Model of areas for identifying risks influencing the compliance of technological processes and products

Operation of every company is associated with the risk of interfering with proper performance of its fundamental processes. This risk is associated with various internal areas of the company, as well as the environment in which it operates. From the point of view of ensuring compliance of the course of specific technological processes and, consequently, product conformity with requirements, it is important to identify these threats and eliminate or reduce the risk of their occurrence. The purpose of this article is to present a model of areas of identifying risk affecting the compliance of processes and products, which is based on multiregional targeted monitoring of typical places of interference and risk management methods. The model is based on the verification of risk analyses carried out in small and medium-sized manufacturing companies in various industries..


Introduction
Risk is an inherent factor that entrepreneurs need to deal with throughout the life cycle of the organization. The greater the knowledge management has on the subject, the more accurate are his decisions on preparedness and response in the event of an unwanted situation. Deliveries for the army for years require risk analysis.
Risk is the probability of not achieving in a given business activity the anticipated economic results, profits or the danger of suffering losses, exceeding the expenditure on investments [1]. Its aim is to ensure some kind of protection against interference, which could block the delivery. Parallel risk is estimated to be in the area of occupational health and safety. It refers not only to identification and management of occupational risk [2,3,4,5]. The important source of risk in the human resource process is the human factor and, in particular, the lack of employees' awareness concerning the importance of their attitudes in the safety and work hygiene system [6]. It should also be considered psychosocial risks that hazards are: job content, workload, work schedule, control, environment equipment, organisational culture, interpersonal relationships, role in the organisation, career development and home-work interface [7].
Design is usually focused on ensuring safety but only thanks to special design methodology, it is possible to achieve a greater reduction in risk. Safety issues appears in the context of both the primary user of the product as well as a number of intermediate users, appearing at various stages of the product's life, and from this stand one can view safety as of operation, of technical renewal, and of disposal. The product may affect the safety of the immediate user and of the bystanders, involved in the transport, sale, or other situations in which the product occurs [8,9].
The area of environmental management also refers to the identification of environmental aspects and environmental risks failure. Increasingly, the risk is assessed with regard to finances, time, information, etc. [10,11,12,13].
Outcomes of each organization functioning depend on personnel employed, and mostly on proper qualifications assigned to tasks, self-motivation and ability to communicate with co-employees. Thus, risk management system needs to take human factor into consideration as this is usually the weakest point of an organization [14]. It should also take into account the attributes of the internal organizational identity such as organizational culture, communication, intangible resources, and behaviour [15].
Managerial actions connected with managing and supervising companies are focused mostly on as follow [16]:  staff, their competencies and abilities,  tasks performed by the staff, their influence on quality of products, services and processes performance,  technical resources operated and used by organization's staff and their maintenance. Risk areas can also be found among the reasons for the industrial accidents. The discussion of Polish accident statistics covering the period of 2010-2013 shows the root causes of accidents in Poland, such (1) inappropriate condition of material agent, (2) absence or inappropriate use of material agent, (3) inappropriate wilful employee action and (4) inappropriate organization of work post [17].
Taking into account the maintenance should be considered the following aspects: service strategy selection, purchasing materials, and raw materials necessary to realize service, storing the materials and performing services planned and unplanned, as well as utilization of used materials, exploitation fluid and lubricants [18].
The area of electronic support is also burdened with a high risk of problems. On the one hand, it facilitates the information management and strongly improves the efficiency of the processes [19], but on the other hand it causes the situation that incorrectly stored and weakly protected data can be deleted or damaged. It paralyzes the functioning of the whole company. It makes the need to identify the risks in relation to information technology [20,21,22,23].
The release of ISO 9001 in 2015 years also introduces a requirement for risk management, which will result in expanding the number of companies which methodically deal with risk in regard with their own business [24]. It is easy to see a significant intensification of the search for suitable models of risk management in relation to the specificity of selected industries or types of activities [25,26,27,28,29,30,31,32].
However risk management in enterprises is often carried out incidentally, intuitively, in emergency situations, or when it is required by external legal or contractual conditions. This phenomenon is also associated with the individual treatment of each area. What is lacking is a complex approach that would tie together these aspects, while ensuring a systematic action. The systemic approach to risk management means designed and planned activities for which performance standards and clear implementation schemes have been developed. The systemic approach ensures predictability and repeatability of actions in the processes and in the enterprise [33].
Wide array of the available methods facilitating risk management causes that entrepreneurs have difficulty in choosing those that could be used in risk management. Especially important is support in the process of risk identification because on the one hand it is the most difficult phase that requires predicting all of the possible risks, on the other hand, the results are dependent on the effects of the later stages of risk management.

Risk management methods
Risk management is a constant risk control in the company in order to provide a better environment for action (risk is a probability conjunction of occurrence of an undesirable phenomenon and its 2 effect). The most difficult element of risk management is its identification that is estimating potential threats. For this purpose, a variety of methods are used such as brainstorming, Delphi method, block diagram, checklist, ranking of risks, the causes and effects analysis of FMEA defects, fault tree analysis FTA, taxonomy diagram, diagram of kinship, the Monte Carlo method, histogram, Pareto-Lorenz analysis [34,35].
After identification of risk there is an analysis and determination of activities to reduce the risks. The final stage in the cycle of risk management is its monitoring. This process runs many times: during the review of the customer's requirements, design (if implemented), purchasing, production and after completion of the project. In the process of creating risk management system in a company, it is noticeable to follow indication of the norm ISO 31000 "Risk management. Principles and guidelines" as well as ISO/IEC 31010 "Risk management. Risk assessment techniques".
In order to make sure that the risk management is efficient, the organization ought to adhere to the following rules at all levels [36]: 1) Risk management creates and protects value 2) Risk management is an integral part of all organizational processes 3) Risk management is part of decision making 4) Risk management explicitly addresses uncertainty 5) Risk management is systematic, structured and timely 6) Risk management is based on the best available information 7) Risk management is tailored 8) Risk management takes human and cultural factors into account 9) Risk management is transparent and inclusive 10) Risk management is dynamic, iterative and responsive to change 11) Risk management facilitates continual improvement of the organization The norm ISO 31000 states requirements regarding particular risk management stages which are ( Fig. 1):  communication and consulting,  defining context,  risk estimation-identification,  risk estimation-analysis,  risk estimation-evaluation,  managing risk,  monitoring and risk overview,  records related to the risk management process.

