Whether we’re thinking about climate change, supply chains, pandemics or technology failures, we live in a world that relies on complex interdependencies. In that context, change occurs for the most part quite slowly – and then blazingly fast, as we reach tipping points where incremental developments unleash cumulative impacts and major events.
The pandemic showed us that, even as a 21st Century society, we were woefully underprepared for a hazard of that magnitude. And if you think about some of the major corporate governance failings of recent years – such as the Volkswagen emissions scandal, the Fujitsu IT failure that led to the wrongful prosecution of hundreds of Post Office workers or EY being fined £100 million because their auditors cheated on their CPA ethics exams – none of them would ever have shown up on a risk register.
Authoritarian, top-down leadership styles are typically blind to operational risks and crucial facts on the ground. Why? Because people don’t want to speak up, and risks are hidden. So, effective risk preparedness hinges on leadership styles that foster consultation and trust. What’s required is a focus on improvement and reliability. And that’s driven by two things:
- A recognition that risk preparedness is much cheaper than mounting a risk incident response. Indeed, research from the United Nations Development Programme estimates that, for every dollar spent on preparedness, seven are saved in recovery and clean-up costs.
- A willingness to learn and continually improve. It’s so easy as an organisation to go back to managing the day job in the wake of a risk event. But incidents and near misses are gifts to risk managers that enable us to learn and prepare far more robustly. In many ways, that learning is part of the day job.
Rehearse your reflexes
Effective leadership in this field means you’re already talking about resilience and continuity on a constant basis, not loading this onto staff as an extra task. Preparedness means shifting your focus away from ‘just in time’ to ‘just in case’. Have you tested your generator? Do you have confidence in tested immutable data backups? Are you furnished with buffer stocks and spare capacity to absorb shocks? The key to this approach is acknowledging that lean is typically the opposite of resilient.
Actively horizon scan for challenging scenarios and how you might deal with them. Worst-case planning assumptions are routinely published in places like the Cabinet Office website – so, use those official resources to model how events such as blackouts this winter may affect your organisation. Rehearse your responses and stress test them to the point of failure. And importantly, get away from all the form-filling bureaucracy that builds up around risk and into having meaningful conversations on the subject with colleagues right across your organisation. What really counts is depth of understanding – not painstakingly entering details into your risk register and assigning different colours to different risk types.
Adaptive learning based on the outcomes of incidents and stress tests is crucial. From after-action reviews to making thorough comparisons between what you expected to happen and what actually did happen, there are loads of simple methodologies out there that will enable you to harvest useful information and feed it back into your preparedness.
Fundamentally, risk management is everyone’s responsibility. And the more you encourage your people to collaborate on it, the more you will bring them with you. One of the biggest problems with risks is that information is often kept in silos. So, encouraging lots of joint working between protective disciplines such as information security, business continuity, insurance and health and safety will ensure that those areas are working together against risk, rather than operating by themselves.
When a risk event breaks, it is highly unlikely that the person closest to the flashpoint will be a figure from the C-suite. The person who will be managing, say, a small-hours disruption in your headquarters will be your senior security guard – so, focus on ensuring that your first-responders are trained and equipped to deal with the complex issues that are part and parcel of such intense, high-pressure situations.
Your initial incident response is critical to incident stabilisation. And if you have something like a huge flood in your building, the bulk of that event may already have unfolded before the CEO is stirred by a 3am phone call and urged to mobilise the incident response team.
That’s why it’s so important to cultivate a learning appetite around risk that involves every member of staff. Project reviews, performance appraisals, post-incident debriefs and even making a desktop-based incident scenario central to a teambuilding day can help you break down silos, bring people together and foster a one-team approach to fuel your response mode. Leaders who want to get their people on board with them on risk should praise learning, be open about mistakes and recognise that, ultimately, we’re all human.
Chemistry is a major asset, here. I used to work as a supply chain manager for the Red Cross, receiving planeloads of aid into airports and setting up warehouses near to where disaster had struck – and one oft-quoted mantra was, “Never meet your team for the first time when you get on the plane.”
When you’re on your way to that earthquake or tsunami, familiarity is essential. You’ve got to have that human capital in place and a culture where everybody understands everyone else’s sense of humour – otherwise, in the white heat of stress, people can end up rubbing each other up the wrong way.
Part of that team cohesion stems from effective allocation of roles. It may be the case that the managing director isn’t necessarily the best person to lead a risk incident response – perhaps someone further down the organisation has demonstrated a high aptitude through fantastic situational awareness and impact assessment, and they’re great at bringing a team together and can set objectives and do all the things you need to do at the beginning of an incident really, really quickly.
So, have systems and methods for recognising those individuals – and invest in rehearsing your incident response.