Living inside the capital beltway, you meet all kinds of people that have jobs that just don’t have any equivalency anywhere else: like the lady I talked to last week who provides advice on safety issues associated with the modernisation program for the nation’s nuclear weapons stockpile. I mentioned to her a recent GAO report about how the Navy is using risk management to support its strategic basing decisions for aircraft carriers, and I said it was welcome news to see the federal government starting to use risk management strategically. So we started talking about risk management for her program, and I asked her what the primary KPI, key performance indicator, was for nuclear weapons modernisation. She said it was the number of incidents. Right then I knew we were going to have a disagreement on risk management.
You see, she was approaching risk management from a safety and security standpoint. That’s not helpful strategically, since if the number of incidents is the KPI, then the most effective way to achieve that KPI is to stop modernisation. I suggested to her that the real KPI would be something that represented the time it took to achieve some milestone in modernisation — it could be the time until the first new warhead was produced, or the time until the old stockpile was retired, or something in between that reflected the time to value of modernisation. She was aghast that I of all people, a retired nuclear submariner, would not put safety or security first!
But — here’s the problem — if safety and security are first, then your business goals are secondary and potentially will never be reached. So I explained that her suggested KPI was really a KRI, key risk indicator. As illustrated in the Gartner Business Risk Model, to determine an acceptable risk threshold, the KRI needs to be compared to the key performance indicator. Over the thirty-year period of modernisation, what are the number and severity of incidents that can be effectively managed — what’s the acceptable risk index? As a nuclear weapons professional in my past life, I can tell you it is not zero.
It’s really tough for safety and security professionals to think this way — zero tolerance is a much cleaner concept. Anything short of zero tolerance implies that the safety and security people are not on the ball. But by not addressing the real risks, and the analysis of those risks on performance, it’s impossible to determine which are the most significant risks to monitor. And thus a zero tolerance mentality increases uncertainty in the achievement of business objectives, rather than decreasing it — in other words, zero tolerance sets you up for a major incident.
The author is a Vice President and Gartner Fellow in Gartner Research.
For more blogs by French Caldwell, log on to http://blogs.gartner.com/
Updated Date: Nov 16, 2012 13:28:30 IST