<![CDATA[The Alternative for Lighting-Fast Risk Reduction - Blog]]>
Tue, 02 Nov 2021 11:07:45 -0700
Weebly
<![CDATA[Risk Management at Eight Knots: Chain of Command!]]>
Tue, 02 Nov 2021 17:52:17 GMT
http://alternativeresiliency.com/blog/risk-management-at-eight-knots-chain-of-command
Communication between skipper and crew is critical when things are happening, especially in dodgy situations where it has to be gotten right. Communications are also critical in business - the circuits have to be clear and open. Watch how these lessons can apply from the cockpit to the conference room!
]]>
<![CDATA[Risk Management at Eight Knots: Quick-Twitch Heuristic Decision-Making]]>
Tue, 02 Nov 2021 17:39:07 GMT
http://alternativeresiliency.com/blog/risk-management-at-eight-knots-quick-twitch-heuristic-decision-making
Oftentimes there's no time for delay or debate on busy waters and in tricky situations. Decisions come hard and fast. This is also often true in emergency business situations. Enjoy this episode on making decisions quickly!
]]>
<![CDATA[Risk Management at Eight Knots! Episode 1, Situational Awareness]]>
Tue, 02 Nov 2021 17:18:30 GMT
http://alternativeresiliency.com/blog/risk-management-at-eight-knots-episode-1-situational-awareness
Skippering a sailboat involves lots of inputs - weather, seas, crew, passengers, etc. - and requires keeping a constant eye on all of them. Situational Awareness has business applications as well. Enjoy the video!
]]>
<![CDATA[Do Your Due! Post-COVID Business Continuity Due Diligence]]>
Mon, 10 Aug 2020 17:01:24 GMT
http://alternativeresiliency.com/blog/do-your-due-post-covid-business-continuity-due-diligence


… And just like that… every business in the US and internationally is operating in Business Continuity mode! Employees displaced, workplaces inaccessible, supply chains disrupted, customers unavailable, products not moving. Some had plans, some are improvising, and the Governors are dictating most of the responses anyway.

How can you be sure that your counter-parties will be there for you for the next business-interrupting event?

We’re learning a hard lesson about the value of having programs for Business Continuity and even Risk Management and Cyber Security. When this is over, these will be – or should be – a major focus in your due diligence for suppliers, vendors, counter-parties and other organizations of interest. As stewards of your enterprises, you have a vested interest in ensuring that you only do business with those with current and effective programs. Conversely, they have a vested interest in convincing you that they do… whether they have programs or not. As someone who has been on both sides of the assessment process, I can tell you that some companies gloss over, dissemble or even flat-out lie about their Business Continuity, Risk Management or Cyber programs. Here are some tips to make that harder and cut through the flash and noise to understand – really understand – your counter-party risk! [Just substitute Risk Management or Cyber Security for Business Continuity when reading the below - the concepts still apply!]

  1. Don’t take Yes for an answer. Ask open-ended questions. Asked “Do you have a Business Continuity Plan?”, most will say “Sure!” Ask who is in charge of it – an actual name. Don’t ask “Do you do testing?” Ask “When was the date of the last test? What type of test?” Ask “When was the date of the last Steering Committee meeting?” If they talk about an alternate work location (yes, in this post-COVID regime it still might be necessary), ask when the contract expires and the date of last occupancy for test or actual use.
  2. Don’t take No for an answer either. Many orgs will offer their slick PowerPoint or PDF piece about how good their Business Continuity Program is. That’s not the plan – that’s talking about the plan. You want to see The Plan! Most orgs will counter your request to see plan documentation with “Sorry, it’s proprietary or confidential”. Some of that is legitimate – companies do not want to expose employee personal info or security-related data. Many do not trust where the documents will go. But some companies, frankly, hide behind this. There are ways around the objections. Execute Non-Disclosure Agreements (NDAs) to make them feel at ease. Ask them to share via Zoom or similar. Ask to see subsets of the documentation. In some cases, I’ve flown to a site and examined plan documentation physically under their watchful view, kind of like government SCIF space. But do not settle for documents ABOUT the program – look for the documents that COMPRISE the program. Another tip: ask to see, via Zoom or otherwise, the folders or SharePoint sites containing the documents. Look for last-modified dates: are they all yesterday, at the same time? Ask to be shown the revision history, either on the page or the control block within the documentation (sign of a properly-maintained program).
  3. Peek under the cover. Many enterprises only share the glossy PDF or PowerPoint that describes how robust and effective their program is. For me, that’s a yellow flag. Use that as a starting point, but don’t stop there. Ask to see the actual plan accouterments – not only the plan docs but the educational material, Steerco meeting minutes, Awareness material, issue logs, etc. Pick out some of the cool things they talk about and ask for the evidence.
  4. Tick each box. A proper Business Continuity Plan will address the essential elements of a program:

