This paper briefly highlights the main components associated with Risk Modeling & Analysis concepts. Professional references are provided in-text and links to the source can be found in the Reference section on the last page(s). In this paper, the writer will play the role of an established Business Intelligence (BI) Analyst for a prestigious company (i.e. McCormick & Company, Inc.) with multiple sites (facilities) for its various business processes. For an operational overview, the working company manufactures product X, Y, and Z (i.e. Grill Mates, Zataran’s, and Frenchy’s) across three listed as A, B, and C (i.e. Atlanta, GA, Gretna, LA, and Lakewood, NJ). The BI Analyst is asked to visit the facilities and offer risk modeling and analysis. In this discussion, the BI Analyst will communicate with top managers at the working company’s headquarters and share insights on the risk assessment conducted. Readers can expect to get an outline of the five-step process associated with risk management, an overview of factors that need to be considered when identifying risk avoidance, and the importance of feedback in reference to process analysis.

What are the company’s top risks, how severe are their impact and how likely are they to occur?

“Sense and deal with problems in their smallest state, before they grow bigger and become fatal” (Zhu, P., n.d.).

With any new project comes risks. While all organizations do their best to avoid them, they don’t always take a right approach. Perhaps they just didn’t know where to start? Or maybe, the situation was too complex to figure out? Regardless, there’s good news and it starts here. Below is an outline of the five steps to lay the foundation for your next risk management plan.

What is Risk Management?

To get started, one may ask ‘What is Risk Management’? According to Lucidchart (2020), risk management can be defined as an ongoing process of identifying, treating, and then managing risks. In order to do this, you need to start by establishing the context of the situation. Once you develop a clear understanding of the situation, you will need to identify risk(s), analyze risk(s), prioritize risk(s), treat risk(s), and monitor risk(s). Let’s take a closer look at the process.

Source: Corey Seamster (2020) | Image: Risk Management Process Diagram

Establish the Context

Before you start defining risks, it’s important that you establish a baseline understanding of the context in which you will conduct the risk assessment. For instance, if you were to conduct a risk assessment of a company’s manufacturing facilities, you may want to conduct an on-site visit to the facility to meet the personnel to gauge the dynamics of the relationships within, observe workflow processes, and assess the general environment for noticeable threats. Generally speaking, this sets the stage for defining risks associated with the company’s operations in respect to each of the facilities visited. This phase of the process is critical because it enables you to create a framework for your risk management plan. Once this is complete, you need to closely collaborate with key-stakeholders to identify the risk(s).

Step 1 – Identify Risk(s)

In order to identify risks, you must gather as much input from key-stakeholders to create a list of risks that need to be assessed. Creating risks doesn’t need to be difficult, keep it simple. Simple enough that everyone on the team can understand. Furthermore, it’s important to be as thorough as possible to ensure key areas are not overlooked or neglected to be represented. Additionally, it’s common to see risks associated with all echelons-of-command (i.e. strategic, operational, and tactical) depending on the scope of the risk assessment. So be sure to customize yours to fit your scenario. Moving on, once this data is identified, you can visually organize it using a simple ‘hierarchy’ diagram in the form of a risk breakdown structure. The risk breakdown structure is an entity-relationship type diagram that outlines the risk areas in a hierarchy form. To visually depict all entities and their relationships and can easily be used to communicate risk management efforts at a high-level.

Before showing the risk breakdown diagram, read the scenario below to get a background on the situation in order to understand how this concept can be applied.

Scenario: BI Analyst working for prestigious company tasked to conduct risk assessment

As an example, let’s role play. As an established Business Intelligence (BI) Analyst for McCormick & Company, I visited three of their manufacturing facilities (i.e. Atlanta, GA, Gretna, LA, and Lakewood, NJ). Each facility had their own special products they produce daily. For the sake of this story, Atlanta, GA produced three product lines associated with Grill Mates spices and herbs, while Gretna, LA produced good for Zataran’s sauces and spices, and Lakewood, NJ produced Frenchy’s products. Each facility was assessed based on three risk types (i.e. Internal, External, and Industry) with four sub-categories (i.e. Environment, Team, Approach, and Suppliers). For each risk category, risks were identified below them for later prioritization. See below for the McCormick & Company risk breakdown diagram that was created using hypothetical data.

Source: Corey Seamster (2020) | Image: Risk Breakdown Diagram

Step 2 – Analyze Risk(s)

Once you visually outlined your risks, it’s now time to analyze that data. According to Lucidcharrt (2020), some questions that you should be asking right about now are, “How likely are these risks to occur”? And/or, “If they do occur, how bad are the consequences”? With all things considered, the right approach from here would be to define weighted measures and calculate the probability of such risks occurring in order to mitigate business loss. See below for an example of the type of data used to create the matrix.

