In this chapter, we are going to consider the issues related to some core risk problems – we’re also going to review some ideas about the stasis of thought that we need to overcome to be effective.
In the finer traditions of this book, we are not going to provide any checklists, or refer you to any standards or any other easy answers to difficult questions. The idea is that we need to consider the thinking processes that need to be gone through, or at least considered by an effective resilience professional who is going to make the effort to work over and above what somebody else has written for them. The next thing for them to do is to use what is provided between their ears to ensure that any resilient processes, planned or otherwise, are successful. There are not going to be any great psychological theories proposed, but if, by the end of this chapter, you are thinking a little bit more than you were at the start of it, then we are getting somewhere.
You can devise all of the risk management processes in the world, as many business impact analysis lists as you can handle, and plans everywhere, but if you haven’t faced up to the problems that are facing you before you start any resilience process, then you are going to miss your mark completely. Whilst pulling together this book, I have been asking a few questions about attitudes to risk, continuity, disaster recovery or whatever definition you would like to stick onto organisational ability to survive and operate. It is staggering, truly staggering, that so many people who are so well respected insist upon imposing their own view upon others and in recommending systems and processes (often that they themselves have devised) as the solution to all of our problems. I think that’s a little conceited, and although we absolutely should refer to the expertise that exists within the industry, we should also be a little iconoclastic.
Risk assessment, risk management and impact analysis are some of those particular areas which generate much discussion from the ‘experts’ about what can be included when scoping the problem and what perhaps cannot. Some will argue that you cannot assess the probability of threats becoming a risk with any degree of accuracy; some are convinced that the requirement to scope out every risk or potential problem is absolutely essential to the survival of an organisation. Others say that we are wasting time considering every possible option for risk and impact and response to them, and that we should have plans which are fairly generic and which can be adapted to suit the particular incidents which may affect us. There are, of course, reasons for these views above and beyond the normal ‘do it because I say it is right’; there are also time and resource constraints which mean that some organisations cannot expend the time and effort on facing as many problems as they should. It is all understandable, reasonable and normal; there are many drivers, as we have discussed, for perceptions, views and attitudes. What we need to do is to think about getting around the blockages and obstructions that are put in our way.
I am quite perplexed and still trying to understand what this issue is that some people have with actually facing up to problems. What is wrong with considering everything that can go wrong and at least thinking about it? Why is it so difficult to understand that things can happen to you, that it is not always going to be someone else, and that, consequently, you need to be prepared? It’s not really a difficult concept to understand – the fact that you need to expend some brainpower and think about things a little more.
Personally, I’m a big believer in the brainstorm. Why not get every stakeholder with a particular interest in, or functional responsibility for, a particular problem together into a room, or even a bar, and think about the issues facing your organisation frankly and openly? Why not leave egos at the door and value everyone’s input? Why not consider the delivery driver’s view of issues within your logistics chain? Why not discuss with the head of cleaning services the routines and issues that are related to janitorial work within your organisational building, where they go and what they do, and any related resilience issues? Look at your plans, look at them right now, and consider whether they are really fit to meet the problems that are facing you. If they aren’t, it is time to get your thinking cap on.
You’re not really doing as much thinking about things as perhaps you may believe. If we do accept that most of us are conditioned by what we do, our life view and our need to make our lives simpler and easier than they might be, we fit results into what suits us. Building on the idea of creativity that we mentioned earlier, it helps to be creative in considering the types of event that may happen and cause damage to an organisation. The problems that can be caused by underestimating or misestimating will far outweigh any time, effort and thought that you have put into this kind of activity. Clearly, overestimating can be as bad as not thinking enough; it can cost time and money – but that’s risk for you.
The types of event that can affect business are wide and varied and can arise without any particular level of warning. As an example, in the latter part of 2008 and the beginning of 2009, two not unexpected, but nonetheless high-impact, global events (rapid economic decline and swine flu pandemic) occurred which had not been adequately treated in resilience-related research, and which, in turn, might have contributed in some measure to management focusing on immediate consequential effects, rather than on larger-scale impacts which they might have felt were initially outside their field of interest. More recently, the impacts of tsunami events in Japan, the 2011 ‘Arab Spring’ uprisings in the Middle East, widespread social disorder in many countries for various reasons and the continuing prevalence of organised crime and terrorism are perhaps indicative of a widening and deepening of the potential threats and risks.
The types of trigger for an event that could face an organisation are normally and quite effectively grouped by most into the areas covered by PESTEL/PESTLE-type risk assessments. As with everything else, we do need to dig a little deeper than the headline. There are many subdivisions and sub-types of event which can occur under these main ‘headings’ and it is prudent to plan for as many as possible which may affect the organisation. Before planning to respond, it is sensible to conduct the risk assessment in the first phase of activity. We’ll come back to risk later on in the chapter, but, being a thinker and being creative, suffice it to say at this stage that all possible events which may have a potential impact on the organisation should be considered. It is also useful here to ponder terms, such as ‘trigger’, which may summon a vision of a rapid or kinetic event. Some events, incidents and threats will gestate and develop over time, unseen, unnoticed and without any noticeable trigger – these threats will be no less serious than those which arise rapidly and they need to be considered, catered for and managed.
It’s worth remembering at this point also that it may not all be bad. Sometimes the outcomes of events will provide us with the ability to move forward from where we were, having identified where the problems were and learned the lessons. It would be preferable if we were able to learn the lessons from other organisations, rather than from our own, but sometimes it happens that way. I think that the proactive and competitive organisation should seek to take every advantage from what may initially be a negative outcome and aim to improve processes and, thus, performance by the introduction of learning processes. So, not only should we be looking forward to what may be coming next, but we should be looking around us to see who else has succumbed to the various pitfalls of operating against the background of risk.
A lot of people use mental pictures to envisage formats and timelines for their response processes; some even write them down. And, although the overall responses of organisations should be to anticipate, respond and recover sufficiently from an event, there is probably a prevalent view in many businesses that responses should be phased or time-sequenced. This reflects the widely held, but erroneous, view that the components of resilience are completely different and separate. Granted, there are different functions, specialisms, lines of activity, resource processes and degrees of understanding required – but are they really all that different?
Sometimes it can be useful to stop and take stock. Look at your own business or organisation and ask yourself a question: ‘Do things here flow?’ If you work on a ferry boat, then they probably do. But in terms of your general organisational activities, and the synergies and linkages between various components and departments, do things move as smoothly and as well as they could? What could be done better, more efficiently and with more support from the whole team – top to bottom? How can you take what is probably a multidiscipline activity and make it work like the purring, well-oiled machine that you want your stakeholders to believe it is? Is your chain rusty?
I suppose you could start by understanding what your organisation actually means to itself. Is it all about profit, or does it have nobler, philanthropic motives? Is the pursuit of excellence the driver for everything that happens? Are your people allowed to fail, or do you live and operate in a blame culture where, when things go wrong, the priority is finding out whose fault it was, rather than addressing the problem? If you can understand who you are, and if your team can understand who they are, and what they are trying to achieve, then you probably have a fighting chance of putting in place and following processes that allow you all to achieve, at least, the majority of the things that you are trying to do. If you don’t know what you are doing, and if you don’t know what you’re aiming for, then you don’t really need to worry about what is blocking you from getting there, because you will never get there in the first place.
Now, let’s consider resilience (whether that be security, continuity, disaster recovery or any other function ending in -y that helps to protect your business and allow it to anticipate, respond to and recover from unwanted events). If you apply the same general questions that are discussed above to these resilience functions, then you have potential for failure right across the board. If you don’t understand what you are doing your activities for, who can play their part, how and why, and if you don’t have some latitude for error, at least in the planning stages, then you are probably doomed, if not to failure then at least to having a hard time. So, how do we make resilience flow? Do we actually need to make resilience flow, or is it a case that the blockages are built in because of what it is and how it needs to be implemented across the organisation? Straightforwardly, do we think that we are at a point now where we have a good general understanding of the applications and requirements for effective resilience management at least on paper – or do we have many miles to go? And if we do have many miles to go – what is the best route to a satisfactory destination?
A good plan should give you a truly resilient organisation. Planning represents preparedness, thinking about what could come next and having the resources and the will to be able to recover from incidents and events which may impact upon the organisation. Devising a comprehensive, fit-for-purpose and effective plan is a difficult process; however, many organisations really don’t expend an appropriate amount of time and effort (not to mention money) on planning. As we have mentioned quite a few times now, what you do is a pain in the backside for your organisation – most find your work inconvenient at best, unwanted at worst – and, if you’re unlucky, a waste of money.
So, let’s go for the easy option: write a plan, publish it without involving any effort or input from your organisational departments and distribute it. Into the drawer it goes, the plan is written, never to be seen again. Easy? Yes. Effective? No, and no again. The good news is that effective planning for resilient organisations – and all their functions – is achievable. The bad news is that it is most definitely not easy. Even worse news is that, as a resilience professional, planning is a fundamental part of your job that you need to get right. Planning is not ‘sexy’ in the same way that installing a fantastic new surveillance/access control/detection system/software program may be, or organising and running the protection for one of your organisation’s main movers on an overseas trip. But if you don’t invest the necessary time and effort – and get your organisation to do the same using your knowledge, experience, capability and charm – then you can forget the sexy jobs because you probably won’t have a job at all.
For the resilient thinker, the devising of the plan that protects the organisation – top to bottom, inside out and reaching out to its external linkages – should be the ultimate challenge and its success the ultimate reward. This means that there is an investment required in time and effort on your part. You can ask for inputs, you can get other people to write it for you, and you can devolve some of the responsibility for producing subcomponents to other people. However, in the final analysis, you can outsource a great deal but you can’t outsource diligence.
So, we’re back to planning fundamentals again. Now some people may think I’m contradicting myself here because a plan is a checklist; and I’ll concede that to some extent that is true, but the plan put together as a checklist will be flawed. It will be expected to happen in a certain way, to certain timescales, using certain resources. A good plan, an effective plan, is, to use that cliché, a ‘living document’ – and that means that checklists are out. Thinking about your plans and how they are written (if, that is, they are your responsibility), answer these questions:
There will be various responses to the question, but if you did cut and paste, then it isn’t your plan. You don’t understand it. Think about when you make a presentation, or have to deliver a briefing that someone else has written – it is never the same as one that you have written yourself. If you’re responsible for developing the plan and you don’t know it (and that goes for the ‘owner’ of every sub-plan of yours), then it won’t work. So perhaps you can see that it is crucial that you ensure that the ‘buy-in’ to this is real. To make plans work, you have to get people to really contribute based upon a commitment; which means that investing in the idea of doing it properly is crucial. Remember always that all the other departments that you will deal with are interested in getting on with their jobs, and not necessarily in helping you with yours, so you need to think very carefully about how you can make it all work.
The cut-and-paste epidemic is quite a thing. Not so long ago, and some of you won’t remember this, when we were writing plans and documents, we actually used to cut paragraphs and sentences from previous versions of documents and paste them into our new updated copies before having them retyped in a new format. Believe me, this used to be the quickest, and probably the most efficient, way of getting large documents updated and amended. Of course, nowadays cut-and-paste means highlighting a section, a couple of clicks and moving information around. That makes it even easier than the old way. That, in turn, makes it a seductive and widespread method of changing someone else’s material to suit you. Cut-and-paste is a cheat, and if you cheat your organisation in a resilience context, then you will be found out and sent to the naughty corner. So the question that you really and honestly have to ask yourself is: ‘Am I prepared to compromise or am I going to do things properly?’ Only you can answer that one.
No matter how you get to the point of putting your plan together, whether you’ve imagined, plagiarised, listened to a checklister, become a checklister, included lots of experience, consulted all areas, understood the business, cut and pasted and so on, you will have a type of plan as an output. If it is a big, thick document with lots of drawings, some colour and maybe even some pictures, you may well feel justified in standing back with a degree of pride and feeling that you have achieved your aim. Of course, that depends what your aim is; if you want to keep the bosses happy with some lovely desktop publishing to meet a tenuous audit requirement, then you could be in clover. Equally, and probably conversely, you need to have really put in place something that is going to work. Plans come in various types and forms, but I think there are some pretty standard types that most current plans match. The types of plan and how they are implemented can combine or can be combined to positive or negative effects with various shades of impact.
Here are some:
The fact is that the best plans in the world are only as good in time and space as at the point when you devise them. Your plan will match one place, one time and one set of people focused on one particular mission. The key to writing effective plans is that it requires work, work and more work. Reaching the nirvana of the effective plan will need you to exercise all your skills and to think, really think, about it.
I believe that in order to be able to plan effectively, you need to think like your problem. ‘Wait a minute,’ I hear you say, ‘a problem can’t think!’ Well, you’re right, to some extent: unless a premeditated malicious act is being carried out against your organisation, a problem which can grow into a real crisis or serious incident is often the result of various influences, actions and consequences. But there is a tendency for problems to behave in ways that we cannot predict. First of all, problems will fill the gaps that you leave. You can guarantee that if you have a hole in your plan, if you haven’t thought of something (or can’t be bothered), then the problem will find it, squeeze into it, and make your life miserable.
Second, problems rarely do what you ask them to. Just because you have a plan in place, and just because you have allocated resources to that particular plan, it doesn’t necessarily mean that the problem that you are facing is going to respond to the plan’s implementation. You need to be ready for that. So you need to consider – do you have contingencies for your contingencies and do you have backup plans for your backup plans? Have you identified gaps? What you do need to do is to think about where gaps might be, about their potential extent and depth. Also, what caused the gaps in the first place?
Third, a problem will only get worse if you leave it unattended. If you choose to ignore a small problem, you can guarantee that it will become a big problem. As a resilience professional, you don’t really want to be facing big problems; I would suggest to you that it is far better to be able to mitigate and reduce problems when they are small and relatively ineffectual than when they have become huge and unmanageable. It’s common sense really, but it is surprising that human nature will often blind us to the fact that a problem is there – we worry about facing it, we sometimes refuse to really consider all of the issues that are involved, and then it’s too late. So, when you’re coming up with your planning process and when you’re thinking about all of these great ideas you can use to manage the problem, you need to consider also some of the ‘what-ifs’. What will be the consequences of getting your planning wrong (and some of your planning will always be wrong)? And you need to think carefully, honestly and self-critically about three things.
Being brave and addressing the issues of consequence is a fundamental component of thinking and successful resilience. If you are arrogant, unknowledgeable, ignorant, stupid or crazy enough to consider that you will be able to put in place a foolproof plan, guess who the fool will be …
At this point, I would like to come back to one of the fundamental areas of contention in resilience: the often-discussed, argued-over and mangled subject of risk assessment.
In modern society, general threats become risks with impact at international and national strategic levels, but also they can have adverse effects on individual organisations, groups of businesses and other enterprise organisations. This is because the consequential impacts of these risks have the potential to spread beyond initial points of protection failure and even to change in effect as they move onwards and develop from their causal point of origin. Therefore, it is important to recognise and act upon such threats before they become too difficult to manage, control and mitigate. There are thousands and millions of threats and risks, multiple combinations of various elements that can have an effect or impact upon any organisation. Some people get themselves all tangled up in debates about whether a threat is equal to a risk, whether a risk is a threat, whether either of them are valid planning tools. Some people and organisations never even consider any aspect of it.
It’s my view that risk assessment and risk management have a crucial role to play in limiting the effects of threats upon organisations. A considered and forward-looking risk management process with realistic and flexible mitigation planning will provide an organisation with the ability to evaluate emerging risks, and to put in place effective countermeasures and associated processes and procedures. It sort of makes sense that an ability to consider the multiplicity of issues that could have an effect upon the organisation, and to plan based upon that consideration, is better than doing nothing at all. This is also preferable to ignoring a particular element or type of risk just because we don’t believe in risk management as a valid management tool.
There is no doubt that there are some grey areas, and that the whole issue of resilience risk, threat and management is complex and evolving and requires concerted efforts in order to provide any chance of countering the threats and limiting their effectiveness. However, this is not to say that focused and well-thought-out planning and preparation cannot be effective in managing the risks. Fundamental to any successful planning and implementation of response and mitigation measures is the need to ensure that activities are based upon correct assessment. This could be achieved by making some attempt to mitigate risks either by manipulating the threat (which is unlikely), or by configuring the organisation to respond or protect itself and its processes so that it can maintain resilience – and that seems to make sense.
If we want to ensure that we can limit the damage and continue to operate, then we should consider the option of using the full range of risk management functions. However, unpredictability is one of a number of factors which can hamper effective risk management. Risk management also requires agility of thought and a degree of commitment from the target organisation itself, which may not be forthcoming.
Now, back into battle. There are those who say that you cannot estimate with a great degree of accuracy the elements of risk or threat which have the potential to affect your organisation. The capability to manage a fluid and dynamic situation effectively can often be hampered by the fact that we put in place mental frameworks and images to characterise our ideas. For example, let’s talk about the classic interpretation of risk assessment. If I draw a diagram like this:
we have a simple risk triangle. There are three main and interlinked components:
- Probability (or whatever you want to call it) – the degree to which something may happen.
- Impact (or whatever you want to call it) – the degree to which there is an effect.
- Management (or whatever you want to call it) – options for dealing with risk.
This type of diagram and variants of it are very useful to allow us to consider risks and what we can do about them. It’s really straightforward – guess the probability, ask around and see what the impacts might be, then simply plan a response.
Now, that has been set into your head as a template diagram which provides an illustration of the linkage between various elements of risk management. If this is the way you’ve been taught to view risk management, then the next thing you start to do is to put values on it. So, if you have been taught that you should assign numbers or values to each of the three sides of the triangle and then multiply them together, then you’ve begun to think that everything should be mathematical. In fact, a lot of organisations rely upon this mathematical interpretation of this simple risk triangle and its outcomes by multiplying numbers and then producing easy-to-interpret values.
In reality, the risk triangle should look different, in that it has many sub-facets and influences that may help you to come to a valid conclusion only if you consider them in detail. But, of course, a risk dodecahedron would be a terrible thing. So, if we make an assumption that we are going to use a risk triangle, then we can redraw it with all of the additional thoughts and intangibles which make it a more useful, thought-provoking diagram. In other words, although it’s more difficult and takes a bit more thought, you can take something simple and, by using your head, transform it into an effective assessment and management ‘tool’. And if you’re going to use tools, they may as well be effective and fit for purpose.
This annotated version of the same outline diagram provides us with a lot more to think about, and, if we take a self-critical approach when putting together a risk and threat model, then we will be in a far better place to provide a plan for the organisation which will really meet its needs. By incorporating enabling questions, which in themselves should generate further enabling questions, we make things more complicated, but arguably more effective.
Thinking again about numbers, I for one am not really convinced that we can simply put a numerical value on probability and impact alongside management and then throw them into a simple equation and produce effective outputs. So, instead, we write down something like Figure 14.
Figure 14 does look straightforward, easy to understand and useful. But what can happen if it is done incorrectly is, first of all, that we can assign all of the elements incorrect values, which automatically will skew any effective assessment of the process. The trap here is that we are going for a simple numerical ranking process, whereby it is easy for us to consider the risks with the highest value in simple terms and deal with them. But, if we haven’t done the assessment correctly, then it doesn’t mean anything. Any one of those figures, when incorrectly assessed, can cause the assessment to be incorrect overall. Too low and you’re going to have gaps and you’re going to fail. Too high and you’ll expend disproportionate effort and resources – neither is good. I was never very good at maths at school – but if you are, then why don’t you think about this and figure out how many different permutations of numbers you can achieve for a particular risk, if you set values of between one and 10 for the three elements of risk assessment? And, if you think even more carefully about this, then you can probably see that multiple permutations can create multiple uncertainties. It follows, then, that the basis of a good risk-assessment process and plan requires us to address accurately all of the variables on that framework and then apply them to the organisation honestly and in a thinking, self-critical way.
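The permutation question above can be worked through directly. The following is an added example, not taken from the book: it enumerates every combination of the three elements on a one-to-10 scale, multiplies them as described, and then shows how a one-point misjudgement on each element changes the ranking. The function names and the sample risk register are constructed for illustration.

```python
from collections import Counter
from itertools import combinations, product

SCALE_MIN, SCALE_MAX = 1, 10  # "values of between one and 10", as in the text


def score(probability, impact, management):
    """The simple multiplied score the chapter describes."""
    return probability * impact * management


def score_distribution():
    """Map each possible score to the number of (P, I, M) triples producing it."""
    scale = range(SCALE_MIN, SCALE_MAX + 1)
    return Counter(score(p, i, m) for p, i, m in product(scale, repeat=3))


def score_band(probability, impact, management, error=1):
    """Lowest and highest score if every element may be misjudged by +/- error.

    Values are clamped to the scale, so a 10 cannot be pushed to 11.
    """
    values = (probability, impact, management)
    low = [max(SCALE_MIN, v - error) for v in values]
    high = [min(SCALE_MAX, v + error) for v in values]
    return score(*low), score(*high)


def ranking_is_robust(risk_a, risk_b, error=1):
    """True only if the higher-scored risk still outranks the other in the worst case."""
    higher, lower = sorted((risk_a, risk_b), key=lambda r: score(*r), reverse=True)
    return score_band(*higher, error=error)[0] > score_band(*lower, error=error)[1]


def fragile_pairs(register, error=1):
    """Pairs of named risks whose relative order could flip under +/- error."""
    return [
        (name_a, name_b)
        for (name_a, risk_a), (name_b, risk_b) in combinations(register.items(), 2)
        if not ranking_is_robust(risk_a, risk_b, error=error)
    ]


# Constructed sample register: name -> (probability, impact, management).
REGISTER = {
    "supplier failure": (3, 8, 4),
    "data centre outage": (2, 9, 6),
    "pandemic": (4, 7, 5),
    "site flooding": (1, 10, 2),
}

if __name__ == "__main__":
    dist = score_distribution()
    print("combinations:", sum(dist.values()))
    print("distinct scores:", len(dist))
    print("combinations that all score 100:", dist[100])
    for name, risk in REGISTER.items():
        print(f"{name}: score {score(*risk)}, plausible range {score_band(*risk)}")
    print("pairs whose order could flip:", fragile_pairs(REGISTER))
```

Many different combinations collapse onto the same number, and the plausible range around a mid-scale score is wide enough that most of the sample register cannot be reliably ordered, which is the uncertainty the paragraph above describes.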
So, we’ve looked at many facets of a complicated problem, and I think we can agree that the components of the whole planning and resilience question need to be subject to deep and detailed evaluation. And, of course, this takes time. However, we need to be clear about some simple requirements. Invest the time, effort and thought and your plan will have a good chance of working – if you can’t afford the time, effort, energy and worry of doing this process in detail, then you need to be able to prepare for the consequences. You have some simple options.
All of these options will be attractive to you at various levels and times and for various reasons. What you decide to do is your choice, based upon all of the influences and concerns you face. Whichever one you choose, there will be consequences. These consequences will vary in severity, speed and impact. But be under no illusion – they will be there.
We talked about forward thinking earlier in the story, and hopefully we are together warming to the idea that we need to consider consequences. When I mentioned to my wife what would be in the Contents list for this book and talked about the pool and the pebble she said to me, ‘That’s a bit of a cliché.’ I agreed (I always agree with her, actually – it works), but, as we already know, clichés get used for many things that we use a lot and normally use because they are useful! So, we’re going to pause in our pond and reflect upon what happens when the pebble goes in, where does the pebble end up? Does it affect the top, middle and bottom layers, and where do the ripples go? Also, what happens when the ripples hit the edge of the pond? We’re going to take this analogy to its absolute limit now. You can approach it in two ways, I suppose: either as an illustration of impact and consequential effect (which you should be thinking of in your planning), or, if you like and it’s your day off, as a little story about a peaceful, still pond and its shattered tranquillity.
So, if you’re sitting comfortably, let’s begin. Your organisation is metaphorically the pond. It has a surface – the thing that is discernible to the outside world – and this will, ideally, be tranquil and calm. However, under the surface is where the action is: big fish, little fish and all sorts of different pond life with different motivations and life cycles are moving around in there. Some are reliant on others to survive and operate; others will be working fairly unilaterally in their actions. On the edges of the pond will be all the other organisms that depend on the pond to exist. Plants, animals and the pond itself will need to survive by being fed a regular supply of water and other nutrients, sustenance, resources and energy, including sunlight. No matter how big the pond is, no matter what depends on it to survive, the pond has to rely on others to stay alive. In the ideal world, we will have achieved the natural balance, where everybody and everything gets what they need from someone or something else in this system and the circle of life is maintained. This is your organisation and its multiple dependencies going about their normal routine daily life and operations.
However, one day, it all changes and the pebble hits the surface of the pond. It doesn’t really matter where it comes from. It could be thrown, it could have been dropped from space, but it hits the surface and disturbs the pattern of life in the pond. This pebble will affect the balance and structures that exist within the pond and have evolved over time because of the following effects.
The size of the pebble. If it’s a tiny little pebble it won’t be a real problem. There will probably be limited impact and limited disturbance, and the wider pond will not really be disrupted to any great degree. If the pebble is a big one, things could be different; there will be a big splash with lots of ripples and major disturbance. In a similar way, although one tiny little pebble may not have a major effect, lots of tiny little pebbles impacting the surface at the same time might have a different outcome.
The depth of penetration into the pond. If our pebble penetrates right down into the depths of the pond and hits the bottom it may well throw up some silt which could make the water cloudy and difficult to navigate for the pond life. How many layers of pond life will it pass by, or even hit, on its way down? If everyone and everything is lucky it’s just going to go straight to the bottom with minor effect. But life isn’t normally about being lucky, is it?
What happens when the pebble’s effects reach the edge of the pond? If all the ripples that the pebble generates go to the edge of the pond, they can damage the peripheral elements which support and supply the pond itself. How big will the ripples be and to what extent will the damage take place?
The short-term changes can become long-term problems. Let’s say that the pebble is a big one and that it hits the pond’s biggest player or predator flush on the head on its way in and down to the bottom. So that player is now out and we have a gap in the normal process and life of the pond. The balance is disrupted and a change has taken place which will have long-term effects on the pond itself.
So, if we can see that there are impacts and consequences from this unforeseen event which has hit our organisation in the form of this pond and caused various problems or issues, then one thing we may need to consider is to make sure that the next time it happens, or has the potential to happen, we put in place some protection or contingency plan. There are probably many ways of ensuring that the pebble doesn’t hit the pond, that it doesn’t penetrate all the way to the bottom, and that the ripples don’t hit the edge and cause any further collateral and consequential damage. The trick, of course, is to try to think about how putting in place those measures would impact upon the ecosystem of the pond itself. You need a strategy that doesn’t involve simply filling the pond with concrete.
‘Strategy’ is a word that is often used by organisations and their managers to attempt to define the ‘big picture’ and their long-term aspirations and plans. But, in many cases, although the strategy may have been designed, understood and implemented in some isolation by the higher levels in the organisation, there may not be clarity of understanding (and implementation) at middle and lower levels. Now, this may not be a problem in routine and day-to-day operations, where most employees will be familiar with what they need to do, to what standards and in what timescales, but things can change. When there is considerable pressure in terms of time, resourcing or information demands, coupled with the need to manage and operate in difficult and unfamiliar circumstances, the need to understand the organisation’s strategy becomes really very important.
Simply and fundamentally, a comprehensive strategy that can be understood and applied throughout the organisation is crucial to the successful management and ‘steering’ of the business through its routine life, let alone through resilience events. And if you’re a manager, this is where you come in. Every organisation, in enacting a strategy, will look to its managers to make things work, to drive processes forward, to understand where you want to be and how you are going to get there, and, in the context of issues related to resilience, you should perhaps consider the planning and implementation issues that we have discussed so far.
To make things work, effective strategy and subsequent processes should focus on the long-term viability and sustainability of an organisation in both benign and malign environments. Businesses need to be equally effective and robust when things are going badly and when they are going well. And it is important to remember at this point why we are doing all this: we are aiming to maintain operations and our products and services, whatever they may be, and to continue to generate income. It is of no interest to stakeholders and interested parties how the organisation plans to achieve its strategic objectives – what is of interest is that the objectives are achieved to a satisfactory level. Perspectives on corporate strategy and contingency planning may vary in detail, but all should focus on achieving organisational resilience and continuity of critical business functions before, during and after a contingency event and on the ability to move forward, improving upon pre-event status. In other words, your external stakeholders in particular are not worried about how you do it – you just need to do it.
In effect, the organisational strategy and its success or failure will be critically dependent upon the interactions between itself and various external and internal factors. If there is a real problem, an organisation that only focuses on one or another aspect may find itself in trouble. If the business fails to address its own weaknesses in a timely and appropriate manner, no strategy aimed at reducing external impacts will save it. So, a thinking strategy needs to be put in place. That means one that is sensible, logical, workable and real. You can have all of the management-speak in place in your strategies that you will ever need or try to imagine. But you must, absolutely must, ensure that it can transfer into reality.
One of the things that exercises my mind is the idea that others have a view of what the resilience type of person is. Whether you are thick-skinned or not, should it concern you? I think that it should, because if you generate hostility, apathy or resistance rather than positivity and co-operation, there is some potential for significant problems to arise.
All business organisations, if they are to be protected against loss and malicious activity, require a resilience ‘function’ of some sort. That function may be performed by an undermanned, undervalued department (and, as such, may be somewhat ‘weak’), or it may be fully resourced and staffed with the capability to meet all issues and to plan and prepare thoroughly and effectively. Some organisational cultures, and the people who work for those organisations, understand and support the resilience function; others all but ignore it, and, in the worst cases, the organisation may be hostile. But, despite all that, we all know that resilience – what we do – is important and that the company can’t go on without it being effective. Resilience is special.
No it isn’t. Resilience is one of many business-enabling functions which is as important as all of the others – but it is not special and, when done badly and by poor managers, it can be a liability. There is a constantly reheated argument as to the effectiveness of the alignment of resilience departments and getting the business to buy in and to understand that everyone is on the same side: ‘If only (for example) security were more integrated into the rest of the business …/Nobody likes us or understands what we do …/That probably wouldn’t have happened if the company had understood security …’
… In general, people do understand the need for resilience. They know that theft is wrong, assault is bad, terrorism is dangerous, and that leaving access doors and computers unlocked is insecure. The problem is that as much as we debate the aspiration for our part of the organisation to be really important, to most people it just is not. They have lives to lead and jobs to do and in many cases all that you bring to the party is a niggling inconvenience that they feel that they could quite happily live without. So, when it comes to that perennial ‘let’s get buy-in and support from the Board and get people to understand the huge importance of resilience’, we could be debating this for a long time because I am not sure that it is ever going to be a universal trend.
Why do we feel the need to stand at the foot of the table looking upwards at what we perceive to be our more valued colleagues and departments with a mixture of envy, anger and frustration that they just don’t get it? Why don’t they understand our role’s importance, even though there is a headline resilience issue somewhere in the news every single day? This whole area is debated in depth in varied guises on an almost constant basis, which suggests that something is wrong. But it is mainly debated by us. Outside our community, it is much more difficult to find major debates going on about why businesses should value and integrate resilience more. The main debates in your organisation will be about how much money should or should not be spent, rather than on ‘culture’, ‘buy-in’, ‘awareness’ – because in the main there is no perception of a need to discuss it. You are there, you are needed, you are paid for and you need to do your job.
Procedures can still be effective without being loved. The next time you get on an aircraft, look at how the procedures are carried out to prepare for take-off, how the safety briefs are offered to disinterested passengers and, generally, how there is an efficient series of activities carried out. Whether the ‘culture’ of the passengers is aligned or not, and whether they are aware or not – nobody gets off the ground until the checks are complete. Ask the cabin crew whether they feel valued – you know the answer. When things start to go wrong, however, who will the passengers be looking to then?
Life is a journey, and it is probably true for the great majority of us that we will never stop learning. There is an infinite amount of knowledge out there: things that we know from experience, either our own or that of others; things that are there, but we haven’t heard about; things that we are taught in training or education; and things that are over the horizon for all of us and we haven’t really conceived as yet. I am interested in the mindset of humans as we climb the social and professional ladder: do we start to believe that we don’t need to learn so much? Is it sufficient to build a knowledge base and then to finesse that knowledge as we develop?
As we have said previously, we all know someone who thinks that they know something about everything; and in most cases it is probably true that the reality doesn’t necessarily match the self-view of the individual concerned. I personally feel that I learn something new every day – whether it is in my own area of specialism or in general terms – and I actively seek out the development of knowledge and understanding so that I can do my job better – and, in my own case, help others to develop their own knowledge and understanding. Is everybody doing that and do they need to?
Is it about attitude, perception, opportunities or something else? Is it arrogance, self-delusion or justified self-confidence that is in play? Or is there no problem at all?
I met someone, whilst writing this book, who was discussing with me his views on security-related subjects. He clearly regarded himself as something of an expert in most matters (don’t we all?). In my discussions with him, it became clear that, despite his knowledge and experience, both of which were significant – there was a bit of a flaw. No matter how much we discussed and debated various elements from organisational resilience to planning physical security – he was always right! I was essentially force-fed his opinions and views for about three hours and I don’t think that he actually heard a word that I offered back to him.
It was more than a little disconcerting that a person who has significant responsibility in security management can only see things his way. Even more worrying was a lack of willingness to consider the other person’s viewpoint. It started to dawn on me that he was, in fact, so rooted in and respectful of his own qualities, experience and knowledge that he could not find space in his mindset for any ideas or concepts at variance with them.
It was also interesting to see how he assumed (rightly or wrongly, but certainly on no demonstrable evidence) that his experience and knowledge were more valuable and relevant to a range of security scenarios than mine and those of the other people in the group. Falling back upon the supporting rationale of some of his thoughts, he used the ‘I could tell you this, but I would have to kill you’ approach – which failed to convince most of those in the room. In summary, this fellow came across as a know-it-all who did more to undermine his own argument than any one of us could have done, had we been given the opportunity! I think that there are lots of people like him out there …
And if there are lots of overbearing people in our business, then there is probably an equally large number of those who take the easy route. The planning and implementation of resilience measures to protect assets and maintain continuity can be a long, involved and detailed process. It can also be something that is far more simple and rapid. In general terms, it is probably a safe assumption to make that the simple, rapid method will be less thorough – therefore less effective – and probably cheaper than more detailed and protracted efforts. Clearly, that does not automatically make it better value. What will make it better value is the return on investment by high-quality, organisationally oriented team members – you.
On the managerial- and organisational-process front, a strong organisation will address the need to adopt business-aligned and integrated resilience management structures, endorsed and supported by the Board/C-suite/top team or whatever the mot du jour may be. There will be structured and aligned policies and procedures, security awareness programmes, plans, publicity campaigns and activities. If the organisation doesn’t see what you are trying to achieve, it will invariably not be their fault!
Not so long ago, I conducted some research into the readiness of security managers to envisage the threats facing businesses from emerging risks. I asked a representative number of security managers about their ability to face interconnected future risks and my findings were quite enlightening. Here’s what happened …
… In assessing the readiness of individuals and organisations to face emerging global and interconnected risks, the study that I carried out not only considered what these security managers and practitioners were capable of visualising and achieving, but also attempted to divine the levels of willingness and foresight to embrace concepts outside their ‘comfort zone’. The levels of expertise, experience and academic and intellectual flexibility, as well as the attitude of respondents to security management as a dynamic function, rather than a reactive checklist-based strategy, were among the areas that I felt would be fundamental contributors to their ability to meet the challenges posed – or, conversely, to their inability to manage issues effectively.
I began by researching the available literature and published works about ‘what might be coming’ – new and emerging risks that may be beyond their initial experience set – and balancing the published views and conclusions against the results of questions that I asked security managers. It turned out that clear disparities emerged between what is reasonably expected to happen in the future – both near and long term – and the recognition by a significant proportion of the security management grouping that the future would present significant risks to their organisations beyond those which exist at the moment.
Moreover, the view of security as a professionally managed function varied significantly between what my research suggested that the manager needs to function effectively and security management’s own view of its capabilities. The evidence was quite strong that there was a real reluctance to engage with risks and to face the difficulties which they may cause. I felt that, from my study, a stance where change resistance appeared to be almost embedded and endemic within businesses did not augur well for the viability of the traditional security function in its current form. And that it created another potential level of vulnerability.
My studies indicated that if the risks were real, dynamic and growing, they didn’t seem to be recognised as sufficiently threatening for the security managers to consider significant refinement or review of current practices and thus to change approach, attitude and knowledge levels. Despite being provided with a list of emerging risks which could affect them, security managers, in indicating that their focus had not shifted from traditional security threats, gave a worrying insight into framework thinking. Perhaps more worryingly, there was no significant indication that they would be shifting that focus in new directions in the near future. I thought about this a little more and I concluded that, although unpalatable, this is perhaps understandable; despite the literature making dark predictions, much of it could be (and perhaps justifiably is, to some) considered to be sensationalist and speculative. ‘Oil shock’, anyone?
Many busy and otherwise focused managers felt that forecasts of major global impacts were difficult to measure and envisage until the events happened. And this led me towards further thoughts and conclusions. I felt that it would be a naive and near-sighted security manager and business organisation which failed by omission or ignorance to notice forecast indicators and to begin to consider meeting new challenges. An example was that despite mention being made of pandemic measures in business planning, there was little real evidence that anything concrete or effective was actually being done. I think that, as I write this book, most people believe pandemics to be a buzzword, rather than a risk/impact issue.
Whilst it is simple and straightforward to make such statements in an academic study, change is difficult to achieve in reality because, as we have been discussing, there are not only attitudinal issues, but also gaps in knowledge. Despite the literature and general trends in resilience management which aspire towards a better-prepared and more capable profession, the significant element of security personnel, who considered experience to be equally or more viable as a business enabler than academic ability or general business skills, was a depressing indicator of the intellectual and attitudinal strides which will be required to move forward. When individuals do not know what they need, and their own organisation cannot see them as business enablers, rather than restrictive rule enforcers, there is a significant and worrying danger of both elements missing the point of resilience’s existence within a modern and progressive business.
In the same way that emerging risks have converged to form a significant threat to business well-being and security, the threat from within is also due to a convergence of incapability, attitude and ignorance. If it was determined by my study that there is a capability gap, a lack of awareness and a disappointing lack of willingness by managers and their employers to break out of a mould, it was important to make recommendations that not only recognise that these deficiencies do exist, but also provide a realistic basis for change.
What was more, it was not only that the checklisters had problems being equipped to face the risks, it was also clearly evident that the majority of organisations paid a degree of lip service to emerging risks and were clearly focused on the traditional range of security issues. This understandable approach is a result not only of business bottom-line focus, but also of the poor profile of security managers who need to learn and develop the skills and abilities necessary to link the risks to the business and to persuade the organisation of the value of the ‘soft skills’. These appeared to be less evident in security management than they should be and this is where the more enlightened practitioner comes in. Because such skills are complementary to the experience and to the core security knowledge and abilities necessary to conduct effective security operations, it is equally essential that businesses and individuals are guided towards recognising and acting upon this need. Communication and engagement skills should be an integral part of any corporate or organisational development programme. It became clear to me that many organisations are sailing ahead without any awareness of the ‘icebergs’ which may be before them, and, more dangerously, are not consulting or listening to those who could protect them against disaster. Maybe that’s because those who could be consulted or listened to have little of value to say.
At the core of this research, and clearly evidenced throughout responses, there lay the issue of conservatism. The experienced second-careerist resilience manager remained indicative of the majority of respondents, and the clear and alarming evidence was that the proportion of those who value experience over education remains high. Responses also indicated that there is almost a blissful and defiant unawareness of formal risk and impact management processes and of the global effects of security risks. This attitudinal deficiency will, no doubt, be difficult to address and rectify; however, the organisations and individuals involved do need to do this in order to survive and to capitalise on any opportunities that may arise in the long term. Clearly, the ‘traditionalist’ is poorly equipped to assess and address newly arising issues, and the process of attitudinal reprogramming requires them to recognise not only that they are deficient, but also that they do need to change.
In summary, and to realistically address the disparities between capabilities and risks posed, I concluded that a process of enlightenment is the way ahead. Criminology and traditional risk management are central to the concerns of security managers; willingness to change and to consider emerging risks was a difficult concept for security managers to face. The results of the research indicated not only that emerging risks (assuming that they are real) are continuing to arise, as theorised in published literature, but also that security management is, on the whole, conservative and risk-averse. Security is dominated by the narrowly focused, which has little clear recognition not only of the risks, but also of its own educational and development needs.
Global business is competitive, and global risks can have debilitating and potentially business-fatal consequential effects. Those organisations and individuals which cannot, or will not, recognise the evidence before them are destined to be less competitive than those which proactively face the challenges. Only when the current minority becomes the future majority, and open and free thought overcomes conservatism, will the linked resilience issues be truly and adequately addressable. And a final thought on that: if you think that as disaster, business continuity, crisis and emergency management people you are any different – I don’t think you are.
The resilience sector needs expertise and rationality; it does not need parochialism and jargon. There is utility in using models, but they need to be used sensibly and carefully, and they need to be applied by thinkers who know what they are aiming for and what they are talking about. There are huge gaps in knowledge, capability and awareness which can cause significant problems. With the evidenced gaps in some areas and the reluctance or inability to engage with threats and to properly protect organisations, there is an opportunity for motivated and capable resilience thinkers to move things forward. If you can see this, and if you think that you fit the requirement, what are you waiting for?
You have an opportunity to make the difference to any organisation that is prepared to live in stasis and to go with what it has because the structures are in place. The thoughts in this book are simple and straightforward; it is not designed to be heavy or deep on academic theory because I don’t think that is necessary to kick-start flexible, thinking mindsets.
It doesn’t matter what you do, whether you are a boxer, car salesperson, astronaut, student or teacher. Think and you will win – stop thinking and watch the world go sailing by, leaving you behind!