Risk Management – Post event analysis
In this session I want to talk about something that I am passionate about: post event analysis after an event has occurred.
How often in your organisations has the same thing happened over and over again? You might sit around and ask why it happened, without acting on any of the reasons or implementing any of the controls identified to deal with it.
One of the problems that we have in organisations where there might be a blame culture is that people are reticent to actually admit that they have made mistakes, because there might be consequences or action taken against them.
One of the keys to being a learning organisation when it comes to risk and event management is that you need to have a no blame culture, and we have talked about this when we previously discussed risk culture.
The post event analysis itself is going to ask some fundamental questions:
- What happened? What was the event?
- Why did it happen? What caused the event? This question provides the opportunity to take a hard look at yourselves and your organisation. One thing you need to remember is that no single event that occurs in an organisation is a single point of failure; what happened was a failure of a range of controls that led to the event occurring. If you are looking for someone to blame, you might miss the real causes, which may be cultural. You need to have a good hard look and identify all the causes that led to the event, i.e. are they systemic or executive?
- What were the consequences? We can refer this back to our risk register, where we may have already identified this as a risk. We can then ask ourselves if we adequately identified the consequences, because they may have been far worse than we'd anticipated, which might mean we didn't treat that risk properly.
- Did we respond to the event or incident in an effective manner? We ask this because we need to understand that the ways in which we react to an incident can prolong the consequence period. Did we have a business continuity plan in place, and did everybody know what they needed to do in the case of that event?
We then ask some fundamental questions about the future:
- What can we do, if anything, to stop this event from happening again in the future? By asking this we can start to think about what additional controls we need to put in place. We also look at what we need to do to strengthen the controls we currently have in place.
- Is there anything we can put in place to minimise the consequences if the event happens again? In doing so, we can think about whether there is a business continuity plan in place which will reduce the consequences that we felt in this particular risk.
To reiterate, our post event analysis comes from a learning organisation with a no blame culture. We need to ask ourselves: what happened, why did it happen, what were the consequences, did we respond to the event in an appropriate manner, are there any controls that we can put into place for next time to reduce the likelihood of that risk occurring, and are there controls we can put into place to reduce the consequences if the event does happen again?
Only by asking all of these questions and implementing the answers can we say that we have learnt from the mistakes we have made and embedded that learning into our organisation.
If you become a no blame organisation and systematically conduct post event analysis, the morale within your organisation is going to skyrocket, because people will come to you without fear or favour in terms of the things that have gone wrong or are likely to go wrong.
What you need to understand is that bad news does not get better with time, unlike red wine.
You might have situations where people are hiding events that have occurred, which get very bad before you can even find out about them. So bring a no blame culture in, encourage post event analysis, and your organisation will be one that people want to work in.