Resilience strictly speaking – Disaster management: Red Ants, Gray Rhinos, Black Swans, and the relation between BCM, Risk Management (RM) and Crisis Management (CM)

Author: Manu Steens

A first question I ask myself: how do these concepts relate to one another?

The following figure of disasters can offer a solution: this is about known knowns.

This table provides a minimalistic sketch as an answer to the question “What can Disasters be like?”

In addition, there are Unknown Knowns, such as the Gray Rhinos.

These are things coming at us that we know are there, but that we choose not to see, or that we forget about.

Gray Rhinos cannot be divided into well-known or poorly known probability and impact: the impact is great and the probability is great. They are always well known in terms of probability and impact, and thus fit within the Disasters quadrant, as follows:

Known Unknowns also exist. These are things we know are there, but we do not know exactly what they are. Therefore we cannot treat them. They cannot be classified with a probability or an impact. The consequences may or may not be known; the same goes for the odds. If the consequences are large but not actively known, and the probability is estimated low, but the event suddenly occurs without anyone expecting it, we speak of a Black Swan. The turkey does not know why the farmer always gives him food, but could have suspected something from a suspicious “Why?” question. But the turkey does not know about the Christmas party, and cannot really assess the probability.

Finally there are Unknown Unknowns. We do not know that we do not know them.

Not only do we not know the probability and the impact; we do not know the event, the reason or the consequences either. So we cannot give a foresight example of this, unless we look back on the past (hindsight). Was it right of the priest to save Adolf Hitler from drowning when he had fallen through the ice as a child?

The intention of Resilience management is to get to know as many of these four groups as possible and, as far as possible, to push them back into the disasters square.

This provides a possible way to frame resilience needs. Where is CM, however? The answer is: everywhere. In all four groups, CM actively takes action when a threat manifests itself. Because the known knowns are the best known, it is always an advantage to elaborate and prepare RM for them.

Question 2: what are historically the added values of BCM, RM and CM?

The added values already known for these three disciplines are:

  • Compliance with legislation and with clients
  • Protection of the reputation of the organization and the strength of the brand
  • For the time being: competitive advantage
  • Operational improvements
  • Capturing the knowledge and experiences
  • Value protection

Question 3: what are the “new” added values ​​of BCM & RM?

The new added values according to ISO 31000 are:

  • Value creation, and therefore also
  • Included opportunities

Value creation

  • By studying the threats in new and existing projects and processes, these threats can be tackled so that the projects and processes succeed with a greater probability and at lower cost in the aftercare phase.
  • This also increases the quality of the output and the outcomes, enabling a stronger positioning in the market, which attracts potential customers.
  • This immediately improves the reputation, creating a positive spiral that reflects in a better market value of the organization and generates a positive effect on the stock market.
  • By applying RM in its projects, the government organizations will mutatis mutandis create added value on a social level, which also means more income for the governments and thus create a positive value spiral for society.

Included opportunities

  • When an opportunity presents itself, it can be recorded correctly, in the sense that the risks run by the organization are known and can be tackled in order to optimize its probabilities of success.
  • Because RM has an ‘outlook’, threats, but also opportunities, are better and faster seen.
  • Because there is systematic reporting, integrated into all layers of the organization and into the processes and projects of the business, policy makers can assess the opportunities better, faster and more correctly.

These added values also apply to BCM.

Question 4: what is the most important added value of CM?

What I really want to know is what is expected by the co-workers and by society.

People expect more and more from organizations. They desire certainty in uncertain times. This is what the organization has to do:

  • Deal with the threat
  • Meet the urgency
  • Fight the uncertainty

Deal with the threat

Threats are relative and personal. There are also general threats that affect us all. Perhaps the best example is terror. Although terrorist attacks cause far fewer casualties than fine dust does, year after year, they affect people personally through the choice of method, place and timing. Terrorists choose these carefully to maximize fear. This fear touches everyone personally, because it is arbitrary where, when and how one can become a victim. Society does not know, and as a result every potential victim directs their anger against the perpetrators.

Meet the urgency

Urgency is personal. A potential crisis that affects you personally is usually urgent as long as you are still hoping for opportunities to escape from it.

Fight the uncertainty

The organization mainly does this by making a division into operational management, communication management and strategic management.

With operational management the organization can show that the problem is being addressed: counter actions take place and there are claims to be observed. With strategic management the organization can do sensemaking and give people an understanding of where they stand. The organization can also indicate its actions and explain the reasons for them, including its liabilities, and learn lessons to avoid the problems in the future. With communication management, the organization can make itself heard about the situation, show that it is working on the problem, and state what the expectations are.

Question 5: And now this: What about Red Ants?

Is this yet another invention to describe risks? No, actually not. It is a disaster type that is naturally present: incidents with small to moderate impact and small to high probability, but with the possibility to grow into a Black Swan or a Gray Rhino very quickly.

Black Swans (Nassim Nicholas Taleb): very small probabilities, very big impacts.
Gray Rhinos (Michele Wucker): very big probabilities, very big impacts.
Red Ants: very big probabilities, smaller impacts.

Often Red Ants are the small incidents without major consequences that warn of imperfections in the safety of a system or organization. Usually a large number of red ants precede a gray rhino or a black swan. Besides being an annoying phenomenon in the field of safety, and a reason to extinguish a lot of fires, red ants therefore have a serious warning function. That is: find the root cause and tackle it thoroughly, otherwise sooner or later really big accidents happen.

So every “animal species” is to be taken seriously.

Question 6: And what can you do about it?

Well, let’s present this schematically in the disaster management table:

Conclusion:

  • CM Exercises are the most necessary aspect in disaster management.
  • Risk management includes preventive measures and protective measures (by analogy with the bow-tie analysis method).
  • Uncertainties have the characteristic that probabilities are poorly known but the impacts are better known. Usually because causes are poorly known. As a result, there is a particular need for protective measures.
  • Ambiguities have the characteristic that impacts are poorly known but the probabilities are better known. Usually because consequences are poorly known. As a result, there is a particular need for preventive measures.
  • In the event of unknown probabilities and impacts, the focus must be on the lookout: estimating unexpected matters in a timely manner and incorporating measures into the policy of the organization on a continuous basis.

Does history repeat itself? Or not?

Author: Manu Steens

Before we can answer this question, we need to clarify three things: linear events, complicated events and complex events.

What are linear events? These are generally regarded as events that can be addressed by applying routine tasks. For example, chopping down a tree with an axe. Some thought may have to go into where the tree can best fall, because it does not always fall as intended, but in general this is a task that requires no special higher studies. Which does not mean that no responsibility can be hidden behind such a task.

Then there are complicated events. These are things that, with sufficient effort, such as acquiring sufficient knowledge, are still manageable and predictable, but not for a layman. For example, building an airplane. You have to know enough about aerodynamics, materials, fuels, strength of materials, standards, fluid dynamics and nowadays even electronics and computer science to design an airplane. But we succeed, provided we work together.

Thirdly, there are the complex systems. These are things that we absolutely cannot predict. Not so much because we cannot know our own actions, but mainly because we cannot know all the parameters of a complex system, among other things because they are never the same twice, or because there are simply too many of them. Some examples are nature, climate change, society, …

Then we come to the statement “history repeats itself” or the prediction “history will repeat itself”. The question I ask is whether, in the context of the previous three definitions, these statements can be taken seriously. The question is also whether if similar macro-states (such as a political system, wars, …) occur, this statement actually applies to it. After all, we live in a world that must be characterized as a succession of very many complex systems.

A thought experiment should be able to bring us back to the situation after an event whose repetition is predicted. The question then is whether we can predict the future with the knowledge of the past. I do not think so, because not only do we have no control over all the parameters, or even just the relevant ones, we do not even know them all. We simply do not know them.

The prediction “history will repeat itself” is therefore useless. In nature, in the climate, in crisis management. However, this does not detract from the fact that we can have a positive influence on the events. Taking measures has always been meaningful. Also for the climate. Also now. Because we are obliged to future generations, to do our best to give them a liveable world.

Urgency Assessment

Author: Manu Steens

(inspired by “Risk Management – Concepts and Guidance” by Carl L. Pritchard)

Purpose of this type of assessment:

Classically, risks are evaluated on a risk matrix, with the typical colors red, orange, yellow and green for decreasing values of the risk. The box in that risk matrix in which a risk lands depends on the probability and the impact of the risk event. One such box can contain more than one risk. These can then all be handled and followed up in the risk register. Yet there are still reasons to take one risk, such as a shortage of personnel, before another. The question then is in which order these will be prioritized. An urgency assessment is required for this.

Construction of a template:

Since an urgency assessment is specific to an organization, two sets of inputs are required:

– The brainstorm for drawing up the template
– Fitting the inputs of the project / process / objectives / strategic risks to the template

The former requires knowledge of the environment of the organization. This is often dependent on the organization. Because of that, a template can often be reasonably uniform within an organization, but it can change over time with the environment variables.

The template is drawn up as a table, with evaluation criteria per row, and score descriptions per column.

The output of this assessment is a score obtained as the sum, over all rows, of the values of the applicable columns. The higher the score, the more urgently the risk must be treated.

Example of a template:

Project name:                     Risk event:

Urgency Assessment

Columns: score 1, score 2, score 3, score 4, and the Score obtained for the row (the value of the column that applies).

Evaluation criterion: Experience of the project / process / objectives team with this type of risk.
  • Score 1: Knowledge of / competence in workarounds and ad hoc solutions for this type.
  • Score 2: Some experience in dealing with this type of risk among the team members.
  • Score 3: One or two team members who have experience with this type of risk.
  • Score 4: No member of the team has experience with this type of risk.

Evaluation criterion: Chance that the risk occurs before the next review.
  • Score 1: The probability is higher later in the project and it does not occur before the next review.
  • Score 2: The probability is just as high later in the project as before the next review.
  • Score 3: The probability is high prior to the next review.
  • Score 4: The probability is highest in the following two time periods (e.g. weeks, months).

Evaluation criterion: Customer sensitivity.
  • Score 1: The customer has no expectations regarding this risk and would suggest that we solve it.
  • Score 2: The customer expects this problem to be resolved immediately, without delay.
  • Score 3: This risk affects multiple modules and quickly occurs in the project.
  • Score 4: This risk affects multiple modules and the project / process is highly dependent on each of them.

Evaluation criterion: Complexity of / integration in the project / process / objective.
  • Score 1: The risk only affects one module of the project and that module can be handled independently.
  • Score 2: This risk affects the entire project / process but only occurs at the end of the life cycle of the project / process.
  • Score 3: This risk affects multiple modules and occurs early in the project / process.
  • Score 4: This risk affects multiple modules and the project / process is highly dependent on each of them.

Evaluation criterion: Visibility.
  • Score 1: This risk can easily be identified in advance, which allows for a last-minute intervention.
  • Score 2: The risk has a few recognizable features that allow for early identification.
  • Score 3: This risk is only identifiable when it occurs.
  • Score 4: This risk is only identified after it has happened.

Total: the sum of the row scores.


Steps in using this technique:

The first step in building this template is to determine the types of criteria that make one risk more urgent than the other. Criteria that indicate that one or more events are about to arrive.

The second step is to create a scale. For each criterion you determine a numerical scale that indicates the influence on the urgency of the risk, running from a high number for a high urgency to a low number for a low urgency. (In the example there is only a single numerical scale.)

Step three: validate the template. Validation can be performed by testing against a number of well-known cases of high and low urgency. If the template differs from what is known from the history of the cases, the scales must be adjusted.

Step four: evaluate all major risks. These are typically the risks in the red and orange zone of the risk matrix.

Step five: prioritize the risk events. Red risks with a high urgency should be given priority over, for example, orange risks with a lower urgency.

Step six: Arrange the risk register according to the priority and implement the measures.
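The scoring and prioritization of steps two to six, as an added example that is not part of the original article: it sums the applicable column value (1 to 4) per criterion, validates the template against known high- and low-urgency cases (step three), and orders the register by matrix colour first and urgency second (step five). The criterion keys, colour ranking and sample risks are constructed assumptions, not the author's.

```python
"""Urgency assessment on top of a classic risk matrix (added example)."""
from dataclasses import dataclass, field

# The five evaluation criteria of the template, in row order (constructed keys).
CRITERIA = (
    "experience",   # team experience with this type of risk
    "chance",       # chance that the risk occurs before the next review
    "customer",     # customer sensitivity
    "complexity",   # complexity of / integration in the project
    "visibility",   # how early the risk can be identified
)
MIN_SCORE, MAX_SCORE = 1, 4

# Risk-matrix colours, most severe first (assumption: colour dominates urgency).
COLOUR_RANK = {"red": 0, "orange": 1, "yellow": 2, "green": 3}


@dataclass
class Risk:
    name: str
    colour: str                                  # position in the risk matrix
    scores: dict = field(default_factory=dict)   # criterion -> 1..4


def urgency_score(scores: dict) -> int:
    """Sum of the column values chosen per row; rejects incomplete or invalid sheets."""
    missing = set(CRITERIA) - set(scores)
    if missing:
        raise ValueError(f"no score for criteria: {sorted(missing)}")
    for name, value in scores.items():
        if name not in CRITERIA:
            raise ValueError(f"unknown criterion: {name}")
        if not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{name}: score {value} outside {MIN_SCORE}..{MAX_SCORE}")
    return sum(scores[c] for c in CRITERIA)


def prioritize(risks: list) -> list:
    """Step five: matrix colour first, then urgency from high to low.

    A red risk with high urgency lands above an orange risk with lower urgency;
    within one colour the urgency score decides the order.
    """
    for r in risks:
        if r.colour not in COLOUR_RANK:
            raise ValueError(f"{r.name}: unknown matrix colour {r.colour!r}")
    return sorted(risks, key=lambda r: (COLOUR_RANK[r.colour], -urgency_score(r.scores)))


def validate_template(known_high: list, known_low: list) -> bool:
    """Step three: every historically urgent case must outscore every
    historically non-urgent case; otherwise the scales need adjusting."""
    lowest_high = min(urgency_score(s) for s in known_high)
    highest_low = max(urgency_score(s) for s in known_low)
    return lowest_high > highest_low


# Constructed sample risks for illustration (not from the article).
SAMPLE_RISKS = [
    Risk("staff shortage", "red",
         dict(experience=2, chance=4, customer=3, complexity=4, visibility=2)),
    Risk("supplier delay", "orange",
         dict(experience=1, chance=4, customer=4, complexity=3, visibility=3)),
    Risk("late requirements change", "red",
         dict(experience=1, chance=2, customer=2, complexity=2, visibility=1)),
]

if __name__ == "__main__":
    # Step six: print the register in treatment order.
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.colour:7} urgency={urgency_score(r.scores):2}  {r.name}")
```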


Risk determination with risk typology

Author: Manu Steens

The determination of the risks is one of the important steps in risk management, to arrive at a risk register with accompanying action plans as an intermediate step.

In this respect, according to the principle of subsidiarity, the lowest in rank that can sensibly determine the risks is the right person to list the necessary risks. This applies to risks at all levels in the organization.

The first step therefore consists of determining the target group of the brainstorming session for the risks. For operational risks these can be process or project managers, but also newcomers who do not yet have a lot of vision on risks. For they constantly come into contact with unforeseen issues, and cooperating in the risk analysis raises their awareness and alertness. For tactical and strategic risks these can be board members. The target group of the risks must also be determined. For the normal risks these can be the managers, for large risks and strategic risks one must report to the top management / management board.

Once the target groups for determining the risks and for reporting have been determined, the risks themselves must be assessed. This can be done with a risk typology, for which there are several possibilities. These always depend on the organization itself, which must therefore be well known to those who choose or design the appropriate risk typology. Below we present a number of examples of risk typologies (not exhaustive).

A first possible division is as follows:

  • Financial risks
  • Legal requirements
  • Legal compliance
  • Reputation
  • Specific to the industry
  • Data integrity and reliability
  • Confidentiality of the data
  • Security of your own data
  • Disaster recovery and continuity planning
  • Operational risks

A second possible division is as follows:

  • External risks
    • Nature
    • Politics / law and regulations
    • Social / social
    • Economy / market, fairs, …
  • Internal risks
    • Strategy
    • Legal / financial consequences legal form
    • Continuity
    • Quality
    • Fraud / Compliance …
    • Material risks (loss or damage)
    • Safety of people / resources
    • Financial risks
    • Critical knowledge
    • Capacity …

A third possible division is as follows:

  • Operational risks:
    (Willem De Ridder, ‘Risicobeheersing met toegevoegde waarde’): “The risk of loss as a result of inadequate or failing processes, people and systems or as a result of external events.”
  • Strategic risks:
    (Lizanne Vroom, ‘Risicomanagement vanuit het Dynamisch Business Model’): “The danger of (capital) loss and / or the survival of the organization as a result of changes in the organization’s environment, the lack of response or an incorrect response. Changes in the environment of the organization, business adverse decisions or incorrect implementation of the chosen strategy. ”

A useful way to work with this risk typology is to brainstorm with a SWOT method. Note that making this SWOT does distinguish between internal matters (strengths and weaknesses) and external issues (opportunities and threats), but is not yet a risk analysis in itself. It can be used to formulate the risk statements on the basis of each item in the risk typology, in relation to the operational projects, processes, objectives or strategic objectives. So in fact to do risk identification. The risk typology used can also depend on this. In addition, the SWOT method with its confrontation matrix is ​​suitable for formulating measures.

A brainstorming session works best with a group of about 4 people and a coach. The latter must always challenge the group to formulate the risk statements properly and also, according to the principle of a Bow-Tie, to formulate the causes and consequences, the causes of causes and the consequences of consequences, etc. The 5x ‘why’ and 5x ‘what then’ questioning method applies here. In this way the participants in the brainstorm eventually formulate the risk statements in the form ‘The organization / the process / project … has problem / opportunity … with cause(s) … and effect(s) …’.

One can choose to split the causes and consequences with the problem over several risk statements, or to group the causes and group the consequences. These are then challenged with preventive and reactive measures respectively. The Bow-Tie method is then very suitable to indicate whether all the stated causes and consequences are being addressed with measures.

The 4 commandments of risk management, the values of an organization and Information Security

Author: Manu Steens and Joris Bouve with thanks to Hilde Van Nijen

The main purpose of information security is the risk awareness of the employees. After all, people are the weakest link. Risk awareness goes both ways. On the one hand it concerns the awareness of the business with regard to information security: where does it hurt, what can be done technically, and what do you have to do yourself? On the other hand, it is also about the awareness of ICT people: what do they need to know about what the business finds important and what it does not? Doing more is often irresponsible and leads to spending money inappropriately.

What & why?

The purpose of information security is to ensure the reliability of information systems. This reliability is viewed from the following three perspectives:

Confidentiality: ensuring that information is only accessible to those who are authorized to do so.
Integrity: ensuring the correctness and completeness of the information.
Availability: ensuring that authorized users have timely access to the information / information systems at the right time

This is of course only possible by taking, maintaining and monitoring a coherent package of measures. It generally concerns information that is stored in information systems, but can also be written on paper.

The information security policy of the organization is aimed at ensuring, on the basis of risk management, that the information of the organization is correct and complete and accessible in time for the authorized persons.

How?

To ensure information security adequately, measures must be developed to ensure confidentiality (C), integrity (I) and availability (A).
It is not easy to lay down generally applicable criteria for this, because these can differ from department to department within an organization; even between teams within a department the needs can differ.

These measures must also respond to the following areas:

  • People and Resources
  • Collaboration (at process level and overarching)
  • Systems
  • Content

As an aid instrument we have worked out the matrix below. In this matrix, the four domains are approached from the three perspectives. We have prepared a number of guidelines for each combination. For these questions we have drawn inspiration from the “four commandments of risk management” (see below). Every employee can get to work with these questions. But these questions are also extremely suitable for gaining a clearer view of information security (both from the point of view of the “business” and from the point of view of IT).

Confidentiality (C)
  • People and resources: What do you share with whom? Which access do you need? Does anyone know the security manager? What is the intention of the management with their information security policy?
  • Collaboration (at process level and overarching): Does the confidential information remain within confidential circles? Are these circles known to everyone?
  • Systems: What do you have to be able to do to be admitted to the systems? Is a background study necessary for this? Who coordinates this?
  • Content: Which security-related laws must your organization meet (privacy, ISO standards, BCM, …)?

Integrity (I)
  • People and resources: Does everyone have good intentions? Is a background investigation necessary for this?
  • Collaboration (at process level and overarching): Are the processes drawn up and checked for bugs and errors? Was the flow of the process tested?
  • Systems: Are the systems regularly maintained and tested? Is that needed?
  • Content: How important is the correctness of the content? Do you use voluntary error introduction for the sake of confidentiality?

Availability (A)
  • People and resources: What people and things do you need to be able to do your work safely? What about a system failure? People? Buildings? Facilities? Suppliers?
  • Collaboration (at process level and overarching): Has a risk analysis been made for information security?
  • Systems: Who has physical access to which systems? Who has logical access to which systems? When? Is there an SLA with the supplier?
  • Content: When do you need the information? Does this depend on the time of year?

Answers to these questions are some of the criteria that information security must meet within the organization.

The four commandments of risk management and four values: openness, decisiveness, trust and agility

Risk-aware behavior can be reduced to the following four commandments:

  • Do not harm yourself unless you get better;
  • Do not harm anyone unless he / she gets better;
  • Do not break anything unless you can make something better with the parts;
  • Grab your chances, unless this is contrary to rules 1, 2 or 3.

These four commandments are

  • simple
  • easy to remember
  • clearly applicable

Moreover, these commands are relatively easy to link to the values ​​of an organization. By way of illustration, we give here how these fit within the values ​​of openness, decisiveness, trust and agility.

Openness:

Rule 2 (do not harm anyone) applies here. For example, openness of management is only valid as long as someone is involved. The privacy legislation also supports this principle: a person can appeal against the processing of his data. In addition, according to the privacy legislation, one is mainly allowed to come out with statistics, not to expose the heart and soul of an individual against his/her will. So there may be transparency, but to the right extent: the extent to which you do not hurt anyone.

Decisiveness:

Rule 3 (do not break anything) and rule 4 (grab your chances) apply here. Decisiveness within the organization is meant to be creative. In order to serve clients better, however, it may be necessary to be decisive and break down existing structures to build better ones. For this, one should know one's way within the organization in order to act effectively. And if you know the goals and the way to them, it is important to seize the opportunities.

Trust:

Rule 2 (do not harm anyone) and rule 1 (do not harm yourself) apply here. For an organization, it is of the utmost importance that everyone has trust in it. This applies to both the client and the employees. You must have sufficient self-confidence that you are heading in the right direction with what you do for the market. If people hurt each other senselessly, this trust will soon be violated.

Agility:

This means that exceptions can always be part of rules 1 through 4.

But it also means rule 4: grab your chances. Drifting away from the chosen road can yield a number of benefits that you would otherwise have missed. Looking carefully at opportunities and tackling them is also the message!