slices, and 3) focus on customers. Using the SIPOC model to make this information visible is one way to ensure thorough consideration and effective analysis of all the variables.

Proactive Problem Solving and Creating Non-Events
Mapping the support organizations path to proactive problem management
Incidents and Problems – Opposite Sides of the Same Coin
Best practices in post incident reviews dramatically improve incident response