financial services was during the meltdown in 1998, when many U.S. banks did foreign exchange swaps with Russian banks to protect themselves against the decline in the Russian ruble. That worked fine until the Russian banks failed.

That is a very clear example of risk migration. If you fail to recognize risk migration, you end up with risk ignorance. You assume you have protected yourself against a risk, when all you have done is transfer it to another site. You can’t simply take the first step. You have to take the second step and know what to do if the backup system fails. What happens if this happens? What happens if that happens?

Now consider risk degradation. Case studies of major industrial disasters and major financial disasters have shown that over time there is a gradual degradation of the risk management process because systems are not maintained and audits are not done. These systems fail incrementally, and for a while as they fail, nothing seems to change. When the first light bulb goes out in your house, you may not change it because other lights are still on.

When one system fails and there are no obvious adverse circumstances, people may conclude that redundant systems are not necessary. The organization becomes desensitized to risk so that, over time, the probability that the degradation in the risk system will be addressed actually declines. Finally, a minor incident creates an interaction among these various failing systems that results in a major disaster, such as the disaster in Bhopal, which could have been prevented if the risk management systems had been maintained.

Risk management is an ongoing process that must be cared for and tended to as you go forward. Most financial services now are very humble about their ability to measure risk. We know that it is “fat-tailed,” but we haven’t come up with distributions that reflect how it actually behaves. Instead, we try to allow for very large margins of error. We do a lot of stress testing; we run the worst possible conditions through the model and see if anybody is left standing at the fault line. For example, a large life insurance company can stress its portfolio by assuming simultaneous 8.5 earthquakes in Los Angeles and Tokyo. Risk migration and risk ignorance can be addressed through risk mapping, a reengineering process that asks what could possibly go wrong at every point in the process.

The best way to manage risk is through real-time audits. That is the only way you can control agency risk. Real-time audits often reveal degradation in the risk management processes. Auditors have never been liked because they seem to be second guessing or interfering with procedures. However, financial services organizations with an “audit culture” are among the best trading houses on Wall Street. Some star traders have very aggressive auditors who walk the floors and call traders off the floor at any time to question their actions. Traders who make millions of dollars a year for their organizations and for themselves are not afraid to be second-guessed.

Another approach is what the aviation industry calls a “cockpit culture,” in which there are frequent communications and discussions in the cockpit. Cockpit cultures are based on the idea that any member of the team can challenge what is going on at any time. I think that type of team culture can be substituted for an audit, basically relying on internal challenges rather than external challenges.

Front Matter (R1-R14)

Executive Summary (1-8)

Part I: Consensus Report. 1. A New Partnership Between Systems Engineering and Medicine (9-18)

2 A Framework for a Systems Approach to Health Care Delivery (19-26)

3 The Tools of Systems Engineering (27-62)

4 Information and Communications Systems: The Backbone of the Health Care Delivery System (63-82)

5 A Strategy to Accelerate Change (83-90)

Part II: Workshop Presentations--Framing the Health Care Challenge (91-114)

Equipping the Patient and the Care Team (115-138)

Engineering Tools and Procedures for Meeting the Challenges (139-188)

Information Technology for Clinical Applications and Microsystems (189-224)

Barriers and Incentives to Change (225-240)

Appendix A: Agenda, NAE Workshop on Engineering and Health Care Delivery System, May 21 22, 2001 (241-244)

Appendix B: Participants, Workshop on Engineering and the Health Care System, May 21 22, 2001 (245-248)

Appendix C: Agenda, NAE Workshop on Engineering and Health Care Delivery System, February 6-7, 2003 (249-250)

Appendix D: Participants, Workshop on Engineering and the Health Care System, February 6-7, 2003 (251-252)

Appendix E: Agenda, NAE Workshop on Engineering and Health Care Delivery System, March 10-11, 2003 (253-254)

Appendix F: Participants, NAE Workshop on Engineering and Health Care Delivery System, March 10-11, 2003 (255-258)

Appendix G: Biographical Information (259-262)