
Risk events often have many contributing causes, a common one being ‘human error’. But what is human error, and can it be adequately mitigated? Human error can be defined as ‘the failure of a planned action to achieve a desired outcome’.
A planned action can fail to achieve the desired outcome in two ways: the plan itself can be inadequate for the purpose for which it was designed, or the plan can be adequate but its execution deficient, through either unintentional or intentional behaviour of the people carrying it out.
Combining the two states of the plan (adequate or inadequate) with the three ways it can be executed (followed as intended, deviated from unintentionally, or deviated from intentionally) therefore gives six possible combinations of plan and human action, and the outcome depends on which one occurs.
In the case of the Piper Alpha disaster, personnel who followed the muster procedure found that they could not reach the lifeboats from the accommodation block. Those who survived were the people who, whether unintentionally or intentionally, violated the muster rule and ‘stepped off’ the platform into the ocean. An inadequate rule (the plan) was violated, and the ultimate objective (no fatalities) was achieved for those individuals because they avoided the risk event.
Mitigating human error as a cause of risk events therefore comes down to two things: controls that address the adequacy of the plan’s design, and mechanisms that minimise unintentional and intentional deviation from it. Protecht recognises that human error is also a cause of errors in risk management itself, and has built tools and techniques into Protecht.ERM to mitigate it.
Role-based access control, coupled with role-specific launchpads, mitigates the risk of a user unintentionally or intentionally accessing data or areas of the system that they are not authorised to use. The important point is that the launchpad only narrows what a user sees; the access check itself has to be enforced on every request, whatever the launchpad offered.
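The following is an added example, not Protecht.ERM code, showing the pattern the paragraph describes: roles map to permissions, the user’s launchpad is derived from exactly the permission set the server enforces, and anything not explicitly granted is denied. The role names, permissions and launchpad buttons are hypothetical GRC-style examples chosen for illustration.

```python
"""Deny-by-default role-based access control with role-specific launchpads.

Added illustration; the roles, permissions and button labels below are
constructed for the example and are not Protecht.ERM configuration.
"""
from dataclasses import dataclass

# Hypothetical role -> permission mapping. A permission is a (module, action) pair.
ROLE_PERMISSIONS = {
    "incident_reporter": {("incident", "create"), ("incident", "read_own")},
    "incident_investigator": {("incident", "read"), ("incident", "investigate"),
                              ("incident", "close")},
    "risk_owner": {("risk", "read"), ("risk", "assess"), ("control", "read")},
}

# Launchpad buttons, each tied to the permission it requires. Order is the
# display order on the launchpad.
LAUNCHPAD_BUTTONS = [
    ("Report an incident", ("incident", "create")),
    ("Investigate incidents", ("incident", "investigate")),
    ("Assess my risks", ("risk", "assess")),
    ("Review controls", ("control", "read")),
]


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def permissions_for(user):
    """Union of the permissions of every role the user holds.

    A role that is not in ROLE_PERMISSIONS contributes nothing, so a
    mistyped or retired role name silently grants no access.
    """
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorised(user, module, action):
    """Deny by default: only an explicit (module, action) grant returns True."""
    return (module, action) in permissions_for(user)


def launchpad_for(user):
    """Buttons to show this user, derived from the same permission set the
    server enforces, so the UI never advertises an action the backend refuses."""
    perms = permissions_for(user)
    return [label for label, perm in LAUNCHPAD_BUTTONS if perm in perms]


def handle_request(user, module, action):
    """Server-side check that runs on every request, regardless of what the
    launchpad displayed (a user can always craft a request by hand)."""
    if not is_authorised(user, module, action):
        return {"status": 403, "reason": f"{user.name} lacks {module}:{action}"}
    return {"status": 200, "reason": "ok"}


if __name__ == "__main__":
    alice = User("alice", frozenset({"incident_reporter"}))
    print(launchpad_for(alice))
    print(handle_request(alice, "incident", "investigate"))
```

Note that `launchpad_for` and `handle_request` consult the same `permissions_for` result; if the UI had its own list of who sees what, the two would drift apart and the launchpad would eventually either hide an allowed action or, worse, advertise a denied one.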
The design of launchpads and forms is critical to ensuring that the desired outcome of the process (risk assessment, control assurance, compliance, incident notification and investigation, and so on) is achieved. Launchpads should present the user with easy-to-read, understandable information in graphical and tabular form, with appropriate call-to-action buttons directing the user to the relevant underlying data or data-entry forms.
Data-capture forms themselves need to be designed to guide the user intuitively. This is where status buttons, configurable workflow rules and the recently released field-specific conditional rules come into play. To see this in action, watch the video on Conditional Fields and Rules.
Status buttons guide the user through the business process, with configurable buttons directing the user to, for example, submit an incident for investigation, advise a risk owner of a new control, or select an action item for closure.
Workflow rules are triggered when one or more conditions are met in one or more fields within a form. Simple logic can catch unintentional and intentional errors, with notifications sent to authorised reviewers, or back to the user who entered the data requesting that it be rectified.
Within the form itself, field-specific conditional rules guide the user to complete only the fields relevant to their task. Conditional rules can also reduce the number and complexity of forms. As an example, rather than having:
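The three mechanisms described above (conditional fields, validation that sends the form back to its author, and workflow rules that route a valid submission to reviewers) can be shown together on one small incident form. This is an added example written for this page, not Protecht.ERM configuration: the field names, categories, rule conditions and notification targets are all assumptions chosen to illustrate the pattern.

```python
"""A constructed incident form with conditional-field rules, validation that
returns the form to its author, and workflow rules that route a valid
submission. Added example; schema and rules are hypothetical, not Protecht's.
"""

ALWAYS = lambda f: True

# Constructed form schema. "visible_if" hides a field unless the predicate
# holds; "required_if" makes it mandatory when the predicate holds.
FORM_FIELDS = {
    "title":    {"required_if": ALWAYS},
    "category": {"required_if": ALWAYS, "options": {"Security", "Safety", "Financial"}},
    # Only a Security incident asks whether data was affected ...
    "data_affected": {"visible_if": lambda f: f.get("category") == "Security",
                      "required_if": lambda f: f.get("category") == "Security",
                      "options": {"Yes", "No", "Unknown"}},
    # ... and only a Safety incident asks about injury, so one form replaces two.
    "injury":   {"visible_if": lambda f: f.get("category") == "Safety",
                 "required_if": lambda f: f.get("category") == "Safety"},
    "severity": {"required_if": ALWAYS, "options": {"Low", "Medium", "High"}},
}

# Workflow rules, evaluated in order on a valid submission: (condition, target).
WORKFLOW_RULES = [
    (lambda f: f["severity"] == "High", "incident-investigators"),
    (lambda f: f["category"] == "Security" and f.get("data_affected") == "Yes", "ciso"),
    (ALWAYS, "incident-coordinator"),
]


def visible_fields(values):
    """Fields the form should display given the values entered so far."""
    return [name for name, meta in FORM_FIELDS.items()
            if meta.get("visible_if", ALWAYS)(values)]


def validate(values):
    """Return a list of problems; an empty list means the form may be submitted.

    A value supplied for a hidden field is rejected rather than ignored: the
    UI would never collect it, so its presence means the submission did not
    come through the form as designed.
    """
    problems = []
    shown = set(visible_fields(values))
    for name, meta in FORM_FIELDS.items():
        value = values.get(name)
        if name not in shown:
            if value not in (None, ""):
                problems.append(f"{name}: not applicable for category {values.get('category')!r}")
            continue
        if meta.get("required_if", lambda f: False)(values) and value in (None, ""):
            problems.append(f"{name}: required")
        elif "options" in meta and value not in (None, "") and value not in meta["options"]:
            problems.append(f"{name}: {value!r} is not one of {sorted(meta['options'])}")
    return problems


def submit(values, submitted_by):
    """Validate, then either return the form to its author or route it."""
    problems = validate(values)
    if problems:
        return {"status": "returned", "notify": [submitted_by], "problems": problems}
    targets = [target for cond, target in WORKFLOW_RULES if cond(values)]
    return {"status": "submitted", "notify": targets, "problems": []}


if __name__ == "__main__":
    print(submit({"title": "Laptop lost", "category": "Security",
                  "data_affected": "Yes", "severity": "High"}, "alice"))
    print(submit({"title": "Laptop lost", "category": "Security",
                  "severity": "High"}, "alice"))
```

The visibility predicates and the validation share one schema, so the server re-derives which fields applied from the submitted values instead of trusting the client, and the same rule that hid `injury` on a Security incident is the one that rejects a stray `injury` value if someone posts it anyway.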
Human error can be the cause of risk events. Protecht.ERM helps mitigate human error in data capture and analysis, enabling organisations to be confident that the risk information captured in the system is accurate and meaningful. If you would like to know how and why more and more companies are using Protecht.ERM to manage their risk frameworks, including information security, please contact info@protechtgroup.com.
Alf has established a number of risk management frameworks in financial services, real estate and property development, mining and exploration, and heavy engineering sectors. A Certified Compliance Professional, Alf has an impressive collection of qualifications, including a BSc in Pure Mathematics and Theoretical Physics, a Graduate Diploma in Commercial Bank Management and an MBA in general management. He is also a member of the Global Association of Risk Professionals, past President of the GRC Institute and past member of for-profit and not-for-profit organisations.