Risk Management: the Swiss cheese model
Can we use the Swiss cheese model utilized to analyze workplace accidents for the analysis of IT risks? Can we use this model as support for improvement actions?
Any risk analysis method has a single objective: to identify the causes that could trigger an unwanted situation in order to adopt suitable preventive actions.
This is common in any discipline, whether it be conducting a risk analysis within the Continuity Management process of an IT organization or in the analysis of risks to which an employee is exposed at his workplace.
In this article, we will discuss the Swiss cheese model, utilized to explain why a work-related accident occurs and consider how we can take advantage of the same idea in the world of IT Service Management.
The Swiss cheese model suggests that there is never a single cause that triggers a work-related accident, but rather that a variable number of situations always coincide , which, might not trigger the accident independently, but do trigger it if they occur at the same time.
For example, if an employee walks along the raised platform, falls and injures his head, we can identify two concurrent causes: that there was no guardrail and that he was not wearing a helmet. If either of the two had not been the case, then he would not have injured his head.
Therefore, if we want to improve for the future we should not look for a single cause and propose preventive actions regarding this cause, we must identify all concurrent circumstances and propose preventive actions for all of them. In this manner, even if one preventive action is not effective, the effectiveness of one of the others would be sufficient in order to prevent repetition of the accident.
It is interesting to mention that the 5-why method can be useful for the previous topic because even though it is intended to find the root cause, the intermediate causes can also be considered as concurrent causes. An attempt can be made to include them in the improvement actions , because the questions that we ask do not have to generate a lineal series: they can take the form of a tree, and hence a set of root causes would exist.
The reader who has gotten this far will be wondering what this has to do with IT Service Management, the usual topic of this blog. Okay then, now consider that the Swiss cheese model is used normally to analyze what causes workplace accidents, but it is a very generic and useful model.
I recommend that you keep this model in mind when:
- You conduct a risk analysis for Continuity Management or for Security Management.
- You are engaged in identifying opportunities for improvement for the CSI phase that ITIL proposes.
- You apply a proactive approach to Problem Management by searching for opportunities for improvement even before incidents occur.
José Luis Fernández Piñero