When executed well, a strategy for continuous quality improvement will facilitate organizational resilience as a natural byproduct. That said, it’s not a linear process with sharply defined outcomes carved in stone.
Yet, ask any business leader about the steps they’re taking toward these intertwined objectives, and many will answer in linear terms – designated start/end points with specific roles and marked out responsibilities. In reality, the process is much more dynamic, like the nature of risk itself.
Dynamic risk results in a consequence or harm that’s different from what we might have initially expected. For example, a hurricane in the Gulf may cause unanticipated flooding on the East Coast later that week. Just as dynamic risk is dependent on the mix of factors in play, the processes of quality improvement and organizational resilience will unfold differently depending on the circumstances. And those circumstances are filtered through the lenses of the individuals who come together every day and during a disaster. They each bring their own background of responsibilities, experiences and goals.
The business continuity professional will have knowledge and ownership of a certain area, as will security, IT, disaster recovery and so on. These functions are often siloed, which can frustrate attempts to create a holistic, integrated approach to resilience and risk management. That’s why any organizational resilience conversation can’t be one-sided; it must be a collaborative one. By bringing everyone to the same table, leaders can encourage a growth mindset where everyone is committed to improving processes over the long term. A cycle of continuous quality improvement will make that goal a reality.
To create an effective cycle, organizations need a framework of repeatable processes that facilitate proactive risk management. This can be broken down into four phases: Anticipate. Prepare. Respond. Adapt.
Because there are thousands of critical events happening at any one time across the world, prevention is the name of the game. You can only respond to the events you know about, so highly granular risk intelligence that tells you what’s going on in relation to your assets is key. That’s where technology comes in.
AI-powered risk intelligence and machine learning can rapidly boil down large datasets into timely and relevant intel. More importantly, it can correlate that information to your assets, so you can anticipate the impact in advance. That’s an obvious advantage when you’re seeking to head off risk and mitigate its consequences.
What’s talked about less often is the other side of the coin: Proactive collaboration across functions within the organization. While disparate departments often come together out of necessity during crisis, impromptu collaboration for damage control is inefficient. In either scenario – day-to-day operations or disaster management – if you don’t have a reliable means of critical communications, the left hand never knows what the right is doing. That brings us to the next phase.
Cross-functional collaboration doesn’t mean that every role reports to a chief resilience officer or a single department head. That’s just window dressing. What it does mean is fostering a culture within your organization that recognizes natural alliances – between business continuity, security, IT, etc. – and strengthens them before a critical event occurs.
Another key component is acknowledging other stakeholders, whether that’s related to approval, sponsorship or support and making sure there’s buy-in and alignment. Think about it as an informal network of connections where everyone is working towards the same underlying goal. Shared objectives foster a natural cycle of improvement for your critical event management (CEM) processes.
Recognize that silos in risk management can and will thwart real progress. Only 17 percent of organizations have tapped their own enterprise risk management team to act as their overall coordinator, according to a commissioned study conducted by Forrester Consulting on behalf of OnSolve, Failing to Plan is Planning to Fail. When it comes to the technology, many have yet to tap into a platform that facilitates proactive CEM. If the right information isn’t getting to the right people at the right time, you’re going to find siloed efforts. That’s why taking this approach of open, cross-functional dialogue is so crucial, especially as we move into the response phase.
In recent years we’ve seen more and more junior leaders step up and make larger decisions about how to respond during crisis. Even among experienced professionals, whether it’s legal, HR or business continuity teams, no one started their career thinking they’d have to figure out protocols during a pandemic. But we all did it. That scenario made for complicating factors on top of an already complex risk landscape.
Even when responding to a new form of chaos, a prepared response should still follow a certain pattern. You get out your checklist, you walk through your processes and procedures and you execute as best you can. The trick is learning to do it better every time. Continual process improvement is about maintaining both the flexibility to adjust to dynamic situations and the discipline to replicate benchmarks that measure your effectiveness. That’s a tough balance for even the most seasoned risk professional. There’s technology out there to make proactive risk management easier. Risk intelligence products, emergency alerting systems, incident management software – it’s all available, so use it. That checklist can’t be the be-all, end-all.
Risk managers sometimes have a tendency to assume that if we put an agenda in front of someone, they can and will follow it. The reality is you have to incorporate ingenuity. There will always be complicating factors and surprise elements. When you remove silos, incorporate the right technology and facilitate cross-functional coordination, it becomes much easier and more intuitive to balance flexibility and disciplined repetition. It’s really about getting everyone to look at the big picture and constantly ask if their actions are moving the organization closer or further away from the target outcome. Fine tuning that process is what we do in the adaption phase.
A cycle of continuous quality improvement must encompass post-event analysis, and that means acknowledging what went right and what went wrong before, during and after a critical event. Why are health and safety managers, for example, so keen on people reporting near-misses? Because near-misses signal you likely have a problem that hasn't yet resulted in an incident. That’s a powerful piece of information. Why? Because it presents a unique opportunity to proactively correct the issue and possibly prevent future negative outcomes. And that’s a win.
Honest feedback is key. To accurately analyze your organization’s strengths and weaknesses, people can’t be afraid of asking questions. The adaptation phase is about taking feedback and lessons learned and incorporating them into the improvement cycle. The goal is to do it better every time, so hearing from the people who witness immediate outcomes at each stage is an opportunity to strengthen the process.
Any manager or leader, no matter their specific role, can become a trusted advisor by strategically building out internal networks, reaching across functions and teams and leading by example to bring real value to the organization as a whole. When each member of your staff feels empowered to do that and has the right platform to make it happen, you have the makings of organizational resilience.
In summary, embrace the after-actions report, discuss what worked and what didn’t and then feed those insights back into your processes and adapt accordingly. The goal is analysis through a lens of anticipation, preparation, response and adaptation. When chaos tries to take hold, that cycle of continuous quality improvement will carry you through. Practice until it becomes organization-wide muscle memory – that’s organizational resilience at its best.
The Evolution of Risk and Resilience Webinar
Learn more about strengthening organizational resilience and mitigating dynamic risk in this on-demand webinar with Matt Bradley and featured speaker Alla Valente, Forrester Sr. Analyst.
Vice President, Global Security Solutions, OnSolve
A veteran security operations expert for more than two decades, Matt Bradley has deep, first-hand knowledge of security operations management and an understanding of the critical challenges facing organizations. Most recently, Bradley served as Regional Security Director for the Americas at International SOS, where he led the security services business and advised key executives on risk management. Previously, Bradley worked in Honduras as Security Director for Tigo Honduras, and as General Manager for I Solution Security, where he advised on security matters for the Honduran President, Minister of Security, and Minister of National Emergency Commission. Previously, Bradley had a distinguished 14-year career with the Central Intelligence Agency (CIA).