ierp, kuala lumpur, risk management, institute of enterprise risk practitioners, brian gray

These are my background notes for the presentation I made at the IERP Global Conference in Kuala Lumpur, Malaysia on 4 June 2014.

I have written elsewhere in this space that emergency managers face four different types of problems:

  1. Simple
  2. Complicated
  3. Complex
  4. Anarchy

and that, “the solutions to Simple and Complicated problems should be the focus of planning and plans.”

Traditionally approaches to emergency management have been processed-based: a set number of sequential steps that generate the action necessary to prepare for and respond to crisis events, in (hopefully) a virtuous cycle. These approaches are suitable in situations where we have a comprehensive understanding of the factors that underlie the crisis and the way it impacts organizational systems. The question then is what do we do when we do not?

This is a story about complexity and how to deal with it in the context of emergency management.


Complexity permeates our lives – like the air around us, we cannot avoid it – and has unique characteristics:

  • The output of component systems cannot be anticipated nor controlled
  • Component systems interact to produce new equilibria

Under complexity circumstances literally emerge. This means that cause and effect can only be understood retrospectively. Without the ability to expect how systems will interact and how this will impact operations, plans can quickly lose their relevance, like a weather forecast the accuracy of which erodes by the second. We can predict the primary impacts of an event, but doing the same for the secondary and tertiary impacts is difficult. In these circumstances a traditional, process-based approach to emergency management alone is inadequate.

complexity superhero approach to emergency management

Superheroes can’t do complexity

Towards a Network Approach

In a previous post I described and advocated that a dynamic approach to crisis management be adopted, in which constant situational awareness identifies risks and triggers an appropriate organizational response to them. The key crisis leadership tasks the underlie this model are detailed below.

Key Crisis Leadership Tasks


Sense Making

Identify that there is a developing situation that warrants the attention of executive management, and determining how the situation will progress and impact the organization.

Decision Making

Once it has been determined that something is afoot, executive management require support to decide what to do about it.

Meaning Making

After deciding the organization’s response, executive management must present a persuasive account of the situation, what will be the organization’s response and gain support for the chosen course.


Transition from an emergency to a normal footing, and providing a retrospective on the situation and gaining consensus around it.


Following the termination of a crisis it is imperative that a formal after-action review process be established, and lessons learned identified and integrated into policy, procedure and organizational learning.

Adapted from Boin, Arjen, et al. (2005). The Politics of Crisis Management [Kindle version] (pp. 217-285). Retrieved from Amazon.com

This dynamic model scaffolds the network approach to emergency management, which recognizes how networks are central to how an organization functions.

Output is produced not just following steps in a business process, but through the interaction and collaboration between networks, formal and informal, within and without the organization. As argued by Dave Gray, a ‘line of interaction’ has supplanted the ‘line of production’ model.

Crises disrupt these networks, or at worst, they collapse, so the aim of the network approach is to develop and nurture them, creating multiple redundancies across organizational and thematic lines.

In practice this means alignment and harmonization in four areas:

  1. Common understanding of risks that can lead to crises
  2. Plans and planning processes
  3. Governance and implementation structures
  4. Behavioural change.

Under this approach:

  • Decentralize risk management, but govern it centrally
  • Risk management dynamic, focused on identifying vulnerability in operational risk areas (people, processes and systems)
  • Integration, integration, integration

A network approach to emergency management is not only effective in circumstances of complexity, but it generates value for an organization by:

  • Creating serendipitous effects
  • Improved risk management
  • Increased efficiency from process re-engineering


A process-based approach to emergency management has intuitive appeal because it has a defined, limited scope with discrete, measurable deliverables. Conversely, a network approach is messy and its components, especially the informal collaboration networks, are unknowable, meaning that measurement is almost impossible (I qualify ‘impossible’ because you can hold out examples of serendipitous effects as evidence of value). And yet it is clear that an emergency management programme is vulnerable it does not include an emergent strategy to nurture and strengthen collaboration networks.

