Too much risk management


Many people will agree that risk management is important. After we identify and assess a risk, it is treated appropriately and managed to an acceptable level. But is it possible to over-manage risk? Can the treatment become so onerous that people are encouraged to find workarounds, thus rendering the controls useless? And if so, why does it happen?

Following the bombings of two American embassies in Africa in 1998, new facilities were redesigned and built by “American construction companies with experience in building prisons and military barracks”. Many buildings were moved to less populated areas or to the outskirts of town.

As a result, many foreign diplomats were insulted at having to visit these prison-like facilities. What’s more, it became more difficult for the American officials to do their jobs, forcing them to devise “creative” solutions like meeting people in hotels (thus rendering the control useless).

Sometimes this happens when we assess a risk higher than it should be, but I think the recent events in Benghazi support the assertion that the risk to American diplomats was correctly assessed: high impact and high likelihood. If so, why overdo it with the controls?

First, I submit that nobody bothered to ask the diplomats what their requirements were and how these prison/embassies would affect their work and lifestyle. But even if that information was solicited and considered, it was likely ignored and usurped by the second reason, which the former ambassador to Yemen explains in the article: “Nobody wants to take responsibility in case something happens, so nobody is willing to have a debate over what is reasonable security and what is excessive.”

So despite best efforts to keep US officials safe, when one of them is blown up in a hotel, at least a State Department official will be able to explain to Anderson Cooper that they built these fortresses and it’s not our fault the ambassador did not want to use them.

