The missing risks - how business resiliency plans need to change
As I was putting together part 2 of the Moonshot Consultancy Business Resiliency Framework session, something startling began to dawn on me.
I was looking at a fairly standard risk framework that I was using that defines all of the risks that companies need to consider, especially operational risk which is historically where the bulk of business resiliency plans are focused outside of pure financial risk.
As I reflected on what I had learnt about resiliency during the many business crises that I experienced in over 30 years in the Financial Services sector, it struck me how rarely some of the plans we had painstakingly put together to be prepared for an event were ever used in earnest. Now that's not to say you shouldn't have plans (the mere fact of doing the thinking to put them together is incredibly useful), but often the reality of the situation means there are many factors that you did not consider. The real crisis rarely looks like the rehearsed one, just look at Covid-19. No-one's pandemic recovery plans looked like that!
There was one situation from my past that really brought this home. In October 2012, Hurricane Sandy, at the time, the largest Atlantic hurricane on record, swept through the Caribbean and up along the whole of the eastern seaboard of the United States. At the time, I was responsible for a large swathe of technology that sat in data centres in the path of the hurricane and also, for hundreds of people who made sure that that technology was continuously available. As I sat on countless crisis meetings through several days and nights, it became clear that there was no playbook for this - not when power and phone lines were down and communication to the teams on the ground was sporadic at best.
What became apparent was that we had to empower teams on the ground to make good, local decisions. Within an overall framework of recovery activity, people were having to learn on the fly about what worked and what didn't, what was possible and what was clearly not. And overall, it worked. Maybe we were lucky (one data centre avoided flooding by a matter of inches), but the adaptability and resourcefulness of the teams involved in managing the recovery efforts demonstrated that their knowledge (of their part of the business or their part of the supporting technology) and their connections to and relationships with each other, were the keys to getting us through it without any additional business impacts.
And that was the lightbulb moment for me. What enabled us to manage a complex and stressful recovery was:
the business and technical knowledge of local teams
their ability to learn on the fly, as a team, allied to their knowledge of each other
the fact that they were empowered to take action
Therefore, for organisations to build a better, sustained resiliency they need be aware of 2 major risks that they may not have considered before: knowledge risk (i.e. the knowledge of a team and individuals to get the job done) and learning risk (the ability of teams to learn and adapt when a new situation arises).
Let's take the second one first. How do you mitigate learning risk? Firstly, let's explore who in an organisation is best placed to manage this risk within the organisation. It is not your operational risk department. This should be an additional responsibility of your Chief Learning Officer (or head of training or head of learning and development). Often this role is focused on learning provision (i.e. what training does the business need and how do I source it). Here, the focus needs to be on how to help teams continuously learn and invest in their learning.
One way is to help teams practice learning, as a team. If you look at the work of Peter Senge*, he would recommend that teams have regular dialogue session to explore ideas, explore problems and really learn about each other and the skills that they have through the power of dialogue. Particularly, by exploring scenarios in a crisis situation and trying to think about what options each of the team members would consider. I ran a dedicated incident management function for three years and we would use this technique every week to grow the team's knowledge and learning potential.
So what about knowledge risk? Having spent 10 years running enterprise IT, I was convinced that 90% of the time that a technician resolves a technical issue, that knowledge on how to fix the problem is lost to the organisation. This is tricky stuff. Curating knowledge takes time and effort and needs buy-in across the organisation for people to prioritise ensuring it is captured and more importantly, shared with others. One idea would be to look at how people are rewarded for spending time on sharing their knowledge with others.
There are a number of other approaches that can help mitigate these risks, but the first step is to recognise they exist. You can then factor them into your business resiliency plans and start identifying ways to approach them. If dealt with in the right way, there are a host of additional business benefits (for resiliency and beyond) that you can gain. In particular, the power of regular dialogic discussions within your team is a powerful recipe for success.
If you would like to hear more and discuss how to implement better business resiliency practices for your business, please get in touch by emailing firstname.lastname@example.org.