Related stuff that I am working on

  • How do you govern a network?
  • How do you value the output of a network?
  • How do you cost a network?



Continuity Insights logo

Earlier this week, Continuity Insights published the Crisis Communications: Social Media & Notifications Systems survey. Continuity Insights began reporting on the use of social media for emergency management in 2012, expanding the survey in 2013 to include social media strategy, risk and views on effectiveness. Both of these reports give the baseline for the 2014 survey.

Key Findings

  • Use of social media as a crisis communications tool is on the rise
  • But, perhaps paradoxically, there was a significant drop in the use of social media to communicate with employees. In that space, Emergency Notification Systems reign
  • Increased expression of intent to use social media to enhance situational awareness in a crisis, also reflected in the expanded use of the geospatial mapping features of Emergency Notifications Systems
  • Respondents voiced their belief that mobile technology is vital for effective crisis communications

My Observations

  1. While there has been an increase in the use of social media, it seems that it is being used to push messages out to audiences, with still limited use to support situational awareness.Social media form part of the portfolio of communications channels; however, there is unexploited value in providing key influencers within the network with innovative content to share, and a safe space for staff to share their experience.
  2. Video is a compelling storytelling medium, yet it is not widely used for crisis communications. Almost 90% of respondents viewed YouTube as ‘Not Useful’ or ‘Somewhat Useful’ as a medium to get the message out during a crisis event. This is understandable as most organizations do not have dedicated resources to watch and actively engage on social media, let alone produce video content.
  3. On a related topic, the survey revealed the use of peer-to-peer apps, such as What’sApp and Waze. The emergence of these so-called ‘Dark Social’ platforms (because the content that it typically shared from them has no identifiable source) is a growing trend in the wider social media world.
  4. It was interesting to note what questions the response rate dropped significantly: those dealing with social media strategy. This reflects (I think) the superficial nature of integration of social media into crisis communications plans. Further evidence of this is the incarceration of social media in corporate communications and marketing departments. There is value in taking advantage of free social media platforms, and the knowledge of staff in how to use them, but it is a common challenge that organizations are not staffed and organized to fully capitalize on the potential of social media for situational awareness and crisis communications, especially as it applies to mobile.
  5. Finally, the survey makes it clear that respondents view social media is the source of limitless reputational risk, resulting from the spread of inaccurate or embarrassing information. The only thing you need to remember is, “Don’t do anything stupid.”


Enhanced by Zemanta

Continuity Insights Webinar Brian Gray

At the International Crisis & Risk Communication Conference on 5 March 2013, I delivered a presentation on the use of social media for crisis communications, based on the following argument:

Changing technology, public expectations and the ways in which we interact are setting traditional patterns of communication on a trajectory toward obsolescence. Effectively responding to a complex event requires a continually evolving situational awareness, which is dependent upon the receipt and dissemination of timely and accurate information. In this regard, the ubiquitous availability of smart phones, and the rise of social media, poses challenges and opportunities that can only be managed by taking action in advance.*

The Too Late part came from the need to take action before an event to take advantage of social media to enhance crisis communications.

The release of the Continuity Insights survey Crisis Communications 2014: Social Media & Notification Systems is an opportunity to revisit this topic.

Crisis Leadership Tasks

In an earlier post I argued that we need to replace the traditional, passive notion of crisis management as something that follows something clear and present that has occurred, with a dynamic approach where we actively scan for risks about which we have to do something. In summary,

  • Sense Making: constantly scanning the environment to identify risks that could impact operations
  • Decision Making: matching the emerging risk with appropriate prevention or preparedness action
  • Meaning Making: communicating and gaining support for the action taken
  • Terminating: transition from the crisis state to business-as-usual
  • Learning: formal after action review process to identify and internalize lessons learned
Emergency Management Tasks

