Everything from regular daily operations to crisis management deserves forethought

Every company takes on risk. The assessment of risk depends on circumstances and the level of leadership’s comfort.

The key is whether the organization manages risk or lets risk dictate the course of action.
Risk often is associated with a new project or initiative. However, risks also apply to daily core operations. This is why risk planning is an integral piece of operations management.

A risk planning program considers what could happen, analyzes potential impact, outlines how to mitigate potential impacts and forges a path to avoiding the situation in the future.

Consider how a precast plant that does not practice risk management would respond to the following:

  • A coarse aggregate supplier experiences critical equipment failure. As a result, shipment is delayed three days.
  • A storm knocks out power for two days.
  • A facility’s lone quality control lead, the person who has spent years as the QC expert on site, turns in their two-week notice, taking all of that knowledge out the door. It has been nine years since the most recent written update of the QC processes.

The results are sure to include some long meetings, even longer days, extra work distributed throughout the plant and heightened stress shared by all. Some companies pride themselves on being able to pull through challenges and meet business demands – even wear it as a badge of honor.

The reality is these challenges are self-inflicted and only occurred as result of a lack of planning. The effects of failed risk management goes far beyond any singular incident. Reduced quality, inefficient operations and employee turnover due to heightened stress ultimately cuts sharply into the bottom line.


Risk planning includes all actions to control risk and the impact that the risk may have on a business, its personnel and the brand. The risk planning process comprises the following steps:

  • Risk assessment
  • Risk mitigation
  • Risk monitoring


Definitions differ for risk assessment depending on the industry and functions involved. However, they all have at least one of the following things in common:

  • Risk identification
  • Analysis to determine the frequency and impact of those risks
  • Risk evaluation

Identifying risk typically involves a team of experts walking through a process to identify potential dangers. The list is analyzed and evaluated so that risk mitigation efforts are leveraged in order of which poses the greatest threat to the organization.

A straightforward tool to complete this analysis and evaluation is the 5-by-5 risk matrix.

A 5-by-5 risk matrix defines boundaries and provides an objective score for each risk in order to provide an action list.

This evaluation is a prerequisite for starting risk mitigation activities. It does not, however, stand alone.

For example, an aggregate delivery delay would have a major impact on any facility. However, the probability is unlikely (medium, 8).

A precast plant in an area prone to weather-related power outages may deem the probability as almost certain and the impact as severe (extreme, 25). A facility in an area not prone to such storms would have a much lower number.

A QC leader resigning with little notice may have a severe impact but is unlikely due to employment history and overall morale (high, 10).

These are examples of how the same situation may require different levels of attention based on a facility’s circumstances.


Now that risks are identified, there are several options to determine how to proceed with mitigation. It is important to remember that not every defined risk needs to have an action plan right away. Instead, focus on the most severe and most likely risks first. Some situations may not even be addressed until future exercises.

Each risk can be:

  • Accepted. Acknowledge that the risk exists but intentionally decide not to take any actions to mitigate the risk.
  • Avoided. The requirement or process causing the risk can be removed.
  • Controlled. This is a decision to take action to mitigate the risk directly or indirectly.
  • Transferred. Shared with or completely offloaded to another party.

When acceptance, avoidance or transference are not an option, risk needs to be controlled. For example, a precast plant may choose to invest in backup power generation for essential equipment while choosing to take no action toward an aggregate supply chain or personnel departures.

Depending on a risk’s impact, a team may be needed to develop an action plan to ensure that the appropriate actions are being considered across the different functional areas. Once the action plan is determined, actions are assigned and tracked to close the gaps and take advantage of opportunities to improve the plant.

Load improvement actions into a task management system in order to assign an owner, a due date and have a recurring method to ensure that the appropriate progress is being made. This means written processes – not relying on any worker’s or workers’ memory.

If the identified risk involves more complex effort, such as in the example with the generator, a project management approach can break down the effort into value-add parts, establish milestones, manage resources and drive project implementation.

At this point, risks are identified and actions are taken to implement the upgrades needed to close out that risk, but the process still isn’t done. A properly executed risk planning process includes ongoing risk monitoring and iterates through the planning process regularly, or as needed.


Risk monitoring starts as the team determines the actions to address identified risks. After all, what good is acting to eliminate a risk if there is no way to know if that action achieved the desired end state

Monitoring typically is not considered until after the work is done. This critical piece of the process is what validates the efforts taken, provides concrete proof that risk has been managed and is the information to allow for data-based decisions.

Risk monitoring includes two elements as appropriate depending on the risk: metrics and reviews.
The first step is to define the metric – number of days missed, number of complaints, percent of target, etc. Who is accountable for the performance of the metric, and at what frequency is the metric reported?

“That which is measured improves,” writes British mathematician and statistician Karl Pearson in Pearson’s Law. “That which is measured and reported improves exponentially.”

The number of metrics tracked tends to grow over time, so it is a good idea to define the targeted success early and, once reached, consider celebrating and then retiring the metric.

For example, a plant that identifies employee absences as a risk worth mitigating can start a program to reward attendance. The incentive program’s impact is measured by monitoring the difference in missed days and production.

Sometimes, risk gap closure is not something that can be tracked with a meaningful metric. For example, increasing the number of approved aggregate suppliers from one to two.

In these cases, implementing a periodic review may be more beneficial to ensuring that the risk remains sufficiently mitigated. Regardless of the method, a monitoring process ensures that a risk remains acceptably mitigated and may inform additional actions.


The next step involves a practical discussion of the risk planning process. Because every plant is in its own unique state and condition, the resulting discussion must be tailored to that individual facility.

There are many ways to organize a methodical review of plant operations: value stream and function.

According to the Project Management Institute, “a value stream is the set of actions that take place to add value for customers from the initial request through realization of value by the customers.”

A precast plant value stream includes the following:

  • Raw material acquisition
  • Supplier risks
  • Quality control
  • Production planning and preparation
  • Design and engineering
  • Production capacity
  • Production
  • Health and safety
  • Production practices
  • Quality control and assurance
  • Equipment maintenance
  • Logistics and transportation
  • Storage capacity
  • Delivery scheduling
  • Transportation risks
  • Installation
  • Project coordination
  • Contractor capability

There also are some aspects to be considered throughout the value stream.

  • Customer relations and communication
  • Contracts
  • Expectation management
  • Problem resolution
  • Environmental and regulatory compliance
  • Environmental impact
  • Compliance
  • Continuous improvement
  • Post-installation evaluation / feedback
  • Lessons learned
  • Corrective actions

An alternative approach is to assess risk by function. A list of functions may include:

  • Sales and marketing
  • Operations
  • Financial
  • Project management
  • Cybersecurity
  • Supply chain
  • Legal, compliance, regulatory
  • Workforce and personnel
  • Business continuity
  • Weather and disaster recovery

Regardless of the approach, a cross-functional team must complete the risk planning process together. Each department will view the same risk area with a different perspective, and by working as a group provides the most comprehensive assessment, mitigation strategy and overall reduction in risk to plant operations.

Risk planning, when executed correctly, is an ongoing process to incrementally improve the business while reducing or eliminating risks. The process may integrate well with an already established continuous improvement program or quarterly planning process.

The entirety of the risk planning process does not need to be perfectly implemented and executed from day one. However, it is critical to get started and take the first step.