Zona Walton [ADP - Global Business Resiliency] and I spoke at a private conference last month. The title of our session was The Future of Resiliency. We explored the idea that the future of resiliency isn’t resiliency; that is, it will be something else.
Last month, I showed up at a client’s manufacturing site to facilitate an annual tabletop exercise. The company had recently kicked off its crisis management and business continuity initiative, so I wasn’t surprised to walk in and hear several people ask what this meeting was about, and how long it was going to last.
It is commonplace within organizations to have initiative atrophy or program of the month syndrome. People are doing more with less. Everyone is highly skilled at prioritizing work and recognizing false positive initiatives. Crisis management and business continuity can quickly get categorized as a ‘not now’ or ‘postpone as long as possible’ project in this environment. Therefore, it is important for risk and security professionals to allow our stakeholders bring themselves into the program. We need them to want the program and value the work we need them to do.
In my experience, there are usually three different types of people sitting in the room.
First, you have your evangelists, or your program advocates—they’re often the ones leading the initiative or they’ve already experienced some kind of catastrophic event. On the other end of the spectrum are those who have already decided risk management is irrelevant, so they’re checked out and sighing loudly.
But almost everyone in between is a good corporate citizen who has showed up with a printed copy of their plan because they were told to. Other than the occasional email, they’re not used to thinking about risk. You can’t blame them for wanting to just get the meeting over with and get on with their lives.
This mindset, unfortunately, is not uncommon. Whether people are unaware of the program or struggle to understand its value, it’s important to recruit them as active participants. So what are we as risk management professionals to do?
Why can’t risk management, crisis management, and business continuity be a rewarding experience that people actively desire to be involved with?
While the Demand Model® evaluates the engagement level of an audience, the Experience Model™ gives us the tools to increase that demand.
Last week, Lootok presented with Matt Jarm from Mars Inc. about supply chain resiliency at the New York Continuity Insights Conference.
In our session, we covered the critical aspects of rolling out and maintaining a global supply chain operational risk – business continuity program. Supply chain leaders are naturally gifted at managing risk, as it is part of their daily lives. But, supply chains are naturally dynamic (i.e., disruptive), which makes many of our traditional operational risk – business continuity techniques ineffective. Supply chain leaders need risk management techniques and tools to help them make decisions, solve problems, and communicate in complex environments.
Learning objectives covered:
Join me at the Enterprise Risk Management Summit in Las Vegas on November 2, 2016!
I will be speaking with Andrew Miller from ADP about linking reputation management, business continuity and crisis planning to strengthen risk resilience.
Where: Rio All-Suite Hotel & Casino in Las Vegas
When: November 2, 2016, 9:00am
What: Linking reputation management, business continuity and crisis planning to strengthen risk resilience
“Nothing happens until someone sells something to someone.” Thomas J. Watson (1874–1956), Chairman and CEO, IBM
Would a company sell a product or service that no one wanted? It’s an absurd question with a simple answer: absolutely not. You need demand. People have to want what you’re offering. At Lootok, we apply this same basic principle to risk management, business continuity, and crisis management programs.
Of course, most practitioners—people like you and me—see the value and the importance of their role in such services. But if you go outside this tight circle, demand quickly wanes. Rather than march to a linear project plan or industry standard, let demand drive the pace of progress.
Before you rollout, change, or update a global program, begin by assessing demand. Organizations tend to prefer immediate success and tangible artifacts (e.g., risk assessment or business impact analysis), but if you think of your program as a business, assessing demand would be the first thing you would do.
Out of this concept came Lootok’s Demand Model®, developed and refined over the past decade.
I had the privilege of sitting down with Mica Endsley —author of Designing for Situation Awareness: An Approach to User-Centered Design. Mica is the president of SA Technologies. Previously she was the Chief Scientist for U.S. Air Force.
Mica shares with us lessons learned from her book—Designing for Situation Awareness. I asked her nine (9) questions to solicit her thoughts on situation awareness, technology, and mental models.
Interesting presentation by Harvard Law School Professor Cass R. Sunstein on using behavioral science to change behavior:
From Behavioral Economics to Public Policy
He co-authored the book Nudge.
It is becoming increasingly necessary in risk management and business continuity management to be better, faster, and cheaper. We need to better Return on Investment (ROI), better participation, better end-user experience, faster change, greater reach and adoption, and enhanced techniques and concepts. We need people to do more with less and with higher quality and participation. To accomplish any of this we need behavioral science.
One of the challenges we have in risk management, crisis management, and security management is striking a balance between customized and standard solutions. Customized solutions and approaches tend to be more expensive now (implementation) and later (maintenance). However, customized solutions resolve specific requirements. Standard solutions tend to be cheaper, but we don’t get exactly what we want. Our challenge is balancing requirements and spend to get the most out of our budgets.
When is good good enough?
Jeremy Stynes, Lootok’s CCO / CTO, has coined a term he calls Snowflake Syndrome. Snowflake syndrome is when someone believes that they are so unique they demand special attention and design - but reality is ... they’re not special. They believe their project/initiative/program is one-of-a-kind, a snowflake. The challenge of the Snowflake Syndrome is rooted in people’s mental models. People can suffer from the syndrome when they confuse their personal uniqueness, or desire to be unique, with the organizational program they are responsible for. It can also come from working in organizational environments that lack standardization and procedures; therefore snowflake solutions are everywhere. It is easy to believe you are a snowflake when everything and everyone around you is a snowflake. Snowflake thinking can lead to overly complex (unique) design and processes. Anytime we see inconsistent design or costly overruns the snowflake syndrome is close by.
