Product Risk Management - Part 2 of 4

Making Safer Products is Hard

Mar 13, 2023

Apologies to all for not publishing much over the last few months, life has been busy. Hoping to be back at more consistently, lets pick up where we left off.

If you haven’t seen part 1 of this series check it out!

Systems Thinking

Product Risk Management - Part 1 of 4

Unless you are one of the rare birds who truly enjoys risk management, then this is typically a dreaded process for the majority of engineers. Risk Management is challenging and long process, filled with conversations, differing opinions, and confusion about what is actually the right thing to do…

3 years ago · 1 like · Austin Howell

In Part 2 of this series I want to focus on planning for Risk Management. We won’t be bringing up Gantt charts, but rather looking at a strategy for what should go into your plan.

If this is the first time you’re joining, this post is part 2 of a 4 part series on Product Risk Management. Feel free to join us and subscribe as next we will be tackling:

Risk Management Templates with content
Risk Management on Example Product

Planning Documents

When many projects begin, they start with a Product Development Plan, outlining a team, a product idea, perhaps a cost metric of some kind, a set of deliverables, and a general timeline for completion. There may be other tasteful content, but in general it is meant to be a guiding document for what the team intends to do over the next many weeks.

There may be other plans to compose like a Testing Plan, a Prototyping Plan, a Design Transfer Plan, etc. While writing these kind of documents isn’t always the most exciting thing about engineering, it always proves to be valuable about 2 months after you’re done with them; when you need them.

A note on planning documents in general; when creating some kind of “Plan” your team, the consumer of this document, they are your users. They need to be given clarity and simple instruction on what, how, where, and acceptability. The simpler and easier you can make a process, the better the outcomes will be. It’s not always an easy practice, but its a thought that is helpful to keep front of mind when authoring such documents.

A Risk Management Plan intends to describe how the team will conduct risk management, and what risk level is acceptable (and not). It may contain other helpful information like scoring strategies, a pre-scored harms list, or an appendix with some example work, but in general there are some basic elements that should be included in order to make the plan effective for users.

Risk Management Plan

Ideally this post can act as a copy+pasta for your starting your own plan. Keep in mind, this plan should outline how you are going to do your analyses and how you plan to score your risks. This is intended to be basic outline with the essential core elements, and it may be needed to add more content and instruction for your team.

Introduction

This section should include two essential elements: what is the Purpose (why is this work important) and what is the Scope (what does this work apply to?).

Purpose

The purpose of this document is to define the risk management strategy that will be used on the [Product Name].

Scope

The risk management plan applies to [Product Name] and will cover all phases of product development up to commercialization.

Definitions

Harm - Physical injury or damage to the health of people, or damage to property or the environment.
Hazard - Potential source of harm
Hazardous Situation - Circumstance in which people, property, or the environment are exposed to one or more hazard(s)
Probability of Occurrence - Measure how likely something is to occur
Risk - Combination of probability of occurrence and the severity of a harm
Risk Control - Measures by which risks are reduced (also known as a mitigation)
Severity - Measure of the possible consequence of a hazard

Roles and Responsibilities

Some example roles may include:

Risk Lead - Responsible for creating, authoring, reviewing, and approving risk deliverables. Expected to be familiar with the risk management practice and guiding the team through it.
Subject Matter Expert - Responsible for participating in review meetings and authoring applicable risk deliverables. Expected to be an expert on the product itself, its inter-workings, and its fault conditions.
Independent Reviewer - Responsible for participating in review meetings and reviewing risk deliverables for accuracy and completeness. Expected to provide an independent perspective for the team.
Management Lead - Ultimately responsible for ensuring the team has the resources and is supported through the risk management processes. Expected to approve risk management file and deliverables.

Risk Management Activities

The team will follow the risk management process as depicted in the image below.

Risk Analysis

Risk Analysis is the process of systematically identifying and scoring hazards of the product. The team will leverage a top-down approach of performing a Hazard Analysis, identifying Hazardous Situations and Foreseeable Events that could leads to potential harms. Other bottom-up methods such as Failure Mode Effect Analysis (FMEA) or Fault Tree Analysis (FTA) may be used to identify fault conditions.

Scoring Risks

The image below provides a depiction as to how the team will calculate risks.

In scoring risks the team may use a variety of sources to obtain information such as published Standards, scientific published data, data from fielded products, usability testing, expert opinion, etc.

The table below defines how the team will score risk

Risk Evaluation

For each hazardous situation the team will be responsible for evaluating if the level of risk is acceptable and if further risk mitigation is required. When determining the acceptability of risk, the team will use the table below.

Risk Controls

Risk controls will take the form of requirements for the product. By creating requirements for the product implementation will be ensured and verification of the product fulfilling the requirements will be completed.

Risk Benefit Analysis

There may be some occasions where the risk of the product is greater that the acceptable level. The team may gather and review data and literature to determine if the product benefits outweigh the risk. If evidence does not support this conclusion, then the risks remain unacceptable. If the benefits do outweigh the risk then the team should document this analysis and conclusion for future reference.

(This is more common in defense, medical, or other high risk programs. Probably not going to get away with this for most consumer products.)

Risk Management Report

At the conclusion of the risk activities effort the team will composed a Risk Report, summarizing most notable findings and drawing a conclusion on the safety and potential risk of the product. In the event risk management artifacts are updated, the Risk Report should be reviewed to confirm the findings and conclusion hold true.

Risk Maintenance

After market release of the product, a team will be responsible for monitoring issues of the product and ensuring the risk profile of the product is reviewed and maintained for the duration the product is available.