Risk Tip # 10 – Post Event Analysis

Risk Tip # 10 – Post Event Analysis

“We learn from history that we do not learn from history.”  Georg Wilhelm Friedrich Hegel

No matter how well an organisation manages risk, there will still be occasions where incidents occur i.e. risks are realised.  In organisations without a well-structured risk management program, these events will likely be dealt with, but not assessed afterwards, and, invariably the same incident will occur again.

Risk management will not stop events/issues/incidents arising, but organisations with a mature, well developed risk management framework will learn from the issues.  Too often I work within organisations that purport to having a lessons learned program.  But, in my observation, it is more a case of being a lessons identified and documented program with no real action taken to address the root causes.

The reason it is so important that we become a learning organisation?

Today’s incident is yesterday’s and tomorrow’s risk

The methodology I use is in the form of a post-event analysis that asks the following questions:

  • What happened?
  • Why did it happen?
  • Did we or could we have forecast that it was possible that it was going to happen?
  • Could we have done anything to prevent that event?
  • Did we deal with the incident in an appropriate manner?
  • Is there anything we can do to prevent the incident occurring again in the future?
  • If the event does occur again in the future, are there any strategies we can put in place to minimise the impacts?

More detail on each of these is provided below.

What happened?

It is important from the outset to gain as much information as is possible in relation to the incident itself. This is critical so as to avoid making early assumptions/decisions in relation to the implementation of additional control measures (the knee-jerk reaction that so many of us have, no doubt, previously experienced.

Did we or could we have forecast that it was possible that it was going to happen?

At this point we are simply ascertaining whether it was an incident that we had in our risk register and, if it wasn’t, was it something that should have been.

Why did it happen?

This is the most important part of the process.  During this stage, we are identifying what exactly caused the incident to occur.  It is important to undertake a thorough assessment here because there is no such thing as a one cause event – they are always system failures at an organisational level.  It may be very tempting to conclude that the incident was caused by user error, however:

  • Was the user sufficiently trained in/competent in its use?
  • Was it maintained to the correct level?
  • Were work instructions and procedures in place and, if they were, were they appropriate and were they being followed?
  • Was fatigue a factor?
  • Were there distractions that could not have been anticipated?

During this process, in nearly all cases, it will be discovered that the causes were known, and the controls were in place, but these controls failed or were inadequate.

That said, it may be discovered that, whilst the risk had previously been identified, one of the causes that led to this incident, hadn’t been captured as part of the risk analysis and recorded into the risk register.

This is the information that will then form the basis of the next part of the analysis.

Could we have done anything to prevent that event?

During this stage of the process we are asking a range of questions:

  • The first, and most obvious question, is: was the risk was in the risk register at all?
  • The second question to ask is: were all of the causes that contributed to this incident captured in the risk register?
  • The next question: were there controls assigned to the causes that contributed to the risk materialising?
  • The final question is: were all of the controls assigned to the causes of the risk effective?

The answers to these questions will form the basis for the next part of the assessment.

Is there anything we can do to prevent the incident occurring again in the future?

From the information gathered in the previous step, action plans need to be developed in order to close any gaps we have identified.

These actions will take the form of:

  • Adding a new risk to the risk register; or
  • Developing a treatment/s which will take the form of:
    • A short-term action to improve the effectiveness of a control that has been identified as requiring improvement; and/or
    • A treatment that will become a new existing control.

The most critical requirement in this part of the assessment is to allocate accountability for the actions as well as timeframes. Progress then needs to be monitored and reported.

Did we deal with the incident in an appropriate manner?

In any incident, there is always a response.  Many organisations have suffered additional consequences as they were ill-prepared for the event occurring.

To that end, a thorough analysis is required on the manner in which the incident was dealt with by the organisation.

If the event does occur again in the future, are there any strategies we can put in place to minimise the impacts?

Based on the above analysis, further actions may be required.  These will take the form of:

  • A short-term action to improve the effectiveness of a control that has been identified as requiring improvement; and/or
  • A treatment that will become a new existing control.

Once again, the most critical requirement in this part of the assessment is to allocate accountability for the actions as well as timeframes. Progress then needs to be monitored and reported.

Summary

To summarise this risk tip is simple: organisations that fail to conduct post event analysis and fail to use the analysis as a basis of improvement, condemn themselves to having the same incident occurring over and over again.

SUBSCRIBE TO OUR NEWSLETTER
Unleash your inner risk gladiator! Join our mailing list for all the latest news, tips, and special offers.
FREE RISK MANAGEMENT E-BOOK
This free E-book dives into risk management, exploring the issues and concepts involved in effectively managing risks in an accessible and comprehensive manner applicable to organisations of all shapes and sizes.
{Download-submit}