    Alternate Work Modes: what’s the strategy for contingency-mode operations?

    Teams: established roles and responsibilities, with backups at least two deep and preferably three, with everybody knowing their part

    Communications: how to rally teams, get the word out, ensure employee safety and productivity

    Plans: actionable checklists with relevant and only relevant content, backed up, available to parties of responsibility

    Trained Employees: awareness and education driving adoption of the program and assuring competence and confidence no matter how people fit in, and exercise results.

    Ask to see each element in writing.

  5. Ride along. The best way to do due diligence is to watch it in action and be a part of it. Offer to your critical counter-parties your services and participation. Don’t ask, offer it. You can not only get the evidence that their plan does at least exist, but you’ll be testing how the communications and operational circuits flow between you and them. Best practice that I’ve observed was an Internet retailer who drove down Operations risk by dual-source supply of critical services, requiring them to write a joint Business Continuity Plan to address cooperation between competitors and failover/failback, then facilitated a three-party exercise with both providers and them as customer.

Due diligence can be a rubber stamp, or it can be a valuable Risk Management tool to ensure your own organization’s resiliency.

The choice is up to you.


]]>
<![CDATA[COVID, Meet Cognitive Bias. CB, Meet COVID. You Two Have Much to Talk About!]]>
Thu, 23 Apr 2020 16:57:58 GMT
http://alternativeresiliency.com/blog/covid-meet-cognitive-bias-cb-meet-covid-you-two-have-much-to-talk-about
Flash! COVID is in the news! How could it not be? Our world is changed. Face it, we are inundated with this global threat, and rightly so. This is the most transformational event in recent history. Nobody is immune from the effects, whether it be from the virus, the lock-downs and other attempts to “flatten the curve” and manage the spread, or the economic damage to personal finances.
Not going to pick apart the many competing viewpoints, second-guess politicians and experts who (to be charitable) are learning as they go, or take sides for or against the anti-lock-down protests. Risk Management should not be political. Instead, I’d like to focus on why we’re continuing to get it wrong, and it’s not due to political agenda or ideology. It’s due to the cognitive biases we’re all subject to.

I’ve spoken on the Psychology of Risk at executive venues across four continents. The headline is that as global risks are getting bigger and more frequent, our ability to see risk is impaired by cognitive biases and psychological flaws – in other words, we are Built to Be Blind to Risk. The easiest one to understand is the Gambler’s Fallacy – the belief that if the roulette wheel throws five reds then black is ‘due’. It’s not – past events don’t impact present probability – yet casinos get rich.

COVID responses across governments have been fast and robust, but they have come with a price. The economic damage has been severe, not to mention the curtailment of many rights that we took for granted (at least in the US). As we learn more, and as our measures have taken the desired effect of “flattening the curve”, one would conclude that the measures can be fine-tuned to optimize and minimize the overall damage. But they haven’t been. Why? We now see three Cognitive Biases in play as our leaders struggle to understand and manage the risk.

