Monday, 24 December 2012
As it’s the end of the year, I have a gift for you. My top tips for delivering business resilience and security strategy.
1. Know your customers (internal and external) and provide them the results they need.
2. Ensure business resilience outcomes align with the business strategy and as relevant any other operational plans
3. Find other resilience and security champions and leverage each other’s expertise
4. Don’t fall victim to crisis hopping – make some space to think and plan strategically.
5. Find your biggest detractors, work out why and seek to bring them around by delivering them value. These people will become your biggest supporters if you can achieve this
6. Enable others to champion resilience and security, remember that effective security and resilience involves integration throughout the business
7. Ask your CEO what resilience means to them, what their concerns are and what they want out of your program.
8. Establish a three year exercise and training program – this will help focus on delivery milestones, budget and stakeholder involvement. You will be on the front foot
9. Engage with other professionals to broaden your horizon. A friend once said to me Iron sharpens Iron.
10. Do something interesting with your resilience delivery next year– think outside the box.
Merry Christmas and Happy New Year!
Wednesday, 19 December 2012
I found myself thinking about training a bit over the past week. Training takes a lot of time to prepare and deliver but more the point, it takes up time of those you are training. How can you demonstrate the expected value?
I can recall many occasions where I have been at a training and awareness session about something and have walked away feeling disengaged and bored. Typically this experience is coupled by a rather dull subject which is delivered via PowerPoint with 20 or so dot points in 12 font crammed onto each slide. It’s a good time to reflect on your own training delivery.
We often deliver induction training, continuation training or refresher training using PowerPoint or similar as an expeditious way to get the message across in the limited period of time because:
1. It can be prepared relatively quickly
2. The training package can be used more than once
3. Everyone else is doing it – right?
Are these reasons good enough? Are there other reasons to run training this way?
Despite the validity of reason #1 and #2 – I do often use PowerPoint (let’s say reason #3 is invalid unless we are lemmings). The problem may still be getting people to attend the training and making the training interesting enough for people to stay (or come back next time). Here are some tips:
1. Mix it up from time to time and deliver the training without PowerPoint. Instead, use a whiteboard, smart board or flip charts
2. Get the participants involved (see tip #1)
3. If you use PowerPoint, reduce the number of points on each slide
4. Break the presentation down into bite size chunks and discuss or have a quick-fire question and answer session after each section
5. Include slide animations and interesting (relevant) images but don’t go over the top with the animations as it can detract from learning
As a final tip, it is also useful to provide a training feedback form with questions on the content and delivery so you can further improve next time. Don’t become the victim of cookie-cutter training! With a little bit of effort or forethought, your training can deliver on intended outcomes and be interesting.
Tuesday, 4 December 2012
Business resilience can complement change management initiatives and programs. So what does business resilience have to offer the organisation that wants or needs to change?
Business resilience is focused on business success (or at least it should be). As an organisation goes through a change program and refocuses on core business (for example), there is an opportunity to partner with the business leaders and other staff to identify changes to business processes, values and behaviours that lend themselves to adaptive capacity, flexibility and agility in the face of turbulence.
Some questions to think about when coupling change management with business resilience may be:
· What is the key outcome of change and how can I ensure business resilience is tailored to meet this outcome?
· Is there an opportunity to influence workforce values by including ‘flexibility’, ‘adaptability’, ‘resilient’ or ‘innovative’ along-side other core values in the business plan?
· Can efficient business resilience investment enable a leaner, outcome focused organisation which can manage risks and deliver business success?
· Are we more agile and can we change direction faster as a result of streamlined processes and structures - if not what do we need to do so we achieve this?
These questions, and others like them should be explored at the scoping stage of the change management initiative. It is then up to you to adapt your own thinking and approach to meet organisational needs through resilience. Business resilience should not just be about sudden shocks such as natural disasters and economic crisis. It is also not only about emergency response or business continuity. Organisational resilience must rise to the challenge by providing and creating value through change management and become part of business strategy.
Sunday, 11 November 2012
Risk management should always support business goals. While risk management activities happen across and throughout most businesses, it may still not be effectively integrated. You may be thinking that ‘my risk management program is integrated’ or ‘We take a systems approach or have a process in place to ensure key operational, functional and corporate risks are well understood and communicated to management and the Board’ ‘. If you are, that’s a great starting place; but what are you doing across your supply chain and with your key stakeholders? How is risk management supporting shared outcomes and deliverables? Are you investing enough time in understanding your key stakeholders and their drivers, risk appetite and vulnerabilities? How well do you understand the relationship between your organisations’?
If you have not reflected on these questions, now is the perfect time to start! We live in a connected world and every organisation has some degree of shared risk. If we ignore the shared risks, we fail in risk management; experience more adverse events and miss critical opportunities. It may impact your bottom line, result in delayed projects or undermine customer or shareholder confidence.
Think past your organisation, think past your supply chain and embrace your stakeholder network of relationships, interdependencies and outcomes. It is a challenging proposition but it will take you on a journey that will add value to your organisation and expand your own professional horizon.
Don’t expect a smooth journey without differences, hurdles, competing interests and values. Recognising these will help establish the rules of engagement. Shared risk management requires genuine business partnership and investment in understanding. Integrated risk management also requires a shared process that can be driven to support own business outcomes and shared outcomes with stakeholders where interests intersect.
How do you champion shared or network risk management? I will be writing more on this in the future but would also like to know your thoughts and experiences.
