When examining the resilience of private sector organisations, many of which help to prop up the UK Critical National Infrastructure (CNI), it is important to consider how good they are at dealing with crises. It is vital that the government and private sector begin looking at the picture of UK resilience as a whole, rather than the individual pieces that make up the resilience jigsaw.
The British Standards Institute will soon publish specific guidance on crisis management (BSI PAS 200) once an external review panel has commented on the first draft. Thereafter, it could become a formal standard. The government is sponsoring the entire project as it knows only too well how easy it is to make a mess of opportunities when a crisis calls, notwithstanding the excellent work of the Civil Contingencies Secretariat. The new guidance will help to define emergencies, incidents and crises, although that is easier said than done – even within government.
However, crisis management for the Ministry of Defence, for example, is very different than that of the Department of Rural Affairs. In the private sector, the interpretations can be even more varied. Curiously, none of this is helped by the otherwise successful BSI standard on business continuity (BS 25999) which refers to ‘incident’ rather than ‘crisis’ management. During the planning stage of BS 25999, it was felt that the expression ‘incident’ would be more acceptable to customers than hearing their suppliers were having a ‘crisis’. When reputation is everything, what you say is almost as important as how you look.
One of the most obvious sensations experienced when a crisis suddenly arrives is acute unease. In his excellent book, Preventing Chaos in a Crisis, Patrick Lagadec summarises this as ‘un-ness: unexpected, unprecedented and almost unimaginable’, to which all too frequently might be added untrained, unnecessary and unprepared. However, it would be quite wrong to assume almost all private sector organisations cannot cope when a catastrophe appears. They are frequently more rapid and responsive than many in the public sector (there is nothing like fear and profit margins to inspire action). So the idea of the military always showing the way is no longer as valid as it once was.
The really good organisations monitor and respond to rumours and social networks, and ideally see a crisis as an abrupt audit of their executive and operational competence. For the bad ones, crisis is an immediate disaster as all efforts were probably focused on the bottom line rather than the back door. In the twelve months ending in the second quarter of 2009, approximately one in 120 active companies (or 0.8 per cent) went into liquidation owing to some sort of crisis. Despite good examples of crisis management (for instance, Sir Michael Bishop and the Kegworth air crash 1989, and Nokia’s supply chain failure in 2000) if this rate of failure due to crisis continues, it is inevitable that some of the suppliers who underpin the CNI could cause a problem greater than many realise. This is especially the case when some vital organisations do not have a UK head office, and are therefore not as influenced by UK guidance.
But just listing a series of considerations can ignore a vital point: perception is crucial. This is where the media steps in to become one’s best friend or worst enemy — which often depends on the attitude towards the media taken by the organisation under the spotlight. These days, this very much includes social networks that far outstrip viewing figures for all the TV news stations in the world combined. Twitter is reported to have a monthly growth rate of 1,350 per cent. It is pointless babble to some, but undeniably a key source of decision-forming information to millions.
There are many lessons to learn from global companies who might react superbly in one crisis, but then commercial reality and variations in risk management combine to change things. This is often compounded by the ingredients of business resilience featuring as discrete operations, rather than combined at the forefront of activity. Take, for example, what happened to Nokia in 2000. In March that year, lightning caused a fire in a semi-conductor plant owned by Phillips Electronics in New Mexico, resulting in thousands of silicon chips being destroyed or contaminated by smoke. Two of the factory’s main customers were Nokia and Ericsson, who accounted for 40 per cent of its sales. Almost immediately, Nokia supply chain managers detected a problem, despite Phillips downplaying their own crisis.
Nokia risk managers had already considered the possible threats created by having such a stretched supply chain; so when they perceived a serious disruption, they immediately triggered prompt crisis management actions and moved swiftly to tie up spare capacity at other Philips plants, and every other supplier they could find. They even re-engineered some of their phones so they could take chips from other Japanese and American suppliers, and meanwhile sent some of their own people to help repair the Philips plant.
