From alleged fraudulent activity at the c-suite of a leading café chain, through daily cyber security breaches to the ongoing and coruscating effects of uncertainty from Brexit – trade sector and mainstream media are replete with stories describing the loss of value to brands and the perils of a company finding itself being overtaken by events.
Rather than bending to accommodate temporary tempests and then rebounding to their original state (like the adaptive reed), organisations tend to be brittle and fall foul of squalls and storms – more like the mighty oak which creaks and groans and risks being uprooted or torn to destruction.
Whether the source is PR, GDPR, technical cyber, criminal or other, companies remain largely as susceptible to undiscovered and unexpected risks as ever before.
To some degree the problem has arisen from the false security of investment into, for example, ‘cyber security’, which becomes yet another functional silo disconnected from business continuity.
The business of risk assessment is a further challenge, as most organisational cultures do not reward the reporting of actual latent risks – or these are regarded (from undertaking totally subjective and unreliable activities such as ‘probability times impact’ analyses) as so unlikely that it is unnecessary to deal with, prepare for or counter them.
Things are bad enough for enterprises given that they have to anticipate and engage with known or knowable risks, especially when decision-making under pressure is not exactly a skill which is screened for on appointment (nor insisted on in professional development) for managers and leaders.
But the scene darkens even more in an era where there is, arguably, more uncertainty than ever. A mercurial, tempestuous US President; commercial competitors backed by adversarial nation states who stop at nothing to win deals and hoover up intellectual property; massively brittle global supply chains; climate change and, naturally, Brexit. To name but a few top-tier challenges.
Given the impossibility of predicting political, regulatory, competitor and other actions and reactions over the next few days let alone into the fabled long-term that organisations would much prefer – the spotlight should rightly turn on how businesses select and promote their people for the capacity to handle uncertainty, valorise their culture to adapt and deal with internal causes of risk and embed resilience into all aspects of the corporate body.
Having consulted widely at the national strategic levels of the UK government (from 10 Downing Street, the COBRA crisis management machinery and out to the Bank of England to give just three examples) as well as to the c-suite of substantial businesses, I have a distinctive perspective on the challenges.
Although one must be sympathetic to threats which genuinely emerge from a clear blue sky – many businesses continue to be plagued by risks which are absolutely soluble or, where they are less so, react to incidents in tone-deaf, glacially slow and massively ineffective (hence expensive) ways. And yet, there has never been so much investment in corporate risk management and resilience, security and crisis preparedness. Let alone social media and brand protection.
The problem is that the majority of these investments are probably wasted. By treating problems in siloed ways, following prescriptive cycles, standards and frameworks, drawing up plans and training reluctant personnel: organisations have managed to ossify their capabilities whilst simultaneously persuading everyone that all is well.
Which organisation of any size does not undertake exercises of their crisis or continuity plans? Probably very few. But to what degree are these exercises genuinely robust, stretching and aimed at producing insights which enable the organisation to learn about its limitations? For it is only by knowing the limitations that the level of capability can be truly known and then enhanced.
By developing exercises which are guaranteed to succeed as showcases that all of the wise investment made by seniors has resulted in genuine defence in depth against risks, the organisation is more exposed than ever. Its attack surface, to use jargon familiar to the cyber security world, is massive – especially because, when the caretakers of it have convinced themselves that everything is fine in a parallel universe, the actual attack surface is left largely unpatrolled.
From my work in government and outside where I led teams doing just this, I remain surprised that so few organisations of any scale commission scenario-planning and genuinely tough exercises of their crisis management and daily risk surveillance capabilities.
It is extraordinary that organisations which can have literally billions wiped from their market capitalisation or be reduced to drastic survival measures by the loss of millions do not have systems and processes (largely human, not technical) to search out the hidden disasters within that need to be identified and neutralised.
Whilst organisations may reward employees for finding some new way of making a production line more efficient or for signposting to the recruitment of an excellent new employee: little positive reinforcement of risk detection and reporting exists. There are few rewards for the bearer of bad news about poor customer service, the inadvertent disclosure of protected data or of some other painful liability.
In order for businesses to become more immune to threats to the corporate body, these external and internal attack surfaces need to be made much less amenable to pathogens and systemic disease. The corporate bloodstream should be replete with immune responses which act at speed and scale up to limit the amount of damage that an incident can inflict.
To make this reliable, the corporate body needs to exercise regularly and ensure that all immunisations are up to date: this makes the reaction to both unconventional and conventional risk swift. Further, individuals promoted to positions where decision-making is an art and science rather than merely a reflex should be selected and developed for their ability to be comfortable with and operate rationally in conditions of uncertainty, stress and highly dynamic situations.
In the context of Brexit, organisations should – arguably – have undertaken sensitivity analysis around three poles of a scenario plan: a desirable, acceptable and intolerable outcome. Decisions could then have been made which balance risk (and opportunity) – but all of this work has to be undertaken years ahead of the planned date for leaving the EU.
Instead, what businesses have done (as with smaller and sharper crises) is wait for certainty. By the time certainty arrives, of course, the freedom of manoeuvre of a business may be eroded to almost nothing and the cost of any action could be massively higher than having acted years before.
It’s not too late to learn and apply lessons – but this does require an appetite for changing corporate behaviour around decision-making, introspection and exploring plausible futures at a point in time where there is still something that can be done about fate.