Swiss Cheese Theory


I love Swiss cheese. And I’m not talking about the dairy comestible. In my view, there are better cheeses out there – but few better risk management concepts. Swiss-cheese theory is a beautifully elegant way of illustrating the idea that before any risk can manifest, multiple barriers must be breached. This applies both to negative and positive risks although, in the case of opportunities, one might like to rephrase it that multiple enablers must all line up. The best way to explain Swiss-cheese theory is with a picture.


Figure 1: Swiss Cheese Theory By way of example, the 2009 bushfires in Victoria, Australia, which claimed 173 lives and injured 414 people, were a classic Swiss cheese scenario that had been building for many years. To highlight but a few pre-conditions to these sad statistics:

  • The Australian population had been moving increasingly to rural areas in search of lifestyle benefits for at least a decade.

  • Building codes which allowed people to move into high risk bushfire areas, didn’t (at the time) require a ‘bushfire attack assessment’ and were based on fire temperatures of 730 degrees Celsius although bushfires can peak at approximately 1,330 degrees.

  • Victoria had experienced a decade of drought conditions. Combined with forest management practices, which focused on environmental habitat protection at the expense of controlled burns to reduce fuel loads, created ideal pre-conditions for fire.

  • Unique weather conditions in February 2009 condition for the loss of life. The Forest Fire Danger Index (FFDI) based on rainfall, evaporation, wind speed, temperature and humidity considers a rating between 12 and 25 as a "high" degree of danger. Any day having a danger rating of over 50 is considered an "Extreme" fire danger day. The FFDI on Black Saturday, 7th of February, 2009, reached 180, the worst fire conditions ever recorded.

Changes to any one of the above factors wouldn’t necessarily have stopped the fires, but could without question have significantly reduced the death toll. Of course, there are many more factors and the above illustration is simplistic in the extreme but like 'Black Swans' they were immediately apparent in the post-event coronial inquiries.

The Basic Idea Behind Swiss Cheese The Swiss-cheese model was initially developed by James Reason to illustrate how analysis of major accidents and catastrophes tended to reveal multiple, smaller failures that allowed a hazard to manifest as a risk. Although looking primarily at safety risks, his research also indicated that human error was consistently the largest contributor to risk management failures. It is reasonable to say that human competence or accuracy is equally behind the vast majority of successes. In Reason’s model, each slice of cheese represents a barrier, any one of which is sufficient to prevent a hazard turning into consequences. Swiss-cheese theory works on the assumption that no single barrier is foolproof. They all have failings or ‘holes’ and when the holes are allowed to align, a risk event can manifest as negative consequences. The interdependent nature and benefits of redundant layers of mitigations associated with the protection-in-depth principle is illustrated by the Swiss-cheese. In my experience with risk management and incident investigation, I have yet to see a serious incident which didn’t require half a dozen or more pre-conditions to all align. Some of these were pre-event and some post event but in every case, any one of a number of barriers could, if it had been effective, have either reduced the magnitude of consequences, or in many cases, have completely prevented the incident. It doesn’t take a big leap of faith to understand that opportunity realization works in similar ways. For a major project to succeed, any number of steps and pre-conditions have to line up. Remove funding, planning, competent staff, executive management support and invariably, you will see an adverse impact on the project outcomes. Swiss cheese theory may look like a simple illustrative tool but it has profound implications for the way that we manage risk. In terms of preventing losses, it's linked to the fundamental idea of protection-in-depth. What this means for us as risk managers, is that when we build risk mitigation plans, the multiple layers of treatments need to integrate and support each other. It’s a near certainty that on a long enough timeline, every risk treatment will fail or leave vulnerabilities. The trick is to make sure that they don't all fail concurrently. Equally, every opportunity realization project needs to have mutually supporting enablers that build on each other, assuming (not unreasonably) that at some point each will require the support of another project element. Swiss cheese… the best thing since sliced bread!

#Risk