top of page
  • Zachary Collier

How is Risk Management like Swiss Cheese?

In previous blog posts, we have discussed risk management. Risk management involves making decisions about what measures to take to reduce the magnitude of risk for some system or process. Wearing a seat belt is an example of a risk management action one can take when driving.

Many times, one single risk management strategy is insufficient. Perhaps this is because the likelihood or severity of a risk scenario is so large that only one risk management strategy will not reduce the risks to an acceptable level. In these cases, it is common to simultaneously employ multiple risk management measures. So for example, with the example of driving, in addition to wearing your seat belt, other good risk management activities include mechanical safety features such as airbags, bumpers, etc., and operational considerations such as making sure that you are not speeding, ensuring that your car is in good working order, not driving when you are fatigued, etc.

The idea of implementing multiple lines of risk management is sometimes referred to as “defense in depth”. The logic behind this is that if one of the defenses fails, there will be other defenses still in place to stop an accident from occurring, or in the worst case, mitigating the impacts if the accident should happen.

However, even the best defenses are rarely 100% effective. James Reason describes how hazards can propagate through multiple defenses and cause an accident in his famous “Swiss cheese” model.(1) In the ideal case, a hazard is completely mitigated by the first line of defense, and never results in a loss. However, there may be what Reason calls “latent conditions” within the organization that cause holes in the defenses, like a slice of Swiss cheese. If there are multiple slices of Swiss cheese, it is probable that, even if a hazard passes through a hole in the first slice, it will be blocked by a subsequent slice. But if the right combination of latent conditions line up such that a hazard is able to penetrate every line of defense, then an accident can occur which can potentially cause significant losses. As Reason describes it, “The necessary condition for an organizational accident is the rare conjunction of a set of holes in successive defences, allowing hazards to come into damaging contact with people and assets”. (1)

Examples of latent conditions include inadequate training, poorly designed procedures, tools, equipment, poor maintenance, supervision, and so forth. These often go undetected or ignored in organizations for long periods of time, and result in enhancing either the probability or severity (or both) of an accident.

So what can the Swiss cheese model teach us about risk management?

One lesson is that risk management is an ongoing process. Simply implementing one or more safety measures is insufficient for good risk management. Processes can slowly be disregarded, tools and equipment can degrade, and supervisory controls can become lax. Latent conditions can begin to emerge within the organization, weakening defenses that can potentially contribute to an accident down the road.

Another lesson is that risk management needs to take a systems view of the problem. Risk management does not only have to do with some specific technical process, although it may be an important aspect. Good risk management also considers how humans are intertwined within a network of technology, other humans, the external environment, and the organizational culture. How these various factors interact and either strengthen or weaken your defenses is essential for good risk management.

Collier Research Systems has the expertise and experience in risk and decision making to guide you through the process of managing the risks facing your company. To learn more about how we can help you effectively navigate risk and uncertainty, visit


(1) James Reason (2002) Managing the Risks of Organizational Accidents. Aldershot, England: Ashgate.

bottom of page