Mica shares with us lessons learned from her book—Designing for Situation Awareness. I asked her nine (9) questions to solicit her thoughts on situation awareness, technology, and mental models.
One of the challenges we have in risk management, crisis management, and security management is striking a balance between customized and standard solutions. Customized solutions and approaches tend to be more expensive now (implementation) and later (maintenance). However, customized solutions resolve specific requirements. Standard solutions tend to be cheaper, but we don’t get exactly what we want. Our challenge is balancing requirements and spend to get the most out of our budgets.
When is good good enough?
Jeremy Stynes, Lootok’s CCO / CTO, has coined a term he calls Snowflake Syndrome. Snowflake syndrome is when someone believes that they are so unique they demand special attention and design - but reality is ... they’re not special. They believe their project/initiative/program is one-of-a-kind, a snowflake. The challenge of the Snowflake Syndrome is rooted in people’s mental models. People can suffer from the syndrome when they confuse their personal uniqueness, or desire to be unique, with the organizational program they are responsible for. It can also come from working in organizational environments that lack standardization and procedures; therefore snowflake solutions are everywhere. It is easy to believe you are a snowflake when everything and everyone around you is a snowflake. Snowflake thinking can lead to overly complex (unique) design and processes. Anytime we see inconsistent design or costly overruns the snowflake syndrome is close by.
I appeared on Federal News Radio and shared my thoughts on new approaches to risk management and how to develop an effective approach to business. You can stream the recording for free here: Interview with Sean Murphy
Look forward to hearing your thoughts and comments!
Chris de Wolf (Mars) and I got back together in April at the RIMS’16 conference for an overwhelmingly well-received session where we talked about transforming the risk function from a program to a business.
“Shaking up the Status Quo - Innovations in Risk Management” gave us the opportunity to tell the story of how we reinvented risk management - business continuity. Long story short: We were looking for a better way.
I was working with an executive team on a crisis scenario, when one of the leaders asked a question on crisis communication. He asked, “How soon do we need to communicate? 5 minutes, 10 minutes, 1 hour, 1 day, …?” He was looking for a precise number to evaluate a few past incidents that were on top of mind for everyone in the room. I gave the common answer, but right answer, of “it depends”. He gave a look of dissatisfaction and made a discrediting posture. I went on to share a few basic statistics from Daniel Diermier’s research (author of Reputation Rules) such as “online news stories suggest that the typical window is only eight hours; 20% of all news stories on a given issue are published within an eight-hour period; so forth.” Some time has passed since the exercise. After some thought, I want to provide executives with six (6) crisis characteristics to consider when determining when and how to communicate.
I was on the phone last week with a data visualization expert and author discussing visualization problem solving—basically, how to solve problems or at least understand problems with pictures (i.e., drawing pictures). He asked a question about cyber security: “Why is a cyber threat so scary? Isn’t it just another threat?” He was right… in part—cyber is another threat, just like infectious disease, civil unrest, flood, power outage, fire, war, or accident. While we use common frameworks and capabilities for threats such as command and control, situation awareness, threat intelligence, common operating picture, common ground, and so forth, each threat has unique characteristics we need to consider. Why is cyber security on the top of every executive’s mind? It comes down to six (6) characteristics of a cyber threat:
Intentional
Speed
Wild
Interconnectedness
Location
Detectability
There’s a mnemonic for these six (6) characteristics: “is wild.”
What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.
Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.
Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.
What happens when we’re in a crisis we haven’t seen before, and our experience is insufficient? Such a situation requires us to gain “insight,” or develop new patterns that change the way we understand things and consequently, change the actions we consider. Research psychologist Gary Klein investigated the different ways that people form insights, and the factors that prevent us from having them.
There are certain challenges that face a crisis management team in the “Golden Hour,” the moment when team members convene to make critical decisions. Research psychologist Gary Klein discusses the need for team members to size up not only the situation, but also each other’s capabilities, roles, and responsibilities at time of event. That’s why it’s key for a crisis management team to regularly practice and train together.
How do most organizations handle uncertainty? They gather more information. Research psychologist Gary Klein explains why this isn’t always the best course of action. After all, it’s easy to gather information and sit on it; it’s harder to know how to make sense of events, and make a coherent story based on the data we have.
How can leaders make good decisions under the extreme time constraints of a crisis? To find out, research psychologist Gary Klein studied fire fighters to understand their approach to making crucial, complex decisions so quickly. The recognition-primed decision (RPD) process, as he explains, reveals how these professionals assess the situation: they compare familiar patterns and cues to past experiences to know which actions to take.
I had the pleasure to interview Gary Klein the author of “Seeing What Others Don’t,” “Streetlights and Shadows,” “Working Minds,” and “Sources of Power.” His research and experience is invaluable to anyone in the field of risk management. In this interview, Gary talks about the difference between a well-ordered domain (i.e., normal business environment) and complex domain (i.e., crisis environment). Understanding the characteristics and attributes of each environment is critical to understanding what tools, processes, and capabilities needed to be successful in each environment.
Dr. Yossi Sheffi, author of “Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage,” discusses two of his favorite crisis management case studies with Sean Murphy.
Lootok has three methodologies that drive our operations: Activity-Based Collaboration™, The Lootok Demand Model™ , and Get Ready, Stay Alert, Take Action™.
Hurricane Sandy is the largest hurricane to ever form in the Atlantic Basin. Along its path, 253 people were killed in seven countries and total damage resulted in over $65.5 billion. How does superstorm Sandy compare to major disasters from last year?
The retail sector faces risk challenges ranging from cyber security threats to active shooter incidents. These threats, coupled with advances in new technologies, social media and public perceptions of risk have required the retail sector to reevaluate the resiliency of their business.
Written by Lootok’s Sweta Chakraborty and Iris Chung.
$18 billion dollars. That’s the number estimated in damages caused by Hurricane Sandy just in the state of New York alone. With the unexpected turns that transpired amidst the super storm, all businesses were reminded of the importance of business resiliency.
Given the vast amount of information presented to-date, it is still very important that the financial sector revisit the surprises from Sandy to ensure that critical financial services are better protected. A team of experienced BCM advisors gathered the recommendations in the accompanying table from industry thought leaders in leading global financial services companies to learn from their perspectives.
When it comes to managing risk, one oft-overlooked aspect is risk perception, or how we perceive a threat. What we believe or do not believe about risks has an enormous effect on how well we prepare ourselves for them, and the action we take when they occur. What factors into our fears, and how do they impact our decision-making?
This video for the Homeland Security Business Continuity Planning Suite communicates core business continuity concepts and highlights the benefits of planning. In just a few minutes, the video manages to cover a variety of disasters including a loss of power, hurricane, fire, and a human threat. It’s perfect to use for kicking off a planning workshop or meeting, or circulating to department leads or plan writers to increase their awareness.
More and more, successful organizations are realizing that a meaningful “customer experience” involves the co-creation of a product. What does co-creation look like in business continuity?
Why all the ruckus about naming a winter storm? Sometimes, the intention behind the names is to draw the public’s attention to severe weather. While winter storms may not have as large of an impact as hurricanes, they can often be erratic; for example, dumping snow in one area while leaving nothing more than rain or fog in another. Now, it’s becoming clear that superstorms have hype cycles of their own.
When it comes to risk perception, we are notoriously prone to misconceptions. Whether fearing planes over bikes or elevators over stairs, we have a tendency to misjudge just how dangerous certain situations are.