Tuesday, 14 August 2012
In a crisis, we don’t just react blindly to the stimulus in our operating environment – unless we have a morbid fascination with failure. We also should not become paralysed with indecision because a problem is too difficult, we don’t fully understand it, or we don’t like the solution. We need to invest in understanding and risk intelligence.
Good risk management is widely accepted as necessary for business as usual and for helping ensure an organisation is resilient to turbulence and sudden shocks. During a crisis, the need for good risk management is also paramount to success.
Every crisis has the potential to result in tangible, intangible, operational or reputational harm. When we develop understanding and use that understanding, a crisis can be overcome and impacts minimised – or leveraged in the case of opportunity.
What we need to do when crisis hits is to refresh our understanding of our changed (and changing) context to determine:
o How are our staff affected?
o What condition are our services and supply chain?
o How are our other resources?
o What has been the reaction of our key stakeholders?
o Are our objectives still relevant or have they changed?
o Has our risk tolerance or appetite changed?
o Do we need some supplementary objective to address this turbulence?
o How much space do we have to find the issues/solutions?
o What do we need to understand and what resources are available to maintain that understanding?
There are many other factors to consider in understanding the evolving context of your own organisation in a crisis. As crisis leaders, complexity is an issue that needs to be tackled on an ongoing, dynamic basis.
After we have done this quick assessment are we ready to launch into action?
The answer is both yes and no……..
The reality is that your emergency and crisis plans will already be executed which is great – but don’t think it is the end of the line. You still need to understand the unique complexity of the current situation, identify and manage risks – and yes, every situation is characterised by unique complexity even if a particular type of hazard has impacted your operations many times before.
Understanding is a journey not a destination, in the new context, we need to refresh our understanding of risks we have previously identified, but also identify new risks in the current context. These new risks may have a positive (opportunity) or negative (adversity) impact on objectives. These objectives may be both standing organisational objectives and new objectives developed in response to the crisis. They will also interact in both known (as you have identified) and unknown ways (requiring an adaptive response).
Like a house, success starts with good foundations. In a crisis, when we are most prone to react, follow our intuition and bias we need to step back, create some space and understand - invest in risk intelligence.
Saturday, 4 August 2012
Everyone has heard the saying - can’t see the forest for the trees right? Certainly the ability to see the big picture when setting the business strategy is critical for any business to succeed. This is also a critical success factor during turbulent times. A crisis requires the leadership to step back and understand the internal and the external environment in the face of significant white noise and high tempo activity. They can’t do that if they are into the detail. This results in tunnel vision and target fixation.
What they do need however, is supporting teams, people who can focus on the detail, understand the mission and understand where they fit into that. This is powerful because it allows those staff to pick up on the leading indicators on something that could go wrong, often being able to take the initiative and prevent escalation.
Likewise, when already in crisis, the people on the ground are vital to success as they feed up information on how well the strategy is being executed and, if it is not working, where it needs to be adjusted. The value of such synchronicity needs to be identified and fostered as a critical success factor in the resilient organisation. This is also a part of good risk management and ultimately risk intelligence and success.
Leaders need to be careful that not everyone in a crisis is focused on the forest. Tactical sentinels are needed, constantly scanning, not the horizon, but the forest floor. They need to make sure the crisis leadership team doesn’t trip over the partially buried rock at their feet.
Business Resilience relies on a shared vision, mission and values but devolved execution with synchronised focus on the forest, the trees and the ground.
Tuesday, 24 July 2012
In my first blog post back in May 2012, I defined resilience as the capability, capacity and will to succeed by anticipating risk and reorientating for survival and advantage in the face of adversity both seen and unseen, known and unknown.
Exploring this definition we can further break it down as follows:
‘The capability to succeed - Having in place the right people, systems, tools, processes and functions to meet the persistent challenges of adversity (seen and unseen, known and unknown). These capabilities must include effective programs for risk management, business continuity management, emergency management, security risk management and organisational development. Capability must be focused on the required business outcomes, including the resilience of the organisation and the supply chain.
The capacity to succeed - Being able to use our capabilities and will to create, or expand and use our available space to achieve our required (and desired effects). This capacity includes making room for flexible and adaptive response using the available resources and capabilities in the face of unexpected disruption and turbulence. Capacity is further optimised by using the space to persistently scan for and understand risks (both current and emerging) regardless of the shocks, turbulence or disruptions that are about to occur, have occurred or are occurring. Risk intelligence will help maximise that space. Capacity is further characterised by finding the ‘sweet spot’ between a lean capability and crisis capacity. This ‘sweet spot’ is achieved through risk intelligence, adaptive planning and ultimately, good business decisions.
The will to succeed – having the leaders, staff and stakeholders who understand both the environment and the objectives and who are agile and responsive in the face of change and unprecedented adversity. The will to succeed manifests in a way that organically promotes synergistic effort and results (aligned with the objectives) between the leadership and staff in the organisation, supply chain and sphere of operations and influence. This will to succeed must be embedded in the organisation’s culture and leadership. The will to succeed is characterised by an intrinsic understanding of the mission, vision and values of the organisation and its leaders. Trust must be pervasive otherwise the will to succeed will be under-nourished, diminish the will to succeed, reduce the effectiveness of our capabilities and force a reactive response.
In many ways capacity, capability and will make up a resilience triangle where if any one of these three components are missing, the organisation's level of resilience will be deficient. Resilience is critical to business success. There are many definitiions around resilience but I hope this adds to the discussion.