Availability Bias
Availability Bias is the tendency to over-weight risks that are emotionally available. Two examples are child abductions and airline crashes. When these happen, they are in the headlines, they are stark and scary, and we look at them in fear. In reality, controlling for custody cases and gang activity, the chances of your child being abducted are infinitesimally small. Similarly, airline crash odds range from 0.0000185% to 0.0000091%, and more people walk away than we think.

COVID causes death. Lock-downs and forced unemployment also cause deaths. Deaths from stress-induced coronary problems, depression, suicide, alcohol and drug abuse, spousal/child abuse etc. are well known, measurable and documented in such sources as The Lancet, The National Bureau of Economic Research and Social Science and Medicine. Lock-down-related deaths might surpass deaths from the virus, but they are not emotionally available. Are our leaders talking about both? Nope.

Zero-Risk Bias
Zero-Risk Bias is the subconscious tendency to favor complete reduction of one risk over a greater net reduction across multiple risks. People, without realizing it, might take action to gain a five-point reduction of risk in one area while failing to realize that they could take small actions across several areas to gain a six-point reduction. Part of this stems from the difficulty of thinking multi-dimensionally. Part also stems from people’s subconscious need to cling to a totem in times of trouble.

All of our responses to date have been focused on reducing risk from a single source – COVID. The calls to reopen businesses are being met with much emotional resistance. “Lives Will Be Lost!” comes the call. Even if focusing on optimizing responses to minimize COVID deaths (which will not soon be completely eliminated) and deaths from other causes (see paragraph above) results in more net lives saved, people have difficulty seeing it.

Changing the Goal Posts
We humans suffer from an inherent emotional inertia. It is difficult to move past a position once we’ve anchored on it – think “deer in the headlights”. The crisis has forced us to temporarily adopt drastic and emotional measures, and in many cases, they have become larger than life. “Stay At Home!” and “Don’t Do Non-Essential Things!” are the new mantras. These mantras have shifted from being the means to a goal to being the goal itself. Many leaders are seeing the success of Stay At Home and Don’t Do Non-Essential Things and have become anchored to them. This has resulted in a reluctance to move off of this position when the original goal has been met; and, indeed, to double down when stressed. In many cases, the mantra of Don’t Do Non-Essential Things has moved leaders to take such measures as banning sales of garden seed and clothing; the mantra of Stay At Home has resulted in people being arrested for walking or taking their child to a park. In other cases, leaders are reluctant to move past the mantras when the “curve has been flattened”; the reaction has been “But the measures are working! We must continue to lower the death toll!”. That was not the goal. See? “Flatten The Curve” has become “Lower Deaths” has become “Just Stay At Home”.

The Way Forward: Multi-dimensional Risk Management
How do we get out of this endless loop? The answer is to think in several dimensions.

One dimension is to stop confusing the means with the end. If the means is “social distance, masks, sanitation”, then any business that can take these measures should be allowed to operate. What’s good for Costco should be good for Mike’s Bicycle Shop, given that the foot traffic at Costco is exponentially greater (therefore greater risk) than the foot traffic at Mike’s, and especially given that Mike has to feed his family. If a landscaper can adhere to the measures and still push a lawn mower around his customer’s yard by himself, then let him earn the bread for his table. The authorities should take themselves out of the position of picking what’s ‘essential’ – publish the measures and get out of the way, sanction those who can’t/won’t comply, be they Costco, Mike’s or the landscaper.

Another dimension is to stop the myopic focus on COVID as the sole enemy. Savvy leaders can optimize both COVID and economic harm and reduce total deaths. A job can be as effective a cure for death as a vaccine. Let’s focus on both.

Finally, let’s start to take a risk management approach. It’s called Risk Management not Risk Elimination. Not only can we not completely eliminate COVID death, it’s a fool’s errand to think we can. That might sound cruel and heartless (there’s that emotion again!), but public policy has always been based on balancing risk. The speed limits on our freeways are not 5mph because we accept that we cannot – and should not – view death reduction as the only element, and there’s a cost that comes with risk reduction.

