Together with TNO, Prof. Dr. Jop Groeneweg has done a study on how we can learn from incidents to improve our risk management.
“What we did was a study among over 240 companies in The Netherlands, in which we asked them: what are the strong and weak points in the way you learn from incidents. We built a model, starting with reporting incidents, to analyzing them, to making recommendations, implementing the recommendations, and measuring the effect of the interventions.”
During an interview, Prof. Dr. Jop Groeneweg highlights the main takeaways from that study:
1 – Most people think that learning from incidents is a question of reporting
Most people think that learning from incidents is a question of reporting, but we’ve passed that stage decades ago, so in most organizations that was well established.
2 – Most people have a tool approach when it comes to analyzing incidents
When it came to the analysis things started to become a bit iffy. Most people’s approach is to buy another tool. Of course, you need a tool to reveal the underlying causes, but if you give a great tool to poor investigators that’s not going to work. “A fool with a tool is still a fool.” We also found some deficiencies, where people just said: well, we have the right tool, but we do not necessarily utilize it to the maximum.
3 – Most people create too many recommendations
Things really started going downhill after the analysis stage. What you see is the organization conducts an investigation, from which a sort of list of recommendations is generated. But with this list, there are a couple of pitfalls: One is that you make 200 recommendations, and you have 10 incidents, so you’ll have 2000 recommendations, and after a year you have 20.0000 recommendations, which means that effectively you’ll have no recommendations. One of the things you could do is prioritize those actions. But people in organizations seem to be afraid of prioritizing actions after an incident. It’s a difficult point.
4 – Most organizations do not implement recommendations
The next step is that you must implement what you have recommended and that happens at a surprisingly low rate. Most energy is put into making sure that we have those recommendations, and then all energy is dried up. You have spent an enormous amount of time in the investigation part, you spent an enormous amount of time in the final part, and then you must do something. So, what you do then is make a plan and that plan is what you present to the leadership, and the leadership says: Yes great, let’s do it. But then you have to do it and that turns out to be a major hurdle.
5 – Most organizations don’t know the effect of their interventions
But the final hurdle, that from a learning perspective, and the most important hurdle is that you ask yourself: do the interventions have a positive effect? A step that is skipped completely. Most companies investigate, monitor, but hardly ever evaluate the effect. That leads to the intriguing situation where most organizations really don’t know the effect of their interventions. They have concluded that people need more training, they sent people to the training course, they measure how many people have attended the course, but they never ask themselves: does this person now work differently? Does it have an effect? From a learning perspective that is pretty bad news. We don’t build a library of effective interventions.
Part of the issue & part of the solution
In the ideal world, when you had an incident, you analyze it, take an action (risk management), and then this same incident should not happen again, or at least, the frequency should be reduced. But we don’t see that happening in reality.
Part of the issue is that the people that are responsible for the first part of the process are not necessarily responsible for the last part of the process. I am very much in favor of involving the people who are ultimately responsible for the implementation. Also, involve them in an early stage of the investigation. If you do a risk analysis, make sure that the people who actually have to do things are also involved in the ‘what are we going to do’ phase.
I think it was the Dutch Safety Board that did a meta-analysis of the effectivity of their interventions. One of their conclusions was that the best interventions were made when you give the analysis to the other party and let them, based on the analysis, make up their own recommendations.
The whole idea is that we vastly underestimate the importance of closing the loop and involving the people who actually do the work. Learn more about Risk Management life cycles here.
© CGE Risk. 2021 – The copyright of the content of this blog belongs to CGE Risk Management Solutions B.V.
