Guest Post by Geary Sikich (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Is Your Organization’s Planning Brittle?
Good intentions do not make for the creation of a robust/resilient organization. Business Continuity plans, Disaster Recovery plans, Emergency Response plans, etc., that are standalone documents generally reflect good intentions – whether to meet regulatory requirements or to address governance. I would have to say that this should be a wake-up call for executives in all industries. We live in a complex and interdependent world. Complex systems are full of interdependencies that are hard to detect. The result is nonlinearity in responses to events, especially random events/shocks.
The odds of rare events are simply not computable. Model error swells when it comes to small probabilities. The rarer the event; the less tractable, and the less we know about how frequent its occurrence.
Posit these five questions
I pose five questions that you can use to assess if your organization’s planning is resulting in brittleness:
- Do the organization’s plans stand in silos of excellence?
- Are activation and implementation of plans independent and uncoordinated?
- Does the organization face critical junctures of survival every time an event or certain shocks affect it?
- Does analysis of “worst case” scenarios underlay the basis for planning?
- Do the plans reflect the strategy, goals and objectives of the organization?
We cannot calculate the risks and probabilities of events, shocks and especially rare events, no matter how sophisticated we get with our models. Brittle and inflexible plans reflect an organization’s failure to “think beyond what is readily seen.” Planning that is brittle generally defaults to thinking that what is not seen is not there and what is not understood does not exist. The organization and its planners often mistake “noise” for information, especially in the era of “big data” and information overload. “Noise” reflects random information that, until it can be assembled with other information to create something meaningful, is essentially meaningless.
Accountability is a critical element in assuring that plans are effectively developed, managed and executed when an event occurs. Recommendations, findings, suggestions for improvement, etc. get implemented. This requires that we develop a “FutureForward” thinking process. In a complex system interdependencies abound; the notion of cause becomes suspect as it is nearly impossible to detect or it is not really defined. Isolation of causal relationships (direct/linear) is not feasible due to opacity and nonlinearity.
For example, my first question, “Do the organization’s plans stand in siloes of excellence?” begets the aspects of accountability, threat identification, business impact analysis and much more. Isolated plans that are not linked to a single accountable entity will result in fragmented response, confusion and missed opportunities.
In looking at the second question, “Are activation and implementation of plans independent and uncoordinated?” the effect of nonlinearity comes into play as the unintended consequences resulting from fragmented implementation can further exacerbate the impact of an event. Here again we see that the effect of poor communication and lack of understanding “intent” come into play as complexity is underestimated and interdependencies that have gone unseen reveal themselves.
Brittle plans and the organizations that built them do not survive catastrophic events, well, not for very long. The list is long as far as organizations that failed. Take a look at the third question, “Does the organization face critical junctures of survival every time an event or certain shocks affect it?” While seemingly straightforward, this question is not very easy to answer. This is in part due to transparent vulnerabilities, unseen and unforeseen risks. The enterprise may not have the capacity to withstand the extra stresses of an event. You may begin to realize your planning is brittle if your organization has employed linear cause and effect models; if mistakes are rare but largely irreversible; if volatility disrupts stability, creating shockwaves of negative reaction (to include terminating the planners).
There are unlimited ways to buffer and alter the risk exposure that an organization has, but all involve decision making and an understanding of the consequences of the decision to act on a risk issue. Key decision makers must maintain risk within acceptable limits. However, all decision making is flawed. This is the result of bias, universally poor information acquisition, processing, management and application. We are trapped in a complexity that we have created by virtue of the explosion of connectivity, speed, sources not properly vetted, information overload, lack of information and “flow.” “Flow” relates to perception, intangibles and bias. Combined with the above factors and many more, we make flawed decisions. Flawed decisions are not necessarily “bad,” nor are they “good.” Flawed decisions flow in all directions, creating a need for embedding a culture of risk and business continuity management, to create a responsive and resilient framework that prevents collateral damage and buffers us against unilateral damage. We fail to incorporate lessons learned because of failure bias and the speed at which events change the operating horizon.
My fourth question touches on a sensitive area for most planners; “Does analysis of “worst case” scenarios underlay the basis for planning?” Business impact analysis, SWOT analysis, risk matrices, risk heat maps, etc. all fall into the trap of historical analysis. The occurrence of extreme events cannot be predicted from a review of past history. Worst case events when they happen, exceed the worst case that is known at the time and which may have been the basis of planning. The Japanese are very familiar with earthquakes, tsunamis and industrial accidents, etc. They are good planners, yet, no one could have anticipated the sequence of events that led to Fukushima. The worst past event had to be a surprise, as it had no precedent. Selection bias comes into play when we develop worst case scenario based plans. We just do not see the unseen and therefore it must not exist.
My fifth question, “Do the plans reflect the strategy, goals and objectives of the organization?” is one that I find most intriguing. Most planners, whether they be business continuity, disaster recovery, emergency planning, etc. most often fail to consider the goals and objectives of the organization. The result: brittle plans fall apart during implementation and fail to adequately address the post-event environment (reentry, recovery, restoration, altered business operations). Errors and consequences are almost always fatal for the planners, plans and in many instances, the organization.
Will your organization be faced with “post-traumatic stress” or will it experience “post-traumatic growth”? Plans that are brittle fail because they lack the ability to overcompensate for anticipated stresses and cannot see the unanticipated stresses that will emerge creating cascading side effects.
Errors and their consequences are information that needs to be made actionable to the organization. The problems with assimilating information after experiencing an event, either directly or indirectly, are threefold. The first is accountability. I mentioned “accountability” earlier in this piece. I will repeat it again, accountability is a critical element in assuring that plans are effectively developed, managed and executed when an event occurs. Secondly, we tend to mislabel. What we cite as “Lessons Learned” perhaps we should be labeling “Information Identified.” The results of most post-event analysis are that most “lessons” tend not to be actually learned but rather identified and then buried in a post-action report. Once things have calmed down and the trauma of the event has subsided; the post-event report is filed appropriately and the organization returns operational opacity. When we return to operational opacity we are free to repeat the same mistakes over and over. “Lessons Learned” usually do not have any funding unless a regulatory initiative requires compliance. The third point is; most organizations don’t have a culture of “FutureForward” thinking; instead we have opacity.
Many years ago, I asked a question of a group of business planners (business continuity, disaster recovery, emergency response, etc.) if (I used the term business continuity) was a way of doing business for their organizations or if it was an adjunct to the business of the organization. The answer was not a surprise – it was an adjunct and many cited that they were happy to be “flying under the radar,” as it gave some assurance of job security (no one noticed them, therefore they did not exist). There is a tendency to mistake the unknown for the nonexistent. We cannot calculate the odds of an event occurring, due to model error swelling when it comes to small probabilities. The rarer the event; the less tractable, and the less we know about how frequent its occurrence.
Brittle plans tend to reflect brittle thinking; that what is not seen is not there and what is not understood does not exist. Ask yourself, “Is what I see all there is?”
Contact Information: E-mail: G.Sikich@att.net or firstname.lastname@example.org. Telephone: 1- 219-922-7718.
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary’s focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.
Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the U.S. Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering.
Geary has a passion for helping executives, risk managers, and contingency planning professionals leverage their brand and leadership skills by enhancing decision making skills, changing behaviors, communication styles and risk management efforts. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.