The team at TPSO magazine spend a great deal of time looking for good ideas, interesting security websites, and great content. Almost by accident, we found https://isarr.com/
Honestly? I still don’t know what ISARR stands for and I’m frankly too embarrassed to ask, but it is home to some superb content, expert opinion and clever thinking. The “blog” section was of particular topical interest and thankfully, as much of it was written by a great friend of TPSO, and internationally respected security consultant, Andy Blackwell, we got permission to cherry pick a couple of his articles………..
Thanks Andy.
Silver Bullets, Black Swans, Gray Rhinos with Cod & Chips ! ?
In this article, the 3rd in our series, Andy Blackwell, ISARR’s Senior Risk and Security Advisor, looks at why it’s best not to get too bogged down with risk labels, details of complex academic studies, or trying to predict the future, but instead to double down on your organisational resilience, make risk-based decisions quickly and sensibly whilst being prepared to challenge the status quo and break from traditional business models.
There is nothing like a crisis state to bring out a flurry of buzzwords, and myriad of ‘expert’ views and forecasts about what the future may or may not hold. The response to the COVID-19 pandemic is no exception, with a number of so called ‘silver bullets’ being offered up. In reality, these are questionable solutions unlikely to stand up to much scrutiny, and would perhaps be better labelled as ‘tarnished duds’.
There has also been menagerie of risk descriptors circulating in the media, including black swans and grey rhinos, all very sound principles and theories but the terms may be confusing to those outside the risk management community who find themselves faced with managing a crisis.
This article looks at why it’s best not to get too bogged down with risk labels, details of complex academic studies, or trying to predict the future, but instead to double down on your organisational resilience, make risk-based decisions quickly and sensibly whilst being prepared to challenge the status quo and break from traditional business models.
Learning from academic research will always be important though, and the key to robust organisational security and resilience is having the ability to transform this into authentic and effective action at a business level.
Learning from the best practices and mistakes of your own organisation and others will also provide valuable insights.
Most organisations find change difficult at the best of times, but during a crisis their ability to safely manage dynamic change, whilst rapidly pivoting the business, will often be the critical success factor in terms of business survival.
Pontification and trying to achieve perfection will not help either, the corporate need is for rapid and sensible decision making, bearing in mind the direction of travel may be quite different to how business was conducted prior to the crisis state emerging.
Another challenge for organisations is how to quickly obtain a company-wide, branch by branch situation report. This sounds relatively straightforward but is something many organisations struggle with, often having to use conventional email or a ring-round system rather than using dedicated tools and platforms to gather the information and collate the responses. The longer it takes to obtain this information, the longer it will be before crisis managers will be able to make informed judgements.
No one welcomes a crisis, but despite the damaging consequences they can bring , they often create opportunities. The challenge for many organisations is not being able to spot the opportunity and ‘use the difficulty’, due to the pressure of the crisis or the impending crisis.
This is the organisational equivalent of a person not being able to make clear and rational decisions due to the levels of stress they are under. Some people manage stress better than others, and the same applies to organisations. There are those that can operate more collaboratively and are more decisive in a crisis state, and organisations would benefit from incorporating these behaviours into their business as usual activities.
As we’ve mentioned before, Sir Winston Churchill is quoted as saying ‘never waste a good crisis’, which emphasises the need to question the norm, particularly when a crisis comes calling. Traditional solutions alone may not be sufficient, so the organisational focus must be on what you’ve already done to prepare or minimise the impacts of the particular crisis state, whilst also deploying an empowered, experienced and agile team to make dynamic fast-time decisions based on the best information available at the time.
Once again, security, risk and resilience tools and platforms have a key role to play here.
On the subject of Churchills, the British Fish and Chip shop chain of the same name, and part of the Chesterford Group, serving 50,000 customers per week, provides us with a good example of agile decision making, how to rapidly pivot a business, and how to thrive during a crisis.
By way of background, the Coronavirus lockdown forced all the group’s 40 fish and chip restaurants in Britain to close to all walk-in customers, and the company was fast running out of money. CEO James Lipscombe was concerned that the company would run out of cash as the business was losing £150,000 per week, and at that rate the business could only survive for 6 months at the most. Realising the predicament the business was in, Lipscome knew he had to make fast decisions and break the chain’s traditional business model. He quickly expanded the group’s system for taking food orders online. All customers would receive their order by click and collect, or have their orders delivered.
