James Reason had a clear understanding of the relationship between errors and goals. For him, an error is “a failure of a planned action to achieve the desired goal” (1). The goal of risk management activity is the creation and protection of value. ISO 31000 underlines that said activity “improves performance, encourages innovation and supports the achievement of objectives” (2) COSO Enterprise Risk Management discusses how value is created, preserved, eroded, and realized. According to this framework, the value is eroded “when management implements a strategy that does not yield expected outcomes or fails to execute day-to-day tasks”. (3) The immediate effects of errors are damages, increased quality costs, and losses. Thus, their immediate effect on value creation is negative. However, used wisely, the information about errors is an invaluable asset for risk management activity for understanding risks and for implementing barriers, proactive and reactive measures to be able to handle the undesired events. Several sectors, among others healthcare, aviation, and manufacturing largely benefit from error information to handle their risks. (4, 5)
During one of my recent lectures on risk management, while I was presenting the Ishikawa method (fishbone), one of the participants asked whether studying past errors is relevant for risk management. (6) The question was: The future is uncertain. How can we benefit from the failures in the past to be able to foresee, estimate and handle future events? I think that the question is very interesting since it gave me the opportunity to clarify why an understanding of the sources and triggers of past errors and failures is valuable, both for the anticipation of future events and for selecting actions to handle these events.
2. Risk management activity should benefit from past errors
The economic theory, the risk management theory, and the quality literature have largely benefited from psychological research and the cognitive theory. James Reason used the psychologist Rasmussen’s well-known Skill, Knowledge & Rule model for his Generic Error-Modelling System. (7)
The figure below summarizes the major elements of these studies. According to these, human behavior has three levels:
· At the skill level, actions consist of automatic, sensory-motor performance which is based on sensory data from the environment. The tasks are repetitive, and the skills may be acquired by practice. Skill-based errors are due to the variability of this performance. These can consist of lapses, i.e., memory errors such as omissions or repetitions or slips, i.e., attention errors like misordering, mistiming or perceptual confusions.
· At the rule level, actions based on a stored set of rules and familiar patterns. They make use of signs which indicate the state of the environment and the conventions for action. The tasks have a higher level of sophistication than the skill-based ones. Errors involved with tasks at this level are mistakes that arise due to a lack of application of a good rule or application of an inferior rule.
· At the knowledge level, people deal with novel situations and seek solutions to unfamiliar tasks, using symbols. The errors at that level are mistakes resulting from insufficient or incorrect knowledge, selectivity, and planning errors.
Human behavior is just one possible example. Risk management benefits from understanding the sources of all types of failures, including the non-human ones, to be able to evaluate the residual risks and to be able to answer whether an organization has implemented satisfactory measures to handle all types of errors and mistakes. Such answers will reduce the possibility of omitting some sources and triggers when the organization chooses between possible actions. Measures used for handling skill-based errors will be significantly different from the ones which mitigate the risk of mistakes resulting from knowledge-based actions.
ISO 31010 Risk Assessment Techniques introduces several methods such as the Cindynic method, Ishikawa method, Bow-Tie, Hazard Analysis Critical Control Points, and Layers of Protection to give risk managers the necessary competence to analyze the sources and triggers of risks, both threats, and opportunities. (8)
The same source introduces several methods which enable risk managers to choose between barriers and actions. (Decision trees, game theory, Multi-criteria analysis, cost-benefit analysis, etc.)
3. Prerequisites for benefits
To be able to benefit from information about errors and mistakes a set of necessary conditions should be satisfied. These are:
· The organization should have an error management culture that allows communication about errors, sharing error knowledge, and learning from errors.
· Errors and mistakes should be registered and duly classified/coded.
· There should be a management system that follows up on errors and mistakes.
· Management reviews should involve both quality management and risk management professionals and should motivate the cooperation between risk management and quality improvement activities.
Risk management deals both with threats and opportunities. Every event involves both positive and negative elements. An ambitious approach to errors will involve not only setting relevant barriers to threats but also identifying the positive elements which may represent opportunities.
(1) Reason J. Understanding adverse events: human factors. Qual Health Care 1995; 4: 80-9
(2) ISO 31000: Risk Management Guidelines, 2018, 4. Principles p: 2
(3) COSO, Enterprise Risk Management, June 2017 p:4
(4) Sudip Sarker, Charles Vincent, Errors in Surgery, International Journal of Surgery, February 2005, https://www.researchgate.net/publication/6367507_Errors_in_Surgery
(5) Debra G. Jones, Mica R. Endsley Sources of Situation Awareness in Aviation, Aviation Space and Environmental Medicine, July 1996, pp: 507-12
(6) Ishikawa K, Guide to Quality Control, Asia Productivity Organization,1986
(7) J. Rasmussen, Skill, Rules, Knowledge, Signals, Signs and Symbols and Other Distinctions in Human Performance Models. IEEE Transactions on Systems, Man and Cybernetics (SMC-13)3: 257-266, 1983
(8) ISO 31010 Risk Assessment Techniques, IEC 31010:2019
Y. Ayse B. Nordal
Ayse Nordal – kursleder i Risikostyring/Risk Management
Ayse Nordal er B Sc. og M Sc. i økonomi og statistikk (teknisk universitet) og lisensiat i anvendt sosialøkonomi og makroøkonomi (NHH). Hennes spesialområder er strategisk planlegging, internkontroll og risikostyring, og er sertifisert akkreditert risikoleder (Risk Manager).
Flere fagartikler fra Ayse finner du her
KRN Academy RM m/ grunnkurs, oppdatering-/oppfriskingsdag, modulbasert kurs i teknikker metoder for risikohåndtering og lederkurs med mulighet for sertifisering EOQ Risk Manager