One of the challenges we have in risk management, crisis management, and security management is striking a balance between customized and standard solutions. Customized solutions and approaches tend to be more expensive now (implementation) and later (maintenance). However, customized solutions resolve specific requirements. Standard solutions tend to be cheaper, but we don’t get exactly what we want. Our challenge is balancing requirements and spend to get the most out of our budgets.
When is good good enough?
Jeremy Stynes, Lootok’s CCO / CTO, has coined a term he calls Snowflake Syndrome. Snowflake syndrome is when someone believes that they are so unique they demand special attention and design - but reality is ... they’re not special. They believe their project/initiative/program is one-of-a-kind, a snowflake. The challenge of the Snowflake Syndrome is rooted in people’s mental models. People can suffer from the syndrome when they confuse their personal uniqueness, or desire to be unique, with the organizational program they are responsible for. It can also come from working in organizational environments that lack standardization and procedures; therefore snowflake solutions are everywhere. It is easy to believe you are a snowflake when everything and everyone around you is a snowflake. Snowflake thinking can lead to overly complex (unique) design and processes. Anytime we see inconsistent design or costly overruns the snowflake syndrome is close by.
I appeared on Federal News Radio and shared my thoughts on new approaches to risk management and how to develop an effective approach to business. You can stream the recording for free here: Interview with Sean Murphy
Look forward to hearing your thoughts and comments!
Chris de Wolf (Mars) and I got back together in April at the RIMS’16 conference for an overwhelmingly well-received session where we talked about transforming the risk function from a program to a business.
“Shaking up the Status Quo - Innovations in Risk Management” gave us the opportunity to tell the story of how we reinvented risk management - business continuity. Long story short: We were looking for a better way.
What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.
Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.
Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.
What happens when we’re in a crisis we haven’t seen before, and our experience is insufficient? Such a situation requires us to gain “insight,” or develop new patterns that change the way we understand things and consequently, change the actions we consider. Research psychologist Gary Klein investigated the different ways that people form insights, and the factors that prevent us from having them.
There are certain challenges that face a crisis management team in the “Golden Hour,” the moment when team members convene to make critical decisions. Research psychologist Gary Klein discusses the need for team members to size up not only the situation, but also each other’s capabilities, roles, and responsibilities at time of event. That’s why it’s key for a crisis management team to regularly practice and train together.
How do most organizations handle uncertainty? They gather more information. Research psychologist Gary Klein explains why this isn’t always the best course of action. After all, it’s easy to gather information and sit on it; it’s harder to know how to make sense of events, and make a coherent story based on the data we have.
How can leaders make good decisions under the extreme time constraints of a crisis? To find out, research psychologist Gary Klein studied fire fighters to understand their approach to making crucial, complex decisions so quickly. The recognition-primed decision (RPD) process, as he explains, reveals how these professionals assess the situation: they compare familiar patterns and cues to past experiences to know which actions to take.
I had the pleasure to interview Gary Klein the author of “Seeing What Others Don’t,” “Streetlights and Shadows,” “Working Minds,” and “Sources of Power.” His research and experience is invaluable to anyone in the field of risk management. In this interview, Gary talks about the difference between a well-ordered domain (i.e., normal business environment) and complex domain (i.e., crisis environment). Understanding the characteristics and attributes of each environment is critical to understanding what tools, processes, and capabilities needed to be successful in each environment.
This video for the Homeland Security Business Continuity Planning Suite communicates core business continuity concepts and highlights the benefits of planning. In just a few minutes, the video manages to cover a variety of disasters including a loss of power, hurricane, fire, and a human threat. It’s perfect to use for kicking off a planning workshop or meeting, or circulating to department leads or plan writers to increase their awareness.
When it comes to risk perception, we are notoriously prone to misconceptions. Whether fearing planes over bikes or elevators over stairs, we have a tendency to misjudge just how dangerous certain situations are.