Resilient Thinking: Protecting organisations in the 21st century

By Phillip Wood

In Resilient Thinking, Phillip Wood discusses the importance of thinking laterally about potential impacts on your organisation and examines a new approach to resilience management. As you read this book you will learn how to recognise potential risks and threats, put cost-effective and workable plans into place and minimise the impact of an incident.

• Language: English
• Publisher: itgovernance
• Release date: Nov 8, 2012
• ISBN: 9781849284356

Phillip Wood

Phillip Wood MBE has extensive knowledge and experience in a wide range of security and resilience disciplines. He has delivered security, resilience and business continuity education and consultancy in a number of different countries and to numerous organisations. He is currently Head of the Department of Security and Resilience at Buckinghamshire New University.

Book preview

Resources

INTRODUCTION

As we make the journey through the world of resilience together, we are going to look at organisations as vulnerable entities. And we’re going to try to direct our focus firmly away from ‘stovepipe’ or ‘silo’ thinking. Business continuity, security, health and safety, emergency planning, disaster recovery, and so on, are all different elements of resilience. That’s my view and I’m sticking to it. When an organisation is targeted, or an accident happens which affects it, the impact is not just in one area, at one time, at one level and aimed at one function, and your mindset needs to be as flexible and dynamic as the threats you face. Think in stovepipes and your organisation may well go up in smoke; go beyond frameworks and mental constraints and you may have a chance of coming out the other side in one piece, and, with some luck, you could end up in better shape than when the stuff hit the fan in the first place.

So, if you want to get through to the other side of whatever it is that may befall you or your organisation, it’s time to be a little bit radical. Only a little. Don’t tear up your current plans; they may need a little tweaking, or even just some effort to make them practicable. Don’t throw away your checklists; they might be useful if you test them out. Do throw away rigid mindsets, adherence to the ‘I’m a risk/security/safety/continuity/disaster recovery expert and my method is best’ waffle and the belief that all resilience functions are different and separate. I’ll quite happily argue with any number of consultants, advisers and niche managers about this, but in the end (and hopefully by the time we get to the end of the book you’ll agree), I’m right and only by thinking will you achieve your resilience aim and avoid any number of terrible scenario developments.

One last point before we start the book in a little more detail. Please don’t listen slavishly to the stuck-in-the-mud so-called ‘experts’ who’ve been in their business for years and have ground out a reputation through endless and repeated contributions to continuity, risk, security and safety journals. There are a lot of people who are qualified only through experience, rather than through capability, and the fact that they have been overseeing and writing plans for years means nothing if their plans are junk. Also, please don’t think for a moment that I expect you to agree with everything that is written here – these are my thoughts, views, concerns and suggestions and they are here to stimulate your own thoughts, ideas and suggestions. As that well-known liberal thinker George S. Patton once gently whispered, ‘If everyone is thinking alike, then somebody isn’t thinking.’

You’ll find that I repeat throughout the book that it is important to be a thinker. Why? Because for me thinking is everything that makes professionals effective and the lack of it is what makes organisations, large and small, ineffective.

So, there are some thoughts to start with. I hope that you can see from this Preface that my approach to resilience is that not much is ruled out, and everything is ruled in. Unpredicted, natural and malicious events have a habit of ignoring the best-laid plans, deflating egos and having impacts way beyond their often humble beginnings. If nothing else, I hope that Resilient Thinking makes you think carefully about the things that you can do to maintain organisational viability. If it does, I can retire happy – and so will you.

CHAPTER 1: THE SPAGHETTI BOWL OF RESILIENCE

In this introductory chapter, we will have a look at the idea of resilience as a tricky subject, the influence of people, and the concept of planning. We will also consider the idea of resilience as a whole formed of various components.

The secret art

Let’s face it, not only is the world difficult and dangerous, it’s also cut-throat and competitive. The resilience industry is no less a warzone than any other, and competition and jockeying for position are understandably common. What is interesting to me is that resilience professionals and practitioners – business continuity, security and safety managers, for example – although they often look on each other with a degree of disdain, are more often than not cut from the same cloth. Let’s see if you recognise this profile: male, middle-aged, ex-police or military, officious and practising their own ‘secret art’. These types, who have now been joined by the ‘IT crowd’, seem to be quite adept at building a false mystique around simple principles, and as we forge ahead through the book, hopefully you’ll begin to recognise the fact that there is no reason or substance behind taking this approach.

