Years ago, I watched a presentation by Dan McGinn in which he explained that the public is willing to forgive an organization when it experiences a tragedy. But at the same time, the organization should expect three questions:
- Did you consider that this might happen?
- Did you have a strategy in place to help prevent it?
- Did you invest the resources to make sure the strategy worked and continued to work?
I’ve never found a better description of what is needed and what is missing. For example, rather than being satisfied with existing solutions, organizations must continue to understand that threats are driven by humans and continue to evolve. We need problem seeking as much as we need problem solving.
Likewise, organizations need to be interested in progressing to the next standard of care or benchmark, rather than accepting what is comfortable. Robert Browning’s statement that “a man’s reach should exceed his grasp” is equally true for organizations.
Finally, organizations rarely measure when it comes to safety and security. The most forward-thinking organizations do this, using a safety scorecard to track those things from the business of safety, that we believe shape, or will shape, the culture of safety. Measure what matters!