You can’t ‘escape’ from control effectiveness

I’m going out on a limb here, yet again, as I anticipate a strong reaction to my take on the fact that the likelihood of a risk occurring in an organisation cannot be determined by time, frequency or probability – it’s all in my Risk Tip #11. This stirred up some in the risk management industry who firmly believe that probability is king!  In the LinkedIn exchange that followed, all manner of formulas and probability equations were thrown at me in an attempt to mend my recalcitrant ways and acquiesce to the science of the risk.

Okay, I’m a radical – so be it! But let’s see why.

One of the points I made during the back and forth on LinkedIn was that: knowing the probability of something does not tell you how likely it is to happen within an organisation. 

So, to illustrate, let’s look at the escape of a violent and serial offender, who enticed a guard over to his bedside and put him in a headlock, and then stole his keys to escape custody while in hospital earlier this year – ABC report.

The risk description that should be in the Corrections Department’s risk register is: Prisoner escapes whilst being treated in hospital.

Let’s use statistics to assist us to gain a rudimentary probability of escape from an Australian prison.

In the June quarter of 2017, there were 41,202 people imprisoned in Australia (Australian Bureau of Statistics).  In 2016/17 there were a total of 43 escapes – 32 from open facilities[1] and 11 from secure facilities.  This means that in 2016/17 the chance of escape was 0.0014% – give or take.

My question is this.  If I am running a prison, how on earth does this help me in any way to determine the likelihood of an escape from my prison?

In my view – it doesn’t help me one iota.

So, back to our violent offender who escaped a hospital. For the purposes of using this story as an example, as it is based only on the ABC media report, I have provided below the controls I believe were in place to prevent such an escape. I have also provided an assessment of the effectiveness of the control.

So, why wasn’t it identified?  It could be as simple as no one was checking.

This, to me, is the crux of the matter.  Based on the fact that the statistics show that there are so few escapes, the assessed probability (using a matrix similar to that below), would see the likelihood assessed as Highly Unlikely.

[1] A custodial facility where the regime for managing prisoners does not require them to be confined by a secure perimeter physical barrier, irrespective of whether a physical barrier exists

The problem is that these failings were only identified after the incident occurred.  It is extremely unlikely that this was the first time that a prisoner was not secured properly, or that a guard was left alone, or a guard approached a prisoner in their bed.  These things do not just happen overnight – they emerge over time. 

As a result, the assumption would be that nothing more needs to be done in relation to the risk.

What happens if we conduct assurance activities on all the controls and find the following:

If we then assess the likelihood of the risk using the matrix below, we see that our level of likelihood of an escape is significantly higher (almost certain in my view).

The point I am making is that the escape was not unforeseeable – in fact, if the controls were measured for effectiveness rather than being assumed to be effective – it is likely the incident would have been avoided.  The frequency or probability of the escape would have been no assistance in this case. Knowing there was a culture of shortcuts – that would have made a significant difference in reducing the likelihood of the risk occurring.

As for the escapee, he’s been found and is now safely secured at Hakea Prison and apparently he’s considered so dangerous his next court appearance will be via video link. And there’s a whole new chapter on mitigating risks!