Compelling evidence from industrial working practice demonstrates that in many critical infrastructure companies, decision-makers find it difficult to get objective information about safety and technological risks.

Management theory postulates that executives manage their subordinates through information: they receive information from various sources, process it, take decisions and convey these to their subordinates. The quality of information received by executives about the real situation inside and outside an organization affects the quality of their decisions, and ultimately the adequacy of an organization’s response to any changes in the internal and external environment. Getting feedback from subordinates about the real situation at the very bottom of the corporate hierarchy is crucial for the survival of an organization in the long-term, as it allows executives to detect risks in time and take measures to mitigate them. But in reality, for a number of reasons, feedback from subordinates to executives is often distorted. As a result, executives often receive unrealistically reassuring reports from subordinates—assurances that in general, everything at the bottom of the hierarchy is fine and all risks are under proper control.

The seriousness of the problem of “embellished” feedback about technological risks first became clear to the first author of this handbook during a 2007 seminar for an industrial company, one of the three largest in the world in its field. The seminar was devoted to management decisions and communication in emergencies. More than 120 senior managers from headquarters and directors of the company’s production sites attended this seminar. Crisis response and communication solutions are a well-established theme in modern risk management: there are many practical manuals on this topic, with numerous clear examples of positive and negative responses by companies during and after various incidents. One of the postulates on how to respond effectively to major accidents is that managers should make sure they have reliable information about the preliminary causes of an accident, the extent of possible damage and the resources available to them, in order to determine how to tackle emergencies. If this inside information is honestly and immediately brought to the attention of all interested parties—authorities, victims, employees, the general public, investors, etc.—then the social crisis caused by an accident can be quickly resolved.

After the seminar, one of the top managers of this company told the seminar facilitator (the first author of this handbook) about the unfortunate situation with reporting technological risks and incidents within the company. According to him, the directors of production sites (middle management) did not generally disclose anything negative to senior management at headquarters about what was happening at their enterprises. They preferred to send reports reassuring headquarters that “everything is fine”, “everything is under control”. Unable to rely on the official channels for a true picture of what was happening at the company’s industrial sites, senior management were forced to establish parallel channels to gather alternative information about operations at the sites. They asked the company’s internal security department to be responsible for creating this alternative flow of risk information from the bottom up. With this in mind, the manager asked the seminar facilitator a very serious question: “What should managers do in the event of an emergency if they cannot get reliable information from their subordinates in the first hours or even days after the incident itself?”. The facilitator found it difficult to offer any recommendations for improving risk communication from this standpoint: most of the existing solutions in the field of crisis response assume the presence of reliable information in the hands of managers immediately after an incident. However, if the site managers have initially misinformed headquarters about the situation there, then it makes no sense to recommend that the company’s senior management should promptly and comprehensively inform the public: how can executives do so, when they have no reliable inside information on which to base a statement? The question of how, in practice, to improve intra-organizational risk communication was never raised again during subsequent crisis response seminars for this company.
The participants agreed that the first step for managers at various levels in responding to emergencies is to request, receive and properly transmit (without distortion) all the available information about the details of incidents.

A year after the last crisis response seminar, the company experienced the largest accident in its history. It became a national emergency, and the biggest disaster in the global industry in decades. The accident killed dozens of workers, recovery cost the company several billion dollars, and the full reconstruction of the affected production facility took about ten years. However, in terms of informing affected families, emergency services and the wider public about the accident, the company and the national and regional authorities worked quite effectively. Immediately afterwards, they were able to organize the quick dissemination of information about the details of the accident among the residents of nearby settlements, and almost entirely allay any panic among the population. During the investigation that followed, it turned out that one of the causes of the accident was a very rare failure in the operation of a critical piece of machinery. The facility’s technicians were unaware of this specific risk, even though the same failure had caused a similar incident at another production site decades earlier. However, the earlier incident was local in nature, caused only limited damage to the site, and none of the workers were injured. As a result, this first incident was dismissed as relatively insignificant, and the risk of similar equipment failure at other sites was not communicated across the company. Especially in retrospect, it is clear that, with essentially the same piece of equipment installed at other sites and being operated in a similar way, there was a real risk of the same fault recurring. However, with no warning after that first incident, no special measures were taken to control this risk at other sites of the company. Moreover, in the months preceding the later more serious accident, the site management observed unexpected deviations in the operation of the equipment, but did not inform senior management at headquarters about it.
Even the alternative channels set up by the company’s internal security department failed to warn headquarters about the unsafe operation of the equipment, or to identify the increased likelihood of the risk occurring. There was a potential conflict of interest at the level of the site managers in hiring only a limited number of contractors to repair the equipment operated there. This conflict of interest was spotted by the internal security department several months before the accident, but this did not prompt an emergency audit to assess the performance of the contractor involved or the quality of the equipment repairs they were making. The ingrained practice in the company of sending inaccurately reassuring reports about technological risks, highlighted so clearly by the investigation, reminded the first author of his conversation with the executive after the seminar more than a year before the accident. It would appear from the account above that staff at the site were aware of a possible critical escalation of risks, but did not communicate this to executives at headquarters—if they had, a quick intervention would probably have prevented the eventual catastrophe.

A few years later, the first author was involved in the investigation of a major accident at a critical infrastructure site that was unprepared for abnormal weather conditions. This unreadiness came as a surprise to headquarters. To make matters worse, the first reports to headquarters from the scene of the emergency assured senior management that the facility could withstand severe bad weather, and its functionality would be restored in a very short time. However, the reality on the ground turned out to be far worse than the optimistic reports of subordinates. As part of the investigation of this emergency, in-depth interviews were conducted with workers involved from all levels of the corporate hierarchy. In one such interview, a lower-level manager shared his vision of how the leadership of the company generally comprehend what is actually happening at production facilities. He maintained that senior management at headquarters understand only 30% of what is really happening on the production sites regarding the management of critical matters. In other words, 70% of the major problems faced by people at the bottom of the corporate hierarchy remain unknown to senior management. He argued that the prevailing management system in this company discourages employees in the field from disclosing the risks they encounter to higher authorities or internal auditors. Very severe punishments for any shortcomings and mistakes are common in the company. The interviewee gave an example of how an internal infrastructure status report is generated and sent to headquarters. On the spot, lower-level managers can create a report that honestly outlines the difficulties they are facing with the equipment failure rate, and requests funding to mitigate the risks. However, as the report makes its way through the traditional hierarchy of the corporate bureaucracy, it may change significantly.
There is a significant possibility that such a critical risk report will be blocked and not even reach headquarters—the immediate supervisors of the lower manager who sent it will just say: “What are you doing? Why are you rocking the boat?”. After all, if senior managers get to know the truth about the unflattering situation on the spot, they may punish the whole line of managers down to the lower-level manager who highlighted the problem. Even if such a report does reach senior management, it will have been retouched: information about the situation on the ground will be significantly embellished and assurances will be given that in reality everything is not so bad, and the risks identified are under control. With such embellished information coming up through the company hierarchy, senior managers’ sense of what is happening on the ground will be distorted by the reassurances of their subordinates, and may be a long way from the real picture. This is a very serious corporate problem for many critical infrastructure companies. The practice of reporting mainly good news upwards means that in general, the leadership do not understand the critical risks encountered by employees on the shop floor. This may lead to management decisions that do not address the real situation in the running of critical infrastructure.

The investigation into the Fukushima Daiichi nuclear accident in 2011 highlighted the inability of the internal hierarchy of the nuclear power plant operator to pass on warnings from various experts to senior management that the plant was not prepared for a possible large tsunami. A few years before the accident, a group of young specialists had proposed installing special protective structures to defend the plant and the emergency power supply in case of a beyond-design tsunami, and thus reduce the likelihood of a nuclear fuel meltdown. The cost of the proposed protective structures was approximately US $50 million. However, some of the top managers of the company operating the plant never saw these proposals, and those who did rejected them—partly because they were unwilling to consider such high costs, and partly because they simply could not believe that a beyond-design tsunami at the plant would ever happen. According to some estimates, the consequences of the accident could eventually cost more than $200 billion, and the cleanup could take two decades. By comparison, the preventive measures to prepare the plant for such a tsunami would have cost the operator four thousand times less [Footnote 1].
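The “four thousand times” figure follows directly from the two cost estimates quoted above:

```latex
% Ratio of the estimated accident consequences to the cost of the
% rejected protective structures (both figures as quoted in the text):
\[
  \frac{\$200 \times 10^{9}\ \text{(estimated accident cost)}}
       {\$50  \times 10^{6}\ \text{(proposed tsunami defenses)}}
  = 4000
\]
```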

Many of the organizational problems in communicating risks that led to the Fukushima Daiichi accident were reminiscent of failures in the transmission of risk information that occurred before and during the Chernobyl accident. The developers of the RBMK reactors operated at Chernobyl did not inform the Politburo or the plant operators about some shortcomings in the reactor design, which had led to various incidents at Soviet nuclear power plants in the decade preceding the accident. Despite these incidents, the necessary changes to the RBMK reactor design were only implemented after the Chernobyl accident. Beforehand, none of the staff at the Chernobyl plant knew about the design shortcomings. The plant contractor made several errors in drawing up a test program which involved a controlled rundown of the turbine at reactor No. 4. Additionally, the plant personnel implemented the test incorrectly—violating reactor operating regulations. The test regime put the reactor into extreme (beyond design) operation, at which point the design defects of the RBMK became critical—causing the largest accident in the history of civil nuclear power. Moreover, a few hours after the accident, the director of the plant reported to Moscow, reassuring them: “The reactor is intact… The radiation situation is within normal range”. This could hardly have been further from the truth: already in the first hours after the accident, he had clear evidence that the reactor was damaged, and the radiation at the site was at least a million times above normal background levels. With only these false reassurances to go on, the Kremlin initially assumed the Chernobyl accident was a relatively insignificant event. This led to a belated evacuation of the population in the area around the plant, and to delays and inaccuracies in informing the Soviet public and the international community in the first days and weeks after the accident.
The USSR spent about US $27 billion to deal with the consequences of the catastrophe alone. According to estimates by the Soviet academician Valery Legasov, the total damage caused by the Chernobyl accident amounted to approximately 300 billion rubles [Footnote 2] (US $450 billion in 1990 prices, or more than $1 trillion in 2022 prices).

Ultimately, the constant recurrence of similar intra-organizational risk communication failures across countries and industries over decades has led two of the authors of this handbook to suggest that this problem has not been given due attention worldwide, and has not been addressed at a practical level in industries that operate critical infrastructure. This prompted the authors to initiate a detailed cross-sectoral study of the reasons for concealing risk information before and during various major disasters.

Between 2013 and 2015, two of the present authors studied hundreds of major incidents across multiple industries. They identified dozens of cases of risk information concealment—both internally between members of an organization at different levels, and externally between an organization and external audiences—that contributed to the onset or aggravation of an emergency. In addition to the Fukushima Daiichi and Chernobyl nuclear accidents, there have been many disastrous accidents in the critical infrastructure sector where delayed, misleading or withheld communication about risks played an important part. Here are some notorious examples: the collapse of the Vajont dam in the Piave river valley, where at least 1,921 people died (Italy, 1963); a toxic leak at a pesticide factory in Bhopal that killed several thousand people and damaged the health of more than half a million (India, 1984); the Exxon Valdez oil spill, when the slow and inadequate response resulted in extensive pollution of over 2,000 km of Alaska’s coastline (USA, 1989); the explosion of a natural gas liquids pipeline near Ufa, which killed 575 people who were on passing passenger trains (USSR, 1989); a turbine failure at the Sayano-Shushenskaya HPP that killed 75 plant workers (Russia, 2009); the explosion on the Deepwater Horizon platform, which led to the largest offshore oil spill in world history (USA, 2010); methane explosions at the Raspadskaya mine, where 91 people died (Russia, 2010); and many more.

Studying the available accounts of these disasters, two of the authors focused on situations where some of the managers, employees or contractors involved chose not to inform various audiences about risks they had encountered or been told about. This enabled them to identify 30 constantly recurring factors that foster an atmosphere favoring the concealment of risks within an organization, or encouraging those involved to delay informing internal or external audiences about them (these reasons are discussed in more detail in Sect. 2.1 of this handbook). The results of this study were published in 2016 by Springer Switzerland in the book “Man-made Catastrophes and Risk Information Concealment: Case Studies of Major Disasters and Human Fallibility” [Footnote 3]. It was translated into Japanese in 2017 [Footnote 4].

In 2022, Springer Nature Switzerland published another book by the present authors: “Don’t Tell the Boss! How poor communication on risks within organizations causes major catastrophes” [Footnote 5]. In this book, 20 different accidents and disasters were examined with a focus on intra-organizational concealment of information about risks: when employees failed to inform managers on time and in full about existing critical problems, or when managers ignored warnings from subordinates about the dangerous development of events occurring in their organizations. In addition to the disasters mentioned above, the book analyzed the following catastrophes: the great famine in China (1958–1962), which claimed the lives of more than 20 million people; the collapse of two reservoir dams in China (1975); problems with the rear cargo door of McDonnell Douglas DC-10 aircraft (USA, 1970s); staphylococcus food poisoning from Snow Brand Milk Products Co. (Japan, 2000); the train derailment at Amagasaki (Japan, 2005); the methane explosion at the Upper Big Branch coal mine in the United States (2010); the collapse of the Fundão tailings facility in Brazil (2015); the methane explosion at the Severnaya coal mine (Russia, 2016); the African swine fever epidemic in China (2018–2019) and the cover-up of the novel coronavirus outbreak in Wuhan (China, 2019–2020). The authors identified factors that led employees or contractors of organizations involved to delay or withhold reporting risk information up, down, or across their corporate hierarchies. They also investigated why managers preferred to ignore existing risks, despite warnings from their subordinates. The main factors encouraging the intra-organizational concealment of information about risks in these emergencies were systematized and ranked by frequency of occurrence (these reasons are described in more detail in Sect. 2.2 of this handbook).

These studies have led to some answers to the question of why critical risks were not reported in organizations before and during various emergencies. However, they have not helped answer the question of what needs to be done in practice to improve the speed and quality of risk reporting from shop floor workers to decision-makers. The main directions for organizational change were clear—these followed from the analysis of the reasons that encourage employees to hide the true situation in their area of competence. However, based only on this analysis it was not possible to give specific practical recommendations for companies that operate critical infrastructure. A thorough review of the scientific and business literature published on the topic of “organizational silence” [Footnote 6] also failed to yield an adequate answer in this regard. Therefore, a new study was initiated in 2018, aiming to develop practical recommendations for the leaders of critical infrastructure companies on how to improve the quality of information reported from employees to senior management about risks and problems. From October 2018 until June 2021, the present authors conducted in-depth interviews with 100 top managers, regulators, technical managers, middle and lower managers, and occupational health and safety managers of leading industrial companies in Western Europe (41% of all respondents), Russia (32%), North America (10%), the Middle East (9%), Africa (5%) and Australia (3%). The respondents were drawn from the following sectors of critical infrastructure: power (40% of all respondents representing nuclear, thermal, wind and hydro generation, as well as power transmission), oil and gas (35%), chemicals and petrochemicals (9%), mining (6%), metallurgy (6%) and other industries (3%).
The choice of these industries was dictated by the potentially huge damage caused by emergencies, and the importance of critical infrastructure facilities within the economy of any country. The practical recommendations for better risk communication established during this study are discussed in Chap. 3. The authors place great value on the opinion of practitioner-managers in industry, as such practitioners are unlikely to propose academic solutions that are difficult to deploy in the practice of a large industrial company. The interviews sought to answer these questions: why managers are reluctant to receive information about critical safety and technological risks; why employees are reluctant to disclose such risks to their leaders; and whether it is primarily managers or employees who are responsible for the creation of a climate within organizations which discourages the reporting or discussion of problems. Responses were categorized to clearly understand what practitioners see as the reasons for the concealment of information about risks in organizations (these reasons are set out in Sect. 2.3 of this handbook—and should have some parallels with the factors listed in Sect. 2.2, which the authors deduced from their study of previous disaster accounts).

In planning a study focused on developing practical recommendations for improving the quality and speed of risk reporting within critical infrastructure companies, the authors envisaged that, after its completion, they would be able to test the solutions developed. The last of the 100 interviews was conducted in June 2021. The following month, the first author of the handbook was invited to conduct a seminar on management decisions and communications in emergencies for an industrial company that is a world leader in its field. The company had experienced a string of incidents over recent years, so its leaders wanted to improve the quality of the management team’s response, and develop more effective communication with external audiences in emergency situations.

The studies outlined above clearly suggest that the first step to effective emergency management is for senior management to get accurate information as quickly as possible, from managers at the industrial site where an accident occurred. Decision-makers need to know the scale of the emergency, as much as can be established about what happened, and an estimate of how long it will take to contain the emergency and deal with the aftermath. Therefore, a significant part of the two-day seminar—which took place in October 2021 and brought together 104 executives of this company—was devoted to the problems of communicating information about risks before emergencies, and ensuring that accurate information gets to senior managers quickly in the first minutes and hours after the onset of an accident. The seminar cited some of the accidents mentioned above as examples. It was noted that underplaying the scale of an emergency or otherwise hiding information about the real situation on the ground in reports to company headquarters leads to: (I) a slow and inadequate response from senior management and the rest of a company to a developing crisis; (II) the absence of a company’s senior leadership at the scene of an accident; (III) insufficient or delayed allocation of emergency resources to deal with the situation; (IV) an information vacuum around the accident, which generates rumors and panic among various audiences.

As part of the seminar, an anonymous survey was conducted on the current state of internal communication in the company about safety-related issues and technological risks. The results indicated that the company had serious problems in reporting objective risk-related information internally.

These results were presented to senior management of the company with a proposal to launch a pilot project at their most critical industrial sites, aiming to avoid emergencies by fostering better reporting of critical safety problems from ordinary employees to senior management. Part of the purpose of this pilot project was to test in the work of a real industrial company the recommendations received from 100 leaders around the world in 2018–2021, as well as the solutions that logically followed from the analysis of dozens of disasters.

In November 2021, the company’s senior management gave the green light to the implementation of the pilot project. In December 2021, the first author of the handbook visited the four selected production sites. Over the ten months of the project implementation, 15 seminars were held for 422 people: top managers at company headquarters, directors and employees at the four pilot sites, and specialists from the Health, Safety, and Environment (HSE) department. During the project, the employees and managers at the selected sites willingly started to share information about the critical risks there with senior management. The seminars catalyzed the process of information sharing within the company: employees and lower managers became less timid, sharing information with senior management that they would probably not have disclosed otherwise. Within the framework of the seminars, seven critical (high) risks were revealed that could have caused accidents involving the death of personnel, the long-term decommissioning of production facilities or serious environmental damage. All these risks were taken under immediate control by senior management and the directors of the sites concerned. As a result, potential accidents were prevented. The seminars also identified 104 problems at the four pilot production sites that, while less dangerous than the seven critical risks, still had a negative impact on risk management and the industrial safety of the company. The majority of these problems were taken under the control of the special working team of the project. Detailed information about the pilot project is presented in Chap. 4.