|

Get Off Your Ass and Do Something: Risk Management is Real

Hey colleagues,

This may be me venting or projecting, but I have penned this “thesis” for sharing, but I thought I will share it with you first. It is a first draft (pen to paper) and so I am not asking/expecting agreement, but in critiquing, please apply your risk knowledge/risk intelligence. And, yes, I feel very strongly about this, for as I have said (or maybe not to you folks) I have lost colleagues when this was not done correctly. When we could not, “imagine” what can go wrong. When we were not prepared, when we failed to ask the right question, or when a flight instructor failed to grasp the significance of a student pilot saying to him: “I don’t need to know how to land the plane”……yeah……


I may disturb some of your sensibilities but here goes……Maybe I will feel better after some sleep…LOL


After the 5 individuals drowned, I decided not to opine, for I may have possibly been seen as “ranting and raving” and I did not want to “pile on” the blaming for I did not know all the facts, but having followed the COE, I cannot stay quiet so please excuse this diatribe, at least for the next 6 mins of reading time, for it may just save a life or lives going forward.
It is time decision-makers in all industries, get off their respective asses and take the identification and management of risk seriously, what the fudge?
There are only 3 possible outcomes (impact) when a risk eventuates:

  • financial impact
  • reputational
  • Injurious (loss of life or limb)
  • Or some or all of the above

The Paria disaster resulted in all of the above. So let me share with all those “know it all leaders” some facts. Operational risk (ORM) is defined as the risk of loss resulting from ineffective or failed internal processes, people, systems, or external events.

  • facilities management is not operational risk management
  • HSE, officers are not operational risk managers: 
  • hazard assessments are not risk assessments: risk + hazard= Accidents (R=H=A), and they are not to be used interchangeably, and yes they are mutually exclusive
  • OSH, is not operational risk management
  • The chairmen of the boards of all the stakeholders involved in this COE, are not operational risk managers (based on those we assessed)
  • SIMPLE, linear thinking, cause and effect thinking is a risk. What is the risk intelligence quotient of those involved in these decisions? and this is not esoteric, or rhetorical.
  • Why were there no Impact analyses performed (BIA), this should not only be done as part of business continuity, it should (MUST) be done as part of all critical functions
  • Were there stringent and tested scenario analyses (what can go wrong)?
  • Experience is a risk if singularly relied upon; therefore the scenario analyses would have treated some of this “experience risk”, so please don’t tell me how experienced all the players were. Ever heard of the E.J. Smith syndrome?
  • normalization of deviance, this is real, and it was a factor in this disaster
  • cognitive dissonance exists: and it was a contributing factor
  • Biases are real, and it was a contributing factor (confirmation bias, halo effect, etc.)
  • Siloed risk identification (where everyman, every institution does their own thing) was a contributing factor: where was the Enterprise risk management, the connecting of the dots?
  • Lack of Risk governance and effective leadership was a contributing factor
  • risk and safety culture was a contributing factor: what did all those involved know about risk culture?
  • where are the operational risk assessments that were completed prior to this disaster, when were they completed, and who completed them?
  • that which we are most familiar with, we sometimes fail to see: where were the objective/independent risk assessors?
  • Its not what we know for sure that will hurt us, it is that which we know for dam sure that just ain’t so. So what?
  • Practice makes prepared not perfect: when was a simulation of this type of dive, under similar circumstances, involving all the same stakeholders (rescue teams, vendors, suppliers) completed?
  • when was the last third-party risk assessment, fourth-party risk assessment, and vendor risk assessment completed: All those who are part of the enquiry, are third parties, vendors, and or suppliers.

Note to all: In times of elevated risk on multiple fronts – pandemics, political risk, cyber, underwater rescues, underwater repairs, and supply chain, to name a few. Organizations, therefore, must engage in proactive risk identification and management to protect their personnel (lives), assets, incomes, and reputations. Seriously?


Some leaders love to question the value of Risk management or the ROI of risk management, to justify why they can’t afford it, or rather, don’t NEED to spend on risk management training, development, and deployment because “we got this” or nothing bad ever happens around here. This massive failure and the resulting impact are why risk management is important. Unfortunately, many of you out there will continue to suffer from many of the above “ails” that caused this disaster.  When risk practitioners (the real ones) ask the questions, what can go wrong, please remember this conversation/diatribe.


That said: risk management is not a fait accompli or nirvana nor a silver bullet, bad things WILL still happen, but like an airbag in a vehicle, it may not prevent all the accidents from happening, but it WILL reduce the impact when accidents do occur.

Folks, Proactive risk management is a discipline rather than a process or initiative. Please be more disciplined out there, you may just save a life.

Similar Posts

Can Your Leaders “Decisions” Affect Your Company’s Future or Profits?

ByKen Hackshaw

And the answer is…………..you decide… Twitter threatens trade secrets lawsuit over Meta’s Threads app. Alex Spiro, a lawyer for Twitter, accused Meta of engaging in “systemic, wilful and unlawful misappropriation of Twitter’s trade secrets and other intellectual property” in a letter addressed to Zuckerberg dated Wednesday. The letter claimed that Meta had hired “dozens” of…

|

Now We Know: Why Silicon Valley Bank Imploded or Failed…

ByKen Hackshaw

“The bank waited too long to address its problems and, ironically, the overdue actions it finally took to strengthen its balance sheet sparked the uninsured depositor run that led to the bank’s failure,” said Barr (Federal Reserve Vice Chair), adding that there was “inadequate” risk management and internal controls. The above questions apply to YOUR organization…

Doesn’t Anyone do Due Diligence or Deep Dives Anymore?

ByKen Hackshaw

The FTX failure has put a renewed emphasis on the value of an excellent deep dive into your people, processes, and systems (Operational Risk), And by the way, not deep dives as a post-mortem (after the risk impact) but as a “pre-mortem” (proactive and anticipatory). “These days, it is hard to know what due diligence…

|

Leadership and Accountability Case Study: People Risk Management

ByKen Hackshaw

Demonstrating the management ethos that contributed to his recent induction as a Fellow of the Caribbean Risk Management Academy, the Minister of Public Utilities in Trinidad and Tobago identifies and prepares to act regarding the people risks at the organizations within his portfolio. Visit the website to read the full story published in the Trinidad…

|

The Role of Human Behaviour in Effective Risk Management

ByKen Hackshaw

The ISO 31000 risk management standard and the NIST Cybersecurity frameworks among others, have adopted new guidance that suggest considerations into behavioral factors must be included and considered during risk assessments. Human behavior is identified as the weakest link in risk management and security. Human factor risks will continue to increase in the fast-paced digital…