Traditional Culture Encyclopedia - Traditional festivals - How to manage the risk of equipment development?

How to manage the risk of equipment development?

"Risk-based thinking" is one of the three core concepts in GJB900 1C-20 17 quality management system, which runs through the whole process of quality management system and is also applicable to the whole life cycle of equipment. However, in the process of equipment development, there are often problems such as incomplete risk identification, inconsistent risk analysis with the project situation, and identical risks and countermeasures in each development stage. Risk management has evolved into a formal job that only deals with auditing, leaving many people with good quality at a loss.

Why is this happening and how to solve these problems?

Everything needs to start with the connotation of risk management in equipment development.

First, the risk management of equipment development

According to the definition of GB/T23694-20 13 "Risk Management Terminology", risk is the impact of uncertainty on objectives, including three connotations. First, uncertainty is an event that may or may not happen in the future (if something happens, it is not a risk); Second, it has an impact on the goal. If something happens, it has no effect on your goal and does not belong to the category of risk; The third is the impact, including positive (based) and negative (risk). The object of risk management is generally aimed at negative risks.

According to GJB/Z.

17 1-20 13 the process of risk management is generally composed of risk planning, risk assessment, risk response and risk monitoring. Among them, risk assessment includes risk identification, risk analysis and risk assessment.

1) risk planning

Risk planning provides a basis and arrangement for risk management by establishing a risk management framework and defining various activities of risk management, which generally includes: defining internal and external environmental information of the project, determining risk management roles and responsibilities, defining risk criteria, planning risk management resources, and formulating and maintaining risk management plans. Most of the contents are clear at a glance. Let's explain the "risk criteria" below.

Risk standards provide a benchmark for the project to determine the risk level or evaluate the risk response effect, generally including the possibility level determination standard, the consequence level determination standard, the risk acceptance standard or the risk review standard. The following are some examples of criteria (not necessary, each enterprise can define its own risk criteria according to its own characteristics).

Figure 1 is a matrix diagram based on the possibility of risk occurrence and the severity of consequences. In the matrix, risks are divided into three levels: high (1), medium (2) and low (3). Among high risks, (1) it is necessary to formulate risk response measures, prepare detailed risk response plans, and concentrate project resources to deal with them; Medium risk (II) needs to formulate risk response measures and deal with them after comprehensively considering the costs and benefits of the response measures; Low risk (III) You don't need to formulate countermeasures and take special response activities, but you can monitor them regularly.

2) Risk assessment

Risk assessment includes three steps: risk identification, risk analysis and risk assessment.

Risk identification is to generate a risk list by identifying the source of risk, scope of influence, events and their causes and potential consequences, which generally includes: selecting risk identification methods, dynamically identifying risk events, and recording the process and results of risk identification. Appropriate risk identification methods should be selected according to project objectives, environmental information, available data, theories and methods and expert opinions. Common methods include brainstorming, Delphi method, scenario analysis, list method and so on. (See GJB/Z 17 1 Appendix D for details). The dynamic identification of risk events focuses on "dynamic", that is, at each development stage, the "residual risk" of the previous stage should be evaluated first, then the new risks of that stage should be identified, and finally the risk analysis and evaluation should be carried out together. Only by dynamically identifying risks can we ensure the comprehensiveness and scientificity of risks.

Risk analysis is a qualitative and quantitative analysis of identified risks according to the types of risks, the information obtained and the purpose of using risk assessment results, which provides support for risk assessment and risk response, and generates analysis records of the possibility of risks and the severity of consequences, generally including: selection of analysis methods (see GJB/Z 17 1 Appendix D for details), consequence analysis, possibility analysis and uncertainty.

Risk assessment is to compare the results of risk analysis with risk standards, or to compare the results of various risks to determine the risk level, so as to make decisions on risk response and form a risk ranking list, which generally includes determining the risk level, ranking risks and recording the process and results of risk assessment.

The ultimate goal of risk assessment is to provide input for risk response, so risk assessment must be objective and true to meet the needs of risk response, otherwise further analysis is needed.

3) Risk response

Risk response is to control the risk within the acceptable range of business stakeholders by selecting and implementing appropriate risk response measures, which generally includes: selecting risk response measures, formulating risk response plans, implementing approved risk response measures or plans, and recording the risk response process and results.

