Risk Management: Risk Scoring That Matters to Product Developers

Managing risk in technology can feel overwhelming. After you’ve done the work of identifying potential risks, you have to prioritize them. Most people use a scoring system to do this.

This is especially true for regulated industries. Risk mitigation is an expectation of compliance. Often these companies will rely on something like a failure modes and effect analysis (FMEA) template to get risk scores. 

But are FMEA and other traditional formulas the best way to score your risks?

With the right formula, your risk identification process can actually produce a score that qualifies your quantifiable data. In other words, your score can make better sense of the numbers and empower you to make smarter decisions.
 

What Is Risk Management?

Risk management is the process of:

• Identifying the risks associated with the use and production of a product.
• Prioritizing the risks, typically through a manner of risk assessment and scoring.
• Mitigating risks to reduce their probability, likelihood, or impact.
• Providing continual monitoring. 

Do You Need a Risk Management Plan?

Technology is embedded in our daily lives more than ever, and it is automated to a high degree. This opens more opportunity for harm to occur as a result of product failure — both to the  consumer and to the company.

Compliance of all kinds continues to become more stringent as it becomes easier to compromise safety. People rely more heavily on technology, so its failure is potentially more catastrophic.

That means we need more risk planning up front, before releasing the product.

Of course, not all product development risks pose harm to the user. A risk is, according to Project Management Body Of Knowledge, “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives.”

By that definition, not every risk needs to be mitigated.

Simply put, risk mitigation is for everyone who builds a product in which there is an unwanted consequence to poor quality.

If that’s you, a solid plan helps you successfully identify and analyze your risks to be properly addressed.
 

Risk Identification

Before you can prioritize and mitigate your risks, you have to know what they are.

There are numerous types of risks, so it’s important to do the legwork of finding as many as possible early in the project. Some strategies for identifying risks include:

• Brainstorming sessions with employees.
• Interviews with stakeholders.
• Document analysis.
• Diagramming techniques: read up on Gliffy's guide to using diagrams for risk assessment.
• Checklist analysis.
• Scoring impacting and probability.

The kinds of risks you can identify are fairly broad, but here’s a checklist to help you get started:

Dependencies 

These are factors that depend on outside influences, like subcontractors, availability of necessary experts, and customer-supplied information. Traceability is vital to mitigating these risks and ensuring company-wide visibility.

Functional and Performance

These are all the technical risks associated with the functionality and performance of the software or product.

Proper Knowledge

Does everyone have sufficient training for all the tasks, methods, and tools needed to complete the job?

Operational or Procedural

Everything from issues with process implementation to conflict resolution falls under this category. How clear are everyone’s roles, and how well do they get along?

Requirements Issues 

Are the requirements clear, unchanging, and agreed upon? Was there adequate customer involvement in identifying them?

Planning and Schedules

All time-related risks belong here, including deliveries, estimations, proper resource allocation, etc.    
       

Standards Typically Dependent Upon FMEA, SIL, and ASIL

Regulated industries need to demonstrate that risks have been controlled throughout development. You can confidently prove this, and at the same time, address regulatory requirements with a tool that provides traceability. (See what makes a good automated solution below.)

Compliance standards also add to the kind of risks you face, so you should include them in your risk identification. (Think PR and legal harm.) Some common standards include:

• Medical Device/Life Science
  • 21 CFR
  • ISO 14971
  • IEC 62304
• Other 
  • IEC 61508
  • ISO 26262
     

Risk Assessment

With risks identified, it’s time to determine which need your attention and how quickly. This is where you assign risk scores.

If you follow an ASIL or FMEA formula, you’ll end up with a mathematical equation that looks something like these:

Score each from 1 (absolute best) to 1000 (absolute worst)
Severity x (Exposure x Controllability) = ASIL 
Severity x Occurrence x Detection = Risk Priority Number (RPN)

These formulas work for some, but they’re problematic in that they don’t account for human judgment.

You need to know how to qualify the score (what does an 800 mean?) and be able to compare the difference between two identical scores.

A real life example of this appears in Problems With Risk Priority Numbers. The author compares two risks that scored the same RPN.

One is a “hazardous failure mode that would affect the safe operation of the vehicle and that would occur without warning. This problem would have a very high incidence of occurrence, affecting approximately one vehicle in three. And this problem would have a moderately high chance of being detected during the design phase and eliminated from the vehicle before production begins.”

The second is a failure mode that affects fit and finish. It can’t be detected in the design phase and would affect one in three vehicles.

Should these two problems appear equivalent? They earned the same RPN. That’s the problem with traditional scoring. You still need a human to judge whether they’re equally severe threats.

An easier, more accurate score qualifies the quantitative data. Rather than a number, this kind of formula will tell you how serious the threat is.

There are formulas that let you manually produce this kind of score. One is described in this article.

However, this is most easily accomplished with a risk scoring tool.

For example, Helix ALM lets you establish your own parameters within its templates so you can input your risk identification data, and it will translate the RPN into something everyone understands.

Additionally, Helix ALM provides end-to-end traceability, letting you link your risk items directly to the functions causing or mitigating that risk.

With a score that is clear to everyone, the degree of seriousness is immediately apparent. Employees don’t have to spend any more time interpreting or tweaking results.
 

What To Look For in a Risk Management Solution

How do you know whether a risk management tool will improve your mitigation process? An automated solution is worth considering if you want to:

• Cut time and confusion out of the scoring process.
• Confidently meet requirements.
• Prove control over your process.
• Lower development costs.
• Maintain a single source of truth.
• Create faster time to market.

Risk management solutions with these features will help you with all that:

End-to-end traceability — your most powerful ally in audits, compliance, and efficiency. 
Customizable templates — configure the scoring to work for you every time.
Qualifiable data — know at a glance how severe each risk is without decoding a number system.
Easy integration with your existing tools — achieve visibility across the entire development lifecycle.
Meets regulatory standards — don’t assume all risk management solutions will meet standards; always ask.

Helix ALM was designed to help your entire lifecycle. It contains all of the features above and more. And you can check out for FREE.

Improve Your Risk Management