Figure 1.
Relations between risk management stages [36]. Moreover, the report ISO/IEC 31010 summarizes 31 most popular techniques that facilitate risk assessment and point to the stage of application. For the purposes of risk identification they are listed as strongly applicable or only applicable (Table 1).  The risk assessment may be carried out in varying degrees of detail, and using one or more methods (simple or complex). The choice of techniques should be performed so that the form of evaluation and its results were consistent with the criteria and scope of the risk.
The report, ISO / IEC 31010 summarizes the relationship between categories of risk assessment techniques and factors occurring in a given situation of risk. It also includes examples of how organizations can choose the appropriate risk assessment techniques for a given situation.
The external context is the external environment in which the organization seeks to achieve its objectives. Understanding the external context is important in order to ensure that the objectives and concerns of external stakeholders are considered when developing risk criteria. It is based on the organization-wide context, but with specific details of legal and regulatory requirements, stakeholder perceptions and other aspects of risks specific to the scope of the risk management process.
The external context can include, but is not limited to [36]:  the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;  key drivers and trends having impact on the objectives of the organization; and  relationships with, perceptions and values of external stakeholders. The internal context is the internal environment in which the organization seeks to achieve its objectives. The risk management process should be aligned with the organization's culture, processes, structure and strategy.
Internal context is anything within the organization that can influence the way in which an organization will manage risk.
It is necessary to understand the internal context. This can include, but is not limited to:  governance, organizational structure, roles and accountabilities,  policies, objectives, and the strategies that are in place to achieve them,  capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies),  the relationships with and perceptions and values of internal stakeholders,  the organization's culture,  information systems, information flows and decision making processes (both formal and informal),  standards, guidelines and models adopted by the organization; and  form and extent of contractual relationships.

Model of areas for identifying risks
The model is based on the verification of risk analyses carried out in small and medium-sized manufacturing companies in various industries. Surveyed companies complied with the following boundary conditions:  they were functioning on the market for at least 5 years,  they implemented a management system in an organization for example quality, occupational health and safety, environmental system, suppliers in the supply chain, food safety, information security and others,  they were trying to identify and analyze the risks of chosen on their own (or by the system) areas of the company. Insight in documentation and records related to risk assessment, as well as records of adverse events has allowed to determine the usefulness of the techniques used so far. In addition, the efficacy of risk analysis was evaluated in terms of avoiding their occurrence. It was also possible to clarify the problems that were associated with existing risk management. Also the most common places of forming unwanted situations have been found that threatened the accuracy of the course of individual processes in the surveyed enterprises.
Based on the survey, a model for multi-territorial identification of risk factors in the company was mapped out.
The model is based on the matrix regarding identification of risk factors on two levels: 1) aspects: quality management, ergonomics and safety of workers, maintenance, environmental management, culture and communication in the company, customers' requirements, stakeholders and regulatory, technology, competence, finance and electronic (PC) support, 2) areas: customer service, design, planning and preparation, purchases of materials and services, production / services, logistics. The matrix is the basis for individual connections to one aspect with one selected area of the company, for which a set of guiding questions in search of risk factors is explicit. In this way, the matrix of the model consists of 48 fields for each pair aspect-area. Each pair has individual and specific set of questions. The questions may be partially repeated for selected aspects in specific areas, but each time they refer to another part of the company's activities and ensure that each individual element will be subjected to scrutiny. Also answers to similar questions directed to the different areas of the company will differ from each other depending on the state of protection against risks in these areas. Looking for answers to the questions can be supported by using one of the techniques  The questions that have been contained in this matrix presentation do not exhaust the possibilities of the search for the possibility of risk occurrence. However, they suggest a method for identifying areas and aspects in which this risk may be present. Depending on the nature and size of the business, the matrix model of risk identification can be extended to include new aspects or areas, and competent representatives of companies can develop a set of guiding questions.

Conclusions
Identification of risk in a company has gained additional importance in recent years. At the same time examples of companies that tried to identify, assess and control the risks shows that this issue poses many difficulties for entrepreneurs.
On the one hand, they expect friendly solutions that will not unduly engage them in complex analysis. On the other hand, reliable results are needed, on the basis of which it will be feasible to make the right decisions about protecting oneself in the event of an unintended event.
The answer to this need is the model of multi-territorial risk identification, which can be freely combined with selected risk analysis tools. The model based on the combined areas of the enterprise with the different aspects of the analysis allows efficient analysis of the most important issues related to the risk of running an independent business.
Experience with using the discussed model to identify risks in industrial enterprises shows its usefulness especially for small businesses. They do not have an extensive team of qualified professionals who have the qualifications to carry out extensive analyses. That is why the method, which together with the basic tools of risk analysis proved to be sufficient for effective risk management, was positively received. The model combines two advantages: simplicity and insightfulness. It is therefore a good support for managers in conditions lacking time and human resources.