
Thursday, December 15, 2011

Three steps to developing a sound SIPOC diagram


Overview Handout

Purpose: The purpose of a SIPOC Diagram is to define and document the key elements of an activity. This includes Customers/Requirements, Outputs, Process Steps/Requirements, Inputs and Suppliers.

Materials: SIPOC overview handout, whiteboard, worksheets, flipcharts, PowerPoint (not preferred as it can take away from engagement and participation), Posters, PostIts™ (or my favourite, coloured sticky arrows – which are then placed on a large, blank, laminated SIPOC chart)

Time: Varies. Plan for at least two hours based on the complexity of the process, the knowledge of the participants of the process, and their previous experience creating SIPOCs.

Step ONE: Get everyone on the same “purpose” page
Note 1 to facilitator: Do this step even if working with a knowledgeable group by reviewing the elements critical to conducting a successful SIPOC session.
Use this review as a means of setting a positive tone and developing a “conversational” style of facilitating the session.

The five critical elements to a good SIPOC are:
1.   Provide participants a brief overview of the SIPOC structure and how important it is to manage its use across a range of purposes.
Apply the Covey principle “begin with the end in mind”– SIPOCs are flexible tools and can be focused on achieving a range of purposes – such as project planning, or vulnerability mapping or organisational restructuring. So be mindful – ask how will you USE this SIPOC?

2.  The challenge for service industries (as distinct from making widgets) is to think beyond the process column (where many SIPOCs start). The challenge for individuals is to think outside of their square.

3.   When recording on the SIPOC use only as much detail as needed to understand/communicate effectively.

4.   Record the agreed purpose of this SIPOC session – make the agreed purpose the label of the “car park”. The “car park” is an area of white space, such as butcher’s paper or a whiteboard on wheels, which is structured to capture – as they relate to the SIPOC element being mapped at the time - (1) assumptions (2) constraints (3) risks and (4) decision criteria

5.  This is not an academic exercise - define how things really get done, not how we might want them to be.

Step TWO: Establish the Framework
Note 2 to facilitator: Groups sometimes prefer to be more “organic” than systematic. Be flexible and accommodate as long as the entire SIPOC form is completed with enough detail to understand the process. Be flexible and use plain language. Write it down, and then ask open-ended, clarifying questions to get it right. Place the “thing” or “issue” on the SIPOC at a place of best agreed fit. Challenge the status quo, test the understanding of the process, and encourage dialogue.

Note 3 to facilitator: A challenge from here on in this process is to keep the group at a high level and not allow them to get too granular. The detail can come later in the process flow diagram mapping, or you can go back and break each key process step into sub-steps and SIPOC them. (It depends on the purpose of the SIPOC and the complexity of the process.)

Use the SIPOC framework (on the wall chart, computer, whiteboard, worksheet, or flipchart).

1.     Seek permission and agreement from the group to start “backwards from the right” - from the Customer column.
  • Identify customers (some will be stakeholders with specified needs to be met which are contractual or legally obligatory - other stakeholders may have a more indirect and general interest, needing only to be appropriately informed).
  • “Back into” the customer requirements column by now clearly stating the requirement(s) of each stakeholder. 
(This two set customer column should be reviewed whenever something changes – so that the ripple effects can be mapped and managed.)

2.     List the outputs from the process which will deliver the requirements of the customer – and collectively, achieve the required outcome of the activity.

3.     Structure a process which will deliver the outputs effectively and efficiently.
  • Clearly identify the START of your process (cue, prompt, trigger that requires you to act).
  • Clearly identify the END of your process (how do you know you are done?).
  • List the 3-5 (NO MORE THAN 7) key steps in the process being mapped.
  • Incorporate feedback loops – how will you, your customer, your supplier communicate?
(Record: Process name; Process owner; Process performance measures/metrics – structured to inform improvement opportunities; any known operational definitions of key process elements; any known assumptions/constraints and immediately apparent risks - record in “car park”)

Note 4 to facilitator: Remind the group that the assumptions and operational definitions are ongoing lists and may be added to as needed during the session. The idea is to make sure that everyone is working on the same sheet of paper and means the same thing when using a term, and that assumptions are made visible, discussed, and validated or challenged as appropriate.

4.     List the inputs into each step of the process
  • List the requirements of each input (your view – the person doing the work)
  • List the supplier of each input of the process

5.     List or highlight the Critical-to-Quality (CTQ) elements for the process

Step THREE: Check your work
Review the completed SIPOC.
Verify all key components are completed/addressed.
Determine Next Steps/Action Plan.
Make sure all assumptions are visible, discussed, validated, and documented.
Document operational definitions of terms, symbols, acronyms, equipment, standards, etc.
Do not forget to identify your information/communication loops and feedback mechanisms.
Document source specifications, standard operating procedures, and/or references for your process.
Review where you need to have Service Level Agreements (SLAs) – between you and supplier, you and customer.

