Learning to either manage the crisis or run the company, but not do both, is a hard lesson for most executives, as they want to do it all. Executives achieve their position through hard work, overcoming extreme obstacles, success, confidence, and leadership. It becomes difficult to let go of the organizational reigns to focus on the crisis. Likewise, it is just as difficult to let others manage a crisis while they focus on the organization. This post is a reflection of a number of executive crisis management trainings I facilitated where the executive (e.g., CEO, business unit president, segment leader) wanted to ‘fly the plane’ and ‘fix the problem.’
Consider the Basics for Crisis Management Program - as with most initiatives and programs, we tend to over think when we design them. The basics reminds me of one of my favorite quotes from Antoine de Saint-Exupéry, “Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.”
Let’s keep it simple: crisis management
When it comes to crisis management the majority of crisis teams need seven means to make timely and effective decisions based on applying judgment to available information. We need a command and control framework, critical information requirements (identification of gaps in our knowledge), intelligence, situation awareness, common operating picture, common ground, and intent.
Zona Walton [ADP - Global Business Resiliency] and I spoke at a private conference last month. The title of our session was The Future of Resiliency. We explored the idea that the future of resiliency isn’t resiliency; that is, it will be something else.
As business continuity practitioners, it would serve us well to take a cue from writer Antoine de Saint-Exupéry, who stated, “Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.”
Many risk and resiliency initiatives are more robust and complicated than they need to be. Common signs of an over-engineered program may include: lengthy plans packed with procedures and protocol, a BIA that takes months to complete, lengthy internal audits fixated on industry standards, and just a handful of people who actually know what to do in an incident.
Blessed with “the curse of knowledge,” we as practitioners can easily lose sight of how business continuity is perceived by our stakeholders. We fall prey to assuming that others understand the value of participating in program activities, much less have the expertise to decipher industry jargon (how many times in your career have you had to explain “RTO” and “MTPD”?).
Even Wikipedia’s description of “business continuity planning” is prefaced with the warning: “This article may contain an excessive amount of intricate detail that may only interest a specific audience.”
Put yourself in the shoes of a stakeholder who rarely thinks of contingency planning or has yet to experience an incident, and it’s even more critical that you keep your program simple.
What would happen if we were to boil down business continuity to just the basics? What if we began describing concepts in layman’s terms, and it helped to ease understanding and facilitate program adoption?
During the past 10 years Lootok has been in business, we’ve stayed vendor agnostic while implementing many different crisis management and business continuity tools for clients. Humbled by our own trials and tribulations with software, we had yet to meet a vendor we felt excited about.
That changed last fall when we decided to partner with Clearview, our technological counterpart we’ve come to know and trust. We’re proud to say we believe ClearView to be the best software solution in the market. Read why.
Lootok is Clearview’s Americas service provider.
Email us at email@example.com or ring us at +1.646.961.3684 to get your demo.
In our business, we can all identify with the feeling that something bad is looming—the next big power outage, unprecedented snowstorm, or vicious cyber attack is right around the corner. Sometimes it can feel like all we’re doing is getting ready for a negative event.
Many industry activities—things like assessments, plans, exercising, and auditing—help to create this “wait-for-impact culture.” As we evaluate endless industry standards, regulations, and consulting methodologies, there is a hyper-focus on documentation, policies, procedures, steering committees, and audits.
This methodical approach works with well-defined risks, or those threats that are so familiar to us that we’ve integrated them into the way we do business. But what about complex risk? The most procedural checklists and plans don’t account for managing those threats that we’ve yet to figure out. Risks that are still emerging and largely unknown are the ones that could actually leave us vulnerable.
Ten years ago, we developed Lootok’s BCM Model®* because we realized that it wouldn’t ever be enough for leaders to simply respond. For companies to stay competitive, leaders must be more proactive than ever to also consider threats that are on the horizon.
This presentation was presented at the D.C. Analyst Roundtable. I was asked to speak on crisis management, business continuity, and how to run a program like a business. You can download the presentation from SlideShare.
