Business Continuity, Organizational Resilience

Dynamic Risks: Working Definitions and Implications for Risk Management Teams

By Chris Hurst

A Recent Trend

As our OnSolve leadership team reflects on 2020 and 2021, we note a trend in our conversations with Business Continuity (BC), Enterprise Risk Management (ERM), Physical Security (PS), Travel Risk Management (TRM) and Supply Chain Risk Management (SCRM) leaders. At first, we did not connect the dots on a clear way to describe this trend. But over and over, our customers and partners have used the following phrase or something very similar:

“I was expecting [Risk A], but then I got hit by [Risk B].”

For example, seven days after Hurricane Ida made landfall on the Gulf coast of Louisiana, a BC leader at a large hotel chain told us:

“We were expecting Ida to hit the gulf. We were ready. We had identified our most flood-prone properties. We had adjusted our staffing. We had tested our communications. We had pre-positioned generators and other equipment… But we’ve spent much of the last week scrambling, responding to Ida’s flooding of Manhattan – where we were not prepared.” 

As a second example, a logistics and transportation company shared the following scenario:

“On a Friday morning, we noticed many of our staff were not showing up to work, causing a major staff shortage. We soon realized that Thursday night, a tornado hit one of the primary communities where our staff live. With the sky clear and crews responding in team members’ communities, our first assumption was the staff shortage would soon be over. But nearly a full day after the tornado, power outages and gas leaks were causing new evacuations, and the staff shortage continued into the following week.”  

These are just two examples that capture the concept of “dynamic risks.” Included within this concept are the following elements:  

  • Rapid change
  • A risk hitting from a secondary direction or event
  • Some level of surprise

At OnSolve, we’re fortunate to be able to support and serve over 30,000 companies, communities, NGOs, governments and other organizations. Our running conversations allow us to extract and share trends so that all may benefit from the experiences and lessons learned. While leading resilience practitioners currently consider some aspects of dynamic risks in their programs, we recommend that these concepts be threaded throughout the design and management of all resilience programs in order to achieve the best possible outcome from every incident.

Dynamic Risks: A Working Definition

For years, our industry has used the term “dynamic” to describe the operating environment itself. For example, security leaders will be familiar with ASIS, whose 2017 ORM Standard states “Organizations typically operate in inherently dynamic risk environments[1].”  To be clear, we agree that the business and operational environment has been dynamic and will likely grow more dynamic. A full consideration of the risks that have appeared frequently over 2020 and 2021—COVID, changing COVID restrictions, unrest, severe weather, supply chain disruptions, inflation, etc.—illustrates this trend.

Understanding the concept of the dynamic environment is helpful, though we believe new lessons are available from the focus on the risk itself, in addition to the environment. The tables below provide a structured approach to dynamic risk management that will support immediate enhancements across each element/level of resilience program maturity.

 

Table 1. Dynamic Environment vs Dynamic Risks

| Dynamic Environment | Dynamic Risk |
| --- | --- |
| ERM/SCRM/PS/BC/TRM teams must be versatile and cross functional. | Same. |
| In a given year, teams should expect a greater number of large events than in previous years. | In a given week, the ultimate harm to the business or operation was not the active focus of the risk team or response team the week prior. In a given response, teams should expect escalation of risk, or enablement of new risks or a cause of a new risk – confounding the response. |
| Stability in operational environments (i.e., supply chains in Asia, customer access to retail stores in the US, etc.) should not be assumed. | Responses should not assume stability beyond the subject of the focused response. |
| Strategically, plan for new types of risks. | Strategically analyze how recent disruptions have changed in the moment or enabled other disruptions. |
| Incorporate this analysis into your people, processes and platforms. | Same. |

Fundamentally, a dynamic risk is a risk in which the ultimate harm is different than the initially expected harm.

Let’s explore deeper. Table 2 provides four conditions, explanations and examples.

 

Table 2. Four Types of Dynamic Risks

| Dynamic Risk Condition | Explanation | Example |
| --- | --- | --- |
| Risk A becomes Risk B. | The risk changes in character, in location, in severity or some other key attribute. | The hurricane, expected to hit the Louisiana and Texas coast, floods Manhattan with little advance notice. |
| Risk A enables Risk B. | The risk enables, or sets the conditions for, a new type of risk. | The 2020 protests, many of which began as peaceful demonstrations, enabled looting. |
| Risk A causes Risk B. | The first risk sets a chain of causal events. | The tornado caused the gas leaks, which caused a new evacuation. |
| Risk B is independent of Risk A, and hits when the focus was on Risk A. | Many risks are unrelated. | As a director of Enterprise Risk Management, the author was planning for a large, new water project in Eastern Congo. Previously, a massive volcano eruption had occurred nearby. As a result, our risk planning, mitigation and control activities followed suit, identifying the volcano as the greatest risk. Yet soon after the project kicked off, M-23 militia threatened to enter the city, halting the project. M-23 militia activities were unrelated to the volcano, but ultimately were most disruptive to the project. |

Why are dynamic risks difficult to manage?

Fundamentally, dynamic risks are difficult to manage because by definition, they are not our focus. They come on the heels of another risk – when we are in a weakened state.

Boxers know this well. An effective left jab (“Risk A”) never ends a fight, but a left jab-right hook (the jab being the enablement of the hook, “Risk B”) keeps an opponent on defense and can surprise the opponent with a knockout.