And here, it’s useful to start our journey together with some clarity – there are many strands to resilience, but it isn’t complicated. There is a lot to do when an incident occurs, but the whole thing doesn’t have to be difficult. And the resilience ‘professional’, who jealously guards plans and supporting information and revels in the ‘I-know-something-you-don’t’ approach, is, quite frankly, a waste of money. Your organisation deserves better than that, and the individuals who may suffer because of that approach certainly do. Resilience, with its complicated systems, procedures and terminology, is a refuge for the ‘Sir Humphreys’¹ of this world.

So, in starting from the start and before we move into the detail of resilience and turn to the discovery of the magic formula for saving your organisation, let’s try to pull the rug from under the feet of the ‘Humphreys’ and try to establish some assumptions about resilience and its components. It’s probably quite fundamental that from this point we at least understand in our own minds what the various elements of resilience actually are, because once we know what we’re talking about then perhaps we can go ahead and figure out how to go about saving your business. It’s a useful exercise to try to unravel the spaghetti bowl of resilience and straighten out the tangles.

One of the sad facts of life is that modern organisations must operate in the context, and against a background, of problems, events and trends which have the potential to develop into significant safety, security and continuity threats. These threats, some of which may have been in existence for a considerable time, and others, which have been the more recent result of either malicious human intent or omissions, have the potential to combine and to link together and to have a consolidated impact which could be far more serious and far-reaching than if they were to occur in isolation, either temporally or geographically. Organisations, big or small, public or privately owned and run, must be able to deal effectively with the range of potential threats which can materialise and cause ‘business’ failure. The organisation has to learn to become resilient – to protect itself, to absorb shocks and survive and capitalise on any opportunities that may arise – because, in simple terms, those that cannot achieve that happy state will fail sooner or later.

Moreover, this is a multilevel issue. Not only can threats have adverse effects on individual organisations, groups of businesses and other enterprise organisations, but also they can become risks with impact at local, national and international strategic levels. Further down the line, consequential or later impacts of risks have the potential to spread beyond initial points of protection failure and even to change in effect as they move onwards and develop from where they hit originally. Therefore, it is important to recognise and act upon such threats before they become too difficult to manage, control and mitigate. Small fires can become raging infernos if all the conditions for growth are there.

Challenges and silos

Although it should be all-encompassing for a business, resilience professionals, in particular, have a crucial role to play in limiting the effects of threats upon their organisations. A considered and forward-looking resilience management process, with realistic and flexible mitigation planning, will provide an organisation with the ability to evaluate risks and to put in place effective countermeasures and associated processes and procedures. However, in a results-oriented environment where the focus rests on maintaining profitability, this can be a challenging process. If managers are overly focused on pure response processes and in putting in place measures which are localised and reactive, they may miss what lies over the horizon. And, although it is understandable to deal with local losses in the ‘here and now’, if managers fail to engage with, or to consider the effects of, current or forthcoming threats because they consider them to be outside their area of concern, then there is a risk of vulnerability to partially self-inflicted failures. That should not be what we are about at all!

Within any planning ‘suite’ or set of components (resilience-related or not) there will be various elements which have traditionally been the responsibility of separate departments or managers. This type of division, known as ‘stove-piping’ or ‘silo management’, has managed to keep apart activities which should perhaps be merged or, at least, complement one another. And this in turn may have a consequent detrimental effect on response capability, particularly if there are ‘gaps’ in coverage, either by omission or in ignorance. Omission and ignorance are dangerous for resilience professionals and practitioners; as we go along, we will discuss how we can apply thought and action to reduce omissions and avoid the pitfalls of ignorance.

Figure 1: Simple silos

This is a silo organisation. Silos 1 to 5, and there can be many more, represent the various organisational functions. For example, they could be:

Silo 1 – Finance

Silo 2 – Operations

Silo 3 – Human Resources

Silo 4 – IT

Silo 5 – Security

In silo organisations, each separate area concentrates on its own world of activity and the points of interaction that often matter the most to them are those with the people at the top of the organisation. This is understandable. However, the problems caused by an introspective approach, such as this, can be significant. To make the organisation coherent and to reduce overlaps, overspends, misunderstanding and miscalculations, the components of the organisation should consult and consider the links and areas of potential duplication or failure.

To help us to begin from a basis of understanding what we need to overcome, we should think about the idea that, although silo activity is well recognised by most people, it