18 June, 2008

FMEA Step 1

Develop the Ratings table/index

The ratings table consists of 3 columns.

Severity Rating

Occurrence Rating

And Detectability Rating

You typically have a scale from 1 to 5, 7 or 10 depending on the level of granularity that is needed in your organization

Anyone who has done a real BIA would get the Severity section almost immediately.

In short the trick here is to tie each escalating level of severity to some specific series of business impacts.

Brand/Reputation - TJX, Hannaford ... what else needs be said
Direct Financial Loss - Fraud, Equipment Damage, Theft, Embezzlement, Lost Sales ...
Indirect Financial Loss - Cost of Data Recreation, Lost FTO time, Lost future sales, Project Delays
Legal Liability - often part of direct and indirect but also includes, Legal costs, Fines, Cost of increased regulatory oversight ...
Compliance - The costs associated with failed compliance

Many more ... when you develop the ranking table do it with the business leads and let them define their concerns

Occurrence, and Detection Continued later

I will stress this one more time this is not a risk assessment it is a risk priority ranking. The risk guru's will definitely get the distinction right away but if you don't get it and you are doing this you will eventually run into the all powerful cost justification argument. It is powerful when dealing with audit and those pesky internal budget decisions.

Because it focuses primarily on priority it is faster, easier and more agile. Think 10 meetings vice 100 with 20 people instead of 200. (obviously adjust those for company size)

3 comments:

Anonymous said...

re TJX and Hannaford - where's the objective data to show that the brand/reputation was harmed and by how much?
I just looked at a TJX stock graph and the trend has been good for the past 3 years - $24/share in June, 2005 and $32/share now, with a couple of brief dips.

Hannaford doesn't seem to be a publically traded company, so it's more difficult to find out about them.

I could understand your point of view for these two entities with regard to measurable costs.

But when you say with regard to brand/reputation: "What else needs to be said?", what exactly do you mean?

Patrick Florer

Jim C said...

Thanks Patrick

You are right there may not have been any directly identifiable financial link to the brand/reputation impact on those companies. That is why Brand and Reputation needs to be considered independently from Direct and indirect financial impact. It has to be considered in the context of the audience that one is working with.

The fact that you (and most people reading this chain) can identify and understand TXJ and Hannaford in context to the post is in itself proof that there was some brand impact though.

Some would argue that if there is no stock impact then why worry or even consider the issue. Certainly from the perspective of stock holders and investors that might be true.

On the other hand I am certain that the public relations teams at those companies and some of the senior executives (especially if their jobs were affected) would argue that there was a business impact.

Impact is relative to the perspective of the viewer. When you are having discussions about risk one always has to keep that in mind.

In the long run though it helps to take a "Stranger in a Strange Land" view though and realize that money assigns a beautifully impartial relative value to everything. Therefore Direct and Indirect Financial impacts make for the best arguments and justifications.

So I agree. The objective data is in the measurable costs. This is why one has to be careful with Risk Prioritization in contrast with true Risk Assessment.


Grok?

Anonymous said...

not sure that I do grok or agree - but will be content to suspend judgement until you publish the whole series.

If you take, for the sake of discussion, the position that the impact on TJX or Hannaford brand has been neglible, then would you assign a severity rating of 0 or 1?

Kind of counter-intuitive, but it's what the TJX stock data seem to suggest.

Thanks for your efforts - look forward to the rest of your ideas.

Patrick Florer