Organisations spend a great deal of time and effort ensuring that potential points of failure are identified and steps are put in place to minimise risk.
But does this always take adequate account of the people factor?
The people factor
Despite rigorous systems and processes, many major incidents have been caused by human error, or in some cases malicious intent.
Human error can be caused by poor judgement, simple mistakes, lack of attention and inadequate training or knowledge, such as the Hatton Garden jewellery heist that went ahead unimpeded all weekend after someone at the alarm company decided a response wasn’t necessary. So what’s the answer?
First of all, I would suggest that while you can – and should – train and brief employees on what to do, when to do it and to what standard, this in itself will not remove human error.
An approach that has emerged over recent years is resilience engineering. A system is resilient when it can adjust how it works before, during and after changes, disturbances and opportunities, regardless of whether those events were expected. Instead of preventing adverse events, resilience engineering looks to make systems succeed whatever the circumstances.
Erik Hollnagel, a much-published academic in this space, identifies four abilities that are essential for resilience. These are the ability to:
- Respond to what happens
- Monitor critical developments
- Anticipate future threats and opportunities
- Learn from past experience – successes as well as failures
He says that working with the four abilities provides a structured way of analysing problems and issues, as well as of proposing practical solutions (concepts, tools, and methods).
Applying resilience within premises risk
I would agree that all the above abilities are essential within an organisation with regards to premises and operational risk management. A thorough approach to planning with a comprehensive risk management strategy, framework and process is essential. The ISO standard for risk management, ISO 310000, is an excellent model upon which these can be developed.
The risk management system needs to be applied consistently throughout the organisation, with regular training across the board to not only support compliance, but also to help teams and individuals to identify when something is not working as it should – both at a strategic and a grass roots level.
By maintaining an up-to-date risk register and monitoring developments, the organisation can anticipate developments as well as respond to changes and external events.
Scenario planning can play an important part of delivering resilience, as many circumstances may not be foreseeable, and are therefore impossible to plan for. Scenario planning allows an organisation to prepare for dealing with outcomes rather than causes, so the response to an event is improved.
Dependency modelling can also develop resilience by identifying critical interdependencies that may not have been apparent as well as identifying and mitigating single points of failure, so that the enterprise can either take preventative action or accept risk from a position of knowledge.
We will probably never eradicate human error – even societies in science fiction films that claim to have done so come unstuck when the human element kicks in – but the enterprise can make itself and its people better equipped – more resilient – to managing it and reducing the impact where possible.