The quality of resilience planning and the corporate Cassandra
If it can be assumed that, conceptually at least, terrorism shares an old air force adage of the Second World War and the Cold War, that ‘a bomber (albeit perhaps single) will always get through’; sooner or later a terrorist will succeed in bombing London or elsewhere in the UK.
When he, she or they do succeed then several companies and organisations will implement a business continuity or resilience plan of some description. The quality of the plan (amongst other factors) will now determine the destiny of that company.
Perhaps the most comprehensively authoritative single book on crisis management and the concepts that influence resilience is a collection of papers entitled ‘Key Readings in Crisis Management,’ edited by Smith and Elliot. A characteristic of all the papers is that they seek to understand crisis and offer models of explanation.
Smith considers the barriers to the recognition of crisis potential within organisations, Turner comments on major causal features that can be identified, Roberts identifies some characteristics of high reliability organisations and Smart and Vertinsky note the narrowing of the cognitive process in a crisis. However, very little apparent attention is given to the quality of the plan that the corporate victims of the incidents might be trying to implement at the time; the plan’s potential role in the events appears to be a relatively neglected field. The implication is that a good plan is simply the antithesis of a ‘bad plan’ that avoids the structural pitfalls that they comment upon. The whole issue is encapsulated in two remarks, the first by Elliot who states that:
…there is some agreement that crisis preparedness in the forms of business continuity plans are simply outward manifestations of inward beliefs. Effective preparations for crisis require investments at both a practical and a deeper level of culture, assumptions and beliefs.
The second is the work of Mitroff and colleagues who liken the organisational plan to the outer and visible skin of an onion, the deeper levels being core and organisational beliefs and organisational structures. This is undoubtedly correct but the planner is usually only in a position to influence the plan and not the other issues. It is therefore proposed that despite the limitations, a better plan is still to be valued, even if the organisation retains several other flaws.
Because I believe that the planning element is so important to effective resilience, I am conducting doctorate level research into the topic. The underlying hypothesis is simple: three fundamental factors, outlined in the diagram, will determine the success or otherwise of any resilience response.
The first factor, the importance of the quality of the people in the response team, is unquestionable and is a major facet of the academic analyses mentioned earlier, but it is not necessarily obvious to the organisation involved. Poor quality response staff will not implement a good plan (howsoever defined), and they will very simply fail in their task. In contrast, good staff can to some extent compensate for poor planning and use their innovative talents to achieve novel solutions not envisaged in the plan, but this will take time, which is at a premium in a crisis.
Interestingly, very few organisations actively select staff to serve in response teams, although some well validated psychometric tests do exist to measure people’s ability to perform under stressful conditions. Similarly, human resource departments seem averse to basing any selection of new staff on the criteria of how the person might manage an incident. This aversion is implicitly endorsed when response team duties are not enshrined in job specifications lest they attract additional funding for ‘on call’ availability. Most often it seems that the response duty is implicit in the role of the employee rather than stated, and consequent training needs analysis for the response role is at best informal.
The next factor is a corollary of the first. Rehearsals are normally recognised as being necessary and serve, amongst other aims and objectives, to improve the performance or knowledge of the team and to familiarise them with the plan. Without rehearsals, the plan and the whole planning process is obviously futile, but perhaps worse still, the rehearsal of a bad plan serves merely to engrain false confidence and poor habits. Few companies devote much more than a day or two per annum to rehearsals and one cannot rely on such low levels of rehearsal effectively preparing a company for a major incident.
Therefore, given that one cannot usually improve the quality of staff (to any significant degree), and because the response management system will often emulate normal management structures, the people element remains, relatively speaking, fixed. Rehearsals are important in terms of face and predictive validity and frequency, but the time spent on rehearsing for infrequent and unlikely events is, for commercial organisations, a luxurious opportunity cost which is not relished.
Therefore, if we cannot change the quality of the people, nor spend too much time in rehearsal, the only variable that can be influenced positively and comparatively quickly is the quality of the plan. Academic consensus is often rare, and a lot of the literature in the academic debate is frequently mired with semantic arguments. However, in commentaries on resilience planning there is a growing consensus of ‘what is good’ that can be summarised together with some personal observations as follows:
- Large plans are seldom read and are less easy to use speedily; short plans are potentially better.
- Scenario planning, unless you are a highly specialised company or in a specific location (like a nuclear fuel company or an organisation based on a flood plain), is unwieldy at best and likely to misforecast the actual event.
- Generic plans are more flexible in the face of adversity.
