Critical Risks - Identification is only half of it
The identification and management of cricital risks or material unwanted events (MUEs) is arguably the most important task for every leader. The process should be well planned, appropriately resourced and ongoing with a continuous feedback loop.
Identified controls should be specific to the MUE and the performance of the control should be measurable. If controls have been identified correctly, it should be a simple task to capture them within a 'traffic light' framework.
We would argue that the performance of critical controls should be presented with the same frequency and importance afforded to frequency rates and should be incorporated into every executive dashboard.
The absence of incidents or accidents should not be taken as evidence that controls are adequate. It is important to continue the cycle of reviewing and improving critical controls to ensure that the organisations greatest risks are mitigated effectively.
So what happens if a critical control fails? If it is a finding identified within your ongoing review and verification process (well done you) then rectify accordingly.
If however, the failure is identified as a result of an injury or incident, you'll need to review the design of the failed critical control. It is also important to review the site incident investigation process itself to ensure that it includes the identification of critical controls, understanding their performance status at the time of the MUE and the causation related to the failure. This information will then feed back into the continuous improvement loop.
The mitigation of MUEs can be time consuming and repetitive. What is important is that you are protecting what the organisation values most. This process should be given the time, resources and priority that it deserves.