Why we all breathe a sigh of relief when things go wrong for others…
- Published: Wednesday, 04 December 2019 09:19
Jon Seaton reflects on his career in business continuity to date and offers seven crisis management lessons which business continuity managers can relate to their organization and role.
In February 2008 I was working in RBS, three years into my business continuity career and in the process of applying for my MBCI. My job covered business continuity, incident and crisis management. At that point my knowledge of crisis management had been involvement in the annual exercise, providing injects for two of the Divisions. Things were about to change!
I was based in the RBS Global HQ at Gogarburn. The campus had been open for under three years in which time they had had a BMW Williams F1 car ‘race’ around the site, visits from the Ryder Cup and Calcutta Cups for staff photo opportunities and visits from Andy Murray. Even the opening of the building was by the Queen and Duke of Edinburgh, I am going to be honest, it was a pretty good place to work and it felt like we were fast on our way to becoming the biggest and best bank in the world!
The only constant is change, and that was about to hit home at RBS… Although I was aware of what had happened at Northern Rock, I was not overly concerned, we were much bigger than them, and our profitability was not based solely on mortgages. We were constantly told how successful all our subsidiaries and joint ventures were, whether it was NatWest, Ulster Bank, Direct Line, Churchill, Tesco Personal Finance, Angel Train Leasing (bizarre I know!), Citizens Financial… the list of successful subsidiaries to the RBS Group seemed to go on forever, and there were constantly videos playing around Bank Premises reminding us how successful we were.
In early 2008 HBOS (Halifax Bank of Scotland) started to experience difficulties. I was called into a room as part of the Retail Silver Team. There was an element of nervousness in the room, but the overarching view was ‘poor HBOS’ and more than a few “it could never happen to us”. At that point we saw RBS as untouchable, in Scotland, the banks literally had a licence to print money.
And then it happened: there was to be rights issue, RBS were asking for more money from shareholders, something didn’t quite seem right, we were a top five bank in the world, the ‘feel good’ videos were still playing around Gogarburn but “It could never happen to us” became “could it happen to us?”
By October 2008, everything changed, it was announced that Her Majesty’s Government were bailing out RBS, Lloyds and HBOS. From this being something that could never happen to us, we were now in the midst of something that was very much happening to us. Whilst, as they say, the rest is history it is a history that I clearly remember, including watching the share price drop to 10p per share. I count myself lucky to have been involved in crisis management at that time as it gave me a much clearer view of what was happening, even if at times we felt helpless.
Whilst giving me my first live example of a crisis, it also gave me my first lesson in crisis management: Black Swan Events. A Black Swan is an event that comes as a surprise to the observer, it has severe and widespread consequences and in hindsight it seems highly predictable. You can run a huge number of scenarios but there is a high chance that at some point something will hit you from left field.
It is fair to say that it also gave me my second lesson: events that happen are rarely one offs. You may feel like you are the only person to ever experience the event but you are probably not. Events can happen in clusters or cycles, rarely on their own. The second lesson for me was to pay attention to other events; think about what would happen if something similar happened to you and how you would respond to it.
Since the financial services crisis I have tried to maintain a watching brief on the wider world, and there have been a number of events to keep me on my toes, thankfully few of them where I work:
The first of these is natural events. Since my time in crisis management we have seen, amongst other natural disasters, the eruption of the Eyjafjallajökull volcano (Iceland) in April 2010 and the tsunami that led to the Fukushima Disaster in March 2011.
Whilst it is easy to argue that these could never impact the UK, that is missing the point: natural disasters happen all the time, they ask for us to look at some critical areas; how do we ensure the safety our staff and where appropriate, account for them. When we have done that, how do we keep the critical activities running and, by association, ensure that when the clear-up is finished we have a company to continue working in.
In February / March 2018 the UK Met Office announced rare Red Weather Warnings in relation to the ‘Beast from the East’. The advice was not to travel as doing so could lead to danger to life. We focussed on our staff and keeping only the critical (regulated) activities running. We supported staff who were in the office and couldn’t get home and reassured staff who were at home. We also put in place controls to ensure that staff who were travelling home when the weather deteriorated could let us know they had got home safely. As part of the lessons learned sessions following the event we looked at how we could introduce a break-glass protocol to allow staff who normally cannot work from home to do just that under the right circumstances (and with the right governance).
Although we had learnt from the natural disasters that hadn’t impacted us, that is not to say that we could not learn from the new event. And this highlights my third key learning in crisis management, the lessons learnt (or Post Crisis Review / Debrief etc) from an event can be every bit as important as the event itself. It is where we learn to do better next time, to tweak things and change the way we react that we cannot always learn through an exercise. It also allows us to take a step back and review when the heat of battle has subsided. If you are a regulated entity your regulator may well be keen to see this and know that you will learn from the event.
Motivational quotes about change are almost as constant as change itself! But change brings inherent risk, and none more so than IT change, whether it be changes to Payments systems that had a major impact on RBS in June 2012 or the issue with an IT migration that TSB experienced in April 2018. Organizations are constantly looking to improve how they do business, and give themselves the edge. One of the best ways of doing this is by improving or making change to their systems infrastructure. This leads to huge lists of projects that need to be delivered. In reality, what this means is that every organization will be trying to deliver as much change as budget and time allows as quickly, and smoothly as possible. Throw in an increase in regulatory driven change activity which is usually timebound and you have the potential for things to go wrong.