- There is a convergence developing of business continuity, disaster recovery, crisis management and emergency planning under the banner of ‘resilience planning’.
Personal observations based on eighteen years’ experience include that:
- Subjectively derived risk assessments, which supposedly inform the plan, are of questionable utility.
- Good business impact analysis is critical to the plan.
- Strategic plans are often poor and thus promote the strategists’ ‘descent’ into tactical level activities.
- The achievement of ISO standards does not improve the quality of a plan per se, merely its ability to be audited.
- Prose based plans are less useful or at least less likely to ‘engage’ staff than diagrammatic ones.
- There is arguably a financial underinvestment in obtaining the quality of the planner who is required to author complex plans for global companies in a simple fashion.
Paradoxically perhaps, my studies have cast doubt on certain aspects of planning doctrine and are more questioning of conventional methods. What appears to influence the planner and thus the consequent plan are often far more mundane factors than might be imagined. Such simple factors as the planner’s age or seniority, and thus the organisation’s perception of their knowledge and/or experience, influences their credibility and the potential adoption of the plan. Planning is also deceptively difficult; it has to accommodate several constantly moving variables and is arguably always capable of refinement and improvement. In theory, resilience planning is pretty simple (bear in mind that ISO 22310 is only 24 pages long), but its implementation is extremely complex. In the planning process a myriad of factors shift and change in a kaleidoscopic way, not least of all the factors alluded to by Smith and by Elliot and colleagues. It appears, therefore, that even if we accept Mitroff’s analogy of the outer onion layer being the visible plan, this layer has a quantum quality where yet more and more factors can be taken into account.
If an organisation can accurately identify at least some of the issues and influences involved in the planning process then plans and consequent responses can be made more proficient. A summary of the ‘fog of variables’ that potentially determines the quality of the plan is outlined in the diagram:
In this ‘fog’ some issues are easier to deal with in the planning process than others. Usually, the hard question for the planner is not really the identification of the various issues, which are usually fairly evident. Rather, it is ‘what can be done in the plan to compensate for them?’ Smith noted that the culture of an organisation can ‘provide an environment within which such an event can escalate rapidly’ or alternatively it can be ‘central to the ability to cope’. The harsh reality is that organisational cultures do not evolve overnight nor are they changed speedily by the actions of the resilience planner. However, the recognition by the planner of any such cultural propensity can be used to shape the plan to better effect.
Importance of IT literacy
Perhaps surprisingly, it can now be argued that one factor is emerging as being pre-eminent, at least in terms of making positive and quick improvements to the plan: the planner’s ‘IT literacy’ is now possibly the most critical issue in the authorship of a good plan. This is an area that the planner can do something about to influence the plan positively. The rationale for this is that Sainsbury’s supermarkets are no longer really grocers, they are technically IT organisations which move and sell food, similarly banks are IT companies that move money. The planner is not often an IT expert and systems are now phenomenally complex and interrelated. Seldom does one single person in an organisation have an effective grasp of all the IT systems and, as importantly, what the effect of their loss would be on operations or service delivery (this is perhaps especially the case with outsourced IT where the knowledge is externalised). It is utterly critical, therefore, that the planner gains this understanding, otherwise the plan could be fatally flawed.
The final justification for selecting the quality of the planning process on which to concentrate lies in the problem of testing or, more correctly, ‘validating’ the plan. Technically, a plan, aside from its IT focused recovery time objectives, can never be ‘tested’ in the absence of any control groups such as might be found in medical trials. Rehearsals, as mentioned earlier, are infrequent and have to deal with several possible incident scenarios. At the same time, the organisation is changing and staff turnover alters the people element of the equation. The resultant attitudes, dynamics, moods and biases of response teams constantly change, perhaps even on a daily basis. The only constant is therefore the plan, which admittedly also evolves over time, therefore my focus of effort as a consultant and as a student, at least for my study, remains the quality of the plan.
There is merit in a careful consideration of planning and perhaps the most compelling overall reason for more people to study this topic academically is the ‘Cassandra’ like position of the planner.
Cassandra was a Greek prophetess who was cursed to the effect that her highly accurate prophecies would always be disbelieved; the resilience planner is currently the corporate Cassandra. Fundamentally, one believes the opinion of doctors, lawyers and accountants because they are highly qualified and answerable for their opinion to their respective governing bodies. Therefore any measure, such as tertiary education, that can elevate the position of resilience planning to that of a credible profession can only be welcomed.
Managing Director of Needhams 1834
Chris is undertaking a Professional Doctorate in Security Risk Management at the University