Source: Corey Seamster (2020) | Image: Business Risk Assessment Matrix

As outlined in the matrix above, you will notice the following columns: Ref/ID, Location, Facility, Risk Type, Risk Category, Risk, Potential Area of Impact, Risk Severity, Risk Level, Mitigation/Warnings/Remedies, Financial Impact (est.), and Party Responsible. The decision to use 12 factors to consider risks is solely based on the scope of this study. Not all risk assessments (i.e. risk matrix) need to be this detailed. However, with more detail, you can expect to see risk areas clearer that generalizing. But, with more detail requires more project development efforts. In particular, in order to analyze the data, you need to define the weighted measures associated. By example, each column needs to be defined according to project evaluation criteria. See below for the Smartsheet (2020) risk assessment matrix formulas. This key shows the range of probability using the rating key for likelihood and severity as it relates to each risk.

Source: Smartsheet (2020) | Image: Business Risk Assessment Matrix Formula Key

Step 3 – Prioritize Risk(s)

Here is where you need to prioritize the risk associated with the areas previously outlined. The prioritization process is critical because it helps the users understand where the major concerns will be in the event that risk arise. See below for an example I created using the BI Analyst role playing scenario to showcase McCormick & Company’s risks and the priorities associated in the matrix.

Source: Corey Seamster (2020) | Image: Business Risk Assessment Matrix – Prioritization

Next, you can move to step 4, Treat the risk(s).

Step 4 – Treat the Risk(s)

This part of the process requires you to execute the strategies you designed with your key-stakeholders, which is presented in the matrix, in order to mitigate business loss if the risk(s) were to occur. As outlined below, you can see the mitigation solutions that were defined to present forward-looking solutions to McCormick & Company’s leadership team for contingency planning considerations. To prevent major loss, you must focus your mitigation efforts in the areas that pose the biggest risk to your business operations.

Source: Corey Seamster (2020) | Image: Business Risk Assessment Matrix – Mitigations/Warnings/Remedies

This part of the process requires attention detail, leadership advocacy, and proper execution. Next, let’s focus on the final step, which is monitoring the risk(s).

Step 5 – Monitor Risk(s)

To ensure success, you must monitor the risk(s) you identified, prioritized, and created mitigation strategies for in order to reduce business loss. To do this, all responsible parties need to be held accountable and provide frequent feedback on risk as necessary. In most cases, when you create a risk assessment model, you must also create a function within the business to manage and provide oversight of all risks. This must be sustainable because your business will never NOT have risks. If additional resources aren’t available to get new personnel, find ways to incorporate these duties into existing stakeholder responsibilities. For the sake of McCormick’s facilities, you can see in the matrix above who is responsible for each task by looking in the last column (to the right) called, Party Responsible.

So…what’s the story behind McCormick’s Facility and Product Risk Matrix?

After visiting all three of McCormick & Company’s manufacturing facilities, the BI Analyst (i.e. me) was able to design a risk assessment model executing the first three steps (i.e. Identify Risk, Analyze Risk, and Prioritize Risk) in the Risk Management Process. The following products were created to present my findings.

Source: Corey Seamster (2020) | Image: Risk Breakdown Diagram

The risk breakdown diagram shows each facility and their respective risks. Each risk is then structured in a spreadsheet to form the Risk Assessment Matrix. After analyzing the matrix of risks, I discovered that the biggest risk across all facilities linked to Facility B, which is the Gretna, LA location that produces Zataran products. The area that needs focus is the risk type, Internal Risk, associated with the category, Approach. The risk in concern is “Wrong Prioritization” that could potentially impact the marketing and production operations. This shows an undesirable severity, probable likelihood, and EXTREME risk level rating. The mitigation solution proposed is to make a prioritization process that’s transparent to all key stakeholders. Codify this in all standard operating procedures (SOPs) and monitor for implementation needs.

As you can see in the matrix provided below, there are other competing risks as well. However, I wanted to point out the most concerning risk as it relates to the probable impact that it has on the future production of Zataran products at the Gretna, LA facility.

Source: Corey Seamster (2020) | Image: Business Risk Assessment Matrix

Furthermore, it’s important to note that in order to properly sustain a risk assessment model, you must consider how you will continuously get feedback from the right stakeholders on the evolving process to measure risks. For that reason, check out a way to do just that using a feedback loop.

Feedback Loops (Positive & Negative Feedback)

Source: Research Gate (n.d.) | Image: Positive & Negative Feedback Loop Diagram

According to Research Gate (n.d.), a positive sign linking two variables (e.g., between A and B) indicates that A adds to B, or a change in A produces a change in B in the same direction. A negative sign linking two variables indicates an inverse relationship. For example, E subtracts from F, or a change in variable E produces a change in variable F in the opposite direction. To determine whether a negative or positive feedback occurs, count the number of negative causal links within the loop; an even number of negative links indicates a positive feedback and an odd number of negative links indicates a negative feedback. This concept can be applied to the previous McCormick scenario once McCormick takes the appropriate action to Treat the Risks (i.e. Step 4) and maintain a framework to continuously Monitor the Risks (i.e. Step 5) as the dynamics of the environment change over time.