The “on time, on budget, and as promised” motto that dominates our industry is a cliché. It’s the stock answer when asked how to evaluate a project’s success. You may achieve one or maybe two of these measures, but satisfying all three is no easy feat. While project plans can help, you need much more. At Lootok, we deliver projects through two proprietary means: ODWR® and 5Ds®.
In our session, we covered the critical aspects of rolling out and maintaining a global supply chain operational risk – business continuity program. Supply chain leaders are naturally gifted at managing risk, as it is part of their daily lives. But, supply chains are naturally dynamic (i.e., disruptive), which makes many of our traditional operational risk – business continuity techniques ineffective. Supply chain leaders need risk management techniques and tools to help them make decisions, solve problems, and communicate in complex environments.
Learning objectives covered:
Common pitfalls (i.e. too fast, too big) of risk and resiliency supply chain rollouts.
The necessary methodologies, tools, and roadmaps to be successful in today’s complex, nonlinear, supply-chain environments.
Lootok’s ABdCa®: The best way to collect and analyse data.
We were at our wits’ end. Neither we nor our clients could take another dull meeting or frustrated end-user. Risk management, crisis management, and business continuity were simply too hard for too little. We took a deep breath and sat back. Finally, someone said it.
“There HAS to be a better way!”
We knew she was right, but none of us had any idea how to accomplish that. We started by just trying to have a little fun in our meetings: we played a few games. As we played, we discovered that our activities were not only fun, but engaging and memorable as well. We could use them to facilitate training and awareness. Then it got better. We realized we could collect and analyze data at the same time.
It was an incredible discovery for us. Not only did we change the experience of a meeting, it facilitated a better learning environment with higher adoption rates, while completing our deliverables at the same time. Developed and refined over the last decade, Lootok’s Activity-Based Data Collection and Analysis (ABdCa®) Model takes a fraction of the time and cost of traditional methods while facilitating a more effective process and more rewarding experience.
“Nothing happens until someone sells something to someone.” Thomas J. Watson(1874–1956), Chairman and CEO, IBM
Would a company sell a product or service that no one wanted? It’s an absurd question with a simple answer: absolutely not. You need demand. People have to want what you’re offering. At Lootok, we apply this same basic principle to risk management, business continuity, and crisis management programs.
Of course, most practitioners—people like you and me—see the value and the importance of their role in such services. But if you go outside this tight circle, demand quickly wanes. Rather than march to a linear project plan or industry standard, let demand drive the pace of progress.
Before you rollout, change, or update a global program, begin by assessing demand. Organizations tend to prefer immediate success and tangible artifacts (e.g., risk assessment or business impact analysis), but if you think of your program as a business, assessing demand would be the first thing you would do.
Out of this concept came Lootok’s Demand Model®, developed and refined over the past decade.
Chris de Wolfe, global director of risk management at Mars Inc., shares his challenges of getting the global risk management program at Mars up and running.
“The CRM group had a lot to offer but was severely underutilized, which led to high insurance premiums, a high risk profile, and a significantly reduced resiliency and recovery capability,” Chris said.
Reflecting on how Mars as a business became a major success, de Wolfe decided that he needed to market and promote his own department in the same way. Partnering with Lootok, a risk management consultancy firm, he developed a strategy to engage with the employees in a fun yet educational way. He devised a 5- to 10-year plan, broken into 12- to 18-month strategies and individual project plans by mapping out all of the products and services that risk management offers. He conducted a perception survey and drew up a program based on the ABCs of risk management.
“The ABCs allowed people to understand that risk management not only provides insurance, but it also ensures that the business continues,” said de Wolfe.
Sean Murphy, CEO and founder of Lootok, said of de Wolfe:
“I’ve known Chris for 10 years and what differentiates him is that he treats his program as a business. He had a good program before but he wasn’t satisfied with it so he completely revamped it and is now reaping the benefits.”