Crisis Leadership Tasks

Key lessons to use social media for emergency management

  1. Define your goals: the more complex the goal, the harder it will be to do. To wit, trying to predict an event by mining social networks will clearly be more challenging than providing employees with a platform to share what is going on in their neighbourhoods during a storm
  2. Establish your brand in advance: to the uninitiated, social networks can seem like a free-for-all. Instead, they are silently governed by spontaneous social organization, one of the norms of which is that people prefer to engage with those that they find credible. This credibility scaffolds social network relationships and must be earned. In a crisis, people turn to those that they trust, which means that sites must build a following before an event.
  3. Find your influencers: to maximize impact, your messages need to be amplified. To do this you need to find the key influencers within your network so that you can tailor content for them to share. Kim Stephens of the idisaster 2.0 blog has a great line, “Follow the spokes and you will find the hubs.”
  4. Provide your influencers with content to share: as noted in the last bullet, providing the key influencers within your network with content to share, maximizes the virality potential of your communications. All social media content is not created equal. Warby Parker applies these five criteria to create social media content that drives engagement: unique, authentic, unexpected, does good and has a compelling narrative. Remember, social media engagement is most effective when it is authentic, transparent and disrupts the conversation.
  5. Adopt a Pull system: people want to be engaged, not communicated at; they also expect to be a source of information during a crisis. Social networks provide the means to do both. In practice, this means that the historical approach of the organization being the primary source of information – the Push system – should give way to a Pull system, under which staff are encouraged to not only amplify crisis information they get from credible sources, but to share first person, eye-witness accounts of what is going on in their neighbourhoods. Not only does this contribute to organizational situational awareness, but contributes to the psycho-social well-being of employees.
From within your network, both inside and outside the organization

From within your network, both inside and outside the organization


The key lessons for effective use of social media for crisis communications are:

  • Identify your goals
  • Build your brand in advance
  • Find your influencers
  • Provide the influencers and trusted agents with unique, authentic content to share
  • Pull, don’t push

In addition to these key lessons, make sure you talk like a human being and engage your audience as equals.

Push Pull System Crisis Communications

Adopt a ‘Push’ system for crisis communications

* One of the many lessons I learned through this experience, is the need to Google presentation titles.  After publishing the presentation title, Now is Too Late: Utlizing Social Media for Situational Awareness, we learned that it was a variation on the a book title on a similar subject, Now is Too Late: Survival in an Era of Instant News, by Gerald R. Baron.  While Mr. Baron graciously cleared the use of the title, we should have checked before publishing it.

Enhanced by Zemanta

Business Continuity Institute Continuity Magazine Q1 2014

Excerpt of the article Ready to respond, my discussion with Continuity, the magazine of the Business Continuity Institute

What would you say are the principles which underpin the UN’s approach to business continuity and organisational resilience?

The UN’s approach to business continuity and organisational resilience is centred on continuous learning and improvement, and is based on a series of principles. The first of these principles is risk-based planning and practice. The United Nations duty stations around the world can have different risk profiles, and plans must reflect local risks. There are common fundamentals, but our approach to organisational resilience is not a ‘one size fits all’ approach. Also, under the Organisational Resilience Management System (ORMS), emergency management plans, including business continuity, will be founded on a joint assessment of operational risks. A second principle is that of flexible standardisation. The fundamental roles, responsibilities and practice are tailored to reflect the local context, leveraging existing resources and processes. The third principle I would highlight is harmonised and integrated implementation. Emergency management plans and planning processes, governance and implementation structures – such as crisis management teams – and behavioural change will be implemented in coordination with United Nations Member States, host country authorities and other key partners. The final principle relates to maximised organisational learning. This means that the lessons learned during implementation will be identified, recorded and shared.

How do you ensure that your approach to organisational resilience is aligned with the overall objectives of the UN and that it keeps pace with the changing demands of the organisation?

