It’s a high-tech world full of high-tech solutions that give us comfort and peace of mind. We’ve got risk and quality management practices in place that free us up to charge ahead with business—but do we look back enough over our shoulders, or do we fall victim to complacency—like, “Hey don’t sweat it, if it hasn’t happened yet it’s not going to happen.”
According to Drew Zavatsky, a section manager for the Office of Risk Management in the Washington State Department of Enterprise Services in Olympia, Washington, complacency could be the greatest risk of all and the toughest to manage.
In the March 2012 issue of Risk Management Magazine (www.rmmag.com), Zavatsky notes that complacency can sneak into any corporate culture. A good example is the Deepwater Horizon disaster that, according to the President’s Commission on the Deepwater Horizon Oil Spill, “exhibits the costs of a culture of complacency . . . There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. . . . These findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”
But it’s natural for humans to be complacent; we like things the way they are. We don’t like to be wrong. We are adverse to change. We want to believe our decisions and preparations are good enough. We don’t want to be criticized for worrying, overthinking, or being critical. Complacency also results from assumptive thought, which is by definition taking a fact or statement for granted (like the Titanic was unsinkable).
Zavatsky defines complacency as a “new type of risk.”
Complacency is often the downside to consistent performance. When systems run well we become too comfortable with the daily routine and lose that edge of diligence as we move on to more obvious problems that are giving us fits.
It is often here where the real culprit appears, notes Zavatsky: the decision to forego a moment of insight. “These decisions seem to happen in just two ways—either by saying ‘I don’t care’ about known risks or by saying ‘I have done enough thinking’ about unknown risks,” he says. “This makes sense, because complacency comes from a place of self-satisfaction—where ‘I don’t know’ and ‘I don’t care’ run rampant.”
So what is the takeaway for risk managers, he asks?
For Zavatsky, dealing with complacency risk requires taking residual risk into account. According to the Federal Aviation Administration’s safety handbook, residual risk is the “portion of total risk that remains after management efforts have been employed” and “comprises acceptable risk and unidentified risk.”
“As a risk manager, it is not enough that I have used enterprise risk management to identify, prioritize, treat and monitor risks,” he continues. “I am also required to consider the residual risks after this process and analyze whether more needs to be done. The natural tendency to become complacent—‘I have done enough thinking’—is countered by asking, ‘Have I done enough thinking?’ and ‘Am I ignoring residual risk?’
Zavatsky believes the best way to neutralize complacency risk is maintaining a culture that embraces enterprise risk management at all levels, especially at the top. “At a minimum,” he says, “such an organization is much more responsive to risks and their treatments. It is very unlikely to hear an ERM-savvy CEO say, ‘I don’t care about these risks.”