Saturday, December 10, 2011

Friday, December 9, 2011

"I get knocked down ... I get up again"

One of our favourite clients was recently hit by a significant fire (see video below).


The conclusions of the report to their governing body highlighted that: 

"The early initiation of the Business Continuity Plan proved effective. A well managed and strategic approach to decision-making was evident. The Crisis Management Team was engaged at an early stage and managed the situation in a structured and strategic manner. The Business Continuity Plan worked well, and adequate administrative support and equipment was available."
(Reference: Report OCM.109/11 of 20 September 2011 on 'Portable Office Building Fire 15 June 2011', Section 5.3 Page 3).

The structure invoked and applied is based on EPCB's "Buttress" methodology.
The Buttress Software Package, which is available as an immediate download (Database, Instructions, and Planning Template), is currently discounted - for less than $100 - plus another 10% off if you insert the Coupon X147.

Thursday, December 8, 2011

EPCB releases heavily discounted Business Continuity and Crisis Management Software

EPCB is pleased to announce the release of the new Beta version of Buttress™
 
Buttress™ will help you understand your risks, evaluate your exposures, and take timely action. It is based on an easy to use Access Database which focuses on the vulnerability of your resources - to ensure you are more resilient to any source of risk – and to enable you to bounce back effectively.

As an integrated business continuity and crisis management package, Buttress™ has three distinguishing features.

First, it focuses on the things you need in order to run your business effectively. That is your resources – the assets, people, skills, information (electronic / non electronic), technology (including plant and equipment), premises and supplies which underpin your critical activities. This ensures an alignment with best practices business continuity standards, which have moved their focus away from hazard events towards business vulnerabilities.

Second, Buttress™ has a significant mitigation component – which empowers you to reduce your vulnerability before an incident – to build resilience into the structures and functions of your business.

Third, Buttress™ supports the decision making processes to manage the consequences of impact after an incident.

In summary, whether it is mitigation before an incident or crisis management after impact, Buttress provides a platform which allows straightforward data entry and the production of tailored reports to meet your decision making needs.

The Buttress™ package is made up of an Access Database, PowerPoint Guidelines (PDF), and a Crisis Management Planning Framework (PDF). It is available for immediate download as a Zip file.

At under $100, this current software offering is a heavily discounted Beta version which has been validated by EPCB clients across both the public and private sectors over the last two years. (Clients who had been significantly impacted by extreme events – fires, floods, and reputation loss. Clients who knew they needed a better approach.) To take advantage of this offer, go to the secure purchasing site.

Tuesday, December 6, 2011

National Emergency Risk Assessment Guidelines (NERAG)

The National Emergency Risk Assessment Guidelines
(Click above for a free PDF download of the Guidelines)

Thursday, May 5, 2011

"Enterprise Risk Management" - COSO or ISO 31000

I have been recently asked to conduct a "workshop" on "Enterprise Risk Management". You know, the "COSO thing" which was a reaction to poor financial management. Followed by SOX et al. Ended up being a tick the box exercise for too many - and we had continued uncertainty and poor risk management. Not a good combination - as the latest financial crisis demonstrates.

So I was initially a little skeptical. Old wine, new bottles - maybe even a "corked" wine. However the organisers have been kind enough to steer away from a narrow, linear promotion of doctrine. Instead, I will facilitate the exploration of using the international risk management principles and guidelines (ISO 31000) to achieve enterprise-wide risk management outcomes. Ha! I hear you scoff - "that's hardly different". Well my friends, having worked in a few places and been around the traps for a few years I can tell you - not many entities actually have a tailored and integrated approach to risk management. Most are still characterised by a mixture of "layer cake" - with the top and bottom not knowing what each is up to. This mix is then pierced by some "silos" - of excellence maybe, but isolation definitely.

Anyway, if the topic appeals, and you are in Kuala Lumpur 5-6 July this year, and you can cover the fee - it would be great to have you as a participant. Regardless, the themes we will explore are laid out below if you just want to peruse and reflect.

Title: Enterprise-wide Risk Management
A workshop on using the international risk management principles and guidelines (ISO 31000) to achieve enterprise wide risk management outcomes.


Introduction to the scope of the workshop
 The risk management space is characterised by having a range of frameworks and guidelines. Many of these risk management frameworks reflect specific industry applications. Sometimes they have been developed to support quite narrow “agenda driven” purposes. Others are a reaction to risk events themselves. However, there are some which reflect a more thoughtful and engaging development. This workshop will consider the strengths of several approaches (such as Enterprise Risk Management, and Business Continuity Management). Further, we will explore how these specific applications can be integrated into a context sensitive application of the International Risk Management Principles and Guidelines to achieve relevant and robust outcomes in support of your entity’s objectives.


