The thought of a near miss is enough to send shivers down the spine of any risk manager. But as seasoned risk and internal audit leader Chris Corless explains these near misses provide important lessons for risk managers looking to not make the same mistake twice.
The simple answer – absolutely yes! This is especially true for operational or preventable risks, but I think it can apply to all types of risk. The reason it is so important is that it is a free lesson to learn more about the how the risk can manifest, check any assumptions in your risk model and give clues about the effectiveness of controls. Inevitably when we first build up our risk models, we won’t get it 100% correct at first and like any other management process, our risk models need a feedback loop to help improve them over time. Near misses can provide a wealth of information to inform these improvements.
To help guide our thinking on how to handle near misses we can look at the safety industry to show how to incorporate near misses into our broader risk program. In the safety world near misses and incidents are captured and provide the trigger for an investigation which is scaled based on the potential/actual impact of the incident.
“This is an important point – you can seriously overwhelm your organisation if you try to apply a resource-intensive investigation to every near miss. Scaling the effort will help you focus on what matters.”
These investigations lead to actions which invariably modify controls to address the identified failure pathway in the near miss. To be successful, however, this type of process needs to be broadly applied to all risks across the organisation and the outcome might not be a change to a control but could be a change to an assumption in a model or perhaps even a change in a decision around a business objective.
”Don’t forget you need to be able to capture the lesson for future reference.”
Many risk platforms now have built-in connections between the risk side of the platform and an incident capture/investigation and action tracking side forcing a connection between specific risks and the incident/near miss.
This is tremendously helpful for the risk owners over time as they can see all of the events/near misses associated with their risk, as well as the changes made as a result. This helps them to not repeat the mistakes of the past but also helps them when continuously improving the management of the risk because they have the entire history of that risk.
This helps maintain a complete knowledge base of the risk over time that transcends the experience of the current management team. It will also provide a record of the effectiveness of the various actions applied as a result of the near misses which will also be helpful to new leaders of the business.
You need to work very hard to ensure you uncover all events and near misses and the lessons learned incorporated into improvements and track those improvements to completion.
Use your data
Often, we rely on people to identify the event and trigger the appropriate process but this in itself isn’t 100% reliable for a whole host of reasons. That’s one of the reasons why I am such a proponent of using data to automatically detect problems with risk/control and working on ensuring psychological safety is a part of your culture. Both of these are designed to ensure that when an opportunity to learn happens that it doesn’t go to waste. But then that’s the answer to another question.