Six Sigma and Risk Management

In a recent paper, Six Sigma consultant and author Michael Young argued that:

There is a synergistic relationship between ERM and Six Sigma. The continuous improvement methodology assists leadership in managing both the operations of the organization and the inherent risk associated with it. Six Sigma is not “something else to do,” but rather a robust framework in which an organization can manage its risk across the enterprise.

That makes sense to me. If Six Sigma is essentially a statistical approach to managing and reducing variance, and risk is another word for variances that impact a business, then Six Sigma would reduce risk. There may be areas of risk management that are not so susceptible to statistical analysis - regulation and reputation spring to mind - but where Six Sigma can make outputs more predictable, that does means less risk.

One way to critique an argument is to ask if the world around you conforms to the expectations of the argument. Think of it like a scientific hypothesis and a scientific observation - does the world actually look the way we say it should look? When I look for instances where Six Sigma is pursued as a facet of ERM, I come up blank, though maybe that is because I am looking only at world of communication providers. If anything, I would expect ERM and Six Sigma to be treated as competitors for management attention in most businesses, not least because there are not going to be many ERM practitioners who are also Six Sigma Black Belts.

Can the two be integrated in practice? As Six Sigma requires measurement, a major stumbling block is that ERM accepts there are risks that can be described and discussed qualitatively, without any expectation they be formally quantified. Spending a lot of time and resource calculating the probability of a future event may not be worthwhile, if the reliability of the prediction is going to be limited. The weather and stock markets provide ample evidence of the difficulty of forecasting complex systems, and those are systems where a lot of data is available. There will never be similar levels of intelligence when predicting the next move of a competitor, or a regulator, and reducing their behaviour to a mathematical analysis is also going to be a formidable challenge, begging the question of whether a golden rule of ERM is broken before you even begin: only mitigate risks where it is cost effective to do so.

On the other hand, if any business has lots of data, it is a communications provider. This data should be susceptible to long-run analysis. Imagine a retail provider analysing how calling patterns change as a customer gets older. Could it draw inferences about how people will behave when they are 40, based on the calls they make when they are 30? Perhaps not, because prices and technology changes too rapidly. But perhaps it is possible, and nobody ever retained enough data and applied enough science to the subject to see the patterns that exist. If the example seems wild, bear in mind that fraud managers do much the same thing for a very specific subset of network activities - they are looking into data and searching for patterns where the historic trend suggests a subscriber's current behaviour is indicative of a fraudster.

The truth about the distinction between a quantitative analysis of risk and a qualitative analysis of risk is that a qualitative analysis could be turned into a quantitative analysis, if only we had the data and knew how to do the sums. As the human race gets better at making some predictions - like the physical stresses that will cause a building to collapse, and hence how to build buildings that can survive those stresses - it still struggles with other topics like predicting how people will behave. If science teaches us anything, it is that large-scale observation and systematic analysis can eventually lead predictions to shift from qualitative to quantitative, making the immeasurable measurable. Applying a technique like Six Sigma to customer interactions should highlight not only how to serve customers today, but what engenders loyalty. Knowing that would take a lot of risk out managing and pleasing customers. We are not there yet, but the combined influence of Moore's Law and government expectations that providers retain more customer data suggests communication providers are evolving to a point where they could do much more statistical analysis of how customers act. In the meantime, risk managers need to do what they do best: think the unthinkable, not just at what might go wrong, but how to predict it. If Six Sigma helps them to do that, then risk managers should add Six Sigma to their toolkit.