Pre-reading
On January 11, 2011, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence – released a new thought paper relating to ERM aimed at providing guidance to help organizations advance along the ERM maturity curve. If participants get an opportunity to pre-read this thought paper, they should find it provides useful background (especially if they are new to this area):



 Key elements and workshop sessions

1.    The maze of Standards, Frameworks, Principles and Guidelines


·         The structure of several specific standards (frameworks, principles, guidelines and standards) – in particular, Enterprise Risk Management COSO; Business Continuity Management BS 25999 and Risk Management ISO 31000.
·         How these different “standards” relate to each other.
·         How they can be harmonized into a nested framework which is aligned to your needs and context.


Learning outcomes include:
·         Knowledge of the structure of Enterprise Risk Management COSO; Business Continuity Management BS 25999 and Risk Management ISO 31000.
·         Understanding how these standards relate to each other.
·         Awareness of issues when translating standards into context.


2.    Gap Assessment

This session will explore:
·         Why it is important, as an early activity, to map where you are against where you need to be (in relation to risk management capability).
·         Identifying the necessary elements which should be measured.
·         What performance criteria for the elements might look like.
·         How the gap assessment might be displayed and communicated.
·         Developing an easy to use tool suitable for your context.


 Learning outcomes include:
·         Awareness of the importance of gap assessment.
·         Knowledge of the core relationship between necessary elements to be measured and sufficient performance criteria underpinning those elements.
·         Knowledge of how gap assessments might be displayed and communicated.
·         Knowledge of how to develop an easy to use tool suitable for your context.


3.    Decision Making

This session will explore:
·         What characterizes good decision making.
·         Whether risk management is just good problem solving re-badged.
·         Why analytic – deliberative processes are crucial.
·         Some tools and techniques for good decision making.


Learning outcomes include:
·         Awareness of what characterizes good decision making.
·         Knowledge of what differentiates risk management from good problem solving.
·         Awareness of why analytic – deliberative processes are crucial.
·         Knowledge of some tools and techniques for good decision making.

4.    Risk Criteria

This session will explore:
·         Developing risk assessment criteria.
·         Developing risk treatment selection criteria.
·         The criticality of context when developing risk criteria.
 
 Learning outcomes include:
·         Understanding a range of issues involved in the development of risk assessment criteria.
·         Understanding a range of issues involved in the development of risk treatment selection criteria.
·         An awareness of critical, context sensitive factors when developing risk criteria.


5.    From Principles to Integrated Implementation

This session will explore:
·         Different models for implementing Enterprise-wide Risk Management
·         Key issues of stakeholder engagement, marketing and training.
·         Drafting an action plan for an Enterprise Risk Management initiative


Learning outcomes include:
·         Awareness of the advantages and disadvantages of different models for implementing Enterprise-wide Risk Management
·         Understanding the importance of stakeholder engagement, marketing and training.
·         Knowledge of drafting an action plan for an Enterprise Risk Management initiative


6.    Risk Assessment

This session will explore:
·         The process role of risk assessment.
·         A range of tools and techniques.
·         A particular focus on vulnerability through scenario analysis.
·         Some of the pros and cons - and what can we learn from them.

Learning outcomes include:
·         An awareness of the core role of risk assessment processes.
·         An awareness of a range of tools and techniques.
·         Knowledge of why it is crucial to focus on vulnerability through scenario analysis.
·         Knowledge of lessons learnt from inappropriate risk assessments.


7.    Business Resilience

This session will explore:
·         Leveraging the top three to five foreseeable extreme event scenarios.
·         The advantages of moving away from a focus on extreme events and hazard to a focus on the vulnerability of the things we depend upon.
·         The application of a scalable tool aligned with a best practice Business Continuity Standard (BS 25999).


 Learning outcomes include:
·         Understanding the value of leveraging the top three to five foreseeable extreme event scenarios.
·         Understanding the advantages of moving away from a focus on extreme events and hazard to a focus on the vulnerability of the things we depend upon.
·         Understanding how to apply a scalable tool aligned with a best practice Business Continuity Standard (BS 25999).

8.    Continuous Improvement

This session will explore:
·         How to improve corporate capabilities on an ongoing basis by training and exercising
·         The key role of well designed desktop exercises before any extreme event
·         The key role of sensitively facilitated organization debriefs after any extreme event.


Learning outcomes include:
·         Awareness of the importance of improving corporate capabilities on an ongoing basis by training and exercising.
·         Understanding how to manage well designed desktop exercises before any extreme event.
·         Understanding how to manage a sensitively facilitated organization debrief after any extreme event.