Organisational resilience and emergency planning

Lina Kolesnikova, security and crisis management expert discusses emergency planning and how organisations can prepare for the unexpected

Modern systems (in a broad sense of the word ‘system’) and their complexity provoke a huge number of systemic risks. Interdependencies between systems and their components have become so complex that disruption of one of the elements in the chain of businesses and services might easily create cascading effects. This consideration goes beyond pure theoretical, as we witness problems across multiple countries and industries.

The assumption in modern society that complex systems will work reliably and smoothly at any time was challenged in 2020 by the Covid pandemic with its disruption of established supply chains. Some organisations were challenged by sky-rocketing demands for their products and services, however others found themselves facing a threat to their survival or were simply ruined within months of lockdown. Many organisations and even entire industries continue to suffer from the consequences of Covid disruption even now, in 2022. This includes transportation, tourism, travel, events, and entertainment (including supporting services like security staffing at large venues), etc.

Transboundary nature of modern crises
Complexity and interdependencies bring about significant changes to the way we experience crises. We see that more and more crises have become creeping. Slow-moving for significant periods of time (prior to bursting out in the open), problems develop hiddenly within components of one system prior to exploding as a full-blown crisis in another, often seemingly unrelated, system.

Due to interconnections and interdependencies, crises are more and more transboundary in their nature. They have also now become higher scale, spanning across multiple organisations, industries, countries, and, even, in their worst case, continents.

“Mycelium” problems
Decision-makers are confronted with an acceleration of high impact events and exponential growth of public data in a physical and digital world. But complexity and interdependencies don’t play on their own. Geopolitics plays an important role, many previous agreements, rules, and practices are abandoned. As a proper analysis of the decisions by politicians making them is more and more unfeasible, and is coupled with limited available expert capacity and shrinking timeframes, we observe impacts every day and we gradually discover problems arising from these impacts.

“Silently” developing hidden “mycelium”-like problems make it difficult to identify and to assess them correctly, to analyse and to plan for a response to the needed extent. Consequently, the response most often comes late and usually does not address the cause of the crisis until rather late.

Identification and other difficulties are further exacerbated by the twilight zone between crisis and risk management. For as long as the “mycelium” problems are not identified and not assessed in the sense of possible consequences they may lead to, they might be perceived as not-yet-realising threats and therefore, stay in the scope of risk management, rather than the crisis management. However, if and when there are some, but only first and low-scale signs of problems, they arrive to the twilight zone – they are no longer risks, per se, but they are not yet a crisis.

What do organisations need in tough times?
To cope with the challenges outlined above, there are two main attributes which the organisations should achieve. On the one side, while maintaining their efficiency overall, they should be preparing for the unexpected, on the key assumption that “things will happen” and without knowing or preparing precisely for one or many specific types of crises. Resilience is the key here.

On another note, organisations should be able to quickly identify problems popping up here or there (like “mushrooms”), while performing a quick assessment and, as feasible, analysis in an attempt to catch the extent and the characteristics of a likely underground “mycelium” where problems are brewing prior to becoming apparent on the surface at “random” places. Quick changes and unpredictability are a reality in organisations and organisations do not have the possibility to control all the factors that affect their functioning. The readiness (ability) of the organisation to manage in a crisis must develop within the unique context of the organisation. Situational awareness plays a key role here, being responsible for promptly identifying events and highlighting those which might be problems, as well as connecting dots – events, identified problems and factors of their own organisational functioning so that the planners and decision makers are able to grasp the concerns within their (problems’) real context and degree of potential influence through interdependencies.

Resilience and situational awareness
Resilience is the ability of a system to perform functions with respect to adverse events such as: planning and preparation, absorption, recovery and adaptation (OECD).

Resilience is concerned with how a system behaves after the event occurring or in other words it is “threat agnostic” (OECD), not identifying exact threats but assuming that, at some stage, threats of various kinds will materialise and could disrupt the system.

Resilience is very much about sustainability of ecosystems or organisation(s), including under duress. Meanwhile, the important characteristic of resilience is that there should be anticipative actions that were taken while keeping in mind possible adverse events without them yet happening. So, anticipation is a very important part of the resilience-focused approach of organisations’ development. It all starts with “threats”. According to the Cambridge Dictionary, “threat is a suggestion that something unpleasant or violent might happen”. For better anticipation, we need to identify the main categories of threats, list them, and map the threats to the organisation’s abilities and dependencies, monitor threats and provide a real-time alert system in case they come to fruition.

Information is a key asset to management in a crisis. Effective information management is critical. If horizon scanning and internal vulnerability analysis are effective, it will be possible to detect early and subtle signs of impending or potential crises that might otherwise be missed or lost in the general “noise” of normal business fluctuations. Whether the signs were detected in time or not, the information must still be presented in a form that reflects its significance to the organisation and so that it can be used as a consistent base for decision making. This is called creating situational awareness (SA).

Situational awareness means more than knowing what is happening; it means the ability to model the consequences of what happens (or does not happen) and predict current and further events to determine what might be happening next. In the context of an organisation, this is the need to collect the detailed contributions of each department to an overall balanced score.

Situational awareness is “knowing what is going on around you” and, subsequently, being able to act faster and more appropriately within the actual context of the organisation and the identified event. SA is about knowing what was going on in the past, is going on in the present and could be happening in the future, especially suggesting possible consequences of individual and cascading events. Situational awareness is a mindset, beyond a mere set of systems, data, and information flows.

Situational awareness is a central concept for complex systems, ecosystems, and digital infrastructures, especially, when humans are in the loop. Therefore, it is important to plant situational awareness needs into the development of complex systems, to understand what it is, what dimensions it has, and how to manage those insights through the development. However, as resources are always limited, there is a dilemma and the hard choice of prioritisation - is it more vital to see and to react to what is more likely or what is more dangerous? Mitigation processes may work at reducing the likelihood of an event, while faster alerting, on the other hand works to counter the impact.

In the organisational environment, it means knowing and accounting for multiple domains such as social, physical, cyber and cognitive. Situation awareness therefore is an important element in supporting the decision-making process, which often can make a difference between a response being a success or a failure.

Situational awareness is needed by the individual along or as a member of a team in order to perform the needed tasks. The individual needs to have an adequate level of awareness of the processes and information requirements and after these, the needed level of awareness of the devises. The degree of thoroughness is paramount. It emphasises that creating situational awareness is a deliberate, active, and disciplined process that requires practice. To benefit from “quality” situational awareness, it is necessary to actively search for information and monitor channels, encourage cross-function communication, and ensure information management and record keeping so that the situation awareness has sufficient “food” to process.

The use of tools helps people achieving efficiency. It is useful to consciously apply and encourage specific tools for creating situational awareness, rather than leaving it to a chance or individual characteristics of involved people. Tools assist people working under pressure in extreme environments with a basic structure that prevents information overload, scope creep and unattended gaps, and helps create team coherence and unity.

If reasonably achieved, this allows decision makers to rely on the knowledge and to use coherent discipline in interpreting the information they must use to support and base their decisions upon.

Situational awareness contributes further to the anticipative actions and preparation (where resilience largely belongs). The latter makes a clear focus on assessing and preparing internal resources, as well as establishing links and possible paths to get access to resources which might be available outside of the organisation. This is furthered by setting the information exchange on threats and alerts across certain types of organisations, industries and/or geographical areas. Such exchange provides for two main benefits – improved threat identification and monitoring, and ability to better and more timely prepare and invoke necessary mitigation, deterrence, and response actions.

Modern organisations need to know how to build up the resilience and the situational awareness that is necessary, sufficient, effective and, ideally, efficient in meeting varying physical, economic, social, and environmental challenges. With limited resources, it is a continuous challenge. To deal with it, is a requirement for any organisation in the modern interconnected world, if the organisation wants to be able to recover and to adapt to the New Normal.

There are a lot of discussions on which way is more effective – threat-based thinking or capability-based thinking. Well, it can’t be just one. If not threat-based, it should at least be threat-informed and may employ threat-based planning as well (you can’t plan for everything, but you can prioritise your efforts and resources) and fungibility of skills. If you lean to “most dangerous” items, that will, in most cases, give you a view on potentially more appropriate capabilities, the training reach and the chance for general performance.