The nature of crises: exploring some persistent myths

By Patrick Roberts

It is perhaps not surprising, given the lack of hard data; that most discussions about business continuity end up involving reference to various myths about the nature of crises. This article focuses on three of the most widespread and persistent of these. At one level these myths can be seen simply as convenient excuses to avoid spending time and money on business continuity but, as shall be explained, they actually demonstrate some important psychological phenomena with broader significance for resilience.

Myth: crises are too infrequent to justify spending on mitigation

Genuine crises are, by definition, rare events and many of us will complete our entire working lives without becoming personally involved in one. The more relevant question therefore is: how often do organizations suffer significant losses that could have been mitigated by a (better) business continuity programme? According to a 2002 report by Ernst and Young, approximately 40 percent of companies suffered a significant loss of shareholder value (30 percent or more in a month) within the 5-year period of the survey which equates to 8 percent annually. About 10 percent of these sudden losses of shareholder value were caused by operational issues so one could estimate that there is about a 0.5-1 percent annual chance of a significant loss that could reasonably be mitigated by business continuity.

Unfortunately such low probabilities have very little intuitive meaning. An experiment at the University of Colorado investigating what people were prepared to pay for insurance against various risks (when given specific probabilities of occurrence) showed that, for probabilities of occurrence down to about 5 or 10 percent, people’s willingness to pay was closely related to the fair value of the policy. Below that though, two distinctly different patterns of behaviour were observed as shown below in the graph of responses for a 1 percent probability of occurrence (where a Bid/EV value of 1 represents the fair price of the insurance policy).

As can be seen from the graph, whilst about 50 percent of people were willing to pay more than the fair price for the insurance policy (some of them many time the fair price); 25 percent of respondents weren’t prepared to pay anything at all. It is reasonable to suggest that the same difficulties in dealing with these low probabilities affects cost-benefit decisions about business continuity; whilst we are usually more concerned with organizations that are not investing anything in improving their resilience there may also be some who are spending too much (or, indeed, spending on the wrong things).

Myth: we’ll be alright – we manage crises all the time

Clearly this statement demonstrates a profound misunderstanding of what a crisis is and what people really mean is that they regularly manage routine disruptions. Setting the issue of definitions to one side though, it is interesting to observe that rather than taking a series of minor incidents as evidence of systemic problems that need to be addressed; people tend to view the frequency of these events as evidence of how robust their organization is. Polite enquiries regarding the structured process for learning from these incidents are not usually well received.

This serves as a convenient excuse for not taking business continuity seriously but there is actually an important psychological effect underlying this: for some reason, experience and knowledge of near misses makes us more confident that we will not experience a real disaster. This was first observed in studies of staff at NASA where it was found that people who were aware of the numerous near misses on the Shuttle programme were less concerned about a catastrophic failure than those who were unaware of previous problems. It seems that regular exposure to minor incidents de-sensitises us to the risk of a major disaster in much the same way as a mild illness, in the form of a vaccination, inoculates us against a deadly disease. A variation on this theme was in evidence in the aftermath of 7/7 when many businesses took the lack of disruption to their operations as evidence that their business continuity plans were sound.

Myth: managing a real incident is easier than an exercise

This myth is generally invoked during crisis management exercises when delegates are struggling and seek to shift the blame for their shortcomings onto the facilitator. Obviously an exercise imposes a degree of artificiality but, time and again, people seem to genuinely believe that the facilitator is making things artificially difficult. In particular they feel that more (or more accurate) information would be available in a real incident.

Undoubtedly there will be a great deal of information flowing in a crisis but, unlike an exercise, it will arrive at random times, via numerous different media and much of it will be lost, delayed or corrupted on route. The vast majority of this information will be completely irrelevant and simply create more ‘noise’; much of it will be inaccurate or ambiguous and different sources will often contradict each other. These facts should be widely known and understood, particularly by people who have personal experience of managing a real crisis, so why does the myth persist?

This is actually a manifestation of what is called the ‘Hindsight Bias’: once we are in possession of facts it is extremely hard to accurately recall how things appeared before we knew those facts. In particular, we forget how much uncertainty there was about how a scenario would develop once the eventual outcome is known. Thus, even people who have dealt with real crises, tend to forget how much uncertainty they had to deal with in the early stages of an incident, and come to believe that they knew all along that things would turn out the way they did.

Conclusions

Examination of these three widespread and persistent myths about the nature of crises reveals that they are much more than lazy and simplistic excuses to avoid taking business continuity seriously. Specifically it highlights three ways of improving organizational resilience:

* Business leaders need to be encouraged to think longer-term when managing risk – using a five-year time horizon would yield probabilities with much more intuitive meaning;

* There should be a rigorous process for dealing with near misses to counteract ‘risk-inoculation’ and ensure that the underlying causes are adequately addressed; and

* As well as addressing practical issues for plan improvement, post-incident reviews should also examine the difficulties encountered in making decisions in the absence of complete information.

Author: Patrick Roberts is a director of Cambridge Risk Solutions Ltd www.cambridge-risk.com

•Date: 17th July 2009• Region:UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here