Let’s get to Managing this Risk!
]]>
<![CDATA[Self-Defense - An Important Aspect of Resiliency]]>
Tue, 18 Feb 2020 17:04:45 GMT
http://alternativeresiliency.com/blog/self-defense-an-important-aspect-of-resiliency
I normally firewall my Facebook persona from my Twitter and LinkedIn personas, keeping FB personal and the others professional. This keeps me from letting my personal views on issues and politics interfere with being completely dedicated to my clients and eliminates any judgments I may have of my clients' views, even perceptually, from influencing my opinion of them or the advice I give. I've had clients and colleagues from all over the political or issue spectrum and plan to keep it that way. It works better that way as well, since FB has increasingly become stupid postings of mental chewing gum, fake news and people shouting past each other.

That said, one piece caught my eye as the complete exception to the rule. It's entitled "Written by a Cop" and lists out some self-preservation tips for women. Snopes - being increasingly politicized and slanted itself - has it as a Mix of truth and fiction, renaming it from "Lessons Written by a Cop" to "Lessons from a Self-Defense Expert as Remembered by a Student". Snopes then pours interpretive cold water on much of the advice, in my opinion unwarranted, as Snopes is hardly an authoritative source for self-protection expertise.

I believe that most of the advice is sound and worth trying in a potentially lethal situation. I also believe - strongly - that the theme of the piece is spot on: Situational Awareness, Healthy Paranoia and Proactivity of Self-Preservation. Having both witnessed and been victim of crimes including a face-to-face home invasion, I cannot recommend these tips enough. Modify them as you will, adjust your risk appetite accordingly and keep a healthy mental state.

I've tracked down an unabridged version of the Tips, link here.

People safety and self-preservation is an essential part of Business Resiliency.

Stay safe!
]]>
<![CDATA[Continuity Christmas Cleanup]]>
Tue, 10 Dec 2019 16:10:19 GMT
http://alternativeresiliency.com/blog/continuity-christmas-cleanup
It’s that time of year again. Organizations are putting a bookmark to 2019 and preparing for 2020. Closing the books. Last-minute Compliance items and Audit remediations. Trying to get everything done in the wake of the team parties, business area parties, enterprise parties… and employee personal lives.

Your Business Continuity, Risk Management and related programs can get side-tracked during the holiday rush. People are “too busy” to participate. Budget money might not be available (or conversely, budgets might have final ‘use it or lose it’ funds). However, this essential business enabler should not be neglected. Your employees, your customers, your brand, and potentially your organization’s long-term viability depend on it. For regulated enterprises and those subject to customer due diligence or contractual obligation, evidence of a current and working program is not elective but mandatory.
Here are two high-value low-investment end-of-year activities to keep your Business Continuity programs on track and ready to face the unexpected in 2020!


Exercises
Winter presents significant potential for business interruptions and outages. In many parts of the world, winter weather and Acts of Nature can impact operations from commuting to shipping to increased chance of power outages. A Pandemic can cause mass employee absenteeism – can your organization fulfill its brand promise when a third of the staff is home sick and incapacitated? The threats of cyber, terror and the rest do not take a winter holiday.

Exercises can be essential in helping management anticipate these threats and minimize their effect. Management can gain comfort that the plan has been practiced and the team is competent and confident. Exercises, when properly performed, can be more than mere “Just in Case” practice and validation of plan contents. They can be valuable training and leadership development opportunities. A properly facilitated exercise gives participants a safe environment where they can work through moving with fuzzy and imperfect/fast-breaking information, forced collaboration with colleagues they don’t normally work with, thinking two moves ahead, thinking around corners, and other skills that are not only for Just in Case, but skills they will use every day.

External resources can be invaluable here. This is not an admission of incompetence of the internal team – it’s an affirmation and complement to them. A third party can bring experience and perspective from many other organizations and situations that the internal team might not have. An outsider can have fresh eyes on the organization and can know to ask the questions that the internal team might be too close to the situation to think of. External facilitation also solves the paradox of ‘self-testing’. An independent unbiased analysis of the exercise and a third-party report can have an imprimatur more authoritative than an internal memo. Also very important – a non-employee can deliver the difficult messages to executive management that an employee might find impolitic to say.


