In last month’s contribution, the value of hindsight in risk management was questioned by suggesting that organisations generally fail to heed lessons from disasters, exposing themselves to risk. The impressive work done by Toft and Reynolds was introduced, upon which the debate over both contributions was constructed. A powerful exemplar was drawn from the catastrophe that occurred in the port of Beirut in 2020, discussed as a case study.

However, examples of such deficient behaviour abound in everyday life, and it would not be an exaggeration to suggest that a simple question put to all the readers of this article asking them to cite at least one example of an organisation failing to learn lessons from a risk event would return as many different results as the number of respondents. The point is that it is a well-established fact in risk management theory that (most) people consistently exhibit an inability to accurately estimate risk, either by grossly underestimating the likelihood of specific scenarios happening to them or by overestimating their capabilities to effectively deal with consequences of a major incident.

Such cognitive bias explains, at least in part, why certain types of accidents occur and recur with alarming frequency. On a personal professional level of interest, I could cite the unacceptable safety record currently being experienced in my country, Malta, within and across the construction sector, clearly pointing towards systemic risk which multiple stakeholders simply refuse to address effectively and head-on. That is an important argument, highly relevant to the societal wellbeing of my immediate community, which I plan to examine in the near future.

In this, the second part of the essay, we shall examine a very interesting idea, namely that attempted foresight provides cogent opportunities for identifying risk in advance, enabling more effective planning, prevention, mitigation and control. In short, use of active foresight can foster resilience within organisations by enhancing risk management techniques, means and methods applied through appropriate frameworks.  For context, we shall continue to frame the discussion around critical national infrastructure within and across the European Union (EU) and its individual Member States. 

Risk in Context: organisational resilience

The EU directive governing the protection of critical infrastructure had addressed eight key areas in its first iteration in 2008, namely:

It would be fair to state that in the contemporary environment, characterised by volatility that constantly challenges organisations, private, public and political institutions alike, two key elements become central to our debate, namely:

  • Resilience, in terms of underscoring the criticality of infrastructure to societal wellbeing and the severe consequences arising from operational interruption, and
  • Learning, particularly in relation to organisations’ abilities to learn lessons from failures to prevent or avoid risk, especially when catastrophic consequences are foreseeable.

In 2000, more or less at the time of the EU Treaty of Maastricht-Nice, Haynes Daniell published a seminal work highlighting emerging global risks, mainly engendered by convergent international systems causing turbulence or volatility. The term stuck and is particularly useful in describing the systemic nature of challenges in our postmodern epoch. Haynes Daniell had exhibited extraordinary foresight in articulating the nature of a multitude of systemic risks at the turn of the millennium, all of which resonate to this day within the context of contemporary Europe.

When Volatility and Dynamism collide: millstones around organisations or opportunities for effective risk management?

Whether within the EU polity or across its thousands of public, private, not-for-profit and institutional organisations, none are invulnerable to risk, nor impervious to contemporary challenges. Indeed, in many instances organisations find themselves at the epicentre of global volatility, compelled to manage formidable challenges together with the intrinsic risks and uncertainties those challenges carry. Many observers argue that the EU sets global standards for regulatory best practice. Occupational Health and Safety; the Security of Ports, Ships and Port Facilities; the European Program for the Protection of Critical Infrastructure [EPCIP]; the Serious and Organised Crime Threat Assessment [SOCTA] initiative driven by EUROPOL; progress in the Seveso Directive resulting in the Control of Major Accident Hazards [COMAH] Regulations and derivatives thereof; and Data Protection, to cite only a few initiatives successfully driven by the EU Parliament and Commission since the turn of the century, have addressed multiple risks and their potential impacts on the EU family of communities and, in many respects, have set global precedents and standards of legislative excellence. More risk-based initiatives are in the pipeline.

The contemporary environment, however, leaves no room for complacency, as continental Europe and the Union endure challenges, beset by a broad spectrum of risk. Starting in the North Atlantic region, the Community is still adjusting to the post-Brexit realities affecting trade, customs, fisheries, border security and migration, to mention but a few. Down into and across the Mediterranean Basin, the Southern region is afflicted by problems of mass migration and political instability stretching across North Africa into the Near and Middle East. Yet more fractiousness in the Eastern Mediterranean threatens not only to destabilise and undermine the fragile energy eco-system but has resurrected the ugly prospect of widening conflict and humanitarian disaster, or worse. Further up, in the Balkans and Eastern Europe, the Union neighbours a politically unstable and restive Turkey, and beyond lie Crimea and Ukraine, under hostile invasion by Russia since February 2022. Geopolitically the EU is surrounded by instability, with concomitant potential for high-risk events or Major Incident Scenarios, to use the preferred contemporary term.

