Question 1: “I’m speaking with Ben Hirschenfang, a former Deputy Program Director at the Lockheed Martin Corporation.  What is your background in Risk Management?”

Risk Management and Risk Assessment are prevalent in many industries. My association is within my 35 years in the aerospace industry,mainly with Lockheed Martin. My earliest association with Risk Management came in the early 1980s, applying the US Navy’s “Willoughby Templates” for risk management to transition from product development to production.  Mr. Willoughby brought a culture change to the Navy. He preached early identification of technical risk so it can be mitigated rather than taking a "wait and see what happens" approach.  All the programs at Lockheed and most U.S. Aerospace companies require an up to date Risk Management Plan. One of my responsibilities was to manage the plan for my program. I was responsible for approval of the risk management plan, leading the risk management process and meetings, and ownership of risk mitigation/contingency planning and execution.  

‍

Question 2. What exactly is Risk Management and what are the steps involved?

The overall risk management approach follows the standard risk management model which is to…

1. Identify the risk: “If this happens, the result could be…”. The resulting risk could have an impact on public health, safety, cost, schedule, and customer satisfaction.
2. Analyze the risk: What is the probability of occurrence if no mitigation plans are enacted and what is the consequence (severity) of the occurrence?  Past history and statistical analysis are used to determine probability of occurrence.  Consequence can be plotted out on a numerical scale where “0.1” might be minimal consequence and “1.0” may be a catastrophic consequence.  Multiplying these two numbers together allows for a quantitative ranking of the risks in the simplest manner. This provides a quantitative result instead of subjective ranking of risks.
   Taking it to the next level, companies, program teams, and service teams look to spend limited resources most effectively (return on investment).  Risk ranking is best accomplished here by quantifying the resulting impact of each risk. This is done by using the same probability of occurrence x consequence (severity) of the occurrence as I mentioned, then multiplying that number by the quantified impact of the risk (again in cost, public health, etc).  That enables a cost/benefit analysis approach in the quantitative ranking.
3. Plan the risk mitigations: What steps could be put in place to mitigate the risks?  Preventative actions are planned in the process steps, control points, measurement requirements, and risk “step-down” points where the risk probability is planned to be reduced upon specific action completions.  For example, if a temperature monitoring device and process are documented and put in place, at that point, the probability of occurrence may step down to a lower value.
4. Monitor and Control the Risk: During risk monitoring and control, plans are implemented,and monitored. Measurements are taken where applicable, and results are reviewed to confirm proper control.  As the steps are implemented and proceed as planned, then the risk might be numerically reduced along the process as part of the pre-determined plan.

Question 3. So how does Risk Management apply to Food Safety for example?

Food Safety is a public health risk that needs to be managed. HACCP (Hazard Analysis Critical Control Points) in itself is a type of Risk Management Tool. The HACCP Approach is a risk mitigation planning approach. It utilizes a decision tree to determine risk in a subjective manner and establishes “control points” to mitigate risks.   Coincidentally, like the Willoughby Templates for Risk Management, the HACCP concept was also developed by NASA and the Pillsbury Company in the 1960s, while working with the US Army Laboratories to provide safe food for space expeditions.

Risk Assessment is the best method to apply a quantitative method for determining the significance of a hazard in a repeatable way.  It utilizes a singular, common mathematic method for determining a hazard and sets guidelines for actions based on the result. It's not enough to just have a risk matrix, in food safety or any other compliance-related process. You need a team in place to analyze the risk and utilize the data to make the decisions. There is always "tweaking" (adjusting) based on other factors and human experience. HACCP is about commonsense. Risk will help to automate it and give a consistent, auditable, andlogical result.

Question 4. If Risk Management is important, should it be documented?

Absolutely. All identified risks should be documented and entered into the risk register (an Excel spreadsheet), and retained for future use.  It should include:

1. Risk identification number
2. Risk Owner (person/persons responsible for the risk and mitigation plans)
3. Risk Identification Statement: “If this happens, the result could be…”
4. Potential Outcomes: such as Severe Illness or Death; Reportable to CDC, Negative publicity; Loss of X% of returning guests”
5. Probability of Occurrence
6. Consequence/Severity of Occurrence
7. Quantitative Impact: such as Medical costs, Potential lawsuits, Additional government oversight/cost, Cost of negative publicity on future cruises, Loss of returning guests
8. Risk Strategy: Mitigate, Transfer, Accept (Mitigate requires a plan, Transfer moves the risk to another responsible entity, and Accept acknowledges that there are no planned risk mitigations and that the risk may occur.)
9. and finally, the Risk Mitigation Plan: a detailed plan with the actions necessary to mitigate the risk that may include step-down points that lowers the risk along the way.

Question 5. Can you show an example on how this works?

Risk Probability Example

Risk Consequence/Severity Example

Risk Probability and Consequence Matrix Example

• Risks that fall into the red-shaded cells of the matrix are the high risks and therefore highest priority.
• Risks that fall into the yellow-shaded cells of the matrix are medium risks.
• Risks that fall into the green-shaded cells are low risks.

Question 6. Where else besides Food Safety can Risk Management be applied on a cruise ship?

Almost everywhere, but for example, Potable Water processes, Recreational Water chemical controls, and all the other items checked on the CDC’s Vessel Sanitation Inspection Report.

There is the electronic version of that report with GPHS.  It has conditional formatting that highlights areas of excellence and areas requiring corrective action in Green, Yellow, and Red, accordingly.  Just like the Risk Matrix!  This allows management to focus resources on problem areas, and reward excellence.  It also enhances records retention, precluding the handwritten forms from being kept as paper files.