It is becoming increasingly necessary in risk management and business continuity management to be better, faster, and cheaper. We need to better Return on Investment (ROI), better participation, better end-user experience, faster change, greater reach and adoption, and enhanced techniques and concepts. We need people to do more with less and with higher quality and participation. To accomplish any of this we need behavioral science.
When working with the masses [end-users; not experts in risk management, business continuity, crisis management], I find it beneficial to present clear, concise, and concrete packaged solutions. People need guidance and structure to help them think through problems and build effective plans. This is one of the reasons Lootok created the 8Rs™ of Resiliency. The goal the 8Rs is to reduce uncertainty, simplify complexity, structure thinking and dialogue, build common ground, and establish preparatory activities. The 8Rs facilitates planning with a plan as the end deliverable (i.e., plans are the byproduct of planning). The 8Rs are designed to provide people with a set of options they can employ to continue operations under various threats and timelines. The 8Rs™ of Resiliency comprises of the following:
Relocate - physical moving assets (e.g., people, technology, equipment) to another location
Reassign – transferring processes (i.e., work) to another location
Repair / Replace – capabilities in place to fix the problem at time of event
Reinforce – fortify, strengthen, assets to tolerate greater impacts and occurrences
Replicate – simultaneous production (i.e., processes, technology, work) at two locations [duplication]; active-active
Redundancy - extra capacity and inventory
Risk Transfer – shift risk to other entities through insurance, contracts, and risk pooling
Relinquish – do nothing [e.g., too cost prohibitive]; risk acceptance strategy
Since starting Lootok, once a year I go to Rochester, Minnesota, my home State, to take my annual executive physical at the Mayo Clinic. It gives me a good reason to get back to Minnesota to visit family and friends, while maximizing my medical checkups. In just two days, more than fifteen doctors evaluate me. Risk management shares many similarities with the medical field, and it’s where you find the best analogies and metaphors. I wanted to share few of the insights I have gleaned over my time at Mayo.
Risk management is analogous to the immune system. It is not a thing or part. It is a system that co-exists within other systems that must properly function with a larger system called the organization | organism. You cannot just fix the immune system, buy it, or expect miraculous resiliency overnight. The immune system must be earned, strengthened and maintained every day. You need healthy habits, positive attitude and healthy living and work environments, proper planning and long-term vision and dedication, so forth. Risk management works the same way. Risk management also has the same challenges as our immune system: we don’t think much about it until something goes wrong.
Chris de Wolf (Mars) and I got back together in April at the RIMS’16 conference for an overwhelmingly well-received session where we talked about transforming the risk function from a program to a business.
“Shaking up the Status Quo - Innovations in Risk Management” gave us the opportunity to tell the story of how we reinvented risk management - business continuity. Long story short: We were looking for a better way.
As we grow and learn from our experiences, observations, and interactions with other people, we form frameworks that help us understand the world around us and give us cues as to how to respond or behave. These frameworks give us our own personal blueprint as to how and why things work.
For example, most people have automatically come to understand that when your phone rings, you answer it and say, “Hello?” When someone sneezes, it’s likely you’ll hear someone else say, “Bless you.” If you want to make an omelet, you need to break a few eggs. Et cetera.
The problem is, frameworks are built on individual experience. And sometimes we get it wrong. And when we get it wrong, we’re presented with challenges that are extremely difficult for us to understand and negotiate.
This is the first in a series of e-books that examines the typical ways we’ve found people think about risk management. A fresh perspective is important, as many of the frameworks we’ve built around the process—as well as the product—tend towards the negative. Our goal is to identify how and why we’ve developed these frameworks so we can do something about them.
For some organizations, a crisis is the only catalyst for change.
Sharing a few thoughts on recognizing the signs of an organization at risk for crises. I have not performed a thorough analysis; however, I have a few reoccurring observations. I have observed three (3) common corporate attributes that lead to big corporate crises, which can be used to justify investments into our risk management programs—beyond credit, liquidity, and market risk:
What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.
Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.
Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.