The rapid decision making and change of business model, in just 2 weeks, not only protected Churchill’s revenue, it enhanced it and provided an improved service offering for their customers. In Lipscombe’ s own words, “maybe the days of waiting in a fish and chip shop for 10-15 minutes in a queue are probably gone”.
There are a number of lessons we can learn from Churchill’s fish and chip business, let’s take a look at them:
- The senior management identified the warning signals and acted on them quickly.
- There was recognition of an urgent need to change. The company was fast running out of money and its very survival was threatened. There was no guarantee of when normal business activities could resume.
- The organisation had the courage to challenge convention.
- The organisation was able to make rapid decisions based on informed judgements.
The COVID-19 pandemic has also provided us with examples of companies where rapid business growth due to unprecedented demand has resulted in security and risk management lapses. Eric Juan, CEO of Zoom, the online conferencing platform, to his credit recently admitted that his business had ‘fallen short’ on privacy and security. The Coronavirus outbreak saw a flood of new users, which presented Zoom with challenges they had not anticipated. The platform was originally intended for large organisations with full IT support, and not the myriad of ‘lockdown’ users. The lesson from Zoom is a clear one, when there is a need to move fast, it is important not to move too quickly and forget the safety and security elements. Organisations who experience rapid growth can often fall foul of this.
Conclusion
The flurry of ‘expert’ views and buzzwords circulating following a crisis can be distracting and confusing to business leaders. Doubling down on your organisation’s security and resilience so that risk-based decisions can be made quickly and sensibly, will be far more productive for your organisation than getting bogged down in complexity. Security, risk and resilience tools and platforms have a key role to play here.
Highly resilient organisations are the ones prepared to challenge the status quo and break from traditional business models. Another key to achieving robust organisational security and resilience is having the ability to transform the outcomes from complex academic research into authentic and effective actions at a corporate level. What we see all too often is a significant gap between good security and resilience and academic theories with the actual practices on the ground.
The examples we have used in this blog are from two completely different industries and demonstrate the learning opportunities created from reviewing best practices and mistakes made by other organisations, in addition to our own of course.
Would Churchills have been as dynamic and willing to break their business model prior to being in the crisis state? Only they will truly be able to answer this, but it does provide food for thought, for them and us all – excuse the pun!
Keep it simple! Risk, Resilience & Security in an Uncertain World…..
With organisations across the globe busy planning how best to resume business after the COVID-19 lockdown, Andy Blackwell, ISARR’s Senior Risk and Security Advisor, provides insights into what businesses can do to keep their people and assets safe, and maintain a high level of resilience despite the uncertain times ahead.
A ‘Back to Basics’ approach?
Rather than trying to second guess the future, a back to basics approach, focusing on what the organisation can do right now to prevent incidents becoming crises, will prevent knee-jerk responses and the inherent risks they bring. Keeping things simple and getting the basics right will also help organisations stay on track during periods of rapid, and what is likely to be chaotic, periods of change as business resumption commences.
Building a solid ’security and resilience’ foundation will make it easier for organisations to adapt and extend their programmes going forward, once they have assurance that their baseline security and resilience is robust. Companies who have implemented a Security Management System (SeMS) such as the UK’s CAA CAP1223 model will already have a solid framework to help them manage risk sensibly, and assure their security and resilience performance.
Review Your Risk Assessments.
One of the first steps organisations are well advised to take is to review their ‘threat landscape’, as changes in operating environments, such as staff working from home, may have reduced some threats but increased others. Some of the ‘old’ threats such as international terrorism haven’t gone away, and Islamist terrorist groups see the global chaos from COVID-19 as an opportunity to mobilise and prepare for the future. Their modus operandi has always been to target the path of least resistance, and any weakness, or indeed perceived weaknesses in our security capabilities will be exploited by them. Cyber criminals have intensified their efforts of late, and two of San Francisco Airport’s low traffic websites were recently hacked resulting in data being unlawfully obtained.
Once the impacts of the current threat landscape have been established, organisations should review their risk registers to ascertain that the risks, their scores and mitigations remain fit for purposes, reflecting any changes and new risks identified.
Identifying warning signals
Many businesses have been severely impacted by the COVID-19 lockdown, with some reporting that their business continuity plans were not as robust as they could or perhaps should have been. A review of the learning from the organisation’s response to the crises, good and bad, should be a priority task. It is also worth looking externally too for best practices, or issues identified that may help shape your plans going forward.
The words of Sir Winston Churchill “Never let a good crisis go to waste” resonate with me at the moment. These are challenging times for us all, without question, but provide so many opportunities to learn and make things better and more resilient for the future. A no-blame frank discussion with all key stakeholders will invariably yield far better results than finger-pointing.
