Get Off Your Ass and Do Something: Risk Management is Real
Hey colleagues,
This may be me venting or projecting, but I have penned this “thesis” for sharing, but I thought I will share it with you first. It is a first draft (pen to paper) and so I am not asking/expecting agreement, but in critiquing, please apply your risk knowledge/risk intelligence. And, yes, I feel very strongly about this, for as I have said (or maybe not to you folks) I have lost colleagues when this was not done correctly. When we could not, “imagine” what can go wrong. When we were not prepared, when we failed to ask the right question, or when a flight instructor failed to grasp the significance of a student pilot saying to him: “I don’t need to know how to land the plane”……yeah……
I may disturb some of your sensibilities but here goes……Maybe I will feel better after some sleep…LOL
After the 5 individuals drowned, I decided not to opine, for I may have possibly been seen as “ranting and raving” and I did not want to “pile on” the blaming for I did not know all the facts, but having followed the COE, I cannot stay quiet so please excuse this diatribe, at least for the next 6 mins of reading time, for it may just save a life or lives going forward.
It is time decision-makers in all industries, get off their respective asses and take the identification and management of risk seriously, what the fudge?
There are only 3 possible outcomes (impact) when a risk eventuates:
- financial impact
- reputational
- Injurious (loss of life or limb)
- Or some or all of the above
The Paria disaster resulted in all of the above. So let me share with all those “know it all leaders” some facts. Operational risk (ORM) is defined as the risk of loss resulting from ineffective or failed internal processes, people, systems, or external events.
- facilities management is not operational risk management
- HSE, officers are not operational risk managers:
- hazard assessments are not risk assessments: risk + hazard= Accidents (R=H=A), and they are not to be used interchangeably, and yes they are mutually exclusive
- OSH, is not operational risk management
- The chairmen of the boards of all the stakeholders involved in this COE, are not operational risk managers (based on those we assessed)
- SIMPLE, linear thinking, cause and effect thinking is a risk. What is the risk intelligence quotient of those involved in these decisions? and this is not esoteric, or rhetorical.
- Why were there no Impact analyses performed (BIA), this should not only be done as part of business continuity, it should (MUST) be done as part of all critical functions
- Were there stringent and tested scenario analyses (what can go wrong)?
- Experience is a risk if singularly relied upon; therefore the scenario analyses would have treated some of this “experience risk”, so please don’t tell me how experienced all the players were. Ever heard of the E.J. Smith syndrome?
- normalization of deviance, this is real, and it was a factor in this disaster
- cognitive dissonance exists: and it was a contributing factor
- Biases are real, and it was a contributing factor (confirmation bias, halo effect, etc.)
- Siloed risk identification (where everyman, every institution does their own thing) was a contributing factor: where was the Enterprise risk management, the connecting of the dots?
- Lack of Risk governance and effective leadership was a contributing factor
- risk and safety culture was a contributing factor: what did all those involved know about risk culture?
- where are the operational risk assessments that were completed prior to this disaster, when were they completed, and who completed them?
- that which we are most familiar with, we sometimes fail to see: where were the objective/independent risk assessors?
- Its not what we know for sure that will hurt us, it is that which we know for dam sure that just ain’t so. So what?
- Practice makes prepared not perfect: when was a simulation of this type of dive, under similar circumstances, involving all the same stakeholders (rescue teams, vendors, suppliers) completed?
- when was the last third-party risk assessment, fourth-party risk assessment, and vendor risk assessment completed: All those who are part of the enquiry, are third parties, vendors, and or suppliers.
Note to all: In times of elevated risk on multiple fronts – pandemics, political risk, cyber, underwater rescues, underwater repairs, and supply chain, to name a few. Organizations, therefore, must engage in proactive risk identification and management to protect their personnel (lives), assets, incomes, and reputations. Seriously?
Some leaders love to question the value of Risk management or the ROI of risk management, to justify why they can’t afford it, or rather, don’t NEED to spend on risk management training, development, and deployment because “we got this” or nothing bad ever happens around here. This massive failure and the resulting impact are why risk management is important. Unfortunately, many of you out there will continue to suffer from many of the above “ails” that caused this disaster. When risk practitioners (the real ones) ask the questions, what can go wrong, please remember this conversation/diatribe.
That said: risk management is not a fait accompli or nirvana nor a silver bullet, bad things WILL still happen, but like an airbag in a vehicle, it may not prevent all the accidents from happening, but it WILL reduce the impact when accidents do occur.
Folks, Proactive risk management is a discipline rather than a process or initiative. Please be more disciplined out there, you may just save a life.