Rule 1 – Have a Plan and Stick to It
Have a big fat plan. Not a strategy. Make sure you have a very long and detailed plan, with lots of diagrams and annexes, written several years ago by your business continuity specialist or a consultant who has since moved on. The plan should give precise instructions about what to do in a range of specific situations, none of which will apply when the next crisis strikes. If a crisis does arise, shoehorn it into one of your existing scenarios and stick to the plan. Your persistence in sticking with the wrong plan will reassure your colleagues; it will also reflect a universal psychological predisposition known as sunk-cost bias, which is what keeps us digging when we have invested heavily in digging a hole.
Rule 2 – Take Comfort from Your Risk Register
Make sure you have a huge spreadsheet, constructed several years ago by your risk management specialist, setting out a very large number of overlapping and ambiguously defined risks that no one is really concerned about anymore. This register must be ritualistically reviewed by the board twice a year, preferably at the end of a long day’s business. The focus of the board review should be whether the chart has three or five colour options and whether the columns are in the right order. Boards should not get bogged down in details such as understanding the risks or how to mitigate them. Your auditors and insurers will get a warm feeling merely from knowing that the risk register exists.
Rule 3 – If in Doubt, Do Nothing
When the signals suggest that a genuine crisis might be looming, or that a crisis has actually erupted, do not act too quickly. In the opening phase of most major crises, no one is certain what is going on and what will happen next, so it is prudent to wait until it is obvious what to do. If you move quickly to head off the crisis, you might be embarrassed if it turns out that the situation was not as bad as it seemed. A crisis is like a volcanic eruption. If you live near an active volcano you know that one day it will blow, but you do not know when. The trick is to be alert to any warning signs and then wait to see what happens. If you grab your bags and run, then everyone will think you have panicked. In the unlikely event that it really was an eruption, your death will save you from humiliation. The safest approach in all crises, especially the really big ones, is to wait and see what happens. It will probably be ok.
Rule 4 – Ignore the Really Big Risks
We all know that there are some risks which, if they were to materialise, would cause devastating harm. The coronavirus pandemic has reminded us of one such risk and there are plenty more besides: the severe space weather event that knocks out communications and electricity grids; the floods, storms, diseases and other consequences of climate change; the cyber meltdown that clobbers global cloud services; and, of course, the next pandemic. But the chances of one of these risks materialising on your watch are small. And do not forget that if one big risk has just materialised then it is impossible for others to happen at the same time. The best policy is to ignore these big uncertain risks and keep concentrating on the familiar high-likelihood/low-impact risks that are much less alarming.
Rule 5 – History is Bunk
There have been many major crises and disasters in the past, from which organisations and governments have learned lessons. Your own organisation has probably survived a few moderate crises itself and may even have captured the lessons in reports. Nonetheless, if you are faced with a really big crisis, you should not waste time reading old reports. Instead, act quickly to implement your big fat plan. Your staff will be reassured to see leadership in action, so run around with your hair on fire, making it up as you go.
Rule 6 – Have Faith in Quantitative Risk Models
Base your risk and resilience planning on a highly complicated quantitative model that was originally developed to manage credit risk in the banking sector. As the 2008 global financial crisis showed, banks have fool-proof risk management systems. The more decimal places and references to ‘AI’ and ‘algorithms’, the better. You do not need to understand the model, because you have an expensive risk adviser to assure you that it works. Take no notice of the fact that there is little or no actuarial data about the really big risks – those potentially catastrophic risks that happen infrequently or have never happened at all (yet). You are ignoring those risks anyway (see Rule 4).
Rule 7 – Do not Bother with Testing and Exercising
Ignore the nagging feeling that you ought to find out whether your business continuity plan actually works. The key thing is that you have a plan (see Rule 1). Testing and exercising are inconvenient and you have more immediate priorities. Worse still, you might learn something that would force you to modify your plan.
Rule 8 – Stay Focused on Immediate Returns
The only thing that matters for your organisation is return on equity in the next few quarters. Resilience (whatever that means) costs money and does not feature in your accounts. Your auditor takes no notice of it, so do not waste money on it. If you do spot an inescapable risk, dump it on your partners or suppliers. The only key performance indicators that really matter are efficiency and productivity, so keep squeezing your supply chains and eliminating stockpiles.
Rule 9 – Do not Bother with Semantics
Do not waste time clarifying what is meant by ‘resilience’, ‘risk’, ‘threat’, ‘crisis’, ‘disaster recovery’ or ‘business continuity’, because they all mean more or less the same thing. They are all about trying to limit the damage after something bad has happened. Some pedants suggest that there are two very different kinds of resilience: the conventional but feeble ‘passive resilience’, which is about trying to return to business as usual; and the much superior ‘active resilience’, which is about continually learning from experience and becoming progressively tougher over time, a bit like muscles after exercising. But you do not have time for abstract conceptualising. Passive resilience is fine.
Rule 10 – Ignore the Human Dimension
Disregard all that psychological stuff about how people think and behave. According to psychologists, we all have cognitive biases and predispositions that systematically distort how we perceive risks and respond during crises. Apparently, something called ‘optimism bias’ makes us prone to wishful thinking, while ‘availability bias’ makes us dwell on risks that come easily to mind, like those we have just seen on social media. Then there is ‘present bias’, which makes us worry more about current risks than future ones, even when the future risks are much bigger, such as climate change; ‘confirmation bias’, which makes us ignore information that does not fit our existing beliefs; ‘groupthink’, which makes us conform to the majority view, even when it is evidently wrong; ‘hindsight bias’, which makes us wise after the event, and so on. But this is all fluffy stuff, so do not get distracted. Scientists would also have us believe that we are flesh-and-blood organisms whose judgement and functioning are impaired if we are deprived of sleep. Nonsense! With enough camp beds, strong coffee and Mars bars, we can keep going indefinitely.
Rule 11 – Leave Everything to the Specialists
Leaders are there to provide strategic leadership, not spend time contemplating risks or managing incidents. The best arrangement is to leave everything to specialists, who may report occasionally to the board. Your business continuity planner should produce the plan and your risk management expert should manage the risks. In the unlikely event that a crisis does arise, your crisis management team should step in and manage the response. Leaders should stay out of the way (which is just as well if they do not understand the risks or know the plan).
Rule 12 – Keep Moving People About
One of the most important goals for any organisation is to demonstrate HR best practice. And if there is one thing that HR best practice has shown, it is that organisations work better and become more resilient by ensuring that no one stays in their role for long enough to get weighed down by knowledge and experience. Crises are best managed by people who are new to their job and do not know each other.
Rule 13 – Do not Invest in Relationships
During crises, organisations and governments suddenly become highly dependent on their relationships with others. A good time to start developing and nurturing those vital relationships is after a crisis erupts. There are plenty of consultancies out there with accredited experts and you can always get hold of them if you really need help.
Rule 14 – It is All Quite Simple
When thinking about resilience and crises (which are essentially the same – see Rule 9), remember that everything can be explained in terms of a simple, linear chain of cause and effect. Economists, politicians, pundits, astrologers, investment advisers and other experts who are good at accurately predicting the future may not always agree about precisely which cause is responsible for which effect, but that does not matter. You should ignore ‘systems thinking’, which claims that we live in highly networked societies and that major crises typically unfold in shockingly fast and non-linear ways. An experienced leader knows that for every complex problem there is a simple answer, which is to remain optimistic.
Paul Martin is a Distinguished Fellow of RUSI and author of The Rules of Security.
Jonathan Evans (Lord Evans of Weardale) is a Distinguished Fellow of RUSI.
The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.