Reducing human error…
Risk events often have many contributing causes, a common one being ‘human error’. But what is human error and can it be adequately mitigated? Human error can be defined as being a ‘failure of a planned action to achieve a desired outcome’.
Actions can fail to achieve the desired outcome if the action itself is inadequate for the purpose for which it was designed; or the action can be adequate but the execution of the action can be deficient — either through unintentional or intentional behaviours of people.
There are therefore six possible outcomes in the combination of plan and human action:
1. An adequate plan that is intentionally followed will likely result in the avoidance of the risk event
2. An adequate plan that is unintentionally not followed will likely result in failure — a risk event caused by human error
3. An adequate plan that is intentionally not followed will likely result in failure — a risk event caused by malice
4. An inadequate plan that is intentionally followed will likely result in failure — a risk event caused by poor planning
5. & 6. An inadequate plan that is unintentionally or intentionally not followed has a higher likelihood of failure or success of meeting the ultimate objective.
In the case of the Piper Alpha disaster, personnel who followed the muster procedures found that they could not access the lifeboats from the accommodation block; the personnel who survived the disaster were those who (unintentionally or intentionally) chose to violate the muster rule and ‘step off’ the platform into the ocean. Therefore, an inadequate rule (plan) was violated and the ultimate objective (no fatalities) was individually achieved as these people avoided the risk event.
How does Protecht.ERM help with mitigation of Human Error?
Mitigating human error as a cause of a risk event therefore comes down to establishing controls that address the adequacy of plan design and establishing mechanisms to minimise unintentional and intentional behaviours. Protecht recognises that human error is a cause of errors in risk management and has developed tools and techniques within Protecht.ERM to mitigate this cause.
The implementation of role-based access control, coupled with role-specific launchpads, mitigates the risk of a user unintentionally or intentionally accessing data or areas of the system that they are not authorised to access.
The design of launchpads and forms is critical in ensuring that the desired outcome of the process (risk assessment, control assurance, compliance, incident notification and investigation, etc.) is achieved. Launchpads should be designed so that the User is provided easy to read and understandable information in graphical and tabular format, with appropriate call to action buttons in place to direct the User to relevant underlying data or data entry forms.
Data capture forms themselves need to be designed in such a way as to guide a user in an intuitive manner. This is where status buttons, configurable workflow rules and the recently released field specific conditional rules come into play.
Status buttons guide the user through the business process, with configurable buttons directing the user to, for example, submit an incident for investigation, advise a risk owner of a new control, or select an action item for closure.
Workflow rules can be triggered on one or more conditions being met in one or more fields within a form. Simple logic can be used to avoid unintentional and intentional errors, with notifications being sent to authorised reviewers or even back to the user who entered the data requesting that it be rectified.
Within the form itself, field specific conditional rules can be used to guide the user to only complete fields that are relevant to their task. Conditional rules can also be used to reduce the number and complexity of forms. As an example, rather than having:
- Multiple risk assessment forms for strategic, operational and project risks. A single form can be used with a condition set on ‘Risk Type’ that displays only the fields relevant to the risk type in question.
- Multiple incident report forms for WHS, compliance incident, risk incident, etc. Depending on the type of incident (breach, WHS, near miss, etc.) Protecht.ERM will determine what fields are displayed for data entry and make some of these fields mandatory for completion before the form can be saved and submitted for subsequent action.
Human error can be the cause of risk events. Protecht.ERM helps mitigate human error in data capture and analysis, enabling organisations to be confident that the risk information captured in the system is accurate and meaningful. If you are interested to know how and why more and more companies are using Protecht.ERM to manage their risk frameworks including their information security, please contact firstname.lastname@example.org.
Originally published at blog.protecht.com.au.