Gambling with risk management? How cyber security could increase process robustness with a tool that could be sketched with a pen and paper.
Raised as one of the top worldwide business concerns of 2022, cyber risks have been on the rise. According to the Allianz Risk Barometer, companies are more concerned about ransomware attacks, data breaches, and catastrophic IT failures than they are about business and supply chain disruptions, natural disasters, or the COVID-19 pandemic.
With the shift to digital processes and remote work, the number of ransomware attacks increased by 151% globally in the first half of 2021.
Unfortunately, these statistics are sure to keep rising, especially since process design was not in focus, at least not with the level of attention it required, during the pandemic, and many organizations are now accepting that hybrid arrangements are a must-have to attract the right talent!
Regardless, processes are in place, and the vulnerability associated with cyber security should be enough reason to rethink process robustness.
Back to basics
When it comes to process robustness, nothing beats a Failure Mode and Effect Analysis (FMEA) as a tool to prevent process-related risk. Designed back in the 50’s, this problem-solving and risk-prevention tool is associated with many renowned organizations, whether they use it to secure high-risk missions, like NASA, or simply want to ensure the best customer experience ever, like Toyota.
The truth is, whether applied during the process design stage (Design Failure Mode and Effect Analysis - DFMEA) or during live operations and production (Production Failure Mode and Effect Analysis - PFMEA), this tool alone, if used correctly, can create a risk mitigation approach that ensures every process is very well thought through and that every employee, as part of their KPIs, aims to contribute to continuously mitigating that risk.
How does it work
In best practice companies, every process has a Risk Priority Number (RPN) and every team leader has area goals to constantly reduce this RPN, year on year. This means that every single process is risk monitored and there is accountability to ensure that risk is constantly being reduced.
I'll give you a moment to absorb this last sentence...
When using an FMEA, which is basically a table that walks you through a thought process, here are the main deep-dive analyses every process has to go through to have its risks monitored and risk situations prevented:
Process steps are listed - Every single process step is listed to ensure that every step receives the same level of attention when it comes to risk analysis;
What happens if failure happens - For every process step listed, a description of what would happen if that process step fails;
Likelihood of failure - For every possible failure, the likelihood of that event occurring is quantified numerically;
Consequence of failure - For every possible failure, the consequence of that event occurring is also quantified numerically;
Existing detection is questioned - For every possible failure, the level of detection provided by existing controls is also quantified numerically;
The RPN is calculated - The RPN is the product of Likelihood x Consequence x Detection
I have seen companies using scales as simple as 1 to 5, and others with hundreds or even thousands. It really depends on the level of rigor. Most companies using simple scales don’t measure a process in seconds but in minutes or hours…
After every single process goes through this analysis (either in the design stage or already in production), the RPNs become a way to monitor and prioritize where efforts should focus first. The FMEA also becomes a live document, since KPIs are assigned to ensure continuous improvement and risk mitigation becomes a requirement.
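The steps above, and the year-on-year RPN reduction goals mentioned under "How does it work", can be captured in a few lines of code. The following is an added example written for this article, not a tool the author or any FMEA standard supplies: it assumes a 1-10 scale for all three factors (the article notes scales from 1-5 up to thousands), follows the usual FMEA convention that a higher Detection score means the failure is less likely to be caught by existing controls, and uses a constructed FMEA for a "new starter IT access" process so that it runs offline.

```python
from dataclasses import dataclass

# Assumed scale bounds: 1-10 for Likelihood, Consequence and Detection (not prescribed by the article).
SCALE_MIN, SCALE_MAX = 1, 10


@dataclass(frozen=True)
class FailureMode:
    """One row of the FMEA table: a process step and one way it can fail."""
    step: str          # process step being analysed
    failure: str       # what happens if that step fails
    likelihood: int    # 1 = rare ... 10 = almost certain
    consequence: int   # 1 = negligible ... 10 = catastrophic
    detection: int     # 1 = existing controls always catch it ... 10 = never caught (higher is worse)
    controls: str = "" # existing detection/prevention controls, for the record

    def __post_init__(self):
        # Reject scores outside the agreed scale; a silently wrong score corrupts every RPN below it.
        for name in ("likelihood", "consequence", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside the {SCALE_MIN}-{SCALE_MAX} scale "
                                 f"for step '{self.step}'")

    @property
    def rpn(self) -> int:
        # Risk Priority Number = Likelihood x Consequence x Detection
        return self.likelihood * self.consequence * self.detection


def rank_by_rpn(modes: list[FailureMode]) -> list[FailureMode]:
    """Highest RPN first: this is the order in which mitigation effort should be spent."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def total_rpn(modes: list[FailureMode]) -> int:
    """Area-level figure a team leader would be measured against."""
    return sum(m.rpn for m in modes)


def rpn_reduction_percent(before: list[FailureMode], after: list[FailureMode]) -> float:
    """Year-on-year reduction of the area's total RPN, as a percentage."""
    b, a = total_rpn(before), total_rpn(after)
    return 0.0 if b == 0 else (b - a) / b * 100


def render_table(modes: list[FailureMode]) -> str:
    """Plain-text FMEA table, highest RPN first."""
    rows = [f"{'Step':<28}{'Failure':<46}{'L':>3}{'C':>3}{'D':>3}{'RPN':>6}"]
    for m in rank_by_rpn(modes):
        rows.append(f"{m.step:<28}{m.failure:<46}{m.likelihood:>3}{m.consequence:>3}"
                    f"{m.detection:>3}{m.rpn:>6}")
    return "\n".join(rows)


def sample_fmea() -> list[FailureMode]:
    """Constructed example rows for a 'new starter IT access' process (illustrative scores only)."""
    return [
        FailureMode("Create user account", "Account created with a default or shared password",
                    6, 8, 7, "Manual checklist"),
        FailureMode("Grant VPN access", "VPN access granted without MFA enrolled",
                    5, 9, 6, "Quarterly access review"),
        FailureMode("Issue laptop", "Disk encryption not enabled before handover",
                    4, 7, 3, "MDM compliance report"),
        FailureMode("Offboarding: revoke access", "Leaver's accounts remain active",
                    7, 8, 8, "None"),
    ]


def sample_fmea_after_mitigation() -> list[FailureMode]:
    """Same process one year later: the top-ranked failure now has automated deprovisioning
    and an alert on active accounts of leavers, so its Likelihood and Detection scores drop."""
    revised = [m for m in sample_fmea() if m.step != "Offboarding: revoke access"]
    revised.append(FailureMode("Offboarding: revoke access", "Leaver's accounts remain active",
                               2, 8, 2, "HR-to-IAM automated deprovisioning + leaver-login alert"))
    return revised


if __name__ == "__main__":
    before, after = sample_fmea(), sample_fmea_after_mitigation()
    print(render_table(before))
    print(f"\nTotal RPN before: {total_rpn(before)}, after: {total_rpn(after)}, "
          f"reduction: {rpn_reduction_percent(before, after):.1f}%")
```

Running it prints the table with the offboarding failure ranked first (RPN 448), which is where the effort goes; after the mitigation the same row scores 32 and the area's total RPN falls from 1138 to 722, the kind of year-on-year figure a team leader's KPI would track.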
So, if you are serious about cyber security, and about risk management for that matter, why not start with the simple basics before going into software complexity?
If you are serious about deploying a tool like this and making a cultural shift around cyber security and risk management, try gamifying it. Create games around this topic! To know more about using gamification as a way to transform a business, check out this article.
This article is nowhere near enough to master FMEA usage. The intent is to raise awareness that there is no need to invest heavily in software changes before doing the due diligence of knowing, at the very least, which process you should focus on and mitigating its risk first.