The ORMS is closely governed by a group of department heads that ensure that the system meets the needs of clients. The Secretariat also reports on the progress of development and implementation to the General Assembly, which provides direction and guidance. You mentioned the Organisational Resilience Management System, which has recently been adopted by the UN. Can you provide me with an overview of this system? The UN Organisational Resilience Management System was approved by the General Assembly in June 2013, under A/RES/67/254, as the emergency management framework for the organisation. The ORMS is a comprehensive emergency management system, linking actors and activities across preparedness, prevention, response and recovery, to enhance the organisation’s resilience in order to improve its ability to ensure the safety and security of our staff and assets, and to deliver our mandates. The core elements of the ORMS are:

  • Crisis management decision making and operations coordination architecture
  • Security
  • Crisis communications
  • Mass casualty incident response
  • IT disaster recovery
  • Business continuity
  • Support to staff, survivors and their families.

The system processes include:

  • Policy and plan development
  • Risk assessment and mitigation
  • Situational awareness
  • Crisis management decision making, operations execution and coordination
  • Recovery of people and assets and reconstitution of business processes
  • Reviewing actions and identifying lessons to improve processes
  • Exercising and training
  • Implementing lessons learned.

The ORMS comprises centralised, integrated decision-making and operations coordination bodies linking the core elements in a comprehensive framework and ensuring all processes are undertaken in a timely and coherent manner. Under ORMS, the UN response to any event will be flexible, reflecting prevailing circumstances and focus on a range of priorities. Firstly, the health, safety and security and well-being of United Nations personnel. The focus will also be on maintaining the continuity of United Nations critical functions and activities, and capacities for mandate and programme implementation. In addition, it encompasses protection of United Nations physical assets. Finally, I have provided here a graphical representation of the organisational resilience management system, by emergency management phase and process (see below).

ORMS Organizational Resilience Management System United Nations

The Component Phases and Process of the ORMS

Why was it decided to introduce the new system?

The global operations of the United Nations bring with them exposure to an extensive and varied range of threats. To prevent and manage these threats requires efforts beyond a harmonised and integrated approach to emergency management. The ORMS was introduced to meet these challenges, pursuant to a request of the General Assembly to develop a comprehensive emergency management framework.

How have you gone about implementing the ORMS and what challenges have you had to overcome to achieve this?

We have pursued a dual strategy to implement the system. First, although ORMS is not a project, on one level we approach it like one. We have set clear lines of accountability for deliverables, established formal governance, development and quality control structures, and have a dedicated regime the aim of which is to change the behaviour of staff, consistent with the tenets of ORMS. Second, we are nurturing an ever-expanding global network of emergency managers from the private sector, academia, partner agencies and interested staff to generate serendipitous effects through information and capacity sharing.

How far along the process are you to the full implementation of the system?

The implementation of the ORMS within the United Nations is being led by the Secretariat. It was decided to pursue a phased implementation approach, beginning at the United Nations Headquarters in New York and then extending the framework to the Offices Away from Headquarters in Geneva, Vienna and Nairobi, the Regional Commissions in Addis Ababa, Bangkok, Santiago, Beirut, and Geneva, the United Nations peacekeeping and special political missions, and then finally to the United Nations agencies, funds and programmes. The ORMS has been fully implemented at the United Nations Headquarters, and implementation will now shift to other offices.

Central to the ORMS is the Responsive Regulation approach. Can you clarify what this approach is and why it is so important?

