Six Sigma approach to Risk Management – the benefits

As can be seen from the diagram above, the Six Sigma process is iterative both overall and within each pair of stages. In addition, if any stage does not work, the next step in the process is to go back to the previous stage. This forms part of the rigour of the Six Sigma approach. Not only is each stage closely evaluated, but the practitioner/team must repeat the stage using new ideas and solutions if the evaluation does not produce adequate results. This iterative approach seeks to ensure that changes made to business processes have the best chance of delivering the desired positive impact and that the change represents the best return in terms of the improvement achieved. 

The overall Six Sigma process 

1. Assess current state

As with all stages in the Six Sigma process, this stage has a business focus. The first two stages are to prioritise the process to be improved. This is achieved in the first stage by identifying problems and gaps, and the most pressing needs in the firm.

The equivalent stage in risk management is to identify and assess risks and  controls (through a risk and control self-assessment) and to identify indicators  and their thresholds. 

2. Agree process to be improved

From the areas identified, the process to be improved can be chosen. Often this is driven by business requirements. Alternatively, there are often links between processes such that an improvement to one process can have a beneficial effect on a number of processes. The current performance of the process  to be improved is documented using control charts for the process output over time, so that the improvements can be recognised. This assists  in generating awareness of the scale of the problem, and possibly a target  performance level. 

The equivalent risk stage is to compare the risk appetite with the current state using the risk and control self-assessment and the indicator thresholds from Stage 1. 

3. Investigate root cause

Theories as to the root cause of the problem are initially identified through consensus work and workshops, and then through the use of tools, such as cause and effect diagrams, histograms and scatter diagrams. Hypothesis testing may be used and standard statistical tests, such as equal variance analysis, are also key to this stage.  Data are collected to support the root cause analysis, and, by using the tools, strong correlations are sought that point to which cause should be addressed as a priority.

The equivalent risk management stage is event causal analysis, although  there may be very few events relating to the particular process. However, such  causal analysis will help significantly with the Six Sigma root cause analysis. 

4. Develop solutions

In order to develop solutions, this stage of the Six Sigma process will utilise workshops to determine the links to controls and other processes for the identified root causes. Cause and solution diagrams may also be utilised. This stage also tends to develop further relationships between causes, controls and processes which themselves may point towards solutions. The solutions generated are then prioritised for testing. 

Action plans resulting from event causal analysis, and from appetite analysis using risk and control self-assessments and indicators are the risk equivalents of Stage 4

5. Test solutions

Taking the most promising solution generated in the previous stage, controlled experiments are run to evaluate the impact of the solution. This stage also begins to determine the appropriate implementation of the solution, assuming that it delivers the required improvement/impact. 

The modelling of action plans, including modelling of qualitative data, is the risk management equivalent of Stage 5. 

6. Design and implement improvement

This stage in the Six Sigma process revolves around how to apply the validated change, including items such as training, implementation of a pilot and assessment of the pilot, the definition of how the change may be considered to be successful, and involving the business to set a success target (if one has not been already set). Once the pilot is successful, a permanent solution is then put in place, including data collection to show that the improvement continues and has become business as usual. 

The equivalent in risk is completing action plans, designing new controls and indicators and checking to see if the reduction in risk or improvement in controls expected has, in fact, been achieved. 

7. Review learnings

This is the typical debrief of a project, including the following:

• what worked well
• what didn’t work well 
• tools that were particularly effective 
• things that we would like to do better 
• learnings from overcoming difficult points 
• how we should manage the people side differently. 

The risk management equivalent to Step 7 is the embedding of the methodology (which is, of course, linked to governance). In addition, risk managers at this stage will challenge the methodology and tools used in terms of any improvements that can be made. 

8. Identify next improvement

This is a very easy stage in that, typically, the second choice from the original list of required improvements is chosen. This is a very natural step if the firm’s business profile has not changed significantly in the meantime. However, if there has been a change, Stage 1 should be repeated. 

From a risk perspective, a new risk and control self-assessment and continuing monitoring of events and indicators will lead to further appetite comparisons and renewal of the cycle.

Summary 

At the business level, a robust and efficient risk system will enable managers to react to events more quickly and with greater effectiveness. At the board level, good risk management reduces the volatility of performance and facilitates efficient resource and capital allocation.  From an investor point of view, risk management encourages and allows an understanding of where shareholder value is being created or destroyed. A good risk management system, fully embedded in the business, will prevent any blindness to risk which may affect the profitability of a business line or transaction.

Risk and control perception is improved through distilling a risk culture, which leads to business optimisation. That will be reflected in a firm’s credit rating. And it will also generate a significant regulatory benefit in an improved relationship with the regulator, wherever that is applicable. 

A further benefit is that if you get it right, you avoid paying the lawyers!  Risk management is fundamental to successful business management. It produces true business benefits in its own right.

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International.