Leading organizations use incident management software to capture and report incidents and adverse events. Incidents include near misses, as well as accidents resulting in fatalities, injuries, illnesses or property damage. Some organizations also allow their employees to report incidents remotely and in the field via a mobile application.
Another characteristic of leading organizations is the use of risk management software to improve the process of identifying, assessing, mitigating and monitoring all risks across the enterprise. Risk software is more effective than spreadsheets in maintaining and updating a risk register that includes all risks and controls.
There are benefits associated with incident management and risk management software, but there are even greater benefits when you connect the dots and link incidents and risks. Four types of valuable insights can be gained through this connection, some of which are also highlighted in Paladin’s article:
1) Incidents help to identify previously unknown risks.
Paladin’s article has a phrase that I really like: “An incident is a real risk”. Whenever an incident occurs, you should check whether the corresponding risk has been previously identified. If not, then the new risk must be analyzed and evaluated. If there are many similar incidents, it may indicate a trend that points to a significant risk.
2) Incidents (in)validate the probability of a risk.
As part of a risk assessment, you have determined the likelihood of an adverse event. Since an incident is a risk that has materialized, the number of incidents can help you verify if the probability you have established is still valid, or if it needs to be updated.
3) Incidents (in)validate the severity of a risk.
As part of a risk assessment, the severity of the impacts of an adverse event has also been determined. Therefore, the consequences of an incident corresponding to a specific risk can help you verify whether the severity level you have set is still valid, or whether it needs to be updated in case it has been overestimated or underestimated.
4) Incidents help to evaluate the effectiveness of controls.
By far the most important benefit of linking incidents and risks is how it can help assess the effectiveness of controls. If there are many adverse events of the same type associated with a specific risk, it may indicate that the control is not effective. The opposite is also true. For example, if 3 to 5 adverse events per year were expected for a specific risk, but “only” one occurred, it could indicate that the control is more effective than originally thought.
The above four points should not occur in isolation. For example, items #2, #3 and #4 will work together. The effectiveness of a control will be evaluated taking into account any changes in the likelihood and severity of the impacts of an adverse event. Changes in residual risk can also help assess the effectiveness of a control.
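The four checks above can be run together once incidents carry a link to a risk register entry. The following is an added example, not code from this article or from any product it mentions; the risk IDs, the expected yearly ranges, the 1-5 severity scale and the finding names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed risk register: expected incidents per year (low, high) and
# assessed severity on an assumed 1-5 scale.
REGISTER = {
    "R-01": {"expected": (3, 5), "severity": 3},
    "R-02": {"expected": (0, 1), "severity": 4},
    "R-03": {"expected": (1, 2), "severity": 4},
}

# Constructed incidents for one year: (linked risk id or None, observed severity).
INCIDENTS = [
    ("R-01", 2), ("R-02", 4), ("R-02", 5), ("R-02", 3),
    ("R-03", 2), (None, 3), ("R-99", 1),
]

def review(register, incidents):
    """Return (risk_id, finding, value) tuples that call for a reassessment."""
    by_risk = defaultdict(list)
    for risk_id, severity in incidents:
        # Incidents pointing at no risk, or at an id missing from the register,
        # are grouped under None.
        by_risk[risk_id if risk_id in register else None].append(severity)

    findings = []
    unlinked = by_risk.pop(None, [])
    if unlinked:  # point 1: a risk that was never identified
        findings.append((None, "unregistered_risk", len(unlinked)))

    for risk_id, risk in register.items():
        observed = by_risk.get(risk_id, [])
        low, high = risk["expected"]
        count = len(observed)
        # Points 2 and 4: a count outside the expected range questions the
        # assessed likelihood and the effectiveness of the control.
        if count > high:
            findings.append((risk_id, "more_than_expected", count))
        elif count < low:
            findings.append((risk_id, "fewer_than_expected", count))
        # Point 3: compare the worst observed outcome with the assessed severity.
        if observed:
            worst = max(observed)
            if worst > risk["severity"]:
                findings.append((risk_id, "severity_underestimated", worst))
            elif worst < risk["severity"]:
                findings.append((risk_id, "severity_overestimated", worst))
    return findings

if __name__ == "__main__":
    for finding in review(REGISTER, INCIDENTS):
        print(finding)
```

Each finding is a prompt for a reassessment, not a verdict: a single year of incidents is a small sample, so the flagged risks still need the combined review of likelihood, severity and controls described above.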