Weick and Sutcliffe describe high reliability organizations as those enterprises and organizations that have learned to adapt to dangerous and hostile environments, where many more things can go wrong than in “normal” environments, and where things that do go wrong tend to go wrong in a much worse way, up to and including people dying. In an organization where the chances of mistakes and problems occurring are higher than usual, you would expect more things to “break” more often. And when things breaking brings worse-than-average consequences, possibly disastrous ones, then you would expect really bad things to happen.
But HRO researchers have found that things work differently in these organizations from what might be expected. HROs often exhibit fewer problems, with less severe consequences, than the average organization. Why would that be? Well, it makes sense if you think about it. An organization that operates in a low-risk, low-impact environment may be able to muddle along indefinitely, even while making mistakes and failing on a regular basis, never managing to fundamentally change its ways even when that means never realizing its full potential. But an organization that faces catastrophe at every turn must learn to survive by skill and constant vigilance. Otherwise, it won't survive at all.
Weick and Sutcliffe identified specific examples of organizations that operate as HROs. They include firefighting teams, aircraft carriers, manufacturing companies, and nuclear power plants, among others. All of these types of organizations experience failures, of course. Firefighters die, aircraft crash on flight decks, industrial accidents and product recalls occur, and occasionally we even face nuclear disasters. Being an HRO doesn't mean nothing ever goes terribly wrong. But for systems this complex, in environments as dangerous as the ones these organizations operate within, they have a track record remarkable enough for organizational scientists to understand that they don't function like other organizations. They do things differently.
The unique ways in which HROs function have been organized into five principles that summarize the differences in the behaviors of HROs compared to other organizations. These principles encompass how HROs look at such things as failure and the ability to bounce back from it, complexity and operational realities, and who is most capable of dealing with a crisis. These five principles are summarized in Figure 10-1. Each of these principles has its own application in the context of information security, and I will cover these in detail later in the chapter.
Figure 10-1 Five principles of high-reliability organizations