Assessment
Your program – every program – can run the risk of getting stale. Technology evolves – is the program contemplating the latest and greatest enablers? Approaches also evolve – is the program following legacy practices or adapting to more efficient and effective methodologies? Solutions also evolve – the responses and solution options of yesterday might not be the best to use today. How can you discover these opportunities?

Note that an Assessment is different from an Audit. An Audit examines controls and measures a program to a documented standard. An Assessment provides a subjective evaluation or appraisal, and a comparison to what Good looks like. Also note: your program might be in compliance to a standard and still not be effective or Good; and, a program does not have to measurably follow a standard to be leading-practice.

Just like for exercises, use of an external resource can deliver a valuable assessment. A third party with sufficient broad experience can compare your program to the best of the best… and the less-than-best. An independent party can spot things that the internal team might be too close to notice. A good assessor will not only point out gaps and improvement opportunities but also highlight the positives, affirming what the internal team is doing right. A proper assessment should not only point out observations but also include a road-map of how to get from Here to Good, helping the enterprise to budget and prioritize for the coming year.

Hopefully this article has given you something to think about. The Christmas season can be a great opportunity for organizations to take quick high-value low-investment action to reduce risk, safeguard employees, protect brand, and fulfill their promise to stakeholders.


Ready to get started? Contact us here!
]]>
<![CDATA[Is Your Org "Not Ready" for Business Continuity?]]>
Mon, 25 Nov 2019 10:48:55 GMT
http://alternativeresiliency.com/blog/is-your-org-not-ready-for-business-continuity
“We’re not mature enough yet.”
“Not in the budget.”
“Priorities, we’re way too busy right now.”
“People can work from home – we’re good.”


Many companies have seemingly valid reasons to delay or defer setting up a Business Continuity Program. There are always more pressing issues. There are also perceptions, misguided or based on prior experience, that Business Continuity is expensive, intrusive, and laden with top-heavy overhead that today’s organizations – particularly early-stage – can ill afford.

The perceptions are wrong. The reasons are misguided. The risks are too great for the investment not to be of value. Here’s why!

“We’re not mature enough yet.”

Although early-stage orgs must get runway under them early, they still must manage Risk. This is even more important when seeking Series B funding and beyond. One business outage may not only cripple a company’s operation, it might be a red flag to investors that the company might not be resilient enough to take a risk on.

Many companies have long tenure, have been in business for some time, but are still operating with a relative immaturity of process. Business Continuity is essential here! Companies with fragile processes are bound to struggle when those processes are broken by unforeseen events. Having at least a rudimentary framework for switching the business to ‘contingency mode’ and keeping employees safe and productive can make up for fragile processes.

Would your organization say, “we’re too immature to have a Cyber framework”??

The key to Business Continuity for immature enterprises is to match the robustness of the program to the maturity level of the enterprise. Just as a “Business Continuity Lite” is insufficient for large, mature organizations, a comprehensive deep program is unsuitable for an early-stage or immature org. The trick is to implement a program that covers the basics without being top-heavy… or expensive.

“Not in the budget.”

Business Continuity has historically been viewed as a cost, and an exorbitant one at that. Big expense, big overhead. This is not true if done properly. Streamlined Business Continuity can be implemented for pennies on the dollar and still get significant risk reduction. Example: A global name-brand enterprise with over 8,000 employees and a market capitalization of $40B USD had agile Business Continuity, teams in twelve locations in North America and EMEA, over a hundred plans, standby Emergency Work Centers covering five major locations, Mass Emergency Notification, and conducted 16 annual exercises.

The cost? $187,000 and a team of two.

That’s not a typo.

Are the losses in revenue, customers and brand in the budget?

“Priorities, we’re way too busy right now.”

