Risk management, strictly speaking – success factors of support

Author: Manu Steens

An organizational structure, a decree or law, one or more measures, … must be supported to succeed. To be supported, they must be recognized. (I have no criterion to say in which cases this model is at all relevant; for that, a study of successful and failed businesses should be done in hindsight.)

Recognition in itself, however, is based on four success factors:

  • legitimacy,
  • cohesion of the target group due to proximity with civilians / the employees of the organisation,
  • effectiveness with purpose and perseverance,
  • authority.

These four pillars are interdependent. If you remove one leg from the table, the other legs will come along and the table will fall. So you cannot actually view them as independent. For the sake of the further discussion, I do that here anyway.

One thing that seems to be clearly supported is the EU regulation of the GDPR. Something that does not seem to be supported is the Brexit. Let us therefore illustrate this idea with these two cases.

Success factors of support applied to the GDPR.

  • Legitimacy: The GDPR legislation was imposed by the EU and applies to all EU countries for implementation.
  • Cohesion of the target group through proximity: The EU countries are interdependent because they are related to the EU, but also because they have free movement of people, which implies that people can enjoy similar legislation while traveling in the EU. At the same time, the EU is for the most part a coherent whole, as a result of which the countries are coherent in terms of supporting the legislation. Proximity is perhaps best illustrated by the fact that EU citizens have recognized the legislation as something that concerns them very much. It belonged very quickly to the
  • Effectiveness: A true Barnum-style advertising campaign has been conducted for the GDPR, pointing out that this legislation applies to the citizen. This was so effective that the people of the EU and the organizations are aware of their rights. And in the very short term jobs have been created: e.g. lawyers specializing in GDPR, but also DPOs, courses, …
  • Authority: There is also a place in the legislation itself for punitive measures in case of non-application of the law by the organizations in the EU. Also, auditing capabilities were provided. Partly as a result of the possible effect of the hammer, many organizations applied the law, and there was a great sense of “doing something about it”.

Conclusion: due to the Barnum-style advertising, this legislation was strongly founded on these four success factors, so that it could actually only succeed.

Success factors of support applied to the Brexit.

  • Legitimacy: It came about through an unclear referendum with a majority “behind the comma”. There is total division within and across the political parties and within the people. The British Prime Minister was therefore completely in a gap of uncertainty. None of the proposals from the EU or the British themselves was accepted by a clear majority.
  • Cohesion: The British are divided. The votes for and against are neatly divided and without clear coherence. Many people, together with their politics, attach great importance to their sovereignty. Others opt for the possibilities that a cohesive Europe together with the British could mean. The connection is lost. The division is down to the granular level of the population.
  • Effectiveness: Due to a great deal of uncertainty, all proposals about the Brexit in a reasonable manner were As a result, it is regularly postponed. As a result of that, it is unclear how, if and when the Brexit will be a fact.
  • Authority: The Brexit could turn out differently from day to day in a new referendum. There is also a difference of opinion between, for example, the Scots and the rest of the British. In addition, the British regularly state the historic words of Churchill that “GB is with the EU but not of the EU”.

Conclusion: The Brexit cannot be called a success.

Resilience strictly speaking – Disaster management: Red Ants, Gray Rhinos, Black Swans, and the relation between BCM, Risk Management (RM) and Crisis Management (CM)

Author: Manu Steens

A first question I ask myself: how do these concepts relate to one another?

The following figure of disasters can offer a solution: this is about known knowns.

This table provides a minimalistic sketch as an answer to the question “What can Disasters be like?”

In addition, there are Unknown Knowns such as the Gray Rhinos.

These are things that are coming at us and that we know are there, but that we choose not to see, or forget about.

Gray Rhinos are not divisible into well-known or poorly known probability and impact. The impact is great. The probability is great. They are always well-known in terms of probability and impact, and thus fit within the quadrant of Disasters, as follows:

Known Unknowns also exist. These are things that we know are there, but we do not know exactly what they are. Therefore we cannot treat them. They cannot be classified with a probability or impact. The consequences may or may not be known. The same goes for the odds. If the consequences are large, but not actively known, and the probability is estimated low, but the event suddenly occurs without any expectation of it, we speak of a Black Swan. The turkey does not know why the farmer always gives him food, but could have suspected it from a suspicious “Why” question. But the turkey does not know about the Christmas party, and cannot really assess the probability.

