MANAGING RISK

How to Apply the Process Classification Framework (PCF)

Every process has inherent risks that can result in unintended consequences. Understanding the
source of risks, as well as the reliability of a process, allows an organization to plan for and
ideally prevent negative outcomes. In turn, risk management ultimately leads to more
consistent processes.
So how do organizations manage risks? Risk and process analysis can help organizations
understand what could go wrong and what to do about it. By identifying and assessing factors
that may jeopardize success or undermine a strategic goal, an organization can design processes
to manage those risks.

The Risk Management Process

The risk management process typically comprises three main steps (Figure 1).

Risk Management Process

Figure 1

APQC’s Process Classification Framework (PCF)®, in combination with discussion and historical
performance data, can be used to determine which processes are in scope for the risk
assessment and used as the format for the risk assessment spreadsheet.

STEP 1. IDENTIFY THE RISK

A risk is a situation involving exposure to danger exceeding planned process parameters
including cost, time, and delivered features or capabilities. Initiated by anyone, a process risk is
Page 1 of 4

K08340 ©2020 APQC. ALL RIGHTS RESERVED

“identified” when it has been specifically determined, shared with management, and registered
in an organizational system.
There are many sources of risk, and the list changes depending on the source. Organizations
need to expand beyond just financial risk. The common types of risk include, but are not limited
to:

» political,
» economic,
» social,
» technological,
» legislative,
» environmental,
» financial,
» legal, and
» physical.
Organizations can also use historical and external data to identify potential risks.

STEP 2. ANALYZE THE RISK

Risk analysis begins with categorizations (e.g., a risk analysis table) and assessment of potential
outcomes. A risk is “analyzed” when risk managers review the identified risk, assess its
likelihood and impact, and determine severity based on a standardized scale of thresholds.
Risk analysis is usually focused on two variables: likelihood and impact. An item that is unlikely
to happen or wouldn’t be terribly disruptive may not warrant much process improvement or
contingency planning. Consider the approach used by the insurance or disaster recovery
industry. To assess likelihood, an actuary would weigh frequency, predictability, and
forewarning variables. And to assess impact, an actuary would consider duration, consequences,
necessary redundancy levels, and the potential dollar loss.
With a list of potential process risks, an organization can begin gauging whether each risk is
significant or negligible. This is where likelihood and impact are evaluated.
For evaluation of the risk for likelihood, consider:

» Frequency – How often might this risk occur?

» Predictability – Can the organization predict when it will occur (seasonal, peak sales, etc.)?
» Forewarning and onset – How gradually or suddenly will the issue become critical? Can the
organization react in time?
And for impact, consider:

» Duration – How long will the event last (finite or until an action is taken)?
» Consequence – What is affected (product quality, time to deliver, equipment, customer
satisfaction, etc.)?
» Existing and required redundancy levels – What is the cost to implement and sustain
redundancy?
» Potential dollar loss – What is the potential monetary value at risk?
Page 2 of 4

©2020 APQC. ALL RIGHTS RESERVED

Once you have discussed the identified risks to estimate their potential, determine the
likelihood and impact with a simple rating scale (Figure 2).

Quantifying Risk Table

Figure 2

To create a table, risk managers identify the likelihood of the risk along the vertical axis. The
degree of likelihood may require input from subject matter experts and process managers based
on the three questions above. An organization can assign standard percentages, such as 5
percent for remote possibilities, 10 percent for unlikely, 25 percent for possible, 50 percent for
likely, and 75 percent for almost certain.
They then identify the impact of the risk along the horizontal axis. The organization can use the
four questions above to measure impact such as process scope, potential dollar loss, and effect
on schedule. For each question, the organization again assigns standard thresholds for
categorization. For example, in assessing the impact to a schedule, an organization may regard
no additional time as negligible, one day as minor, three days as moderate, a week as major, and
any longer as critical.
For example, a risk that has about a 25 percent (possible) likelihood of happening and will
impact the process by a week (major) would be a level 3 risk.
The organization then plots the value of risk for each process in consideration in a spreadsheet
to assess the potential areas of risk (Figure 3).

Page 3 of 4

©2020 APQC. ALL RIGHTS RESERVED

 Process Risk Sheet Illustrative Example

PCF ID Hierarchy ID Process Name Type of Risk Overall Risk Likelihood Impact Method to Address
10003 2.0 Develop and Manage Products and Services technological 3 likely moderate contingency planning
19696 2.1 Govern and manage product/service development program social 1 remote minor accept
10061 2.1.1 Manage product and service portfolio financial
3 possible moderate mitigation
10067 2.1.2 Manage product and service life cycle economic 4 almost certain moderate contingency planning
19985 2.1.3 Manage patents, copyrights, and regulatory requirements legislative 2 possible minor accept
11740 2.1.4 Manage product and service master data technological 5 likely critical transfer

Figure 3

Typically, organizations will first focus on the “red” or level 5 risks and then work through other
risks until the risk exposure seems acceptable.

STEP 3. RESPOND TO RISKS

Risk managers follow organizational protocol depending on the likelihood and potential impact
of the risk. The organization may brainstorm possible mitigation and contingency actions before
determining the desired response, be it altering or suspending a process.
There are many ways to deal with risks, but the most common ways are:
1. Mitigation – Find ways to eliminate it or reduce its likelihood or impact in the process
design.
2. Contingency Planning – Prepare for the risk with known responses so that you are ready if
they occur.
3. Transfer – shift to other parties (e.g., insurance, outsource)
4. Accept – recognizing and accepting potential impact from risk

ABOUT APQC
APQC helps organizations work smarter, faster, and with greater confidence. It is the world’s
foremost authority in benchmarking, best practices, process and performance improvement,
and knowledge management. APQC’s unique structure as a member-based nonprofit makes it a
differentiator in the marketplace. APQC partners with more than 500 member organizations
worldwide in all industries. With more than 40 years of experience, APQC remains the world’s
leader in transforming organizations. Visit us at https://www.apqc.org/, and learn how you can
make best practices your practices.

Page 4 of 4

©2020 APQC. ALL RIGHTS RESERVED