Why You Need to Link Incidents and Risks
Incident Management and Risk Management
Leading organizations use incident management software to capture and report incidents and adverse events. Incidents include near misses, as well as accidents that resulted in fatalities, injuries, illnesses or property damage. Some organizations also enable their employees to report incidents remotely and in the field through a mobile app.
Another characteristic of leading organizations is the use of risk management software to improve the process of identifying, assessing, mitigating and monitoring all risks throughout the enterprise. Risk software is more effective than spreadsheets to maintain and update a risk register that includes all risks and controls.
Four Types of Insights
There are benefits associated with incident management and risk management software, but there are even greater benefits when the dots are connected and incidents and risks are linked. Four types of valuable insights can be obtained through the connection, some of which are also highlighted in the Paladin article:
1) Incidents help to identify previously unknown risks. The Paladin article has this sentence that I really like: “An incident is a realized risk”. Each time an incident happens, you should check whether a corresponding risk was previously identified. If not, then the new risk should be analyzed and evaluated. If there are many similar incidents, it may indicate a trend pointing to a significant risk.
2) Incidents (in)validate the likelihood of a risk. As part of a risk assessment, you have determined the likelihood of an adverse event. Since an incident is a risk that has materialized, the number of incidents can help you verify if the likelihood you have established is still valid, or if it needs to be updated.
3) Incidents (in)validate the severity of a risk. As part of a risk assessment, you have also determined the severity of the impacts of an adverse event. The consequences of an incident corresponding to a specific risk can therefore help you verify if the severity level you have established is still valid, or if it needs to be updated in case it was overestimated or underestimated.
4) Incidents help to evaluate the effectiveness of controls. By far the most important benefit of linking incidents and risks is how it can help to evaluate the effectiveness of controls. If there are many adverse events of the same type associated to a specific risk, it may indicate that the control is not effective. The reverse is also true. For example, if 3-5 adverse events were expected per year for a specific risk, but “only” one occurred, it may indicate that the control is more effective than originally thought.
The four items above should not happen in isolation. For example, items #2, #3 and #4 will work together. The effectiveness of a control will be evaluated by taking into account any changes to the likelihood and severity of impacts of an adverse event. Changes to the residual risk may also help to evaluate the effectiveness of the control.
Finally, a big takeaway from the connection between incidents and risks is the need for a fully integrated EHS and Risk Management platform developed organically over the years through a common technology and software architecture. This ensures a seamless exchange of data between different applications and functions, including data on incidents, risks and controls.
Download Aberdeen’s “Optimizing Organizational Performance with Operational Risk Management” report to learn more about the process of achieving operational excellence and continuity with a standardized operational risk management program: