Guest author Regina Phelps, Founder and President of Emergency Management & Safety Solutions, Inc., shares her expert thoughts on organizations’ increased tolerance for risk and how to address it.

When I began my career in the early 80s in California, the primary mode of action in our field was reactive. We focused on disaster recovery and emergency response after an event had occurred. Crisis management and business continuity didn’t exist, and “resilience” wasn’t even something people talked about.

There were two key events that were pivotal in my transition from reactivity to proactivity.

First, when the 1984 earthquake hit Coalinga, California, the goal was purely emergency response. It became clear there was no plan or strategy for managing business disruption.

Then came the Whittier earthquake in 1987, and the conversation centered on technology recovery. Again, there weren’t established processes for managing a comprehensive response (what we now call crisis management) or how to maintain business continuity.

For me, this was a major disconnect. And so began my evolution toward business continuity and, eventually, crisis management as a whole.

Why Are We Doing This?

I work with clients in all industries who seek our services for all reasons, both proactive and reactive. Before we even begin, I ask them a deceptively simple question: Why are we doing this?

This may seem to be a silly little question, but it gets at the core of why they’ve decided to take action. Often there’s a catalyst related to something happening in the world.

For example, lately we’ve seen a rise in cybercrime and ransomware, so we might help a client develop a tabletop exercise to prepare for a digital attack. Concerns about the supply chain are huge now; we’ll work together on a plan to manage the disruption this can cause.

Awareness of current issues circulates through peer-to-peer conversations. An executive might hear about an event affecting a similar organization and realize they need to be better prepared should something happen to their own business.

On a basic level, my clients come to us either because they’ve heard about some potential threat and want to be proactive, or they’ve already experienced a crisis and need to update their response.

Shifting Baselines

The biggest trend I’ve seen develop over the course of my career is so insidious, most businesses haven’t even realized it’s happening.

After 9/11, there was what I would call a “hangover” in our country for about a year. People spent a lot of time reeling, having discussions about how to recover a business and how to manage a crisis.

With every major event since, that “hangover period” has gotten shorter and shorter. We stopped talking about Hurricane Katrina after six months, and the conversations around Hurricane Sandy only lasted two. In my experience, any major crisis since 2010 has been “over” in 30 days or less – if we even devote any time to it at all.

We’ve become desensitized to risk and disaster. When this happens, there’s a fundamental shift in our response (or lack thereof). This is a classic example of shifting baselines, and it’s a critical concept to understanding organizational risk tolerance.

The term originated in the field of environmental science. Shifting baseline syndrome occurs when each new generation perceives the environmental conditions in which they grew up as “normal.” As the environment slowly declines, so do people’s standards for acceptable conditions because it’s what they’ve come to expect.

This also applies to our perception of risk. We get used to bad things happening, so we become more and more tolerant of them. This leads to a very slippery slope in crisis management.

Executive Risk Tolerance

When I get together with my clients, I work to understand their current level of risk tolerance – how much risk they’re willing to assume when it comes to their daily operations and business practices.

In the many years I’ve been in practice, I’ve seen organizations’ risk tolerance grow beyond measure. What they accept now versus what they previously accepted has changed markedly, especially in the last 10 years.

Active shootings are a particularly unfortunate example of this. Today, the number of casualties required to make the headline news is far greater than a decade ago. And once it’s made the front page, it disappears just as quickly. It’s become a part of our daily life.

Many business leaders have developed justifications around these elevated levels of risk. “It’s just the cost of doing business,” they think to themselves. “We survived X and Y. We’ll make it through Z.” Another classic: “It’s unlikely to happen on my watch.”

This has huge industry impacts because it means more organizations are becoming numb to risk and, therefore, are willing to tolerate more risk as a baseline.

In my work, CEOs and other leaders all admit the things I point out are important, but then come up with excuses for not implementing crisis management practices. They may say they can’t justify the finances, or they may simply be risk-avoidant – or worse, risk-tolerant.

It’s especially difficult to get businesses that have already survived a crisis to focus on proactive measures, because, in their minds, they’ve already shown they can make it through. Every time an organization survives an event, leadership’s tolerance for risk increases, especially if they were lucky and got out relatively unscathed.

The numbers reflect this baseline shift in risk tolerance. Over half – 57 percent – of executives reported their organizations are not proactively mitigating risk, according to a commissioned study conducted by Forrester Consulting on behalf of OnSolve. Furthermore, only 36 percent said becoming more proactive is a key goal for their organization today. This blasé approach to risk management will only lead to increased risk tolerance and more serious consequences to downplaying the importance of crisis management.

This raises a fundamental question: How can we push back against shifting baselines and desensitization to get people to act?

The answer usually comes down to what I call the four “E”s: Education, Experience, Emotion and Exercises. Next week, in Part 2 of this blog, I’ll do a deep dive into the four “E”s, and how we can leverage each to decrease the creep in risk tolerance and replace it with preparedness.

For more insights on crisis management, read the blog 4 Steps to Maximize the Golden Hour with Risk Intelligence.