Finally there are Unknown Unknowns. We do not know that we do not know them.

Not only do we not know the probability and the impact, we do not know the event, we do not know the reason, we do not know the consequences. So we cannot give a foresight example of this, unless we look back on the past (hindsight). Was it right of the priest to save Adolf Hitler from drowning, when he had fallen through the ice as a child?

It is the intention of Resilience management to get to know as many of these four groups as possible and to push them back within the possibilities of the disasters square.

This provides a possible way to frame resilient needs. Where is CM, however? The answer is: everywhere. In all 4 groups, CM actively takes action when a threat manifests itself. Because the known knowns are best known, it is always an advantage to elaborate and prepare RM.

Question 2: what are historically the added values of BCM, RM and CM?

The added values already known for these three disciplines are:

  • Compliance with legislation and with clients
  • Protection of the reputation of the organization and the strength of the brand
  • For the time being: competitive advantage
  • Operational improvements
  • Capturing the knowledge and experiences
  • Value protection

Question 3: what are the “new” added values of BCM & RM?

The new added values according to ISO 31000 are:

  • Value creation, and therefore also
  • Included opportunities

Value creation

  • By studying the threats in new and existing projects and processes, these threats can be tackled, so that the projects and processes proceed with a greater probability of success and with lower costs in the aftercare phase.
  • This also increases the quality of the output and the outcomes, enabling a stronger positioning in the market, which attracts potential customers.
  • This immediately improves the reputation, creating a positive spiral that reflects in a better market value of the organization and generates a positive effect on the stock market.
  • By applying RM in its projects, the government organizations will mutatis mutandis create added value on a social level, which also means more income for the governments and thus create a positive value spiral for society.

Included opportunities

  • When an opportunity presents itself, it can be recorded correctly, in the sense that the risks run by the organization are known and can be tackled in order to optimize its probabilities of success.
  • Because RM has an ‘outlook’, threats, but also opportunities, are better and faster seen.
  • Because there is systematic reporting that is integrated into all layers of the organization and into the processes and projects of the business, policy makers can assess the opportunities correctly, and do so better and faster.

These added values also apply to BCM.

Question 4: what is the most important added value of CM?

What I really want to know is what is expected by the co-workers and by society.

People expect more and more from organizations. They desire certainty in uncertain times. This is what the organization has to do:

  • Deal with the threat
  • Meet the urgency
  • Fight the uncertainty

Deal with the threat

Threats are relative and personal. There are also general threats that affect us all. Perhaps the best example is terror. Although terrorist attacks claim far fewer casualties than fine dust does year after year, terror affects people personally through the choice of method, place of occurrence and timing. The perpetrators choose these well to maximize fear. This fear touches everyone personally, because there is arbitrariness in where, when and how one can become a victim. Society does not know, and as a result, every one of the potential victims directs their anger at the perpetrators.

Meet the urgency

Urgency is personal. A potential crisis that affects you personally is usually urgent as long as you are still hoping for opportunities to escape from it.

Fight the uncertainty

The organization mainly does this by making a division into operational management, communication management and strategic management.

With operational management the organization can show that the problem is being addressed. Counter actions take place and there are claims to be observed. With strategic management the organization can do sensemaking, and give people an understanding of where they stand. The organization can also indicate its actions and explain the reasons for them, including its liabilities, and learn lessons to avoid the problems in the future. With communication management, the organization can make itself heard about the situation, that it is working on the problem, and what the expectations are.

Question 5: And now this: What about Red Ants?

Is this yet another invention to describe risks? No, actually not. It is a disaster type that is naturally present: incidents with small to moderate impact and small to high probability, but with the possibility to grow into a Black Swan or a Gray Rhino very quickly.

  • Black Swans (Nassim Nicholas Taleb): very small probabilities, very big impacts.
  • Gray Rhinos (Michele Wucker): very big probabilities, very big impacts.
  • Red Ants: very big probabilities, smaller impacts.

Often Red Ants are the small incidents without major consequences that warn of imperfections in the safety of a system or organization. Usually a large number of Red Ants precede a Gray Rhino or a Black Swan. Besides being an annoying phenomenon in the field of security that requires a lot of firefighting, Red Ants therefore have a serious warning function. The message is: find the root cause and tackle it thoroughly, otherwise sooner or later really big accidents will happen.

