The Technical Challenges of Risk Mitigation

In previous posts we looked at Risk Avoidance, Risk Transfer, and Risk Acceptance. Unfortunately, despite our best efforts, we cannot eliminate all risks. For those risks that cannot be avoided, transferred, or accepted, our only option is to brace for it and mitigate or limit the impact. Risk mitigation is the process of introducing measures which reduce the impact of a risk occurrence. As with any risk management strategy, one must start with a valid risk/hazard analysis. The identified risks which are not avoided, transferred, or accepted are the ones which should be mitigated. 

Any risks, not addressed by one of the aforementioned strategies has the potential to develop into a disaster for the organization. What is a disaster? The answer to this question is in the eye of the beholder. However, for our purposes, let’s define a disaster as any incident, event, or occurrence which inhibits an organization’s capability to generate income. This definition is intentionally broad, and encompasses more than physical damage to facilities and injuries to employees. For example, a new company enters into the market of your organization. However, the new company has better technology and/or processes which permit them to provide better quality products and services compared to your organization. The existence of this new player in the game can inhibit your organization’s ability to produce income. We have seen this scenario previously. Allow me to enter MySpace as Exhibit #1.

The challenges of risk mitigation can be placed into two categories. Risk mitigation is either a technical challenge, or it is a cultural challenge. A technical challenge is easy to fix. With a technical challenge, you purchase a gadget or gizmo, then there is an “App for that” mentality that will suffice. If your organization is faced with technical challenges, you can address the challenge with technology or money. A cultural challenge is much more complex. With a cultural challenge, you must change the hearts and minds of people, you must change the culture of the organization. 

Let us first look at a scenario where mitigation was a technical challenge that was not addressed. I responded to an incident where a business sat at the end of a very busy bridge. Motorists would cross the bridge and come to a traffic light where the street teed. The motorists were required to turn left or right. To continue straight would cause their vehicles to jump the curb, cross the parking lot of the business and crash into the building. I cannot say if the organization did not recognize the risk, or ignored the risk, maybe they accepted the risk anticipating or hoping it would not eventuate (Hope is not a strategy). Unfortunately, a car traveled across the bridge at a very high rate of speed. It is believed the driver had a medical emergency while operating the vehicle. The vehicle proceeded through the traffic light, jumped the curb, crossed the parking lot, and crashed into the building. Several people were killed including the driver, employees and customers of the business. Others were injured. Compounding matters, the crash resulted in a multi-alarm fire. Further, the product of this business was required to remain refrigerated, and the fire caused the electrical service to fail. 

An accurate risk assessment would have identified the risks. A robust strategy of risk mitigation would have identified the technical solutions to the proposed problem. The first would be to place bollards along the edge of the parking lot to prevent runaway vehicles from entering into the parking lot and crashing into the building. Realizing there are a multitude of reasons for a power failure, and realizing how valuable the product was to the income generating capabilities of the organization, an emergency generator with sufficient power to maintain the environment (heat, air conditioning, refrigeration, etc.) would be a prudent investment. 

This scenario identifies several characteristics of disasters:

• There is seldom a single cause for an incident. Usually there are several components that must be in alignment for an incident to occur. This is demonstrated in the Swiss Cheese model below. Assume the slices of cheese represent organizational policies, physical failures, unsafe actions, and the environment. For this incident to occur the holes in each slice of swiss cheese must align. This is a rare occurrence.

• There are cascading events that add up to a disaster. In our scenario, the cascading events include a loss of employee and customer lives, trauma to the surviving employees. A loss of product, a loss of revenue while the organization was out of service, a corresponding loss of market share. The list goes on. 
• Because mitigation actions were not taken, the recovery process is extensive, requiring an increase in the expenditure of time and resources. Unfortunately, the organization was not resistant to this event and proved to be less than resilient. The organization was toast. 

Because of the failure to implore strategies and tactics to mitigate the risks, this organization was not very resilient. Do not let this happen to your organization. We at R. L. Sligh Limited are available and capable of helping organizations like yours.