In crisis, efforts toward the planning, training, and coordination of resources enable an organization to surge toward the protection of its assets and operations during disruption. However, what cannot be surged is stakeholder trust and confidence. Prior to crisis, a requisite level of capabilities must be developed and maintained to provide stakeholder confidence that assets and operations will be sustained to the highest degrees of availability. Otherwise, decision-makers could find themselves in analysis paralysis. Analysis paralysis occurs where response efforts are overwhelmed by the volume of information to be considered, the speed at which the crisis is evolving, and the stressor's impact on assets within the operational environment. Ongoing efforts to identify, prepare, mitigate, and monitor for changes in the organization's risk profile are crucial to preventing paralysis and ensuring decision-maker effectiveness. Shortfalls in preparation and/or ongoing monitoring can also hobble decision-maker effectiveness through the universal equalizer: time.
To ensure an effective outcome can be consistently achieved, two core questions must be answered: "Are crisis management and response capabilities resourced, trained, exercised, and continuously available for use?" and "Are mechanisms in place to effectively monitor and communicate changes within the organizational process risk profile?" The level of effort and leadership focus the organization commits to managing and communicating changes within the risk profile will largely define response effectiveness and set the conditions for all that is to follow.
Crisis is a cascading series of events for which there is no preplanned mitigation. An organization can best prepare for crisis by developing and refining its processes used to communicate and implement ad hoc mitigation strategies. There are two components to crisis management: organizational and operational. Organizationally, resources and support from executive leadership are required to develop the policies, plans, and procedures needed to establish a crisis management capability. Operationally, these capabilities need ongoing training, exercises, after action reviews and improvement plans to achieve and maintain response effectiveness. These skills are refined by focusing on a feedback loop to identify best practices, overcome lessons learned and reinforce the trust and confidence of stakeholders.
The manner and means in which the feedback loop is applied (throughout the planning, implementation, and post-plan continuum) demands timely and precise adjustments. These adjustments require that relative risk be assessed and monitored for changes in the risk profile, which aids crisis avoidance. However, some choose to limit their actions by mitigating obvious risk, accepting best practices from other organizations, and assuming that, since no incidents have occurred, relative risk is adequately mitigated. This methodology (defined by iJET as Spurious Risk Management) creates the dangerous illusion that risk has been sufficiently addressed while unknowingly creating an opportunity for significant peril.
Operational environments are evolving into increasingly complex networks of interdependent assets performing at an escalated pace. Thus, the organization's ability to respond to crisis is paramount to the protection of assets, while preparation, monitoring, response, and recovery planning are reconciled as the organization changes direction or expands. Moving crisis management from a capability to demonstrated effectiveness allows the organization to maintain the balance between proactive and reactive response efforts. This provides the operational agility necessary to pursue opportunities based on stakeholder demands and the evolutionary pace of the organization's industry. Effective crisis management enables the organization to respond to disruptions that cannot be predicted and to industry events affecting assets in an environment where formal risk mitigation capability has yet to be developed. Once achieved, this capability's level of effectiveness is measured by the feedback derived from drills, exercises, and after action reviews (AARs) of actual events. This process provides the knowledge and experience needed for effective crisis management. The output from these initiatives builds stakeholder trust by collectively demonstrating the attainment of crisis management and response competencies. These competencies translate into confidence when a crisis occurs. As crisis is a dynamic condition where preplanned mitigation or response capabilities are exceeded, it is paramount that those involved in crisis response fully understand the organizational span of control, areas of influence, and the environmental canvas (Figure 1).
These dynamics ultimately dictate the levels of success and failure:
Span of Control: The location and resources the organization has the authority to directly control to reduce or inhibit the stressor's impact on an organizational asset or operation.
Area of Influence: The location and resources where the organization can directly influence actions, or an ability to act, to reduce or inhibit the stressor's impact on the organization's asset or operation.
Environmental Canvas: Conditions in relation to time, place, and purpose where an organization and its assets operate, or desire to operate. (This dictates the proactive mitigations for foreseeable stressors as well as the reactive resources required to return to normalcy when preplanned mitigations are exceeded.)