Risk response measures are generally divided into four categories: ① risk avoidance: eliminating risk sources, such as changing design schemes, technical requirements and specifications; (2) Risk reduction: acknowledge the risk and try to reduce the possibility of the risk or the degree or scope of the consequences; ③ Risk transfer (sharing): transfer (sharing) all or part of the possible consequences of the risk to other business stakeholders, such as subcontracting or insurance; ④ Risk taking (acceptance): It is judged that the risk is tolerable and acceptable. Generally speaking, countermeasures should be formulated for high risk (I) and medium risk (II), and special countermeasures may not be formulated for low risk (III).

For unacceptable high risk (i), a detailed risk response plan should be prepared separately for the identified risk response measures, and submitted to the person in charge of project management or the risk management committee for approval. The content of the risk response plan should be practical, measurable and reliable, and as detailed as possible, so as to take concrete response measures according to its description. For medium risk (II) or low risk (III), a separate risk response plan is generally not prepared.

4) Risk monitoring

Risk monitoring is a process of monitoring and reviewing risk status, feeding back and recording risk information. Its purpose is to ensure the continuous and effective risk management process, which generally includes: monitoring identified risks and their residual or secondary risks, dynamically identifying new risks, recording and feeding back risk monitoring information, and conducting risk review.

The content of this part is also very clear, but there are several concepts that need to be explained: residual risk refers to the residual risk after risk response. Secondary risks refer to other risks arising from the implementation of risk response measures. Risk assessment is an activity to confirm the suitability, sufficiency and effectiveness of risk management related matters in weapons and equipment development projects in order to achieve the established goals; Risk assessment can be carried out independently or in combination with other professional assessments, quality assessments or technical reviews.

Second, risk management.

GJB/Z 17 1 introduces the work of risk management in detail, gives the risk management work in each stage of weapons and equipment development project, and provides templates such as risk management plan, evaluation report and register. After learning these contents, can you do a good job in risk management of equipment development projects?

This is by no means the case. The knowledge of risk management in equipment development is not difficult to understand, but how to implement effective risk management in equipment development is another matter. When the system based on GJB 900 1C-20 17 was changed, most enterprises were trained in risk management. However, the author still found various risk management problems during many audits, such as failure to identify risks from the perspectives of technology, schedule, capital and quality, which led to incomplete risk identification. Risk identification in the review of sales/purchase contracts is often "risk-free"; In the process of project implementation, a lot of communication has been made on the progress delay, but there is no typical phenomenon of two skins of progress risk in risk management; The risk identification and countermeasures in each stage of equipment development are completely consistent, which fully shows that the risk management of equipment development is only a formal state to deal with audit, and often does not reach a serious formal level.

Third, the cause analysis of the problem

The main reasons for these problems are "unwilling to do" and "unable to do".

1) unwilling to do it

Increasing the workload can't see the effect: many military enterprises are already full of tasks, and the new standard requires risk management outside the equipment development work, forming a series of reports, which invisibly increases the workload, but can't see the effect of risk management, so the project team is relatively exclusive, but the internal and external audits of the quality system have to be checked, which leads to the strategy of most project teams to deal with things. As long as the system is audited, the quality of risk management is irrelevant.

Affect the work process: if too many risks are identified in the review of sales contracts and purchase contracts, it will lead to the attention of leaders in the examination and approval. Why are there so many risks, how to deal with these risks, and whether the contract can be signed? These problems will increase the operator's extra workload, but also greatly delay the process of contract approval, which directly leads many employees to ignore the risks intentionally or unintentionally, which seems to reduce the workload and speed up the process, but it has buried many hidden dangers for the subsequent contract implementation.

It doesn't matter much if you don't do it seriously:

In the process of equipment development, the quality of risk management has little influence on the implementation of the final contract. For example, when the schedule is tight, the delivery can be handled through communication and coordination, and the contract is rarely strictly implemented because of the delay of the development cycle. If the technical risks are not solved well, they can also be solved through expert discussion and review; The risk of capital can also be balanced in many cooperations, and so on. However, with the gradual implementation of various systems (for example, the qualification examination of equipment contractors pays attention to contract performance, and the qualification of equipment contractors is also included in the list of dishonesty due to "development delay"), poor risk management may also have a great impact on enterprises.

2) can't do it

I don't know the law of promoting new things: any new thing will be introduced, cultivated, promoted and repeated for a long time before it is finally accepted by people. This is especially true for management work, which generally goes through "establishing rules and regulations->; Publicity and training-> Commissioning->; Check and correct-> Run-> Check and correct-> Run-> ..... "process, need to be in the" run->; It took 2-3 years (or even longer) for the link to be finally accepted by the public. However, many quality people don't know enough about this "long-term process", so they started trial operation after publicity and training. After repeating the same question several times, they arbitrarily thought that the project leader was "weak in quality awareness" and "weak in responsibility", and then they became numb. They have no motivation to take further measures to guide or motivate project leaders to implement standard requirements, and the risk management of equipment development is stagnant (in fact, many management tasks are related to this).

