Just-in-Time or, Just-in-Case?

Coronavirus, Brexit, cybercrime, extreme weather, container ships stuck in the Suez Canal, each one a disruptive incident impacting on transport operations and supply chain logistics. Recent surveys have placed Business Continuity as a top priority for logistics managers. There are also indications that there is beginning to be a move away from “just-in-time” logistics to “just-in-case” requiring greater stockpiling and alternate supply lines. Government may also soon be pushing businesses to demonstrate greater resilience as the latest UK Government “Integrated Review of Security, Defence and Foreign Policy”, requires a “new approach to national resilience” which includes improving UK business resilience.

My experience of last year, as a Crisis & Emergency Response consultant, specialising in Organisational Resilience, was that some organisations who had already committed to business continuity coped well, but that many organisations’ resilience was dependent upon those particular managers who just happened to be good at crisis management, using the same business procedures as usual, but having to pack in more work over much longer hours.

Looking to the future will organisations be saying, “glad we got through that, let’s get back to normal trading again” or, “could we have handled that better and are there lessons to be learned to benefit future trading?”

How efficient are companies’ resilience arrangements?

Many companies have all or some of the basic elements of a resilient organisation, but they are not always connected and/or operating efficiently. They often exist as separate processes for Business Risk, Business Continuity, routine Health & Safety Incident Management, Emergency Planning, Crisis Communications, IT Disaster Recovery, Security and Cyber Security. If some, or all of these processes do not have the full support of the organisation’s leaders, what may have begun as good practice backed with the best of intentions can soon become disconnected, seen as the responsibility of a particular department or person rather than the whole organisation and, in the worst case, plans and processes become difficult to maintain, paperwork intensive and can just be seen as a form-filling exercise by staff, with the plans languishing on a shelf, or in a forgotten file. This situation was highlighted by a survey last year conducted by the Business Continuity Institute after the initial response to Coronavirus, which found that many organisations thought that their existing plans were: “too complicated, too specific to threats and individual departments, not widely understood and unable to adapt, and consequently often ignored by operations managers and senior management as they dealt with the initial impact of Coronavirus.”

Can we do resilience better?

ISO 9001 Quality Management, ISO 31000 Risk Management, ISO22301 Business Continuity Management and ISO 27001 Information Security Management, are some of the internationally recognised standards providing widely accepted good practice, but full compliance is not always suitable for every organisation, but it is still possible to achieve a high level of organisational resilience by aligning with these standards with simpler processes.

We advise organisations to follow three steps to resilience with the aim of ensuring senior managers across an organisation know:

• the service they are required to deliver
• the risk to their organisation if their service is disrupted (understanding the interdependencies with other services)
• the disruptive risks to their service
• the controls required to mitigate the risk of disruption to their service, and
• the response to a disruptive incident.

The three steps to resilience are:

Step 1: LEADERSHIP – Strategic Commitment

• Make “Organisational Resilience” a Strategic Objective. This will commit the organisation to be  If this is not done, resilience activity like response training will always take second place to other, named strategic priorities
• Senior management must support, and enforce where necessary, any changes to plans and processes that are required to improve resilience.
• Consider crisis management as personal development for managers. It requires the management skills of analysing lots of (often conflicting) information, prioritising and acting under pressure, quickly and repetitively over a sustained period of time.

Step 2: EMBEDDING RESILIENCE – Risk identification & control

• An organisation’s Board or Risk Committee should Identify disruption as a risk and Business Continuity as a risk
• Manage all Risk Controls and Business Continuity together to reduce duplication of effort and ensure all aspects of resilience receive the same attention as Business Risk. Business Risk is often dealt with at a higher level than other resilience subjects because it is financeled, a regulatory requirement for most businesses, and the Managing Director/Chief Executive, and other senior managers, tend to all sit on an organisation’s Risk Committee.

Step 3: IMPLEMENTATION – Incident/Emergency Management

• Common Process
  Identify a common process for emergency response/crisis management for any type of incident.  Despite there being an infinite number of risks and emergency types that could affect a business, they basically have the same consequences which are the need to assemble a senior management team to manage the incident, the impact on business reputation, the requirement to care for people and the financial cost to the company in lost business, and from responding to and recovering from the incident.
• Thresholds and Consequences
  Producing a common process requires you to plan for the generic consequences of an emergency, not every possible emergency scenario.  Identifying common consequences will show that Emergency Management can be activated for Business Continuity, IT Disaster Recovery and Security situations.  The point at which an organisation moves from dealing with a disruptive incident as a routine operating procedure to identifying the requirement for Emergency Management can be defined as quantified alerting points, e.g.
  • Service unable to operate for x hours
  • Damaging weather in x hours
  • x data lost
  • x number of fatalities
  • £ x worth of damage
  • x staff off sick
• Over-Respond
  When using the alerting points, respond on the basis that, “too much, too soon is better than too little, too late.” At worst if you activate and realise you could have responded using routine operating procedures, you have gained a fantastic training opportunity and the more the use of Emergency Management is seen as a routine within an organisation, the wider the understanding of how different emergencies can affect an organisation’s operations, the more people a company will have trained, and experienced Emergency.  Management, and therefore more resilient, and arguably more efficient, a company will be

What can possibly go wrong?

Most failures in making an organisation more resilient, relate to the following lessons observed in many organisations, over many years:

• Lesson 1: Leadership
  Building resilience generally requires an element of change.  Reluctance to support change is generally the biggest barrier to improving resilience.  Without leadership from the very top of an organisation, resilience is difficult to implement.
• Lesson 2: Partnerships
  Building resilience and responding to crises relies on partnerships, whether it is between 3 people in a departmental team, 3 departments, or 3 organisations.  Good partnerships provide the best achievable resilience and the most efficient responses.
• Lesson 3: Team Training
  The best response plans in the world won’t work properly if you don’t train with them.
• Lesson 4: Personal Development
  The more an organisation relies on “those that can”, the less likely they are to use standardised procedures and train, therefore the more reliant they become on “those that can”, the less resilient they are.

Looking Forward

All organisations will have learned lessons about the state of their resilience during the past year.  In our increasingly interconnected world, the potential for disruptive incidents is increasing.  Coronavirus has given all organisations the opportunity to ask themselves, “are we as resilient as we could be?” What’s your organisation’s answer?