Fire brigades are important, but only fools fail to focus on prevention. Fire prevention is a well-established science, though the tragedy of the Grenfell Tower fire illustrates yet again that humans regularly err. The tower block had been reclad with inflammable insulation, a good intention disastrously delivered.
Why? It is not lack of knowledge about how to prevent bad outcomes such as factory fires and frauds. Risk managers are skilled at preventing past crises from recurring, at least at the level of consequences. Our analysis of FTSE 100 reporting on principal risks shows that companies give prominence to risks that have derailed them and their peers in the past: food contamination in the food and retail sector; child labour in manufacturing and retail; cyber-risks everywhere.
Unfortunately, inadequate learning from incidents ranging from big tragedies to minor hiccups has kept risk managers from dealing with root causes. This is a lost opportunity because if you deal with root causes you can prevent consequences you have not even imagined.
Hypothetical example
Let us dissect a hypothetical example built from our library of real failures. A company announces that its profits have been overstated by £500m. The board is stunned as its reputation, and the company’s, are shredded. Shareholders are furious as the share price plunges. The board commissions an inquiry. The answer emerges: “The accounts team overstated receivables.” The “perpetrators” are sacked, and the board issues new guidance for the accounts team: in a nutshell, don’t overstate receivables.
In 1990, the pilot of a BAC One-Eleven (jet airliner) was almost sucked out of the cockpit when a newly replaced windshield broke away as the jet climbed 17,000 feet. The co-pilot landed the aircraft with his pilot hanging out of the hole where the windshield should have been, holding on with his knees and, after he lost consciousness, held by relays of cabin crew hanging onto his ankles. The pilot survived.
The official investigation by the Air Accidents Investigation Branch found that the senior mechanic who had replaced the windscreen, thought by his employers and peers to be “exemplary”, had used the wrong bolts.
Before the 1980s, the investigation would not have gone much deeper. Inquiries regularly blamed air accidents on “pilot error” or “mechanic error”. But Stanley Roscoe, the leading aviation psychologist of the day, pointed out that this was “the substitution of one mystery for another”. He spurred aviation investigators to do better. As a result of this, and a deliberate move from a culture of “blame” to a culture designed to facilitate learning from mistakes and near-misses, we now enjoy an extraordinarily high level of flight safety.
Delusion of safety
Every two-year-old understands air investigators’ tool of choice: to ask the question “Why?”, persistently and fearlessly.
Why did the windshield fail? Because the bolts were too small. The mechanic had selected the bolts by eye rather than consult the manual. He was overtired and had a habit, normalised over years, of working around creaky official procedures.
This happened because mechanics at this site routinely worked around official feedback systems, as they thought them ineffective. And the mistake was not picked up by an inspection because the system did not check work of this kind independently by senior mechanics.
Learning of only occasional mishaps, supervisors strongly, but wrongly, believed that the lack of reported incidents and near-misses was evidence of a good system that worked. In reality, luck and supervisor ignorance had created the delusion of safety, causing complacency and leaving multiple system weaknesses unrecognised.
This is a common pattern: multiple causes of failure with normalised systemic roots, to which leaders are blind.
Most people are psychologically programmed to attribute success to skill and failure to bad luck. In truth, most success involves luck, which readily masks what can become long-standing systemic weaknesses. We regularly fail to investigate the role of luck in apparent success, or its reality. Leaders are shocked when luck takes a holiday and a painful crisis sees them held responsible for years of complacency, during which systemic weaknesses—of which subordinates had long been aware—had incubated.
Toppling towering titans
So why did the accounts team overstate profits? They thought the CEO wanted to maintain steady profit growth because they believed his self-esteem and bonus depended on it; and he did not welcome bad news.
Why did this come about? The board didn’t understand the possible consequences of their chosen KPIs and bonus design or of the CEO’s character. They lacked sufficient people skills to see the questions, let alone to challenge advice from their remuneration consultants.
As for the CEO, he did not understand how his subordinates might interpret his behaviour patterns.
A deeper cause was the nomination committee. They understood the need for diversity of gender, race and disability, but beyond that, they subliminally sought “people like us” who would help the board run smoothly. They saw people with different skills and experience—people with honed critical faculties and the strength of character to challenge—as a threat to board orderliness, rather than critical to the company’s long-term success.
They also overlooked the crucial role of people in all core functions and so missed their need for a board member with strength in fields they scorned or feared, such as sociology and psychology.
Nor did the board realise that if stakeholders judged them, through the lens of a crisis, to be dysfunctional, incompetent or amoral, the company would lose its reputation, taking its leaders with it. This is a reputational risk that topples towering titans.
Risk registers
Few, if any, risk registers include risks such as these. Most risk managers lack the skill, let alone authority, to look for them. I have yet to see reports of board evaluations designed to find them at board level. As a result, deep systemic risks to reputation and corporate longevity are unrecognised, unmanaged and at large, ready to emerge when luck runs out.
The Financial Reporting Council (FRC) learned much from the banking crisis. That is one reason why it now recommends that reputational risks, and behavioural and organisational risks that underlie them, should be identified and managed. And FRC-regulated companies are expected to report lucidly on any such risks that are, or underlie, principal risks. Reporting them is no sign of weakness but a strength that will appeal to intelligent investors.
I look forward to reading an annual report where the chairman praises his charismatic, self-confident CEO: a lady, perhaps, who has demonstrated her competence and humility by welcoming personal criticism from subordinates and by sharing the lessons she has learned and applied from a deep deconstruction of a recent personal “near-miss”.
Naturally she has a well-practised crisis plan. But she is less likely to need it than her more complacent brethren.
Anthony Fitzsimmons is chairman of Reputability LLP, specialists in reputational, behavioural and organisational risk. Anthony is co-author, with the late Professor Derek Atkins, of the book “Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You”, published in January 2017.