This module will take you through High Reliability Organisations — The New Buzz Word for Risk Management?.
The information in this document is part of the Deltar ‘Level 4 Management Award in Advanced Risk and Crisis Management’
High Reliability Organisations — The New Buzz Word for Risk Management?
Looking back over the last thirty years of what we now call the risk management sector, it is interesting to see how different eras have been defined by different buzzwords, each of which has become the flavour of the day before being superseded by other, more current terms.
In the first instalment of an exclusive two-part series for Risk UK, David Rubens appraises the latest development: the advent of ‘High Reliability Organisations’
Whilst it may well be that this is to a certain degree the result of major management consultancies inventing new things for corporate security directors to worry about (and which, obviously, the consultancies have a high-priced solution for), it is also true that this has reflected the changing way that we have conceptualised and engaged with the whole issue of risk management.
The risk managers of the 1980s were likely to have little if any formal training in what we now consider risk management and in fact were often hired because of the skills picked up in their previous careers, usually policing. It is no surprise that the skills that they brought to the table were therefore largely those of the policeman – securing premises with gates, fences and window locks, and investigating incidents in order to identify perpetrators. The increasing globalisation of the corporate sector meant that such a limited understanding of the role of the security director was no longer appropriate to the challenges and responsibilities that they were faced with, and so we saw the emergence of the concept of risk management, with the understanding, particularly in the post-9/11 era, that all organisations were vulnerable to situations over which they had no control, and in fact the larger and more complex the organisation, the greater the vulnerability.
Risk management thus became a focus of interest for corporate leaders in a way that security management never was, and became a subject that was considered appropriate for discussion at the C-suite level. This period could be seen as the start of the professionalization of the risk management sector, linked with the emergence of academic programmes, often at Master’s degree level, that had not previously been considered relevant to the skills and capabilities associated with security management.
Given the potentially catastrophic impacts of external events on corporate activities, and particularly those associated with disruption to the extended supply chains and increasingly complex support frameworks on which corporate businesses were established, the next stage could be described as the ‘Age of Business Continuity’. This accepted that external events would occur, but brought responsibility for the maintenance of business activities (and therefore business value) back into the hands of risk managers. The underlying objective of business continuity was to say ‘It doesn’t matter what happens in the outside world – just make sure that we maintain operations’. To a large extent, this involved developing duplication in manufacturing, storage and management functions, so that no one component would be considered as ‘systems critical’, in that the failure of one component would lead to the failure of the overall system.
Although business continuity could be seen as a new development in terms of risk management methodology, it was still firmly grounded in classical risk management frameworks, based as they were on identification of potential fault lines, development of management responses that would either minimise the likelihood of unwanted events happening, or minimise the impact of those events if they did happen, and the imposition of those protocols through traditional management capabilities.
Such process management approaches could be considered as ‘straight line solutions’, as they could be easily captured in organisational charts that showed where excess capacity could be required, and how that could be integrated into the overall organisational management model.
The next stage in risk management development was not so much an extension of previous models, but rather the emergence of a new paradigm, in that the underlying assumptions on which they were based were fundamentally different from the systems management frameworks that had underpinned crisis management until then. The emergence of the concept of ‘resilience’ took risk management out of the process management framework of the straight line models, and into the more free-flowing unstructured world of ecological interdependencies, multiplicity of non-dependent outcomes and the understanding that the response to potentially traumatic external events was not so much to resist or defeat them, but to go with the flow, respond to the challenges of the surrounding environment, and to realise that the inability to predict or model the outcome of highly chaotic system-wide failures meant that the presumption that pre-planned solutions would be either deliverable or relevant was increasingly outmoded and unrealistic.
However, it is also clear that there are some organisations that are, by their very nature, more capable of dealing with the challenges of an unstable operating environment, and some for which the ability to create management frameworks that will maximise their ability to maintain operational capability within such chaos is not only desirable, but can be considered as absolutely critical. These have been labelled as ‘High Reliability Organisations’, and it is their ability to develop a highly successful operating framework in terms of both management protocols and a wider organisational culture that is becoming increasingly interesting to organisations that have the challenge of maintaining operational capability in the face of unstable operational environments.
The academic study of high reliability organisations has, understandably, centred on various areas of critical national infrastructure, but has also covered nuclear submarines, aircraft carriers and air traffic control systems. These systems are by their very nature highly engineered and operate with a strictly regulated management structure, but it is the realisation that operational managers, at every level of the organisation, have a surprisingly large range of decision-making freedom that will have greatest relevance for any organisation wishing to learn from their experience and example.
HROs are often seen as the supreme embodiment of high-design organizational micro-management, in that by their very nature they have to deliver a high (infallible) level of service delivery in what are often extremely complex operating environments, with the threat of catastrophic consequences for any failure. As such, despite the fact that they seem to offer a potential model for effective management of high-risk operations, their high-design nature has meant that they have been considered as lacking relevance to the chaotic environment of crisis management, or corporate management in general. However, a different perspective suggests that HROs are a reflection of a ‘mindfulness’ rather than a particular design approach. Under this model, the success of HROs is due to the fact that they focus on reliability rather than efficiency, and on understanding how to avoid failure rather than concentrating on what created success.
Efficiency is a quality that is management driven, and that sees subordinate functions as requiring direction, control and standardization. Reliability requires a multitude of approaches, an ability to identify faults as well as the ability to choose amongst a range of response options. The tension between efficiency and reliability is one between a design-led belief that one can design out problems (and that the world will operate in predictable ways), and operator-led models which accept that even the best designed system will need to have immediate operator input in order to respond to fluctuations in the working environment. In its purest terms, efficiency is built on the belief that ‘if designed correctly, things will work’, whilst reliability is built upon the foundational belief that ‘we’d better be ready when things go wrong’.
An organisational culture in which it has become normalised to ignore those issues that it either feels are too big to be dealt with or which would cause political embarrassment if they were acknowledged presumes a high level of ‘group think’ and a tacit agreement to ignore exactly those issues that are in greatest need of attention. In effective HROs the culture is exactly the opposite – to actively go out looking for potential problems and failure points, and to highlight and deal with them at the earliest possible stage. The defining cultural imperative in HROs is that it is the responsibility of everyone involved in the organisation to identify potential problems, and to develop solutions, before they ever have the chance to develop into actual problems. There is no shortage of examples on the front page of newspapers on a daily basis of organisations that have got that basic approach to risk management wrong – often with catastrophic consequences. These are high-impact examples of the organisational hubris that leads to the ‘drift towards failure’, and which reflect an organisational complacency that is (theoretically at least), in direct contrast to the values that underpin HROs.
The operating environments associated with HROs mean that all problems are considered as unique and extremely time pressured. Operational failures are not only significant in themselves, but gain significance as indicators of organisational vulnerabilities that allowed those failures to happen. Every problem is accepted as serious, and there is an urgency not only to find a solution to the immediate problem, but to understand the causal chain that led to that situation. In most organisations, errors are identified as local events, which do not reflect or impact on the overall operating framework. In HROs, they are seen as harbingers of potential organisational and structural weaknesses, on the view that ‘causal chains that produced the failure are long and wind deep inside the system’.
David Rubens will complete this 2-part series next month, with a look at how High Reliability Organisations can be developed, and what are the defining characteristics that differentiate them from other, less effective, management systems.
David Rubens MSc, CSyP, FSyI is well known across the UK security sector. He is a Board Director of the UK Security Institute, and is currently completing his Professional Doctorate at the University of Portsmouth, where his research has focussed on strategic management and critical decision-making in complex crisis environments.