Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Many people have a few smoke alarms dotted around their house and, to me, these are some of the most straightforward set-it-and-forget-it risk management tools you can get. You set these up and then…nothing. You can forget about them until that annoying ‘chirp’ sound wakes you up one night, telling you to change the battery.
And most people will never hear their smoke alarm go off except for those times that their cooking gets a little out of hand.
However, if there were a fire, they’d know about it immediately and be able to react.
If it’s a small fire and they have an extinguisher, they can deal with it themselves. Otherwise, they gather the family, grab the pets, get outside, and call 911.
However, without a smoke alarm, they wouldn’t have the same amount of time to get out. They might not smell the smoke until the fire had spread all over the house. They might even get trapped inside.
That’s a fantastic difference in outcomes you can get by spending just $24.99 at the hardware store. That smoke detector allows you to be proactive, instead of reactive.
Obviously, a smoke alarm doesn’t solve all of our problems but we have a range of other tools that help us move from reactive to proactive: wildfire alerts, shelter-in-place orders, and flood warnings all help us prepare for trouble or take steps to avoid it.
And you can apply these same techniques to help your organization be more proactive.
Start with your risk assessment
Start with your risk assessment and look at the threat areas you’ve identified. Take each of these and determine the warning signs that would signal that the threat might be developing. That could be anything from the rainy season’s approach, signifying that floods are more likely, to a high ad-spend by a competitor, signaling a new product launch.
Then you apply your tools.
Your first tool is horizon-scanning: looking around you and ahead to see what’s happening. That can range from simply reading the news and industry publications to using specialized services that promise market intelligence. Whatever you use, the idea is to establish a good view of what’s going on – situational awareness – so you can spot those warning signs as far out as possible.
However, you’re going to pick up a lot of noise while horizon-scanning, and there will probably be a few false alarms, so we don’t want to react to every warning sign. So now we add the next level of filters: tripwires.
Tripwires are specific signs that tell you that a particular event is headed towards you. Unlike horizon scanning, which tells you what’s happening all around you, the tripwire confirms the event type and that you’re potentially going to be affected.
As an example, particular weather conditions in the Gulf of Mexico indicate that a hurricane could form. Your horizon scanning picks up that it’s now hurricane season and that those conditions are building, so a hurricane is a real possibility. If you’re on the Texas coast, the tripwire is when a storm system actually forms because that hurricane could come your way.
You then have a series of tripwires, each of which adds specificity to what’s happening. These can be geographic, tracking the storm’s path in our example, or time-based in the case of something like a hostile take-over. Tripwires can even be event-based, monitoring progress on a piece of litigation. The point is that the tripwires help you narrow down the potential pathways the event could follow.
Next come your decision points, which is where your contingency plan fits in. Each plan should outline how an event could unfold and what options you have for reacting. These options are called courses of action (CoA), and you should have several different options to help you respond to each scenario.
However, each option requires different time, expertise, and resources to pull together. For example, if one CoA in a hurricane scenario is to shut down operations and evacuate, that’s going to require a lot more time and preparation than simply sheltering in place.
The point where you need to make a firm decision to follow a specific CoA is called the decision point (DP – sorry this piece is a little abbreviation heavy). So each CoA will have a DP associated with it.
It’s important to keep in mind that these DPs will come up at different times. So the DP for a more complicated CoA associated with a more distant tripwire could be weeks out, whereas the DP for something simpler might be only days or hours away.
The final tool is the trigger, which is when you initiate that course of action. If things are working smoothly, then the trigger for a CoA is you making that decision.
However, we’re talking about situations where things are going wrong, and there’s no reason to expect even the best-laid plans to run smoothly. So there can be times where events accelerate or change path unexpectedly, blowing right through your carefully laid tripwires.
That means that instead of your decision being the trigger, the trigger will be event-based. In a storm, this can be an unexpected landfall, miles from the predicted path. It could be a coup d’etat. In business, it might be seeing your CEO’s name and the word ‘embezzlement’ in a WSJ headline.
Shrinking your reaction time
In all of these examples, your reaction time might have shrunk from days to mere minutes but, because you had already mapped out a CoA, you might still be able to get onto a more proactive footing. That can be the difference between sheltering in place at a pre-prepared location with food, water, and medical supplies instead of an empty basement. Or getting the crisis communications consultant you already have on retainer to start preparing for the media inquiries that are about to hit you.
But, like the smoke alarm in your house, all of these tools give you that precious extra time to grab your fire extinguisher and respond proactively before you’re trapped.
If you’re interested in learning more about contingency planning, CoA, etc., there’s a video here where I go into more detail on each of these.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.