Every “animal species” is therefore to be taken seriously.

Question 6: And what can you do about it?

Well, let’s present this schematically in the disaster management table:


  • CM Exercises are the most necessary aspect in disaster management.
  • Risk management includes preventive measures and protective measures (by analogy with the bow-tie analysis method).
  • Uncertainties have the characteristic that probabilities are poorly known but the impacts are better known. Usually because causes are poorly known. As a result, there is a particular need for protective measures.
  • Ambiguities have the characteristic that impacts are poorly known but the probabilities are better known. Usually because consequences are poorly known. As a result, there is a particular need for preventive measures.
  • In the event of unknown probabilities and impacts, the focus must be on the lookout, to estimate unexpected matters in a timely manner and to incorporate measures in the policy of the organization on a continuous basis.

Crisis management strictly speaking: mini exercises

Author: Manu Steens

In the context of training, both large and regular small exercises are very important. The main objective of these 30-minute exercises is to learn to work together in a crisis situation. The emphasis is therefore also on getting to know each other in these kinds of circumstances. But also to learn to brainstorm together.

Here are some small exercises:

Crisis management strictly speaking: Some FAQ

Author: Manu Steens

What is a crisis and what is not?

A crisis is an incident that an organization can no longer solve through its normal operations. The Crisis Management Team (CMT) then takes over the management of the problem and communicates with the Crisis Communication Team.
What are not crises? Everything that can be handled with normal operations: issues and incidents, if there is no wrong intention.
An issue is a small thing that the organization processes through day-to-day operations of a team of the organization. There is no negative impact for the organization. There is no event yet.
An incident is an event with a negative impact on the organization that is solved by the day-to-day running of one or more teams.
An issue can evolve into an incident. An incident can evolve into a crisis. But an issue can also evolve very quickly into a crisis. One crisis can develop on the sidelines of another crisis.
An event with malicious intent is always a crisis.

How does a crisis originate?

There are 4 types of origins of crises: (United States Secretary of Defense Donald Rumsfeld)
1. Known knowns
2. Unknown knowns
3. Known unknowns
4. Unknown unknowns.

The first two are called “Gray Rhinos” in the literature. These are things that we know and are ordinary (known knowns). Often we simply forget that they are there (unknown knowns), until they are nearby and overwhelm us. (Unknown known can also mean that one does not want to face the problem.)
The latter two give rise to what is called in the literature the “Black Swans”. People know that something can go wrong but do not know what, where or when (known unknowns) (e.g. a terrorist attack, hacking, …), or one simply does not suspect anything despite extensive brainstorming attempts and the like (unknown unknowns). The latter are considered the most dangerous because they can easily disrupt the organization completely.
Often something seemingly innocent that attracts no attention triggers a crisis, after which a phase precedes the event, unless there is malicious intent. That is why one must continuously look at relevant matters internal or external to the organization. This can be done with key performance indicators or key effect indicators, or with e.g. early warning systems.

How does a crisis work? And what types of crises are there?

A crisis has various phases. Almost every crisis proceeds as follows:
1. A soft subcutaneous or suppressed phase leading up to an event with strong negative impact. (Phase before the event or prodromal phase).
2. The sudden event that is typically very short and has a strong negative impact.
3. The post-event phase where the negative impact takes a reasonably long time. In this phase, the operations of the CMT, CCT, CCP, CMP and BCP usually start. The time-critical processes are started on the BCP. Afterwards the essential processes and necessary processes will follow. All this is done at a predetermined minimum level of functioning. One must try to keep this phase short.
4. The recovery phase in which one goes back to an operating level of before the phase preceding the event. This can be done in the old way, or in a new way. The rule “Never waste a good crisis” applies here. By recovering you can do new and better things. Sometimes, however, people have to perform harder for a while during this period in order to get rid of overdue work.
5. Aftercare phase. Here the details are worked out. Afterwards, the process resumes its (new) normal (or improved) operation.



We note that there are two major types of crises with this trend, namely 1) the historically known crisis types (with a possibility of more or less systematic approach) and 2) the new unprecedented crises (for which no plan exists). As a new unprecedented crisis type occurs once or several times, it joins the historically known crisis types because experience allows for a planned approach. Pattern recognition occurs in the members of the CMT, CCT and CRT.

How can you prepare?