Responsive Regulation is a compliance model proposed by Ian Ayres and John Braithwaite in their book, Responsive Regulation: Transcending the deregulation debate. Based on the premise that a population subject to a regulation will vary from voluntary compliance to deliberate non-compliance, the model suggests a portfolio of escalating remedies to encourage voluntary compliance, related to address the source of non-compliance. The model also recognises that those who deliberately do not comply with a specific regulation are a small minority. The governance of the ORMS is based on the responsive regulation approach. The policies and guidance to which the system gives effect will focus on providing United Nations staff with the tools to implement the framework, and not reflect a strong ‘stick’ approach to non-compliance. To date, we have found that the ORMS resonates with staff and management because it solves the problem of how to ensure harmonised and integrated effort between emergency management disciplines. In this way, the system reflects the common need to establish a framework that describes the relationship between the elements that comprise the emergency management landscape. It also serves to enhance the management of operational risk; and furthermore, ORMS supports efforts at the field office level to implement emergency management programmes by adopting a common system that allows offices to leverage each other’s capacity, and to harmonise activities around a common good.

What benefits of the new system have you seen at this early stage?

While it is too early to describe benefits in detail, we have found that working across functional areas encourages working across silos, which has inevitably lead to innovation and improved use of resources. On a related subject, increased awareness of ongoing activities and projects generates serendipitous effects from organic collaboration, supporting the implementation of linked projects and overall change management. Interoperability between organisations has improved, and integral ‘after action’ and lessons learned processes provide a sound basis for continual improvement.

What would you say have been the main learning points from this process?

The implementation of ORMS has been a significant learning experience. The first lesson is the importance of effective change management, characterised by not just establishing the task element and deliverables such as plans; but ensuring that implementation is supported by effective governance structures and a network of practitioners, as well as behavioural change. Second, gaps between emergency management disciplines, such as business continuity and crisis management, are a major source of vulnerability. If there is a gap in overall programme planning and coordination, the effectiveness of preparedness and response will be affected, and not in a good way. Third, a former boss of mine in the army used to tell us that, “Those that can communicate can’t help but be successful.” Strategic communication has been essential to the successful implementation of ORMS, especially in support of change management. One of the main tools that we have used to nurture the network and to share knowledge is social media and internal collaboration platforms. Finally, ORMS is not an overhead, but rather is an effort that creates significant value. The system brings people from across the organisation together around a common objective, which is to effectively manage risk and protect what is the most valuable parts of a business. The process makes the organisation tighter and generates serendipitous effects that lead to new opportunities for collaboration.

Toby Daniels and Jonah Peretti, Founder and CEO of Buzzfeed, discuss Buzzfeed's model at SMW 2014 in New York City

Toby Daniels and Jonah Peretti, Founder and CEO of Buzzfeed, discuss Buzzfeed’s model at SMW 2014 in New York City

The overwhelming themes of Social Media Week 2013 were:

  • Content is king
  • People want and expect to be engaged
  • This engagement must be authentic and transparent
  • Provide the tools and content to mobilize key influencers in your network

La plus ça change . . .

In today’s keynote interview of Jonah Peretti, Founder and CEO of Buzzfeed, by Toby Daniels, Founder and Executive Director of Social Media Week, these themes were again front and center.

Peretti noted that social and sharing is now how the media works, and people share what engages their heart and their head – quizzes are now hot because they allow the user to dream and offer a topic of conversation with friends – so success can be measured in providing content that is of value to the reader, not traffic. He argued, “In social, traffic is the by-produce of good work.”

Peretti also warned the audience that brands are hurt when they reach an audience that does not want their content. While indicating that the default for sharing content online is failure, Peretti observed, “The best thing about social is that your best stuff is seen by the most people.”

To do this, Peretti explained, Buzzfeed has become a learning machine, constantly refining what content proves to be provocative. Peretti remarked, “To be successful in social you have to maximize learning, not maximize traffic,” celebrating mistakes that are part of the process of learning.

The best model to accomplish this? According to Peretti:

  • Employ, “Really smart humans guided by data”
  • Create value for the reader by continually improving your platform and the content that you share: “Exploits and tricks that are not good for the user are short lived”
  • “Don’t optimize for platforms, but for people”

Peretti noted the trend of Dark Social – content without an obvious referring application – as the source of a growing amount of shared content, from peer-to-peer apps like WhatsApp. He also reinforced that you must ensure your platform and content is mobile friendly, mentioning that Buzzfeed readers consume much content on their mobile devices. “Prime time for mobile is 10 p.m.,” he observed.

