As someone (must have) once famously stated, hindsight is equivalent to 20/20 vision. In practical terms, the inference is that any reasonably minded person might state, “Isn’t it obvious (why such and such happened)?!” We have all claimed at some point in our lives that a particular situation was, “Simply an accident waiting to happen”.

The point is, however, that when circumstances do evolve into situations, when causes materialise into effects, it is generally too late to do anything other than face the consequences. The risk, in such instances, would have journeyed from a hypothetical possibility into a fully manifested phenomenon, from a null entity into material effect.

In this two-part essay I intend to provoke risk professionals and practitioners alike into challenging the heuristic value of hindsight. I shall posit the argument that the real benefit to be derived from reviewing, deconstructing, and reconstructing real events can only be drawn by persons (as individuals, organisations, or institutions), willing to learn from the consequences of major incidents and capable of driving transformational change into material resilience.

Reason resides at the very core of risk management. To realistically determine risk, professional practitioners require knowledge, skill, experience, and an aptitude to articulate and combine a variety of elements and criteria into a convincing and realistic case (a risk model). Risk management, in turn, is built around risk assessment; that being a competence-based application of value judgements attempted by reasonable persons to identify hazards or threats, evaluate them based on established criteria, and subject the risk to mitigation and control measures. Risk management is a quintessentially logical and systematic discipline that is relevant to and applicable within most fields of activity.

As far back as 1999 Perrow[i] had gone as far as to label risk managers as shamans (the equivalent of modern-day technocrats), albeit clearly with some measure of irony. The point being, however, that risk practitioners hold a professional responsibility, a duty of care, one might legitimately argue, to ensure that risk assessment(s) is effective, timely, relevant to specific contexts and materially capable of protecting stakeholders from harmful consequences by generating resilience.[ii]

When societies confront a new or explosively growing evil, the number of risk assessors probably grows—whether they are shamans or scientists. I do not think it is an exaggeration to say that their function is not only to inform and advise the masters of these systems about the risks and benefits, but also, should the risk be taken, to legitimate it and reassure the subjects.[iii]

Hindsight cannot address any uncertainties relating to risk events. As a standalone heuristic, hindsight is arguably a self-serving, self-indulgent, and ultimately futile activity in the risk management value chain.

By way of a mini-case study upon which to frame our discussion, we could do worse than review the tragic events that destroyed the port of Beirut, Lebanon, in 2012.[iv] The explosion quite literally obliterated large sections of the port, killing hundreds of people, destroying critical infrastructure, impoverishing the community, and denting an (already) ailing economy. (plunges-millions-poverty/6209118.html).

A few hundreds of thousands of dollars’ worth of explosives generated impacts of magnitude ranging into tens of billions; a ratio of 1:10,000 expressed in the crudest of terms. Clearly such catastrophes demand pauses for reflection. Would not the port safety personnel have been educated about safety risk management? Equally so, their colleagues the port facility security officers, mandatorily trained in risk-based techniques for securing the port facility?[v] What about the engineers operating on the docks? The port Authorities; Contracting Government; the Police and Municipal authorities? Are we to assume, preposterously I would contend, that risk awareness and education were lacking in all persons and institutions involved?

The outcome from the Beirut major incident, of course, dictates its own tale. This was a failure in operational competence and political will on the grandest of scales. Inability to manage risk (incompetence/educational) led to failure to do so (negligence/legal) which, when the risk eventually manifested (the technical term is reified) caused untold destruction and harm, imposing prohibitive costs on the community. When control is disregarded, the risk becomes a function of chance, and its manifestation shifts decisively from if to when(?). All the stakeholders discussed above had failed to effectively heed the lessons from historical explosions in Texas, 1947[vi]; Limassol, 2012[vii]; Malta, 1995[viii] and several other catastrophes induced in ports over decades of maritime safety and security risk management. The risk body of knowledge was there (as it remains) but hindsight had done nothing to sensitise an entire stakeholder value chain.

ISO 31000,[ix] ISO 22316,[x] ISO 22301[xi] and a whole plethora of international standards, guidelines and Codes of Practice were available to persons across the stakeholder chain, so there can be no excuse for incompetence. So, it is inevitable that one should reflect on competence in our debate around heuristics. The International Standards Organisation (ISO) is the world’s largest body of aggregated national standards, ratified by 169 national standards bodies. Intrinsically, standards include requirements relating to education (under competence-related clauses) and legal aspects (under compliance-related clauses). It is safe to assert, therefore, that the link between education and legal aspects is not only real, but irrevocable. Since around 2015, ISO standards have adopted a clear strategic orientation towards becoming risk-based in their approach to management systems and, importantly, began to (re)-define certain standards under “Societal Security”. This paradigm shift further supports the ideas brought forward in the argument in question and merits further research and exposition.

So far, we have argued around the limitations of hindsight and shown both its limited and limiting value within risk management. Yet there remains little doubt that risk management represents good management.

In a seminal work, Toft and Reynolds argue this point very convincingly, insisting that risk management should not be viewed or treated as a divergent activity from an organisation’s general management functions and frameworks. Risk management is most effective when it is embedded within organisations and informed through the empirical evidence of daily life.[xii] Within such a context, hindsight bias can be significantly reduced as organisations learn to avoid unnecessary or unjustified risk and focus on protecting core activities and processes. Yet the present argument tells only half the story. In Part 2 of the essay, we shall explore how hindsight can be transformed into active foresight if organisations can learn how to heed the lessons (learned) from failure.

John Schembri, MSc. SRM (L’cstr.); PgC, OHS (P’mth); SIRM; CBCI.

An ex-Serviceman of eighteen years’ experience in operations and command, John has held a Master of Science degree in security risk management from the world-renowned Scarman Centre, University of Leicester, UK, since 2001. He has extensive experience in critical infrastructure, specialising in resilience, digitalisation of risk management and operations in challenging environments.

Key Words:  Will; Reasonability; hindsight; active foresight; major incidents; grounded theory; competence.

i         Perrow, C. Normal Accidents.

ii        In this essay, the assumption is made that readers are familiar with the concept of resilience as defined in ISO 22316; 3.4. Readers are also advised to interpret resilience in the context of the requirements mandated under Directive 2008/114/EC.

iii       Ibid.

iv        You-tube:

v        IMO International Ship and Port Facility [ISPS] Code, 2003.




ix       ISO 31000 – Risk Management

x       ISO/DIS 22316(en) Security and resilience — Guidelines for organizational resilience.

xi       Cite ISO 22301:2019 Security and resilience: Business continuity management systems; Requirements.

xii      Grounded theory

