Targeted flexibility and the art of being prepared

Published: Friday, 07 February 2020 09:26

Geary Sikich looks at why traditional risk assessment and business continuity planning methodologies are not always as effective as organizations expect them to be; and makes the case for taking a ‘targeted flexibility’ approach.


I just finished reading two very different books; one a novel, the other a fact-based investigative report. The first book, entitled ‘Second Sleep’ by Robert Harris (ISBN 9780525656692) is fiction. The second book, entitled ‘Lights Out’ by Ted Koppel (ISBN 9780553419962) is a critical look at how unprepared we are for a cyber attack on our electric grid. Two very different books, yet they overlap in many ways.

The setting in Harris’ book is post-apocalyptic. Koppel’s book focuses on our lack of preparation and our vulnerabilities in the interconnected world that we live in. In Harris’ book the main character comes upon books, letters and objects that are now considered heretical. He reads a letter, dated 22 March 2022, that outlines six scenarios; excerpted below:

“We have broadly identified six possible catastrophic scenarios that fundamentally threaten the existence of our advanced science-based way of life:

  1. Climate change
  2. A nuclear exchange
  3. A super-volcano eruption, leading to rapidly accelerated climate change
  4. An asteroid strike, also causing accelerated climate change
  5. A general failure of computer technology due either to cyber warfare, an uncontrollable virus, or solar activity
  6. A pandemic resistant to antibiotics.

Our purpose is not to propose counter-measures to avert any of these potential catastrophes – a task that, in the cases of 3 and 4, is in any case impossible – but to devise strategies for the days, weeks, months, and years following such a disaster, with the aim of the earliest possible restoration of technical civilization.”

In Koppel’s book (page 19) a quote from Jon Wellinghoff (who was chairman of the Federal Energy Regulatory Commission (FERC)) cites an analysis by FERC concluding:

“that if nine of the country’s most critical substations were knocked out at the same time, it could cause a blackout encompassing most of the United States.”

Are the six scenarios somewhat familiar from a risk management / business continuity planning perspective? They should be. If I recall, I have touched on many of these in other articles and in consulting engagements. But, hey, Harris’ book is a novel, right?

As regards Koppel’s book, there are many naysayers who have argued that bringing the national grid down is impossible because of its resilience. Yet, we have experienced blackouts, brownouts and disruption due to natural disasters and human error. We are now seeing utilities incorporate mandatory termination of electric supply, a lesson learned from the devastation of California’s recent wildfires.

Unseen consequences are harmless until they are not

Due to the non-static nature of risk, exposures constantly change. Mitigation has the effect of altering the risk so that a new exposure is created. Mitigation buffers risk temporarily. One thing that is not taken into account when doing a risk assessment is the action of others who have the same risk exposure and are taking mitigation actions to buffer the risk exposure that they have. It is imperative to develop a mindset of constant risk monitoring and buffering activities.

Unpredictability is the new norm today. The breadth of unseen consequences poses a risk to government and business alike. Because we are asking the wrong questions precisely, we are getting the wrong answers precisely; and as a result, we are creating false positives. Unless we change this paradigm, we will continue to get false positives and find ourselves reacting to the unseen consequences of events instead of being proactive.

Effective risk management can only be achieved when one understands the breadth of an enterprise's sphere of operations. Internal programs must integrate with external exposures. The enterprise cannot effectively implement a risk management program if it does not include its ‘value chain’ in the process. The problem faced by today's enterprise is: how to effectively design and implement a broad-based risk management program.

Creating a risk mosaic requires constant updating

Consequence identification and control is the identification and quantification of potentially disruptive events that could escalate into a crisis. This must be accomplished so that controls and safeguards can be developed to prevent or minimize the impact of any type of disruption. When the right precautionary approach is to consider the unseen as potentially harmful, how do we operate?

The reality of risk today is that the volatility, uncertainty, complexity and ambiguity parameters are broader, with more prevalent swings. Have you adjusted your competitive strategy thinking and models?

Is business continuity planning dying, dead or just discounted?

What do we really know about business continuity? In the view of senior management, every day that the organization stays in business equals continuity. Does anyone, then, really care about business continuity planning? If business continuity planners take a constantly tactical approach to business continuity planning, will senior management ever respect the value of the product that is produced? Do business continuity planners actually add value, or are they distracted in their planning perspectives?

How many business continuity plans have a Trade War appendix? How many business continuity planners seek to understand sovereign debt, supply chain points of failure, logistics of recovery and the organization’s strategic initiatives? And that is just to name a few of the issues that need to be analyzed and studied, and for which valid contingency action plans need to be in place.

Scare tactics or when disaster strikes, is it game over?

An often-cited quote used by many:

“After a major disaster, more than 40% of businesses are dead in the water, according to the Federal Emergency Management Agency. They never reopen their doors. And among those that do stay open, their survival is only temporary: roughly 70% of them close within two years.

This is why every business needs to take disaster planning seriously. Without a plan in place for preventing a disaster, or responding to it, your organization will become just another statistic.”