A good change process is well detailed and well defined, there are activities that need to take place; design, planning, testing (pre-production and production) and implementation. How can the business continuity team assist with this? The simple answer is to get involved in the process, ask the questions: What happens if something goes wrong? What are your back out plans? Are you looking to back out or fix forward? These may well be defined but sometimes it is worth asking the question just to confirm this.
This leads me to my fourth lesson, don’t be afraid to ask the difficult questions, asking change teams what their back out plans may be seen as negative, but these are things that need to be thought about. Even better, ask to sit at one of the change boards / committees and keep asking the same question: what is your continuity, what do you do if something goes wrong, will there be reduced resilience at all during the change? A formalised continuity plan could save you a huge amount of issues moving forward.
From September 2017 through to March 2018 Ryanair were forced to cancel flights affecting 700,000 passengers due to an issue with rotas leading to staff shortages. Although most of us are not in the airline industry most of us will experience staff shortages at some point, whether it be a norovirus outbreak, turnover or attrition, travel disruption, weather issues and so on. How do we plan for this, can we cross train staff, can we get in temporary staff, can we offer overtime, can we offer other methods of working, perhaps from alternate locations? As with other events discussed, this is an issue that from the outside looks completely detached from what we do on a day to day basis. As you scratch beneath the surface you see that the scenario is different, but the impacts are the same, and it does offer the opportunity to think about our own organization and how we would deal with similar issues.
Scenario planning is a vital element of business continuity planning and, in my opinion, finding a hook to get teams bought into a scenario can be as difficult as running the exercise itself. Rather than simply going through the motions of denial of access, IT failure, lack of people we can use real life events to bring these to life. You may not think current events are relevant to you but there is a good chance these are things that the Exec will discuss and have them asking the question, “could this happen to us”?
This highlights another of my lessons, scenario planning needs to be believable, but it also needs to be realistic; using live events as the hook will ensure that your Executive start off on the front foot believing that this could happen to them.
In any live event communication is key, it can either pull a company out of a crisis or push it further in. In my opinion, two of the best examples of this come in the shape of the TSB IT Migration issue in April 2018 and the O2 Data disruption in December 2018. The issues around the TSB migration have been talked about a great deal and one of the biggest failings was around the way the Chief Executive spoke to the Treasury Select Committee (TSC), laughing and joking that it was good that so many of the TSC had accounts with TSB.
O2 on the other hand had a major network issue the following December meaning that users were unable to use 4G for an entire day. Their communication was fast in terms of owning up to the issue and their remediation was extremely positive. They advised that they were automatically crediting all their users accounts with additional data to make up for the loss as well as crediting accounts with the monetary value. There were no needs for customers to make claims or even contact their providers.
This provides my sixth lesson, make sure you get the communications right, both external to the waiting media as well as internally, staff can be your allies make sure you keep them aware of what is happening.
The final area I will look at is data breaches. This area consistently comes out as the top threat to businesses (BCI Horizon Scan Report 2019). There are a number of reasons for this; the nature of the crime makes it difficult to stop the criminals, as they find new ways to infiltrate organizational defences. Organizations are constantly playing catch up and the fact that big organizations are admitting to breaches makes everyone more nervous.
The problem with data breaches is that the first anyone hears about them are when organizations go out to customers to say there has been an issue, and it can often take months to understand the details, because invariably the breach was as likely to have happened long before it was discovered as cyber criminals will harvest data only using the data at a later date.
This is an area where proactive threat intelligence requires to be spot on. There are a large number of forums where organizations can share threat intelligence within the industry, such as the National Cyber Security Centre in the UK. These may not be ahead of the game, but they will give you early indications of what is happening in the world outside your organization.
So, my final lesson is don’t be afraid to share information that may help protect others, as other organization may one day share information that may protect you.
If you learn from others, whilst it may not protect you completely from suffering the same issues, it should help you respond. When things go wrong we naturally breathe a sigh of relief that it could have been us. As we inhale the next breath, we should take a moment of contemplation and ask ourselves: could it have happened to us, what lessons can we learn to protect ourselves from these issues in the future and are there any controls can we put in place to ensure that if these things do happen the risk is mitigated and our customers are protected from the outcome?
No organization is perfect and there are always ways to improve how we manage events, so I will leave you with my seven lessons in crisis management as a suggestion for what to do once you have let out the sigh of relief when things go wrong for others:
Lessons in crisis management
- Black Swan events: sometime despite your best planning, events can happen, and it is only in hindsight that it will ‘seem’ obvious;
- Events are rarely one-offs – if it can happen to someone else it can happen to you, learn from others;
- One of the most important activities in crisis management is the post event lessons learnt review – what did we learn from the event, what can we change and what should we try and do better next time?
- Make sure change programmes consider the difficult questions – change is a regular source of events, what happens if things go wrong, what are your continuity plans, how much resilience is built in?
- Exercising is important so make scenarios believable: if something similar is happening in the real world it could also happen to us, tweak live events that the media are talking about to get Executive buy in;
- Make sure you get the communications right, both external to the waiting media as well as internally, staff can be your allies make sure you keep them aware of what is happening.
- Don’t be afraid to share information that may help protect others, as other organization may one day share information that could protect you.
Jon Seaton FBCI, is Chair, Scottish Chapter of the BCI. Contact him at firstname.lastname@example.org