The interview ended with a shift to technology, which allows people to connect with more people like themselves and share ideas. It’s a brave new world.

Enhanced by Zemanta

Social Media Week New York city

It is that time of year again, my favouriteSocial Media Week. I will blog daily (Inshallah) and be live posting on Twitter throughout the week.

You can participate and contribute, even if you are not attending in person. Here’s how:

For more information, check out, Your Ultimate Guide to SMW14: How To Follow & Share.

Watch! Attend! Participate!

Enhanced by Zemanta

BCM World Conference and Exhibition

Again this year, I made the pilgrimage to London to attend the BCM World Conference and Exhibition; a link to the background paper for my presentation is here.

As always, there were some nuggets.  Here is one:

Risk and Business Continuity (Mike Power – LSE)

Professor Power cogently described how Business Continuity Management can contribute to effective enterprise risk management.  He began by detailing the challenges to manage enterprise risks:

  • The Illusion of Control, characterized by the assumption that we have more of an understanding of cause and effect than we really do.  As I have written elsewhere, in complex and anarchic events, cause and effect can only be understood after the fact
  • Fragmentation of capability to manage specific risks
  • Entity v System Focus, resulting in organizational stove pipes
  • (Unrecognized) Interconnectedness, concomitant with today’s complex systems

Power then turned to the challenges for Business Continuity Management in the enterprise:

  • BCM has historically been disempowered, considered overhead and not a value-generating part of the business
  • The slow emergence of operational risk
  • Weak institutionalization, stemming from the perception that BCM has only an operational or technology focus
  • Weak accountability within the enterprise for low probability-high impact events, which are the bread and butter for BCM

To respond to these challenges, Professor Power proposed a number of solutions:

  • Establish and formalize the Three Lines of Defence: Business, Corporate Risk Management, and Internal and External Audit.  These lines are graphically depicted at Figure 1.
Figure 1 – Three Lines of Defence
business continuity management risk management

The ‘Action’ is in the fuzzy area between Levels 1 and 2

  • Identify the scenarios under which your organization will fail . . . completely, and then decide what will be your strategies to recover from catastrophic loss
  • Establish a risk culture – the ability to think of alternate futures and build action plans around them – where:
    • The authority for risk and control functions are clear
    • There is a respect for controls
    • There is close attention to incentives risk
    • Accept that you can do your best, but there is still a chance for failure
  • Recruit charismatic BCM leaders
  • Build the narrative of BCM’s value generating capacity:
    • Embed resilience as a core organizational value and ‘BAU’
    • Circulate stories of success
    • Create the discourse, incorporating the performance nature of language: if you talk in a certain way, it will happen
  • Incentivize collaboration: when the world is moving against you, to succeed, collaboration must increase.

My Take

Professor Power’s presentation resonated with me because the content was consistent with my experience.  First, there is a common bias toward a programme, or entity, approach over a system approach.  This in turn complicates the management of operational risk, which can only be done effectively by an enterprise approach.  Second, it is ironic that fragmentation features in a field – emergency management – in which consolidation is almost always a good idea.

The fewer baton passes, the fewer times the baton will be dropped

The fewer baton passes, the fewer times the baton will be dropped

Third, there is a critical message implicit in the Three Lines of Defence: corporate BCM can support businesses prevent, prepare, respond and recover, but each business is responsible for their continuity and resilience.

Finally, BCM is a value generator.  The focus of BCM is to find and preserve value within the organization.  Executing this responsibility, connects BCM with all parts of the enterprise, inevitably generating serendipitous effects that are typically of significant value.  Any time you have a conversation around risk, good things happen.


Get every new post delivered to your Inbox.

Join 586 other followers

%d bloggers like this: