In the complex and dynamic landscape of workplace safety, risk management and incident investigations are often treated as separate processes, operating in silos.
The disconnect results in missed opportunities to prevent future incidents, improve control systems, and foster a culture of proactive safety management. To create a truly effective safety management system, these two processes must inform and reinforce one another in an ongoing cycle of learning and improvement.
The Missed Opportunities in Traditional Approaches
When risk management does not inform incident investigations, and investigations fail to drive enhancements to the risk management framework, organisations risk falling into a reactive cycle of addressing issues without addressing root causes or systemic weaknesses. This often leads to:
Recurring Incidents: Without integrating investigation findings into risk management, similar incidents are likely to reoccur.
Ineffective Controls: Critical controls may be improperly selected or inadequately maintained, leaving risks poorly managed.
Missed Learnings: Investigations provide valuable insights, but these are wasted if they are not systematically used to improve risk frameworks.
Static Systems: Risk management systems and control frameworks become stagnant, failing to evolve with the organisation's challenges and learnings.
The consequence? A system that focuses solely on compliance rather than fostering a culture of continuous improvement and incident prevention.
The Role of Risk Bowtie Analysis in Prevention
Bowtie analysis is a cornerstone of risk management, offering a clear, visual representation of the pathways that lead to an unwanted event and the controls that prevent or mitigate it. A well-constructed bowtie analysis should mirror the investigation process, making it an essential tool for understanding and managing risks.
Preventing Controls: The left side of the bowtie identifies causes (threats) and the preventing controls designed to stop the unwanted event from occurring.
Mitigating Controls: The right-side addresses consequences (impacts) and the mitigating controls that reduce the severity of an event if it occurs.
Example: Consider a scenario where an organisation manages the risk of mobile equipment interactions. The preventing controls might include traffic management plans, collision avoidance systems, and speed limits. The mitigating controls could include emergency response protocols, medical services, and containment measures for hazardous spills.
When incidents occur, one of the first steps should be to review the risk bowtie analysis for the scenario.
This involves asking:
Were the identified controls in place and effective?
Did any controls fail or were they absent?
Are there additional controls that could have prevented the incident or reduced its impact?
Using Incident Investigations to Inform Risk Management
Incident investigations, particularly those using methodologies like ICAM (Incident Cause Analysis Method), are designed to uncover root causes and contributing factors. However, these findings are often confined to the investigation report and not used to inform broader risk management strategies. To close this gap, investigations should focus on two key areas:
Critical Controls: Did the failure of a critical control contribute to the incident?
Systemic Issues: Are there gaps in the broader safety management framework that need addressing?
Once these insights are identified, they should be used to:
Update the risk bowtie analysis to reflect new learnings.
Reassess and refine critical control selection to ensure the most effective controls are prioritised.
Revise critical control performance standards to account for new information about control effectiveness or limitations.
Strengthen critical control verification (CCV) processes to ensure controls are robust and reliable.
A Continuous Cycle of Learning and Improvement
The relationship between risk management and incident investigation is not one-directional; it should be a continuous feedback loop. Each process informs and improves the other, creating a cycle of learning and proactive management.
Step 1: Post-Incident Review
The first step after an incident is to review the relevant risk bowtie. This includes revisiting the causes, consequences, and controls to understand what went wrong.
Step 2: Investigation Insights
Use investigation findings to identify control failures, systemic gaps, or new risks.
Document these insights and map them back to the bowtie.
Step 3: Update Risk Management Frameworks
Revise the bowtie analysis, critical control performance standards, and verification processes.
Add new controls or enhance existing ones to address identified gaps.
Step 4: Implement and Verify
Roll out updated controls and frameworks across the organisation.
Conduct verification activities to ensure controls are in place, effective, and not at risk of failure.
Step 5: Monitor and Adapt
Regularly review and refine the updated risk management framework, using data from ongoing monitoring and audits to ensure its effectiveness.
By embedding this cycle into organisational practices, risks are continuously managed and improved upon, reducing the likelihood of reoccurring incidents and fostering a proactive safety culture.
The Role of Preventing and Mitigating Controls in Incident Investigations
When conducting an incident investigation, preventing controls and mitigating controls play pivotal roles:
Preventing Controls: The investigation should evaluate whether these controls were effective in stopping the incident from occurring. If they were absent, failed, or ineffective, the bowtie must be updated to strengthen or replace them.
Mitigating Controls: The investigation should also assess how mitigating controls performed in limiting the consequences of the event. For example, if an emergency response protocol was delayed, this highlights an area for improvement.
In both cases, the investigation findings must lead to actionable updates in the risk management framework to ensure future incidents are managed more effectively.
The Nexus of Prevention™: Integrating Risk and Investigation
This brings us to the Nexus of Prevention™, a concept that embodies the seamless integration of risk management and incident investigations. By connecting these two processes, organisations can:
Transform reactive investigations into proactive risk management strategies.
Use risk controls to inform investigations and investigations to enhance risk controls.
Build a safety management system that evolves with each incident, becoming stronger and more effective over time.
The Nexus of Prevention™ is not just a methodology; it’s a mindset. It challenges organisations to think beyond compliance, fostering a culture of continuous improvement and prevention.
Join the Nexus of Prevention™ Online Course
If this article has sparked a moment of clarity or further curiosity, then you’re ready to dive deeper into the Nexus of Prevention™. Our advanced course offers:
Interactive Workshops: Apply concepts to real-world scenarios.
Exclusive Tools: Gain access to bespoke strategies and techniques.
Actionable Plans: Leave with tailored solutions ready for immediate implementation.
Spaces are limited, so secure your spot today and transform the way your organisation approaches risk and incident management.
Nexus of Prevention™ is a bespoke program designed to bridge the gap between risk management and incident investigations, offering exclusive tools and strategies tailored to your organisation's needs.
Comments