The response to dynamic risks is further confounded because: 

  • The response to Risk B is often not the same as the response to Risk A.
  • The people and functional team responsible for Risk B are often the same as those responsible for Risk A. This response team can be consumed with Risk A while Risk B is the most impactful.
  • Our “eyes and ears” are focused on the immediate; our conversations and signals are focused on Risk A, and our response can be focused on Risk A.

Got it. I’m convinced dynamic risks are real. What should I do about it?

We recommend that BC, Security, TRM and other risk leaders consider dynamic risk in building and assessing their people, processes and platforms.

Your People

Risk leaders can use the following dimensions to assess and build people and teams using a lens of dynamic risk.

The assessment questions below are not meant to be exhaustive, but are a helpful starting point for internal assessment.

 

Table 3. Assessment of People

| Dimension | Example Assessment Question |
| --- | --- |
| Skill | Planning—Do the individuals on my teams have the skills to analyze the variety of recent risks through a lens of dynamic risk? For example, some organizations rely primarily on Access Control/camera monitoring centers as a way to receive information. Are there simple tasks that could be expected of this team that could expand into signals related to dynamic risks? (The answer will vary, depending on the organization.) |
| Time (Bandwidth) | During an active response, does my organization have the bandwidth to look “up and out” to understand whether the risk I’m dealing with might be evolving into a new risk? |
| Communication | Every organization has various means of receiving information about the outside world. In a sense these means are sensors—from front door/lobby reception, to sales teams on the road, to global security operations center analysts and beyond. Given that, do these sensors understand which types of new information would be helpful to risk teams? Is the culture open enough to allow this information to flow? |
| Burnout/Risk Cycles | How is my team doing? In the previous example related to Ida, the quote ended with, “…and we are frankly, exhausted.” Dynamic risk increases the risk of burnout for all first responders, including those on corporate risk and security teams. |

 

Your Processes

Similarly, risk leaders can use the following dimensions to assess and build on their existing frameworks.  We describe implications, followed by a specific response framework.

Doctrinal Framework

 

Table 4. Assessment of Frameworks

| Role | Typical Framework | Implications for Dynamic Risks |
| --- | --- | --- |
| BC | Tactical-Operational-Strategic | Scenario planning and war-gaming can include dynamic risks (the scenario has changed). Feedback cycles and After Action Reports (AARs) ask: “Were these risks dynamic? What can we learn from our experience?” |
| ERM | New Framework for ERM | |
| Physical Security | ESRM | |
| Travel Risk Management | TRM ISO 31030:2021 | |
| Incident Command | ICS NIMS | |

Response Framework Example

A typical response framework may look like the one below. These response frameworks take large response plans and break them down into “bite-size” chunks, with a few key tasks for each phase.

A response leader using a dynamic risk lens would then analyze the response framework to ensure the following:

 

Table 5. Implications for the Response Framework

Typical Response Framework

  1. Monitoring
  2. Activation of the Crisis Management Team (CMT)
  3. Preparation
  4. Active Phase
  5. Recovery
  6. Restoration
  7. Corrective Action

Dynamic Risk Implications

  • The monitoring phase is “always on” and staffed.
  • During the Activation phase, the CMT is aware of how similar risks have changed dynamically for their organization or similar organizations (i.e., storms → floods; protests → riots; etc.).
  • During the Preparation phase, updated information requirements are made known to the Monitoring team. (In the Ida example, “Hey, we’re going to be focused on the Gulf Coast. Hurricanes can take unexpected paths. I need you to ensure you continue to track this hurricane. Let me know as soon as you see signals of flooding risks near our other facilities.”)
  • During the corrective action phase, real data about recent events is updated in the team’s library of scenario plans. For example, BC and Security war-gaming scenarios should not be surprised that power outages follow tornadoes, or that looting in some areas tends to follow protests.

Your Platforms

Technology can certainly help. Platform selection and configuration should prioritize speed of changing information, relevance of information and usability.

  • A risk intelligence platform with internal assets (employee homes or clusters, facilities, offices) and external assets (key supply chain hubs, airports, ports, customers)
  • Real-time risk intelligence
  • Highly granular risk intelligence, with coverage in the areas where your teams live and work and travel
  • Highly granular filters—What may be noise to one organization may be a critical event to a second organization.
  • Highly customizable information routing—What may be noise to one function may be crucial to another (e.g., a port disruption is not relevant for a travel manager, but may be crucial to a supply chain manager).

To learn more about dynamic risk, watch the on-demand webinar featuring the author in an interactive Q&A with Matt Bradley, OnSolve VP of Global Security Solutions.

[1] The ANSI/ASIS ORM.1-2017 standard can be found here. The particular dynamic reference can be found here.

Chris Hurst is the VP of Global Technology Solutions at OnSolve, focusing on Critical Event Management. Prior to his current role, Chris co-founded a Risk Intelligence Company using Machine Learning to detect risks to operations and people with greater speed and relevance. Chris is a former Director of Enterprise Risk Management with Mercy Corps, a former Army Diver, and a former Project Manager for large infrastructure projects with extensive experience in Iraq and Afghanistan. Chris holds a B.S. in Civil Engineering from West Point, an MBA from Harvard, and an MPA/ID from Harvard Kennedy School of Government. Chris is passionate about the intersection of data science and risk management in the context of complex operations.