In organizations there are sometimes unforeseen and unwanted situations that occur without visible consequences. For example, an invoice has an incorrect total, but it is detected before it is issued; a virus is intercepted within the extranet before it is able to compromise any devices; a server sometimes has performance drops but never crashes; when it rains, the floor of the server room is wet, but it does not cause any serious damage. These are cases where the organization does not worry until the consequences become obvious.
This attitude of trusting in good fortune is wrong. All abnormal events without consequences are signs of potential vulnerabilities. The right attitude is to understand the causes and act accordingly. All potential incidents (i.e., unwanted or unforeseen events) are classified as near-miss incidents and should not be considered as a fluke due to the absence of consequences. They are signs that something in planning, procedures or processes is not working in the expected way.
The fact that an anomalous event occurs in itself should not be considered worrying. In planning, sometimes situations considered to have a very low probability and insignificant impact are not considered. This behavior is not wrong if there are more urgent design constraints to be satisfied. Instead, it is wrong to ignore the signs of the probability when probability is changing. Near miss incidents are signals that something has changed in the risk scenario and the concern must be to understand the causes of the near-miss incident.
The near-miss incidents to be considered are not only those with truly significant expected impact. Even weak signals can hold unpleasant surprises. We must consider these signals as if they were risk indicators. The best practice is to identify categories of reports of anomalies that have occurred and proceed with a risk analysis to identify vulnerabilities that locally might be insignificant but could lead to identifying relevant risk or opportunities for improvement when viewed holistically. The vulnerabilities related to near-miss incidents represent a flaw on some layer of defense, and the indicator allows us to give ourselves time to perform root cause analysis, identify solutions and improve the protection system.
Organizations should not overlook weak signals coming from business processes because they could hide dangerous weak spots in the processes themselves that must be analyzed and treated.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Using Near Miss Incidents as Risk Indicators,” ISACA Journal, volume 4, 2023.