When it comes to risk & compliance no one wants to be surprised. That’s why organizations put in place controls of various kinds to avoid them.
While surprises are not desirable and cannot always be avoided there is something that can be far worse which is not being surprised at all.
When something bad occurs it is not uncommon for someone to say,
“I am not surprised that this happened.”
Hearing this offers little comfort to those negatively impacted by the surprise.
But why?
When preventable incidents occur associated with safety, environmental, quality or regulatory objectives not acting when it was possible to do so is perhaps more concerning than the impact of inaction.
Finding out that something could have been done and wasn't is often an indication of a failure in duty of care, negligence, or simply not caring at all. It is no wonder that we might feel anything other than comfort after hearing that someone was not surprised.
To avoid the surprise of not being surprised organizations need to ensure that their risk management does more than just create a list of what might or could go wrong. They also need to act to create the outcomes that an organization wants and avoid the ones that it doesn't.