These dynamics also directly affect efforts to achieve stakeholder demands. This requires the organization to have the capability to monitor for changes in the risk profile. To leverage this capability, the organization must first set clear parameters so the monitoring asset initiating the notification of change understands the mitigation threshold has been, or is about to be, exceeded.
Historically, shifts in an organization's risk profile are attributed to changes in a potential disruptor's presence or intensity. While there may be an effective plan to address these changes, monitoring is a critical component. Without this capability, changes in the risk profile could unknowingly surge beyond the capabilities of proactive mitigation strategies. This can lead to cascading effects that impact life safety and organizational assets, and degrade the performance of essential functions. Effective monitoring provides the awareness needed to proactively address deviations in stressor characteristics at the lowest possible level of intensity. This provides time to mitigate residual vulnerabilities that were accepted and thus preclude the opportunity for crisis. In conditions where the stressor presents with a sudden onset, effective monitoring improves the ability to inhibit or limit the degree of impact the stressor exerts upon the asset or operation.
However, some organizations profess that a consistent level of monitoring for crisis has been achieved without providing the requisite evidence to demonstrate its effectiveness. In the RIMS Executive Report, Exploring Risk Appetite and Risk Tolerance, the authors note that the financial crisis of 2008-09 contains examples of those who knowingly or unwittingly accepted significant risk, which led to severe consequences. In the post mortem, many organizations were found to have used spurious risk management practices in developing their risk appetite statements. While those risk managers appeared to know the tactics for managing risk, their lack of understanding of its precepts created inaccuracies in risk acceptance at the individual, departmental, and enterprise levels. Spurious risk management, at its core, accepts unanalyzed risk factors or incomplete risk forecasts in shaping and sustaining the organization and its operations.
As with all major crises, the 2008-09 financial crisis renewed public and private sector interest in monitoring risk management activities. Performing these actions is well-founded and advised to leverage the organization's capacity to deliver products and services. Unfortunately, many still fail to acknowledge the fact that risk is never static and its management is an evolving organizational process, not a one-time event. When assessing an organization for indications of spurious risk management, the primary characteristics are: addressing only low-hanging fruit, adopting a once-and-done mindset, and the inability to adequately characterize the environmental canvas (e.g. the arrangement of assets and resources in time, place, and purpose).
There is another aspect that often does not receive the attention warranted: evaluating an organization's remaining capacity to handle unforecasted risk and/or stressors is a key factor in measuring organizational resilience given current efforts and operating tempo. More specifically, without the means to monitor risk capacity, the likelihood of an event whose magnitude and severity will lead to crisis is significant. Monitoring this condition ensures the organization maintains the mitigations necessary to hold or improve its risk position within the goals it desires to pursue. Further, this activity raises the likelihood that the organization can sustain its essential functions and mount an effective response should the need arise to return a disrupted asset or operation to a state of normalcy.
An effective response limits the impact imposed by the initial disruptor. The primary objective is to separate the impacted asset or operation from the stressor. To achieve this, effective communications are essential. Initial communications advise how the asset or operation is being affected by the disruptor, who is being impacted, and to what extent. Accurate follow-up communications are key to avoid the unnecessary expenditure of resources, control the flow of information, and reduce fears and tension by answering unknowns in a timely manner. To prioritize resources and sequence the response, continuously assess the situation using the following model (Figure 2).
Figure 2: Continuous Assessment
When assets or operations are impacted to a degree that exceeds existing protective measures, crisis response must analyze the risk profile, develop a plan to separate the asset or operation from the stressor, and allocate the requisite resources to ensure successful mitigation. As crisis is defined as a series of such activities, response must periodically review the progress of mitigation efforts, determine the level of effectiveness, and then reassess any assets whose risk profile remains at an unacceptable level. Once all assets have been separated from the stressor, the response is concluded.
Crisis, by its nature, brings ad hoc response. Creating a proactive environment, developing interoperability, maintaining resources, and constantly monitoring the risk profile collectively reduce response times and limit cascading effects. Speed must be balanced with deliberate decision-making. Unwarranted acceleration can lead to unnecessary risk, reduce stakeholder confidence, and require additional resources. Developing a crisis management and response capability, establishing it as a budgeted line-item, and routinely evaluating its effectiveness will go far in securing stakeholder trust and solidifying confidence that the organization can respond to crisis effectively.