Updated: Jul 22
At a fundamental level compliance programs protect the value stream from threats that hinder the creation of value. Each program contributes to keeping the value chain safe from various risk including: quality risk, occupational safety risk, security risk, and so on. These programs are socio-technical in nature in that they recognize the interaction between people and technology often across multiple levels of organization.
Rasmussen's Risk Management Framework (also known as Rasmussen's ladder) provides useful insights when it comes to understanding risk across social-technical boundaries to achieve safety objectives along with other risk objectives. Rasmussen originally developed his approach as part of a proactive risk management strategy, however, its primary application has been as an accident analysis tool (ACCIMAPS) for complex socio-technical systems.
Rasmussen's Risk Management Framework
This framework has its roots in systems thinking based on the notion that accidents are hidden in normal operations and do not need special causes. This is similar to Safety II (Holnagel, 2017), and Deming's work that defects are caused by normal causes (natural variation). Rasumussen's model and others since represent a growing trend away from "root causes" or you might say "special causes" for systemic failures.
Rasmussen' suggests the following system boundaries by which to map structure, components and their interactions:
The structure of Rasmussen's Risk Management Framework considers six levels:
Government - where laws and regulations are developed;
Regulatory - where industry standards are developed based on laws and regulations;
Company - where company policies and procedures based on industry standards govern work processes;
Management - where company policies and procedures are implemented;
Staff - representing the activities and characteristics of workers performing the processes; and
Work - representing the equipment and environment by which work happens
Vertical integration is required for the system to function safely. This means that decisions made at the higher levels should propagate down the hierarchy as information flows upwards. The interaction and dependencies across levels are critical to ensure that intended safeguards protect system states. Threats to safety result from a loss of control caused by inadequate vertical integration across levels, not just from deficiencies at any one level.
Nancy's Leveson  provides an example of how this can be used to model safety control:
Rasmussen's Risk Management Framework makes a series of predictions in relation to performance and safety in complex socio-technical systems:
Safety is an emergent property of a complex socio-technical system. They are impacted by the decisions of all of the actors – politicians, managers, safety officers and work planners – not just the front-line workers alone.
Threats to safety are usually caused by multiple contributing factors, not just a single catastrophic decision or action.
Threats to safety usually result from a lack of vertical integration (i.e. mismatches) across levels of a complex socio-technical system, not just from deficiencies at any one level alone.
The lack of vertical integration is caused, in part, by a lack of feedback across levels of a complex socio-technical system. Actors at each level cannot see how their decisions interact with those made by actors at other levels, so the threats to safety are far from obvious before an incident.
Work practices in a complex socio-technical system are not static. They will migrate over time under the influence of a cost gradient driven (see Drift to Failure below) by financial pressures in an aggressive competitive environment and under the influence of an effort gradient driven by the psychological pressure to follow the path of least resistance.
The migration of work practices can occur at multiple levels of a complex socio-technical system, not just one level alone.
Migration of work practices causes the system’s defenses to degrade and erode gradually over time. Accidents are induced by a combination of this systematically induced migration in work practices and a triggering event, not by an unusual action or an entirely new, one-time threat to safety.
Drift to Failure
Rasmussen also identified a phenomenon which he called, "drift to danger."
systemic migration of organizational behavior toward accident under the influence of pressure toward cost-effectiveness in an aggressive, competing environment
Rasmussen's migration model represents constraints (i.e. economic, workload, safety) which create the following possibilities:
If the system reduces output too much, it will fail economically and be shut down
If the system workload increases too far, the burden on works and equipment will be too great
If the system moves in the direction of increasing risk, accidents will occur
In essence, accidents occur when the system's activity crosses the boundaries into unacceptable safety.
Rasmussen's Risk Management Framework provides a good representation of the real world and has been used to better understand safety risk in dynamic, social-technical systems.
Accimaps which are derived from Rasmussen's framework provide a generic and flexible approach since they do not use predefined taxonomies of hazards or failures across the various levels. Accipmaps have been used in aviation, defense, oil&gas, risk management, public health, patient safety, and environmental studies.
Rasmussen's framework also provides the means to better understand how to achieve other risk objectives such as quality, resilience, reputation, financial, and trust.
 A.L. Cassano-Piche, K.J. Vicente and G.A. Jamieson, "A test of Rasmussen’s risk management framework in the food safety domain: BSE in the UK", 2009, Theoretical Issues in Ergonomics Science
 Nancy G. Leveson, "Rasmussen’s Legacy: A Paradigm Change in Engineering for Safety", 2015,
 Justen Debrincat, "Assessing Organizational Factors in Aircraft Accidents using a Hybrid Reason and AcciMap Model", 2012, RMIT University