How many times does the tired expression get wheeled out when disaster strikes that “lessons must be learned”? It is a favourite mantra in the public sector because it deflects blame and loss of face from those that would otherwise deservedly face criticism.
But, of course, it means nothing. In fact, less than nothing – as those who are disaster-prone always seem to remain as vulnerable as ever. Just like a cracked teapot can never mend its own spout. Incompetence is inherent in organsations that do not generate wealth, that do not survive by their own wits, where people seek careers because they value job security rather than a challenge. Government administrations, public health services, former state-owned enterprises (such as utilities) and even top-heavy business sector corporations with established markets – all suffer from this “lessons learned” mentality.
That is why organisations with records of cyber attack, data loss, labour court or tribunal case fines and employee fraud continue to suffer from variants of the same malpractices and mishaps. They are easy targets for the unscrupulous, and inattentive about obvious errors like leaky passwords, poor email security, the absence of managerial control and failure to monitor legal compliance. Let’s look, for instance, at major data breaches over the last 20 years. The same organisations appear repeatedly – Yahoo (4), Sony (4), AOL (3), Citigroup (3), AT&T (2), The US Army (2), The University of California (2), JP Morgan (2) and, of course, the UK’s NHS (2). Breaches have also hit organization that certainly should know better – like the US Department of Homeland Security, the US Democratic party and Philippines Commission on elections. Also, frighteningly, breaches have taken place in such sensitive establishments as a German nuclear power plant last year.
It is unfortunately not lawful to dismiss someone simply for using a “lessons learned” variant. Two decades ago the industrial mantra was “right first time” and certainly there should be scope for visible and tangible penalties in every organization when things go wrong. At the very least managers should adopt what I have always held key to the concept of accountability – that mitigation should only be accorded if those with responsibility take what safeguards that are reasonable and keep their cool, take effective evasive action and accept blame when such measures still do not turn out to be good enough. Over a century ago Rudyard Kipling wrote “If” and every word of the poem remains as valid and fresh now for HR professionals outside the “lesson’s learned” camp as when he penned it.