Ericsson, meanwhile, had accepted early assurances that the fire was not a big problem, and settled down to wait it out. When at last they realised their mistake, it was too late. Thanks to highly effective crisis management skills by Nokia, they now had to face the bitter realisation that it had no other source of supply: Nokia had already taken it all and prospered while Ericsson had to merge with Sony just to survive.
In another case study, a major mobile communications company recently became embroiled in a crisis that has nothing to do with supplies. It does, however, highlight the importance of perception, and a crisis management team desperately trying to recover that most vital ingredient in commercial life: reputation.
Not long ago, the company supplied Iran with technology that could conceivably be adapted and used to manage, intercept, and interpret digital traffic. After the recent disputed elections and savage suppression of those challenging its validity, the Iranian government allegedly used the technology it had been sold to identify citizens daring to challenge Mahmoud Ahmadinejad.
The result was a significant backlash against the technology supplier from countries across the globe. Several social media services, such as Twitter, now provide an instant platform for waves of comments against such firms from the very people who had previously bought their products and services. The commercial consequences were, and continue to be significant, with many consumers cancelling services and switching to alternative devices.
This shows the need for crisis management to (a) be much better integrated with risk management and (b) expand a long way beyond the limitations of just being part of business continuity or reacting to security breaches.
Back to Basics
Across the globe, supply routes for critical services have become ever more stretched, fragile and vulnerable. Large-scale emergencies hitting one country’s crucial national infrastructure are likely to span regions, countries and even continents. We must therefore look more closely at a common language of crisis definitions – shared risk management in the broadest context – and focus on continuing critical services and activities during the acute phase of any crisis linked to disaster recovery (once the fires are eventually put out). In other words, we need a much greater appreciation of what crisis management actually is – without semantic distortions. Two recent reports, amongst many, point to how vulnerable we now are, and how important increased resilience, which very much includes crisis management, has become.
The Demos report ‘Resilient Nation’ asserts that we now live in a ‘brittle society’. Over 80 per cent of us live in urban areas and rely on ‘dense networks of public and private sector organisations to provide us with essential services. But our everyday lives and the national infrastructure work in a fragile union, vulnerable to even the smallest disturbances in the network. And both are part of a global ecosystem that is damaged and unpredictable.’
The Institute for Public Policy Research report ‘Shared Responsibilities’ in part concentrates on the concept of resilience, which has three distinctions or generations. The first is the ability of our systems to absorb shocks and then bounce back into operation again. The second generation recognises much stronger social and psychological dimensions. The third generation, which is based on a biological analogy, involves anticipating trouble and adapting to circumstances, but at the same time asserts that some of our systems are actually better off not bouncing back into exactly the same shape as before the disruption occurred. For example: not rebuilding power stations where they might have been on existing flood plains.
This last point might appear obvious, but too many business continuity plans for private and public sector organisations are still based on reverting to the status quo, rather than bettering their practice. This does not mesh with threat predictability, risk mitigation or especially crisis management, where jumping from slow to quick-time actions, making rapid assessments and delivering bold decisions can shape organisational destiny. So where does this leave us?
With a global flu pandemic possibly reappearing in a few months (having run its first wave), companies collapsing at an alarming rate, and a growing public scepticism of government competence, it really is time to take a much closer look at crisis management. The alarm has been ringing for decades, but for too many people, leaning on the snooze button has been the easiest response.
Our lives are now massively dependent on others, communication is seemingly instant and catastrophes no longer explained by divine intervention. The modern world is where the extraordinary has now become commonplace and the unexpected is now regularly anticipated. By failing to share ideas sufficiently between private and public, civil and military, regions and countries, too many organisations are effectively preparing to fail despite the warnings.
So moving from silo to synergy as part of a wider resilience picture, and promoting crisis management as a standard that can be predicated on continuing levels of corporate uncertainty and high levels of interoperability, has a good chance of success. While the obstacles in front of us can seem greater then ever, so are the opportunities.
 Patrick Lagadec, Preventing Chaos in Crisis: Strategies for Prevention, Control and Damage Limitation (London: McGraw-Hill, 1991).
 ippr Commission on National Security in the 21st Century, ‘Shared Responsibilities: A national security strategy for the UK’, 30 June 2009, www.ippr.org/publicationsandreports.