Once upon a time there were three little boys left unsupervised while on a field trip when one of them spotted a large crack in a window pane. So he tapped the glass once and nothing happened. Next, the second boy tried his luck and poked the glass as well. Tap tap tap. Again it did not break.
Now the third boy approached, looked around, saw that none of the teachers were watching and because his friends didn’t break the window he tapped lightly on the glass with his index finger. Nothing. So he poked harder. No change. Then again. Again. Another time. Ok again. Faster.
Finally the glass broke.
The funny thing is that I don’t believe the boys wanted to break the window. I submit all they wanted to do was tap repeatedly on the glass without the glass breaking. But if that’s the case how does anyone know when to stop tapping?
We use the process of risk management as a way to identify where all the cracked windows are in an organization. It also allows decision-makers to collectively decide what should be done (if anything, about these cracks). In some cases we replace the window pane immediately; we affix a warning sign; or assume anyone that sees the crack won’t touch it. But I think most people will just tap on the cracked window until it breaks and worry about it then.
Now risk management is not the panacea that will tell you when the window will break but you would be foolish if you knew about all your cracked windows and didn’t prepare for what might happen when one breaks.
“you would be foolish if you knew about all your cracked windows and didn’t prepare for what might happen when one breaks.”
Excellent point. No business is 100% perfect 100% of the time. Sooner or later something is gong to go awry. The question is do you notice the red flag in time and how do you respond to it. Do you tap, tap, tap until it breaks (and then you’ve got a real mess on your hands) or do you get proactive about it.