The Romans knew: “Whoever wants to keep the peace must prepare the war!” (Flavius Vegetius Renatus in his Epitoma rei militaris: “Qui desiderat pacem, bellum praeparat”) and the same applies in business: who wants to preserve continuity must prepare the crisis.
That is one of the reasons to work on resilience of the company, including through BCM and risk management. There are techniques that produce a business continuity plan, help create emergency plans and describe methods of risk analysis and risk management approach.
Both these practices mention crisis management. For both the following things are worked out:

1. Setting up a crisis management team (CMT), Crisis Response Team (CRT) and crisis communication team (CCT).
2. The crisis management plan (CMP).
3. The crisis communication plan (CCP).

One of the most important goals of the preparation is being able to apply the principles. Training, testing and practicing of the CMT and the CCT are therefore not unimportant at all. This has to be done at both operational and strategic level with which one can test the different roles, the leadership requirements and the cooperation possibilities (also with third parties across borders). So one must practice both the historically known crisis types and the new unprecedented crisis types. The first are testing the plans, the second mainly the leadership requirements. Both test the cooperation possibilities.

It is a crisis, what now?


-> Notification: how do you know? And who do you notify?


Everyone in the business unit has the right and duty to report a crisis. Many eyes and ears know more. The report to the crisis team can best be structured as simply as possible. That is why it is best to keep the channels as short as possible: it is best to give everyone of the CMT reporting duty directly to the chairman of the CMT or to the person who is on duty at the CMT. If the organization has access to an early warning system, the CMT should also keep its finger on the pulse.
The chairman or the person on duty of the CMT informs the members of the CMT and CCT. A notification can also very typically come from the CCT, because they have a very clear view on what happens externally.


-> Priorities: what is important, and what is most important?


There are many important issues when dealing with a crisis, such as (in random order):
– political interests, inside and outside the organization,
– environment,
– laws and regulations,
– financial interests,
– economical interests,
– energy supply,
– reputation,
– Others ….

However, the most important top three focus points of internal crises within the organization are (in order of importance):
1. the people of the business units and in the buildings of the organization,
2. the buildings and facilities including ICT,
3. the processes of the business units.


-> IBOBBO: how do you tackle a crisis?


IBOBBO stands for:
– Informatiegaring (Information gathering)
– Beeldvorming (Imaging)
– Oordeelsvorming (Judgment)
– Besluitvorming (Decision making)
– Bevelvoering (Command)
– Opvolging (Follow-up)
This allows you to create an agenda for the operation of the CMT. It is also a blueprint for a crisis management plan (CMP). To make it a project, a start-up phase and a final phase can be added: the triggering of the crisis and the aftercare phase.


-> Who expects what from you?


The CMT and the CCT can best think about and write down the roles and responsibilities of the employees within the CMT and the CCT in advance. Pay attention! This list is not exhaustive and must never be interpreted restrictively. In short, it is the responsibility of the CMT to ensure that all measures required to exorcise the crisis are implemented quickly. It is also the task of the CMT to treat the recovery phase as a project and to guide it in the right direction. In this, the CMT acts as sponsor and appoints a project leader.


-> Aftercare, what is that?


Aftercare is dealing with the details. It is doing what you could pay little attention to at the low point, during the bustle of the crisis. It is to ensure that the crisis mode is completed, and that people can return to business as usual. It is the completion of the recovery phase.


-> A common thread: Play Jazz


No one can handle a crisis alone. That is why collaboration is necessary. In the heat of the battle, the ears and eyes of the members of the CMT must remain open to know who is the best to make a move. The person who sees the possibilities must be able to present these moves briefly and be able to execute them quickly. Speed in all aspects of consultation and action is often more important than completeness. Acting on each other is therefore extremely important. Crisis management and crisis communication practice is therefore not a luxury, neither on operational nor on strategic level. That is why not only one large exercise is useful; to get aligned with each other, many smaller exercises are useful too!

Not unimportant: what if the crisis grows over you?

-> If the need is too high, the overarching CMT is close.


If the CMT of the affected business unit cannot solve the crisis alone, it can call in the assistance of the overarching CMT of the organization as a whole. There is an escalation schedule for crises within the organization. Because the overarching CMT then takes on the responsibility of managing the crisis for the entire organization, it will always be useful to inform the overarching CMT in any crisis, so that it can already go into pre-alarm if deemed necessary.