Really? Does the above ring true? Actually, most business startups don’t last a year – read that as a high rate of failure associated with opening a business; not because of a disaster, but because of competition, poor execution of the business plan, underfunding, etc. By the way, a colleague of mine decided to check the statistics cited above, and it seems that the percentage is a bit of a myth that has been fostered throughout the years. We first heard this percentage in the late 1980s, almost 40 years ago.

In the long run, just think of all the companies that have survived and thrived after disasters – Exxon – The Valdez, BP – Deepwater Horizon, Union Carbide – Bhopal, Facebook, Microsoft, Apple, Firestone, Ford, General Motors, AIG, Bank of America and a host of other companies have paid huge fines, experienced disasters, etc. and they are still around today and doing well. So, while we are angry, concerned and afraid about the latest data breach, when it comes down to it, we quickly forget and move on.

Wandering in a hall of mirrors

Every day that a business stays in business is success for senior management. It means that continuity of operations has been achieved, for that day. It is the barometer for future business decisions. Ask yourself, “How many business executives adhere to the business continuity plan?” Do a survey and find out. Find out if they actually know what is in the plan. Find out what they think of the planning process and the terms that we embed in our documents – RTO (recovery time objective), RPO (recovery point objective), MTO (maximum tolerable outage), Hot Site, ICS (incident command system), NIMS (National Incident Management System), risk appetite, BIA (business impact assessment/analysis), the list goes on and on.

What does the decision maker care about? They care about meeting the goals and objectives set out in the strategic plan; beating the competition, staying competitive, reducing costs and growing shareholder value. How this gets accomplished is middle management’s focus and there is a lot of pressure to make it happen every day.

As business continuity planners, are you assisting or obstructing the accomplishment of the above cited areas of care that senior management and middle management are focused on? Sure, you can tell them how many workstations, computers, printers, copiers, applications, etc. the BIA report contains. But, so what? Much of that information is readily available from the purchasing department and facilities management. So, where is the value proposition for business continuity planning? Are we practicing a dying, dead or discounted arcane, legacy function, because that’s the way it’s always been done?

Senior management will take whatever risks they deem necessary in order to secure the goals and objectives for the organization (including their performance bonus, salary package, etc.). Where does business continuity planning fit in the mix of things that are on the plate of senior management? Surveys give lip service to the importance of resilience for the organization; the same goes for corporate social responsibility (CSR), climate change, etc. However, does change really occur due to concern? Or is it the result of being able to cut costs and make more profit?

The ‘asymmetric bet’

Risk is asymmetric; that is, it is not identical to every individual assessing the risk that has been identified. Some see the risk as an operational issue, others may see it as a financial issue, still others may see it in terms of insurance coverage, etc. We need to understand where the crossover points are when implementing risk mitigation measures. Risk crossover is the point at which the cost to mitigate (protect against risk realization) becomes greater than the value of the asset exposed to risk realization.

In his 1921 classic, Risk, Uncertainty, and Profit, Frank Knight states the following:

"There are other ambiguities in the term ‘risk’ as well, which will be pointed out; but this is the most important. It will appear that a measurable uncertainty, or ‘risk’ proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We shall accordingly restrict the term ‘uncertainty’ to cases of the non-quantitative type. It is this ‘true’ uncertainty, and not risk, as has been argued, which forms the basis of a valid theory of profit and accounts for the divergence between actual and theoretical competition."

The following graphic depicts collateral risk as a reflection of ‘true’ uncertainty.

In order for any organization to succeed in today’s fast paced, globally interlinked business environment, the ability to identify and assess risk, and to identify collateral risk, needs to be addressed. When you take management (leadership & decision-making), planning, operations, logistics, communications, finance, administration, infrastructure (internal & external), reputation, external relations and other dependency issues into account, there is potential for significant impact on six areas that I consider critical for organizations:

  1. Strategy (Goals and objectives)
  2. Concept of operations (How goals and objectives are achieved)
  3. Organizational structure (How does the organization actually work)
  4. Resource management (Human, financial, physical, data)
  5. Core competencies (Essential skills)
  6. Pragmatic leadership (At all levels with a common understanding of terminology).

We live in a world full of consequences. Our decisions need to be made with the most information available with the recognition that all decisions carry with them flaws due to our inability to know everything. Our focus should be on how our flawed decisions establish a context for flawed risk threat hazard vulnerability (RTHV) assessments, leading to flawed plans, resulting in flawed abilities to execute effectively. If we change our thought processes from chasing symptoms and ignoring consequences to recognizing the limitations of decision making under uncertainty, we may find that the decisions we are making have more upside than downside.

It’s all about targeted flexibility, the art of being prepared, rather than preparing for specific events. Being able to respond, rather than being able to forecast, facilitates early warning and proactive response to shifts in your market segment.

The author

Geary Sikich: entrepreneur, consultant, author and business lecturer

Geary Sikich is a seasoned risk management professional who advises private and public sector executives on developing risk buffering strategies. With an M.Ed. in Counseling and Guidance, his focus is human capital: what people think, who they are, what they need and how they communicate. With over 30 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, he brings unprecedented value to clients worldwide. He is well-versed in contingency planning, risk management, human resource development and ‘war gaming,’ as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. He has developed more than 4,000 plans and conducted over 4,500 simulations from tabletops to full scale integrated exercises. He began his career as an officer in the US Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.