Other phenomena create more uncertainty, risk and challenges. The Digital Economy initiatives and the European Green Deal spearheading climate change policy; food security; trans-national organised crime and corruption; the re-dimensioning of energy policy; resilience against natural and man-made disasters; markets and financial systems; cybersecurity; the list reads like an endless stream of challenges and problem areas facing the EU, its institutions and all manner and types of public and private organisations. Clearly these challenges are of an ongoing and global nature and not limited to the EU or its individual Member States; risk and risk management in our contemporary world have assumed a glocal[1] aspect.

Solutions: towards intelligence-driven risk management

As discussed so far, risk management as a discipline and a profession is sufficiently endowed with the depth of knowledge and theoretical frameworks to account for a wide range of risks, up to major incidents.[2] A completely different domain of problems ensues, however, when risk events break the threshold into disasters, at which point it is fair to state that the discipline becomes unsuitable; disaster management and recovery belong in a different forum and fully deserve debate in their own right. We shall therefore conclude the paper by proposing three strategies capable of enhancing risk management, modelled on the seminal work of Toft and Reynolds, first published in 1999 and growing in value through to the third and final edition of the arguments they put forward. Our three Proposed Strategies are synthesised below.

Proposed Strategy 1:
Organisations need to acquire and embed a capability to learn from major incidents and disasters. T&R present a thorough and utterly compelling argument that disasters exhibit similarities in their structures (isomorphism) which, upon further in-depth analysis, would offer different types of organisations opportunities to learn on four levels.

  • Level 1 – Event isomorphism – two separate, unrelated incidents occur and manifest themselves differently but cause identical hazardous situations. E.g. terror attacks directed against ports or critical infrastructure.
  • Level 2 – Organisational isomorphism – different organisations within the same industry suffer similar incidents. E.g. a COMAH (Seveso) type of Major Incident.
  • Level 3 – Common mode isomorphism – different types of organisations, completely unrelated, perhaps even employing similar protective/preventive mechanisms, means and methods, suffer similar attacks or hazardous situations. E.g. cyberattacks.
  • Level 4 – Self isomorphism – large organisations offering a variety of products and services or undertaking activities and processes suffer a major incident. E.g. a massive safety incident; fire; massive loss; fraud; organisation-wide corruption.

The idea of organisational learning resides at the very core of our value proposition: whereas hindsight provides limited scope for adopting effective risk management, attempted foresight widens that scope and enhances resilience.

Proposed Strategy 2:
Organisations should accept (not necessarily tolerate) that risk is the new normal in a globalised world and should learn to engage actively in horizon scanning activities to predict risk, as far as is reasonably practicable for them to do so. The BCI Good Practice Guidelines (2018 Edition) provide frequent instances in which such techniques can be employed by proactive organisations that prioritise business continuity.

Proposed Strategy 3:
Organisations have a cogent opportunity to embrace technology and the power of data in constructing AI-driven risk management frameworks. The tools are available to us; the question is whether contemporary society will demonstrate the will and courage to utilise such sophistication effectively for the benefit of the many, as opposed to leveraging commercial benefits for the elite few.

Major incidents occur relatively rarely but strike at speed and carry intrinsic potential for wide-ranging, devastating effects, and organisations simply must be prepared for the unexpected to happen in real life, foreseeable as it may be in carefully crafted risk assessments. As Chancellor Otto von Bismarck once remarked, only a fool learns from their own mistakes; he would much rather learn from those of others. We can adopt the same approach and assert, with some degree of certainty, that it would be intrinsically unintelligent to depend on technology if we fail first to build intelligent, risk-based models.[i]

John Schembri, MSc. SRM (L’cstr.); PgC, OHS (P’mth); SIRM; CBCI.

An ex-Serviceman with eighteen years’ experience in operations and command, John has held, since 2001, a Master of Science degree in security risk management from the world-renowned Scarman Centre, University of Leicester, UK. He has extensive experience in critical infrastructure, specialising in resilience, digitalisation of risk management and operations in challenging environments.

Key Words: Learning; Context; Reasonability; Hindsight; Attempted foresight; Major incidents; AI; Isomorphism.

[1] Explicate in notes.

[2] Note.  For the purpose of this essay, risk management stops at crisis management of major incidents.  DR is not included. Explain

[i] "Only a fool learns from his own mistakes. The wise man learns from the mistakes of others." However, there is no definitive record of when or where he exactly made this statement. It is widely cited in various forms and attributed to Bismarck due to his reputation as a shrewd and pragmatic statesman. This quote captures the essence of his approach to politics and diplomacy, emphasising the importance of learning from history and the experiences of others rather than repeating their errors.
