These are my background notes for the presentation I made at the IERP Global Conference in Kuala Lumpur, Malaysia on 4 June 2014.
I have written elsewhere in this space that emergency managers face four different types of problems:
and that, “the solutions to Simple and Complicated problems should be the focus of planning and plans.”
Traditionally approaches to emergency management have been processed-based: a set number of sequential steps that generate the action necessary to prepare for and respond to crisis events, in (hopefully) a virtuous cycle. These approaches are suitable in situations where we have a comprehensive understanding of the factors that underlie the crisis and the way it impacts organizational systems. The question then is what do we do when we do not?
This is a story about complexity and how to deal with it in the context of emergency management.
Complexity permeates our lives – like the air around us, we cannot avoid it – and has unique characteristics:
- The output of component systems cannot be anticipated nor controlled
- Component systems interact to produce new equilibria
Under complexity circumstances literally emerge. This means that cause and effect can only be understood retrospectively. Without the ability to expect how systems will interact and how this will impact operations, plans can quickly lose their relevance, like a weather forecast the accuracy of which erodes by the second. We can predict the primary impacts of an event, but doing the same for the secondary and tertiary impacts is difficult. In these circumstances a traditional, process-based approach to emergency management alone is inadequate.
Towards a Network Approach
In a previous post I described and advocated that a dynamic approach to crisis management be adopted, in which constant situational awareness identifies risks and triggers an appropriate organizational response to them. The key crisis leadership tasks the underlie this model are detailed below.
Key Crisis Leadership Tasks
|Identify that there is a developing situation that warrants the attention of executive management, and determining how the situation will progress and impact the organization.|
|Once it has been determined that something is afoot, executive management require support to decide what to do about it.|
|After deciding the organization’s response, executive management must present a persuasive account of the situation, what will be the organization’s response and gain support for the chosen course.|
|Transition from an emergency to a normal footing, and providing a retrospective on the situation and gaining consensus around it.|
|Following the termination of a crisis it is imperative that a formal after-action review process be established, and lessons learned identified and integrated into policy, procedure and organizational learning.|
Adapted from Boin, Arjen, et al. (2005). The Politics of Crisis Management [Kindle version] (pp. 217-285). Retrieved from Amazon.com
This dynamic model scaffolds the network approach to emergency management, which recognizes how networks are central to how an organization functions.
Output is produced not just following steps in a business process, but through the interaction and collaboration between networks, formal and informal, within and without the organization. As argued by Dave Gray, a ‘line of interaction’ has supplanted the ‘line of production’ model.
Crises disrupt these networks, or at worst, they collapse, so the aim of the network approach is to develop and nurture them, creating multiple redundancies across organizational and thematic lines.
In practice this means alignment and harmonization in four areas:
- Common understanding of risks that can lead to crises
- Plans and planning processes
- Governance and implementation structures
- Behavioural change.
Under this approach:
- Decentralize risk management, but govern it centrally
- Risk management dynamic, focused on identifying vulnerability in operational risk areas (people, processes and systems)
- Integration, integration, integration
A network approach to emergency management is not only effective in circumstances of complexity, but it generates value for an organization by:
- Creating serendipitous effects
- Improved risk management
- Increased efficiency from process re-engineering
A process-based approach to emergency management has intuitive appeal because it has a defined, limited scope with discrete, measurable deliverables. Conversely, a network approach is messy and its components, especially the informal collaboration networks, are unknowable, meaning that measurement is almost impossible (I qualify ‘impossible’ because you can hold out examples of serendipitous effects as evidence of value). And yet it is clear that an emergency management programme is vulnerable it does not include an emergent strategy to nurture and strengthen collaboration networks.
Related stuff that I am working on
- How do you govern a network?
- How do you value the output of a network?
- How do you cost a network?
November 18, 2013
Again this year, I made the pilgrimage to London to attend the BCM World Conference and Exhibition; a link to the background paper for my presentation is here.
As always, there were some nuggets. Here is one:
Risk and Business Continuity (Mike Power – LSE)
Professor Power cogently described how Business Continuity Management can contribute to effective enterprise risk management. He began by detailing the challenges to manage enterprise risks:
- The Illusion of Control, characterized by the assumption that we have more of an understanding of cause and effect than we really do. As I have written elsewhere, in complex and anarchic events, cause and effect can only be understood after the fact
- Fragmentation of capability to manage specific risks
- Entity v System Focus, resulting in organizational stove pipes
- (Unrecognized) Interconnectedness, concomitant with today’s complex systems
Power then turned to the challenges for Business Continuity Management in the enterprise:
- BCM has historically been disempowered, considered overhead and not a value-generating part of the business
- The slow emergence of operational risk
- Weak institutionalization, stemming from the perception that BCM has only an operational or technology focus
- Weak accountability within the enterprise for low probability-high impact events, which are the bread and butter for BCM
To respond to these challenges, Professor Power proposed a number of solutions:
- Establish and formalize the Three Lines of Defence: Business, Corporate Risk Management, and Internal and External Audit. These lines are graphically depicted at Figure 1.
Figure 1 – Three Lines of Defence
- Identify the scenarios under which your organization will fail . . . completely, and then decide what will be your strategies to recover from catastrophic loss
- Establish a risk culture – the ability to think of alternate futures and build action plans around them – where:
- The authority for risk and control functions are clear
- There is a respect for controls
- There is close attention to incentives risk
- Accept that you can do your best, but there is still a chance for failure
- Recruit charismatic BCM leaders
- Build the narrative of BCM’s value generating capacity:
- Embed resilience as a core organizational value and ‘BAU’
- Circulate stories of success
- Create the discourse, incorporating the performance nature of language: if you talk in a certain way, it will happen
- Incentivize collaboration: when the world is moving against you, to succeed, collaboration must increase.
Professor Power’s presentation resonated with me because the content was consistent with my experience. First, there is a common bias toward a programme, or entity, approach over a system approach. This in turn complicates the management of operational risk, which can only be done effectively by an enterprise approach. Second, it is ironic that fragmentation features in a field – emergency management – in which consolidation is almost always a good idea.
Third, there is a critical message implicit in the Three Lines of Defence: corporate BCM can support businesses prevent, prepare, respond and recover, but each business is responsible for their continuity and resilience.
Finally, BCM is a value generator. The focus of BCM is to find and preserve value within the organization. Executing this responsibility, connects BCM with all parts of the enterprise, inevitably generating serendipitous effects that are typically of significant value. Any time you have a conversation around risk, good things happen.
- Organizational resilience at the United Nations Secretariat (buridansblog.com)
- Reflections on BCM World 2013 (crisisthinking.co.uk)