Another misconception is that Business Continuity is intrusive and distracting. That can be true… if it’s done the old way. Endless sit-downs to compose a voluminous binder – and the cover must be Code Red! – are indeed business-interrupting. Much less so is an agile approach that takes crisp terse checklists built on a common theme and helps business areas customize for their unique needs and style. Done properly, with the right lead-from-behind facilitation, Business Continuity can spring up around the org with hardly a blip in normal operations.

Think you’re busy now? Wait until the business-impacting outage, not having a playbook, never practiced and having to make it up as you go.

“People can work from home – we’re good.”

This is a whole topic unto itself. I have a 60-minute presentation that outlines the operational and people risk of relying on Work from Home as a substitute for a plan. It’s entitled “Business Continuity = Work from Home? HAHAHA”… and aptly so. Suffice it to say that WFH is an essential risk reduction strategy and Business Continuity enabler, but it does not obviate the need for an overall strategy and basic ‘choreography’ for responding to a business outage.

Hopefully this article has given you something to think about. The bottom line is that NO organization is “not ready” to reduce risk, safeguard employees, protect brand, and fulfill their promise to stakeholders.

Ready to get started? Contact us!

]]>
<![CDATA[Best Practice Planning and Exercising from Ragtag Misfits]]>
Mon, 05 Feb 2018 20:13:27 GMT
http://alternativeresiliency.com/blog/best-practice-planning-and-exercising-from-ragtag-misfits

What do David Lindstedt, Mark Armour, Telly Savalas, Charles Bronson and Lee Marvin have in common? 

What are the most effective ways to do Business Continuity (or Cyber or Crisis) planning and training? David Lindstedt and Mark Armour are spearheading Adaptive Business Continuity, a framework that brings flexible, pragmatic and iterative approaches, much as traditional 'waterfall' software development has been supplanted by Agile scrums and sprints.
Watch how a team of semi-literate Army misfits quickly memorizes a complex battle plan!
(the best part starts at 1:02)

One of the tenets is Train by Acronym. The old way of writing voluminous plans in a binder and training critical staff with extensive modules is not effective. Adaptive proposes crisp, terse checklists and terse, rote training with mnemonics and memory aids. Critical managers may not remember the classwork or the binder contents during the distress of an actual emergency - but they can remember words drilled into them by repetition. How do you remember the sequence and colors of the rainbow? Roy G. Biv, that's how!

What's easier for a team to learn, retain and execute on? An hour-long PowerPoint presentation of a 40-page plan, or RADICAL:
  • Rally
  • Assess
  • Declare
  • Immediate actions
  • Communicate
  • Continued Actions
  • Lessons Learned

When I was running Expedia's Global Business Resiliency Office, I was once awakened at 6:00 am by the enterprise Emergency Notification System I had deployed: Text message "London Office closed, if commuting please stay away, check your email and check with your manager, next message in four hours, press 1 if you are OK, press 2 if you need assistance" (although the message went to London staff, I always copied myself on all emergency traffic worldwide). I called the BCP Manager for London and asked what the situation was. He replied, "the building had to be evacuated due to a small fire. The team rallied outside in the garden, they sent the emergency message, they are assessing whether to spin up the offsite Emergency Work Center (well, he said Centre), and they are managing the response." "That's great, but you keep saying 'them'. Aren't you the Recovery Team Lead?" "Yeah, but I'm out this week. This one's being managed by my Admin following your acronyms!"

If your org is ready for Next-Gen planning, training & exercising, reach out to us here!
]]>
<![CDATA[End-of-Year Compliance Testing Pro Tips]]>
Wed, 06 Sep 2017 23:49:14 GMT
http://alternativeresiliency.com/blog/end-of-year-compliance-testing-pro-tips
For those who have regulatory or audit requirements for testing, this is a great resource on moving your exercises from the merely-mandatory to Truly Valuable (and Lower Costs)! Feel free to share with your peers. Also feel free to share with your counter-parties and supply chain providers - are they resilient and do they test?

]]>