Human factors in risk management

The clear relevance of human factors for risk management is not questioned by international experts. ISO 31000 provides a comprehensive risk management guideline for organizations, to which other standards of the ISO family refer in the context of "risk". The human factors are anchored at key points; more detailed specifications have given way to generic approaches. However, there still seems to be a long way to go from theory to practice, although a wide variety of approaches do exist in the organizational context.

Vision of people in resilient systems
The quest for resilient organizations is on everyone's lips these days, and yet we are still a long way from an ideal implementation in everyday business life. Organizations and systems should be designed in such a way that they are able to deal with existing human weaknesses and possible human errors and to absorb them appropriately.

Time and again, conflicts of objectives between economic efficiency and safety requirements lead to reduced implementation of measures, contrary to risk assessment or even regulatory and standard requirements. A typical example is the ALARP concept "As low as reasonably possible", in which the management is only too happy to judge critical risks as acceptable. Signs of technical, human or even organisational failure are not recognised or not dealt with in a targeted manner.

If people are injured as a result, with potentially fatal consequences, or if the environment is massively damaged, the general public's call for new regulations becomes louder in the short term. Depending on the circumstances, courts and authorities hold responsible parties accountable for omissions and negligence. It is usually only in crisis situations that there is acute concern about the fatal consequences.

People influence organizations
An organization develops as a system based on the division of labor with formal and informal rules. People work together in a planned and goal-oriented manner. Forms of coordination structured into processes are constantly evolving.

Organizations are formed in socio-technical structures, have a specific purpose and distinguish themselves from their environment. In the system depicted, a variety of sources of potential risks of human origin become visible. The organizational context, which is also culturally shaped, forms the framework for action in which the most diverse actors of the sub-areas interact.

If one thinks through a consistent risk management based on the aspects mentioned, the complex variability and the associated uncertainty in the description of our reality becomes very clear. Few people today use the potential contained therein.

People act differently
When performing tasks, people interact in an individually motivated manner, according to the rules of a group relevant to them and, at best, according to the ideas of their organization. People use opportunities and avoid dangers, just as they represent a quel- le of these risk potentials.

If the individual abilities and individual goals are largely in harmony with the organisational goals, it can be expected that all participants will optimally use the available potential to achieve the goals. If, in addition, all the chosen options for action are in line with the direction of the organisation's goals, stable and predictable decisions and activities can be expected.

Dealing with unexpected situations, in particular, presents the participants with major challenges time and again. Particularly in these situations, specific perceptions, motivations, behaviors or even the abilities of key persons and/or sub-groups can jeopardize the achievement of objectives through misguided decisions and actions.

Therefore, High Reliability Organi-zations (HRO's) have developed toolkits that enable them as an organization to better cope with unforeseen events. They act according to the following principles:

• Sensitivity for operational processes (recognition of weak signals)
• Attention to deviations (error culture and not looking for culprits)
• Striving for flexibility (lifelong learning, continuous improvement)
• Respect for professional knowledge and skills (transparency)
• Aversion to simplistic interpretation (diversity)

The interaction of these factors creates a "collective state of alertness that enables an organization to recognize crises and disruptive events earlier and to deal with them more purposefully" (Weick & Sutcliffe, "Managing the Unexpected", 2007).

People learn by making mistakes
People who carry out leadership or other activities make mistakes and act unsafely. It is now the task of the organization striving for resilience to take this possible misconduct into account and to incorporate it into the identification, analysis and evaluation of opportunities and threats. Only those who systematically take variable human behaviour into account can achieve implementation of effective measures in risk management.

People do not always act right
With structured reflection, mistakes made by individuals or teams, as well as any deviations from the set goals of the organization, offer great learning opportunities, the benefits of which can unfold in a cultural environment of freedom from fear, open communication and willingness to change.

In organisations that are willing to learn, reporting systems such as Critical Incidents Reporting Systems (CIRS) are used for incidents/accidents that have occurred, near incidents and deviations, as well as identified potential for improvement. The knowledge gained about specific cause-effect relationships makes it easier for these organizations to initiate systematic improvements and suitable human factor training.

People evaluate risks
People play a key role in risk management, because only they are able to classify dangers and opportunities, and thus to identify potential risks and implement adequate measures, but they also tend to reduce complex issues and interrelationships to simplified models.

When we talk about risks, we usually have images of danger, hardship, damage or loss in the back of our minds. Existing biases and fears intrude on qualitative risk assessments and can dilute them "without a clear basis". The second side of the risk is often associated with pro-

"Human factors were cited as the cause of accidents in more than 70 % of cases in aviation, 66 % in aerospace, and 52 % in nuclear power" (Giesa & Timpe, 2000)."

active use of potential opportunities in the assessments of future development are often not recorded and treated with equal value in the risk assessments. So much of the organization's knowledge goes unnoticed.

A structured risk management process provides a remedy. Once it has been fundamentally clarified that risk is the effect of uncertainty on set goals, the associated activities, operations and boundary conditions can be specifically included. In the individual analytical sub-steps, the factors influencing the achievement of objectives are compiled with regard to risks and opportunities and evaluated in context.

Admittedly, this is a challenging task, which requires the comprehensive knowledge and experience of all players, as well as suitable tools. This should not prevent us from taking a fundamental step towards describing the risk situation of our organization by:

• Establish a consensus of goals for the organization as a framework for action and a basis for risk assessment and coping strategies.
• Consider human factors from a socio-technical approach and take them into account in the risk management process with the experience knowledge of the organization.

Responsible management analyses the systemic conditions and steers the organisation with a view to minimising risks and increasing opportunities. The objectives and framework conditions are set out in the strategy and corporate governance. The implementation of the activities to achieve the objectives is the responsibility of the top management and the hierarchical management levels. It must be taken into account that activities are carried out by all the people involved. Therefore, human factors must always be taken into account in strategic and operational risk management.