No matter how effective the risk management program within an organisation, things still go wrong. They may be events that we have anticipated or they may be incidents that we have completely come out of the blue (unknown unknowns to quote Donald Rumsfeld).
What we need to make sure of when these incidents do happen is that we minimise the chances that they are going to happen again. In order to do this, an organisation should conduct a post event analysis.
During this analysis, we ask a series of questions:
• What happened?
• Why did it happen?
• Did we or could we have forecast that it was possible that it was going to happen?
• Could we have done anything to prevent that event?
• Did we deal with the incident in an appropriate manner?
• Is there anything we can do to prevent the incident occurring again in the future?
• If the event does occur again in the future, are there any strategies we can put in place to minimise the impacts? The conduct of the post event analysis will feed directly into the risk management process in that it may:
• Facilitate the identification of new risks
• Cause the organisation to review current controls for effectiveness
• Cause the organisation to review current treatment strategies for other closely related risks
• Facilitate the identification of new treatment strategies
If we do not undertake such an analysis, we run the very real risk that the same incident can occur again (and again). What we need to remember is that: today’s incident is yesterday’s and tomorrow’s risk.
To quote Warren Buffet; “What we learn from history is that people don’t learn from history”.