Solve the existing wrong thinking first: In the initial stage of promoting the risk management of equipment development, many quality people adopted a wrong method of "solving the existing problems first", and first organized everyone to prepare risk management plans, risk analysis reports and other documents to meet the system requirements, temporarily ignoring the specific situation of risk management, which is also one of the reasons for the ineffective implementation of risk management. This method artificially increases the difficulty of management, and changes the one-time education cost of "risk management" into two education costs of "compiling risk management documents" and "implementing effective risk management". In many cases, after completing one-time education (compiling risk management documents), quality personnel and project teams also lose the motivation to continue deepening, which leads to the current situation of risk management in equipment development.

Improper publicity and training: From the learning process, a complete training should at least include the following links: training, demonstration, evaluation, inspection, error correction/encouragement of progress, and the real training purpose can only be achieved after repeated times. However, many trainings only organize everyone to listen to the teacher's lectures and organize the effect evaluation according to the requirements of the quality system (whether the effect can be evaluated). As for demonstration, follow-up inspection, correcting mistakes/encouraging progress, there is nothing at all. What are the consequences? Training is organized. Can everyone do it? Still no, everyone is concerned about whether they have an operation, but no one is concerned about the consequences of the operation.

Four. Suggestions on risk management

1) to create an environment, the risk of equipment development must be really improved.

In ancient times, the crusade against governors paid attention to "clear meaning", but in modern times, we must first solve the problem of "necessity". In terms of external environment, the "E2 Contract Performance" in the Detailed Rules for the Implementation of Qualification Examination of Equipment Undertaking Units pays great attention to the timely performance of contracts, and the "Development Delay" in the List of Equipment Undertaking Units has been included in the general management of dishonesty, which puts forward clear requirements for the schedule risk of equipment projects; High-intensity actual combat assessment requires higher equipment quality, and also puts forward requirements for risk management and control of equipment technology and quality; The fund management in normal audit work is more and more strict, and the risk management of funds is also imperative. These contents require that the risk management of equipment development must be effectively promoted.

The internal environment is more critical, because the external environment puts pressure on the enterprise, and the enterprise must transmit the pressure to the front-line personnel of equipment R&D and production, instead of becoming an insulator, resulting in pressure interruption. Therefore, it is necessary to create an atmosphere through publicity and training, supervise the implementation, and create a "field" conducive to promoting equipment development risk management through performance appraisal and rewards and punishments, so that all employees can realize that equipment development risk management is very important and must be done to solve the "necessity" problem.

2) Strengthen training through continuous follow-up.

Combined with the above training, we will continue to strengthen risk management training. Invite industry experts and quality backbones to "train" front-line personnel in equipment development, emphasize the integration of risk management and equipment development, and enhance risk awareness and risk management skills; Prepare risk management document templates and work instructions for the actual business of enterprises as "demonstration" samples to provide effective guidance for business personnel; In view of the training effect, it is suggested to "evaluate" the effect by means of assessment to ensure that relevant personnel know how to carry out risk management; By means of system audit and special inspection, the risk management of equipment development is "checked", the problems found are "corrected", and the good behaviors found are commended and encouraged. This kind of checking, correcting/encouraging behavior needs to be repeated many times. In the process of repetition, further measures (retraining, modifying templates/instructions, etc. ) to ensure the final training effect.

3) Persist for a long time until the improvement is completed.

Promoting a new thing is a long-term process, so we should have a clear understanding of it and follow the principle of "establishing rules and regulations->"; Publicity and training-> Supervision and inspection->; Repeat the "correct/encourage" model. Through 2-3 years or even longer efforts, all employees can cultivate the habit of risk management in equipment development, which completely solves this problem.

Five, the last sentence

Not only in the field of equipment development project management, but also in the field of enterprise operation and management, formal risk management often appears, and the management mode of "handing over homework" can not play a good role. Huawei has three experiences in risk management: first, it can identify risks; Second, after identifying risks, we can honestly handle risks and not speculate; Third, when risks do occur, we should be able to react quickly and not be afraid of them.

I hope all enterprises can deal with risks with a "pragmatic" attitude, and I also wish all enterprises can successfully deal with all the risks they face in the future like Huawei.