Established academic research suggests that all crises are preceded by warning signals and the ability of organisations to be able to detect and interpret these can often make the difference between managing an incident or trying to survive a crisis.
In the transport sector perhaps the most significant example of missed warning signals was the 9-11 attacks. The Report of the Joint Inquiry Into The Terrorist Attacks of September 11, 2001, by the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence, provides us with some useful insights: firstly that the US Intelligence Community failed to fully capitalise on available and potentially important information and secondly, that from at least 1994, and continuing into the summer of 2001, the Intelligence Community received information indicating that terrorists were contemplating, among other means of attack, the use of aircraft as weapons. This information did not stimulate any specific Intelligence Community assessment of, or collective U.S. Government reaction to this form of threat.
Another aviation example is the ‘Underpants bomber’ Umar Farouq Abdulmutallab’s attempt to detonate his improvised explosive device on board Northwest flight 253 over Detroit on Christmas Day 2009. Fortunately the device failed to detonate properly and the only injuries were sustained by the perpetrator. Plenty of warning signals were said to have preceded the attack, but weren’t assimilated or progressed sufficiently to prevent Abdulmutallab from boarding the aircraft and conducting his attack.
Another example from outside the sector is the 2019 Easter Sunday terrorist attacks in Sri Lanka which killed 300 people and injured 500. Unfortunately warning signs were again ignored and the authorities criticised for failing to share information that could have stopped the attacks from taking place.
The good news is we know there are opportunities to identify potential crises before they actually happen. How good our company radar is at identifying the warning signals, and how good our risk managers are at determining the harm they pose together with the mitigation required, will much dictate the type of outcome we experience.
Missing warning signals, late identification, or misinterpreting them due to other noise or distractions could be catastrophic for the organisation.
Communicating Warning Signals.
Other challenges are linked to the communication of the warning signals. There needs to be timely identification, collection and sharing across a multidisciplinary team, with the experience to rapidly and accurately assess the direction and action for signals of concern. It is no use warning signals being detected if they are not rapidly communicated to the key decision makers such as a Risk Assessment Group (RAG) and the Board.
The wider the composition of the multidisciplinary team (e.g. the RAG) the richer the risk picture. Gone are the days where the security team had information supremacy, in today’s corporate world, other areas of the business are likely to have unique knowledge to help inform the risk picture. The more pieces of the jigsaw we can join up, the closer we will be to seeing the whole picture.
An organisation’s poor sensitivity to risk can result in routine incidents or disruptive events becoming crises. Denial is the biggest cause of risk sensitivity, with organisations wrongly believing that the identified risk will not impact them, or that the magnitude is not as severe as it actually is. The term predictable surprise has been used by academics to describe crises resulting from the failure of individuals and organisations to act on what they know.
One key characteristic of highly reliable organisations is their ability to identify, interpret and respond properly to warning signals. A recent example of this is Prague Airport’s detection of attempted attacks on its web pages, where their timely identification and mitigating actions thwarted the crime in the early preparatory stages. The airport’s proactive approach resulted in them receiving positive media coverage, and their action clearly demonstrates their positive approach to security. It’s no surprise that the airport has been actively championing SeMS approaches at their annual SAFSEC conferences.
The ability to rapidly access relevant and reliable information remains central to organisations scanning for warning signals. The ever increasing number of sources available and the proliferation of social media channels, can make this a challenging task.
It is not just about looking for a needle in a haystack, it’s trying to ascertain which haystack to look in. Monitoring of social media can give early insights, for example; a sudden increase in social media posts from certain areas may indicate something untoward is going on, Breaking news often first breaks on social media before being rebroadcast via the established media channels (but care needs to be taken to corroborate such information) Social sentiment monitoring can also provide us with useful foresight.
Summary: A summary of the key actions organisations are recommended to consider are:
- Understand the current threat landscape and how it impacts your organisation
- Review your risk register and make any necessary adjustments
- Identify and implement lessons identified from the COVID-19 pandemic response
- Assure your security and resilience provision
- Scan for warning signals
This article has outlined key actions organisations can take to protect their people, assets and operations. The guidance is aligned with established Security Management System (SeMS) principles and recommends a keep it simple, back to basics approach, with a constant focus on the detection of, and response to warning signals. Future articles will be focused on how ISARR’s range of web based management information and operational tools can help Intelligence, Security and Risk Resilience Leaders.
Want to know more about ISARR?
Visit: https://isarr.com/
