Creating a resilient culture – readiness in an age of permacrisis.
Updated: Dec 2, 2022
Image sourced from BBC – Reuters Copyright
A conversation about Organisational Resilience
With the Collins dictionary declaring “Permacrisis” the word of the year for 2022, this blog takes a different approach. I’m often asked questions about resilience and culture and leadership so thought I’d replay a few common questions and my responses to them.
Resilience is a common buzzword – what does it mean to you?
Simply put, “Resilience is the ability to absorb shock, and to bounce forward better.”
The pandemic showed us that we were woefully unprepared, in every way, as a society for a hazard of that magnitude. Our plans and planning assumptions were very quickly no longer fit for purpose. The speed, scope and scale of the hazard and its impacts had not been truly imagined.
We now recognise that the world we live in relies on complex inter dependencies. We are seeing these impacts from Covid, Cyber, Conflict and Cost of living. Leaders have a hugely important role to play in enabling organisational resilience. Change happens slowly, then blindingly fast. And it's happening faster all the time.
What sorts of leadership styles and approaches set the tone for effective risk preparedness and business resilience?
o Authoritarian top down approaches are typically blind to operational risk and the facts on the ground. No one speaks up and risks get hidden. Some of the biggest risk management and corporate governance failures haven’t appeared on risk registers. Examples include VW diesel emissions, Boeing 737 Max, Post office IT failure and EY being fined £100m for auditors cheating on their CPA ethics exams!
o Effective preparedness needs consultation and trust so a consultative approach and supportive culture that focuses on improvement and reliability are essential. This is driven by two things:
* Firstly, a recognition that preparedness is cheaper than response. Take the example of the £8.3 billion written off pandemic PPE in the UK. The UNDP estimate that for every dollar spent reducing disaster risk, seven dollars will be saved from economic losses associated with cleanup and recovery.
* Secondly, a willingness to learn and continuously improve. It is too easy, post incident, to just get on with the day job again. This is particularly so when working in environments that are continuously stretched – e.g., the NHS during prolonged incidents such as the pandemic. But incidents and near misses are a gift to risk managers – they allow you to review, to learn and to prepare more robustly. Performance athletes focus on incremental gains, it’s boring and hard work but they know it leads to better results.
How should those approaches play out in practical terms?
o Focus on preparedness:
* You’re talking business continuity and resilience already, every time you’re managing operational disruption. Stress this is not an additional task, it is Business As Usual. So go on and test that generator!
* Move the focus from just in time towards just in case – we need to have buffer stock and spare capacity to absorb shocks. Lean can be the opposite of resilient. Think about how sharing risk information may improve supply chain partnerships.
* Actively horizon scan - Explore reasonable worst case risk scenarios, they are often trailed in advance – pandemic, no deal Brexit, fuel crisis, energy blackouts, and then test robustly to identify failures.
o Focus on deepening understanding:
* Move away from risk registers serving as rear view mirror.
* Managers often spend too long worrying about filling in templates and risk scoring and not enough time deep diving risks and focussing on better risk conversations
o Focus on skills:
* Skills need to be practised continuously in order to preserve them. Automated systems that need little human interaction ironically deny the human operator the chance to practice the skills needed in an emergency. Think satnav failure and a return to map reading whilst driving! Redundant defences can cause system operators and managers to forget to be afraid” (Perrow, 1984)
* Little and often exercises – keep it fresh. Build muscle memory, agility, instincts and confidence through rehearsal.
o Focus on learning:
* Debriefing – There are simple methodologies for these including After Action Review, comparing expectations v’s actual. Centralise improvement actions and track them to completion.
* Think about the capabilities we need to respond – get the fundamentals right for little things and you will have got capabilities in place for bigger disruptions. Test your off site backups.
How can leaders get their people onboard with them on these critical areas?
o Demonstrate a willingness to learn - share lessons across departments and congratulate the originator for identifying them.
o Risk management is a team sport so focus on breaking down silos and joining up. Information security, business continuity, health and safety and insurance don’t deliver results when they operate in silos.
o Bottom up leadership - incidents typically happen out of hours when the most junior, often least trained staff are on duty. Focus on upskilling your first responders and duty managers. Initial incident response and stabilisation may have already happened before the Chief Executive brings together the Incident Management team, and it is this early stage where most damage occurs.
o Learning culture – cultivate learning into processes e.g. project reviews, post incident debriefs, performance appraisals, use incident scenarios in team away days to focus on the need to work together and foster a One Team approach. Praise learning and be open about mistakes- we are all human.