Recently, two very significant reports were issued related to loss-of-life events, the crash of an Air France Airbus in 2009 and the 2010 meltdown at the Fukushima Daiichi nuclear power plant following the earthquake and subsequent tsunami. Both reports came to virtually the same conclusions, that human error was overwhelmingly to blame, and that the players involved were unprepared for the events that unfolded. In other words, pure operational risk.
In the case of Air France, the flight was en route from Paris to Rio de Janeiro when it encountered unusual turbulence. At the time, the senior pilot had elected to leave the cockpit for a rest period. The failure occurred when the junior pilot, lacking sufficient training for such a situation, began making what he felt were the necessary corrective maneuvers. What occurred instead was that the plane ended up in a complete stall, one from which even the most experienced pilots would not likely have been able to recover. What resulted from the investigation were 41 specific recommendations for improving procedures, training, testing and technology to mitigate against a future similar situation.
In the case of the Fukushima nuclear power plant, a report issued by an independent panel of experts detailed how not only were the plant operators unprepared for such an incident, but cultural conventions limited their ability to even consider, let alone assess, such extreme circumstances. This in addition to breakdowns in communication and lines of authority during the event, which led to a total gridlock in the company’s ability to adequately respond. This is why we often say that risk management always starts with culture.
These two events continue to reinforce the importance of risk management for any business environment. Some key takeaways for risk managers to remember.
- In risk management, culture is everything and good risk management means honesty, transparency and accountability. If your business allows an environment where authority is never questioned, big risks are forbidden to be discussed and managers naively believe that they have no risk, then it is only a matter of time before something unexpected will go wrong. As risk managers, it is imperative that the culture be pressed towards a mature state where risk is honestly evaluated and treated transparently.
- We can’t escape from the harsh truth that you have to know what to do when things go wrong. Business Continuity Planning or Disaster Recovery Planning, as it is also called, is often seen as a compliance exercise and relegated to someone who is now told it is their job. But the fact is that bad things are going to happen, and if you aren’t prepared, a bad thing can very quickly turn into a horrible thing. You have to be prepared for the worst case scenario. This means assessments, planning and comprehensive plan testing.
- We have to be careful to avoid an overreliance on technology to where people stop thinking for themselves. This is the essence of the recent banking industry guidance on model risk. Just because it looks good on paper shouldn’t mean never stop thinking, never stop questioning and never stop verifying.
- Finally, when it comes to risk management, you really can’t find a better tool than training. Remember, people can only manage the risks that they understand. The more they understand, the more they can own. And the cost of training is a fraction of the cost of even the most routine incident.
Emerson said that “common sense is genius dressed up in its working clothes,” and ultimately operational risk management comes down to a whole lot of common sense. It’s ironic that more often than not it is culture that gets in the way. But, as risk managers, it is our job to ask hard questions, to get people to think and to push people past their assumptions. A tragic, but all too common, attitude is “well, I guess if that happens we’ll just have to figure it out.” The time to do that is not when the plane is falling out of the sky at 500 miles per hour.