When working with the masses [end-users; not experts in risk management, business continuity, crisis management], I find it beneficial to present clear, concise, and concrete packaged solutions. People need guidance and structure to help them think through problems and build effective plans. This is one of the reasons Lootok created the 8Rs™ of Resiliency. The goal the 8Rs is to reduce uncertainty, simplify complexity, structure thinking and dialogue, build common ground, and establish preparatory activities. The 8Rs facilitates planning with a plan as the end deliverable (i.e., plans are the byproduct of planning). The 8Rs are designed to provide people with a set of options they can employ to continue operations under various threats and timelines. The 8Rs™ of Resiliency comprises of the following:
Since starting Lootok, once a year I go to Rochester, Minnesota, my home State, to take my annual executive physical at the Mayo Clinic. It gives me a good reason to get back to Minnesota to visit family and friends, while maximizing my medical checkups. In just two days, more than fifteen doctors evaluate me. Risk management shares many similarities with the medical field, and it’s where you find the best analogies and metaphors. I wanted to share few of the insights I have gleaned over my time at Mayo.
Risk management is analogous to the immune system. It is not a thing or part. It is a system that co-exists within other systems that must properly function with a larger system called the organization | organism. You cannot just fix the immune system, buy it, or expect miraculous resiliency overnight. The immune system must be earned, strengthened and maintained every day. You need healthy habits, positive attitude and healthy living and work environments, proper planning and long-term vision and dedication, so forth. Risk management works the same way. Risk management also has the same challenges as our immune system: we don’t think much about it until something goes wrong.
I appeared on Federal News Radio and shared my thoughts on new approaches to risk management and how to develop an effective approach to business. You can stream the recording for free here: Interview with Sean Murphy
Look forward to hearing your thoughts and comments!
Chris de Wolf (Mars) and I got back together in April at the RIMS’16 conference for an overwhelmingly well-received session where we talked about transforming the risk function from a program to a business.
“Shaking up the Status Quo - Innovations in Risk Management” gave us the opportunity to tell the story of how we reinvented risk management - business continuity. Long story short: We were looking for a better way.
What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.
Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.
Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.
What happens when we’re in a crisis we haven’t seen before, and our experience is insufficient? Such a situation requires us to gain “insight,” or develop new patterns that change the way we understand things and consequently, change the actions we consider. Research psychologist Gary Klein investigated the different ways that people form insights, and the factors that prevent us from having them.
There are certain challenges that face a crisis management team in the “Golden Hour,” the moment when team members convene to make critical decisions. Research psychologist Gary Klein discusses the need for team members to size up not only the situation, but also each other’s capabilities, roles, and responsibilities at time of event. That’s why it’s key for a crisis management team to regularly practice and train together.
How do most organizations handle uncertainty? They gather more information. Research psychologist Gary Klein explains why this isn’t always the best course of action. After all, it’s easy to gather information and sit on it; it’s harder to know how to make sense of events, and make a coherent story based on the data we have.
How can leaders make good decisions under the extreme time constraints of a crisis? To find out, research psychologist Gary Klein studied fire fighters to understand their approach to making crucial, complex decisions so quickly. The recognition-primed decision (RPD) process, as he explains, reveals how these professionals assess the situation: they compare familiar patterns and cues to past experiences to know which actions to take.
I had the pleasure to interview Gary Klein the author of “Seeing What Others Don’t,” “Streetlights and Shadows,” “Working Minds,” and “Sources of Power.” His research and experience is invaluable to anyone in the field of risk management. In this interview, Gary talks about the difference between a well-ordered domain (i.e., normal business environment) and complex domain (i.e., crisis environment). Understanding the characteristics and attributes of each environment is critical to understanding what tools, processes, and capabilities needed to be successful in each environment.
Dr. Yossi Sheffi, author of “Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage,” discusses two of his favorite crisis management case studies with Sean Murphy.
Business continuity can be a challenging thing to get people to pay attention to, especially when a disruption feels distant or unlikely. However, it’s critical that your staff knows about your company’s business continuity program and is familiar with its recovery strategies and plans—prior to an incident—in order for your planning to be effective. So how can you raise business continuity awareness at your organization?
Sean Murphy discusses the limitations of plans with renowned author and research psychologist Gary Klein.
Lootok has three methodologies that drive our operations: Activity-Based Collaboration™, The Lootok Demand Model™ , and Get Ready, Stay Alert, Take Action™.
Hurricane Sandy is the largest hurricane to ever form in the Atlantic Basin. Along its path, 253 people were killed in seven countries and total damage resulted in over $65.5 billion. How does superstorm Sandy compare to major disasters from last year?
$18 billion dollars. That’s the number estimated in damages caused by Hurricane Sandy just in the state of New York alone. With the unexpected turns that transpired amidst the super storm, all businesses were reminded of the importance of business resiliency.
Given the vast amount of information presented to-date, it is still very important that the financial sector revisit the surprises from Sandy to ensure that critical financial services are better protected. A team of experienced BCM advisors gathered the recommendations in the accompanying table from industry thought leaders in leading global financial services companies to learn from their perspectives.