six

Preparedness

Weather forecasters work hard to predict the possible path of an on-coming natural hurricane and to issue timely communications to the public and businesses that might be affected. But the fast-moving nature of hurricanes means that such warnings are only issued when the hurricane is already close at hand. The cone of uncertainty predicts the possible path of the storm center for three to five days ahead. A hurricane watch tells people that a hurricane is possible, with storm-force winds expected in the coming 48 hours, and a hurricane warning gives 36 hours’ notice. The short-term nature of these communications doesn’t give much time for people and businesses to prepare, and any serious preparation must be done in advance.

Fortunately, good guidance exists for individuals, families, and businesses, outlining the sorts of preparation that are needed if you’re located in an area where hurricanes are known to occur. But what about Risk Hurricanes? What advice is available to help us prepare in advance for the possibility of extreme risk exposure that leads to major business disruption? And what can we learn from natural hurricane preparation to improve and strengthen Risk Hurricane readiness?

In this chapter we introduce a new approach to vulnerability assessment, indicating where business leaders need to focus their short-term actions when preparing to face a Risk Hurricane. We also present proven frameworks for developing organizational resilience to provide longer-term protection against the effects of extreme risk exposure, and we explore how to use the novel concept of anti-fragility in practice.

PREPARING FOR A NATURAL HURRICANE

Given the frequency of hurricanes in certain areas of the world, most affected countries have developed comprehensive advice and guidance on how to prepare, both for members of the public and for businesses. Typical advice for individuals includes actions to be taken in advance of any hurricane warning to identify and reduce vulnerabilities, as well as things to do in the period immediately preceding the expected arrival of a hurricane, ensuring that the required resources are in place to support survival during the hurricane event. This usually includes the following areas:

• Strengthen home

• Check insurance

• Protect records

• Create emergency communications plan

• Assemble disaster supplies

• Prepare for evacuation

The advice to businesses facing an incoming natural hurricane is more structured, with a three-step approach to define a hurricane preparedness framework. Although this appears to be simple, it can require a significant degree of thought and work to do properly. The three steps are as follows:

1. Identify vulnerabilities. A business owner might seek specialist advice to help them with identifying vulnerabilities, or they may be able to draw on generic guidelines from industry or government bodies. A better approach might be for a business to develop a specific checklist of vulnerable elements that relates to their own organization and to maintain and update this in the light of experience.

2. Plan preparedness and mitigation actions. This also needs to be very specific, listing protective actions that can be taken in advance, as well as mitigating actions that will be implemented when a hurricane is underway. Depending on the size of the business, a leader may develop a simple action plan that lists who will do what, how, using which resources, and by when. Or it may be appropriate to produce a series of separate stand-alone documents, including a Business Continuity Plan, a communications plan, a disaster response plan, and so on.

3. Implement actions when required. This vital step requires the organization to take timely actions to complete protective measures as soon as practically possible, and certainly before the next hurricane season. Necessary resources should also be gathered in advance to enable mitigating measures to be implemented effectively and fast in the event of a hurricane approaching.

These three steps of Identify/Plan/Implement should be considered across five important aspects of the organization:

People. Consider impacts and implications for your people. This might include direct employees and their family members, as well as subcontractors and suppliers. Include both physical protection and emotional/psychological well-being at work, as well as considering their ability to travel to work or the possibility of functioning remotely.

Property (buildings). Review your buildings to identify weak spots that might suffer damage. Pay particular attention to roofs, windows, and doors. Identify any key access points that might become blocked or unavailable due to hurricane damage.

Property (grounds). Evaluate possible effects on your property, including trees, fences, landscaping, signage, phone masts, and so on.

Property (workspace). Review contents of the working areas, including offices, document stores, shopfloor, goods inward, storage areas, and production lines. Think about the possible effect of high winds or floods on furniture and fittings, filing cabinets, shelving, tools, machinery, and so on.

Practical support systems. Consider possible impacts on both utilities (electricity, gas, internet, water, sanitation, lights, heating, air-conditioning, fuel storage) and technological systems (computers, copiers, telephones, payroll, alarm systems, specialist equipment).

Having developed a hurricane readiness plan, the wise business leader will test it out before it is needed for real. This might involve a simple desk exercise, or computer-based simulations, or real-world practice drills. This allows fine-tuning of the plan before it is used in a real hurricane situation.

It’s also important to review the plan on a regular basis, perhaps annually, to ensure that the information is current, correct, and complete. Contact details in the communications plan may have changed, with different individuals or new telephone numbers and email addresses. It is quite likely that vulnerabilities might change with time or that new or different protective or mitigating actions might be required. It’s also possible that additional actions might be needed as a result of changes to identified vulnerabilities and planned responses.

Each of these steps has parallels for the business wishing to prepare in advance for the possible arrival of a Risk Hurricane.

PREPARING FOR A RISK HURRICANE

Unless your business is situated in a hurricane-prone location, you won’t need to follow the guidance outlined in the previous section, as this is only relevant to individuals and organizations who find themselves in an area where natural hurricanes occur. Fortunately, this isn’t most of us.

Unfortunately, things are very different when it comes to Risk Hurricanes. Every business is vulnerable to the possibility of extreme risk exposure that could lead to major disruption. For your business and mine, it’s a case of when not if. This means that we all need to consider how to prepare ourselves and our organization in advance, to give ourselves the best possible chance of surviving the next Risk Hurricane and being able to recover after it has passed.

The basic steps to take when preparing for a Risk Hurricane match those required for a natural hurricane, namely:

1. Identify vulnerabilities.

2. Plan preparedness and mitigation actions.

3. Implement actions in a timely manner.

Most of these elements are covered by business continuity planning (BCP), which is a well-established discipline. A full description of BCP is beyond the scope of this book, and detailed guidance is available elsewhere, notably from the Business Continuity Institute (Business Continuity Institute, 2013). However, it’s useful to be more specific about particular elements of Risk Hurricane preparedness, as discussed below.

IDENTIFY VULNERABILITIES

Each business is unique, and the areas that are most at risk of major disruption from a Risk Hurricane will differ from one organization to another. It may therefore seem impossible or unwise to attempt to give general advice on how to define particular areas of vulnerability that will be relevant to your organization. However, regardless of the specifics of your business, it’s helpful to use a structured framework when considering where you might be most exposed to high levels of risk. This will help to protect you against the effects of bias when considering where your organization might be most exposed to risk.

Beating Bias

It’s important when preparing for the extreme risk exposure of a Risk Hurricane that you maintain as wide a focus as possible. This means thinking outside the box, taking account of the areas of vulnerability that come immediately to mind, of course, but also being creative and looking proactively and intentionally in the places that you usually overlook. Churchill wrote, “It is a joke in Britain to say that the War Office is always preparing for the last war” (Churchill, 1948); we do tend to focus our protection efforts on the areas where we were most recently affected. But Taleb pointed out, “If humans fight the last war, nature fights the next one” (Taleb, 2012). It is the unexpected areas of vulnerability that will cause you the greatest trouble, when the extreme risk exposure of a Risk Hurricane strikes you in an area that you didn’t realize was weak and exposed.

All of us are subject to influences that tend to narrow our perspective (Hillson & Murray-Webster, 2007; Murray-Webster & Hillson, 2008), raising the danger that we miss a significant area of vulnerability. Many of these biases are subconscious, making them harder to spot and address, including the following:

Availability: more memorable or more recent events are treated as more significant (even if they’re not)

Representativeness: similarity to stereotypes seems like a reliable indicator of significance

Anchoring and adjustment: the initial estimate feels most likely, even if it has no objective basis in fact

Confirmation trap: seeking and weighting evidence that substantiates a prior conviction, and ignoring contrary data

Groupthink: the majority view (real or perceived) suppresses expression of alternatives

Hero worship: inappropriate weight is given to the view of an influential person

Cultural conformity: the perceived organizational ethos or cultural norms limit choices

Illusion of control: risk appears to be reduced by (real or perceived) ability to influence events

Lure of choice: the ability to exercise choice is perceived as reducing risk

Optimism bias: irrational view that things will go better than experience or data suggest

Precautionary principle: preference to take action “just in case”

In addition to these subconscious influences, we’re sometimes misled by rational factors that we think are more relevant than they really are, including:

Familiarity: previous experience should be a reliable indicator of how well we’ll be able to manage similar risks

Manageability: risks that we can influence feel less severe than those over which we have no control

Proximity: risks that are closer in time seem more important than those that are further off

Personal propinquity: risk exposure is proportional to the extent to which something matters to me or us

When you’re trying to identify areas of vulnerability for your business, you need to be aware of these influences and try to reduce their effect wherever you can. Each source of bias tends to narrow your focus, but you need to have as wide a preparedness perspective as possible. Being aware of the possibility of bias will help you to overcome its influence, through the exercise of emotional literacy and intentional choices. Another effective and proven way to counter the subjectivity that results from bias is to use a structured framework to guide your considerations, making it less likely that you’ll miss something important. Two possible structured approaches are recommended to help you beat the biases when seeking to identify areas of vulnerability: stress testing and sustainability analysis.

Stress Testing

One common approach for finding vulnerabilities is to stress test the strategic objectives and critical functions of the organization, taking each objective and function in turn, and exploring how susceptible it is to significant variation above or below the normal range of conditions. This approach begins with defining risk thresholds against each strategic objective or function that state the outer bounds of acceptable performance. Risk thresholds reflect your risk appetite, providing a measurable indication of “How much risk is too much risk” for each objective/function.

Once you’ve defined risk thresholds, there are two possible indications that an objective or critical function might be particularly vulnerable to the high levels of risk exposure associated with a Risk Hurricane:

• Pay attention to any areas where the gap between upper and lower risk thresholds is narrow. In these cases, there’s not much room for performance variation before a threshold is breached.

• Consider how close current performance is to the upper or lower risk threshold. Where you’re already running near the boundary, it might not take much to push you over the edge.

For each vulnerable strategic objective or critical function, identify drivers of performance, and assess how they might change if risk exposure were significantly higher or lower than it is currently. The aim is to understand where high levels of uncertainty could drive performance beyond the limits of your risk appetite for that objective/function. When you find a strategic objective or critical function that might be particularly vulnerable to the effect of uncertainty, you can focus your attention in these areas of the business.
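The screening described above can be run over a register of objectives. The following is an added example, not taken from the book: it flags a narrow threshold band, current performance close to a threshold, and a breach under a driver shock. The objectives, figures, driver sensitivities, and the two cut-offs are constructed assumptions, as is measuring the band and the headroom in units of each objective's normal variation.

```python
"""Added example: stress-test screening of objectives against risk thresholds.
All names, figures and cut-offs below are constructed assumptions."""
from dataclasses import dataclass, field

NARROW_BAND = 4.0  # assumed cut-off: band narrower than 4 typical swings
NEAR_EDGE = 1.0    # assumed cut-off: under 1 typical swing of headroom


@dataclass
class Objective:
    name: str
    lower: float          # lower risk threshold
    upper: float          # upper risk threshold
    current: float        # current performance
    typical_swing: float  # normal period-to-period variation, same units
    # driver name -> change in performance per +1% change in that driver
    sensitivity: dict = field(default_factory=dict)

    def __post_init__(self):
        if not self.lower < self.upper:
            raise ValueError(f"{self.name}: lower threshold must be below upper")
        if self.typical_swing <= 0:
            raise ValueError(f"{self.name}: typical_swing must be positive")


def stressed_value(obj, shock):
    """Linear projection of performance under a driver shock (% changes)."""
    return obj.current + sum(
        slope * shock.get(driver, 0.0) for driver, slope in obj.sensitivity.items()
    )


def screen(obj, shock):
    """Return the set of vulnerability flags raised for one objective."""
    flags = set()
    band = (obj.upper - obj.lower) / obj.typical_swing
    headroom = min(obj.upper - obj.current, obj.current - obj.lower) / obj.typical_swing
    if headroom < 0:
        flags.add("already-breached")      # performance is outside the band today
    elif headroom < NEAR_EDGE:
        flags.add("near-threshold")        # running close to a boundary
    if band < NARROW_BAND:
        flags.add("narrow-band")           # little room for variation
    projected = stressed_value(obj, shock)
    if projected < obj.lower:
        flags.add("stress-breach-lower")
    elif projected > obj.upper:
        flags.add("stress-breach-upper")
    return flags


def screen_all(objectives, shock):
    """Map objective name -> flags, most-flagged objectives first."""
    results = {o.name: screen(o, shock) for o in objectives}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


# Constructed sample register and shock scenario (driver changes in %).
OBJECTIVES = [
    Objective("On-time delivery %", 92, 100, 93.0, 1.5, {"supplier_lead_time": -0.3}),
    Objective("Operating margin %", 8, 20, 14.0, 1.0, {"input_cost": -0.2, "fx_rate": -0.05}),
    Objective("Staff turnover %", 2, 12, 11.2, 1.0, {"labour_market_tightness": 0.1}),
    Objective("Liquidity cover ratio", 1.1, 1.4, 1.25, 0.1, {"interest_rate": -0.01}),
]
SHOCK = {"supplier_lead_time": 20, "input_cost": 25,
         "labour_market_tightness": 15, "interest_rate": 10}

if __name__ == "__main__":
    for name, flags in screen_all(OBJECTIVES, SHOCK).items():
        print(f"{name:24} {', '.join(sorted(flags)) or 'no flags'}")
```

Running the same function over lower-level objectives gives the hierarchical view described in the next paragraph.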

This approach can be refined further by completing a similar assessment for lower-level objectives and functions, allowing a structured and hierarchical view of where vulnerability exists across the organization. If you’ve implemented enterprise risk management (ERM) in your business, this provides an ideal framework for multi-level stress testing, analyzing vulnerability across the various levels from strategic to tactical.

Sustainability Analysis

A more generic way of finding key vulnerabilities is based on the Five Capitals of Sustainability. These define five areas that contribute to the production of value by an organization and must be protected and managed sustainably. They were first expressed in 2007 by the Forum for the Future (n.d.), as follows:

1. Natural Capital. This represents the environmental and ecological resources that are needed to produce goods or deliver services. They include energy, water, fuels, raw materials, and other natural resources, as well as the ecosystems from which these are taken.

2. Human Capital. This is not just about individuals as productive working resources, but it also covers their energy, health and well-being, knowledge and skills, motivations, and emotions.

3. Social Capital. This describes the way that people interact in the various teams within organizations. It is also about how people relate through other networks, partnerships, and less formal groupings. In some industries, this can include relations with local communities or pressure groups.

4. Manufactured Capital. This covers material goods and infrastructure that are used by an organization to generate its products and services but are not part of the delivered output. It includes buildings, machines, tools, communications networks, IT systems, and so on.

5. Financial Capital. These are assets that exist in currency form, including cash, shares, bonds, and loans.

Each of these Five Capitals forms part of the value chain that an organization uses to generate its goods and services. The challenge for the leadership of each business is to make decisions that use these different types of capital in a way that is wise, efficient, effective, and sustainable. The Five Capitals of Sustainability can help you to identify and assess areas of organizational vulnerability because they describe elements that are required in order to create value, and any impact on one of the Five Capitals would affect the ability of your business to function well.

The process for exposing areas of vulnerability is different from that used for stress-testing strategic objectives, since it focuses instead on the resources required for the organization to function effectively and sustainably. The first step is to describe each of the Five Capitals in more detail, listing within each category the specifics that are needed by your organization. This can be done at different levels of detail, but usually you’ll start by seeking to understand your vulnerabilities at a high strategic level, allowing you to drill down into further detail for those areas that are found to be most exposed.

Next, you need to assess each of the contributing factors within the Five Capitals in two dimensions. The first considers how critical the specific resource is to the successful and sustainable functioning of your organization. Second, think about how available each resource is currently (or more properly, where there might be problems with lack of availability). The most vulnerable resources are those that are highly critical to the organization but have limited availability. Each level of criticality and availability must be defined unambiguously to avoid subjective disagreements over how to assess a particular resource, as illustrated in Table 6.1. Assessments of each resource can then be reflected using a two-dimensional “vulnerability assessment matrix,” which may incorporate a simple scoring scheme to calculate a “vulnerability index” for prioritization, such as the example shown in Figure 6.1. This example has four levels of criticality and four degrees of availability, but you may choose to use more or fewer levels.

Table 6.1: Example definitions of criticality and availability
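As an added illustration (not the book's own scheme), the two-dimensional assessment can be expressed as a small scoring routine with four levels on each axis. The level labels, the multiplicative vulnerability index, the tie-break rule, and the sample resources are all constructed assumptions.

```python
"""Added example: vulnerability assessment matrix over the Five Capitals.
Level labels, scores and the sample register are constructed assumptions."""
from collections import defaultdict

CAPITALS = ("Natural", "Human", "Social", "Manufactured", "Financial")
# Four levels on each axis, as in the chapter's example; labels/scores assumed.
CRITICALITY = {"low": 1, "moderate": 2, "high": 3, "essential": 4}
# Availability is scored by scarcity: the harder to obtain, the higher the score.
AVAILABILITY = {"abundant": 1, "adequate": 2, "constrained": 3, "scarce": 4}


def vulnerability_index(criticality, availability):
    """Assumed scheme: criticality score x scarcity score (range 1..16)."""
    try:
        return CRITICALITY[criticality] * AVAILABILITY[availability]
    except KeyError as exc:
        # Levels must be defined unambiguously, so unknown labels are rejected.
        raise ValueError(f"undefined level {exc.args[0]!r}") from None


def assess(register):
    """Score (capital, resource, criticality, availability) rows and rank them."""
    rows = []
    for capital, resource, crit, avail in register:
        if capital not in CAPITALS:
            raise ValueError(f"unknown capital {capital!r}")
        rows.append({"capital": capital, "resource": resource,
                     "criticality": crit, "availability": avail,
                     "index": vulnerability_index(crit, avail)})
    # Highest index first; ties go to the more critical resource (assumed rule).
    rows.sort(key=lambda r: (-r["index"], -CRITICALITY[r["criticality"]]))
    return rows


def matrix(rows):
    """Place resources in the grid: (criticality, availability) -> names."""
    grid = defaultdict(list)
    for r in rows:
        grid[(r["criticality"], r["availability"])].append(r["resource"])
    return dict(grid)


def worst_by_capital(rows):
    """Highest index under each capital, to choose where to drill down."""
    worst = {c: 0 for c in CAPITALS}
    for r in rows:
        worst[r["capital"]] = max(worst[r["capital"]], r["index"])
    return worst


# Constructed sample register at a high strategic level.
REGISTER = [
    ("Natural", "Process water supply", "high", "constrained"),
    ("Human", "Licensed control-room operators", "essential", "scarce"),
    ("Social", "Local community consent", "moderate", "adequate"),
    ("Manufactured", "Primary data centre", "essential", "adequate"),
    ("Manufactured", "Single-source machine spares", "high", "scarce"),
    ("Financial", "Revolving credit facility", "essential", "constrained"),
]

if __name__ == "__main__":
    for r in assess(REGISTER):
        print(f"{r['index']:>2}  {r['capital']:<12} {r['resource']}")
```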


PLAN PREPAREDNESS AND MITIGATION ACTIONS

When you understand which areas of your business are most vulnerable to the effects of a Risk Hurricane, it’s time to decide how to respond. Actions generally fall under three headings:

• Short-term preemptive preparation and protection

• Short-term reactive and recovery responses

• Longer-term structural changes


Figure 6.1: Example vulnerability assessment matrix

Preemptive and reactive elements usually form part of a typical Business Continuity Plan, although some aspects of recovery may be addressed separately in a disaster recovery plan. The key for both preemptive and reactive planning is to consider what options you have in order to address specific individual vulnerabilities you’ve identified, then choose which options to implement, then plan when and how to take action.

Generic structural changes involve considering what changes you might make to the structure and nature of your organization in order to improve your chances of surviving a Risk Hurricane and thriving afterward. This approach is more generic than what is usually covered by business continuity planning.

Short-Term Preemptive Actions

Preemptive preparation and protection responses correspond to the actions taken by individuals and businesses threatened by a natural hurricane, strengthening your home or business premises, and protecting or moving items that are particularly exposed. It also involves checking insurance, ensuring that vital records are protected, and creating an emergency communications plan that identifies who to contact.

For each key vulnerability that you’ve identified for your business, consider what you can do in advance to protect against breaching a risk threshold on a strategic objective or a critical function and to protect against losing availability of a required resource.

Where vulnerability arises from a narrow risk threshold, consider whether your risk appetite in this area is appropriate. You and your senior management colleagues may intentionally decide to accept more variation in a strategic objective or to widen the acceptable bounds of performance for a critical function in order to allow more room for maneuver if/when risk exposure increases.

In cases where significant vulnerability exists for a key resource, consider building in redundancy, duplication, or contingency, changing processes to introduce additional slack or remove bottlenecks, or training additional staff to avoid single-point responsibilities. For resources where availability may become limited, additional supplies might be obtained and stockpiled, or new suppliers and providers could be sought.

Short-Term Reactive and Recovery Responses

These are comparable to steps taken by individuals or business owners to assemble disaster supplies and prepare to evacuate. The goal is to have required resources in place before they are needed and to define in advance what will need to be done in the event of a hurricane. This avoids the “What shall we do?” panic, allowing necessary predefined actions to be implemented calmly and effectively.

The equivalent for your business when preparing for a Risk Hurricane is to pre-position any recovery assets that will be needed and clarify actions to be taken. You need to provide sufficient detail that the people responsible for taking action will know precisely what to do. When you’re in the midst of a Risk Hurricane, you don’t want to be making important decisions on how to react. Apart from the inevitable delay that this would introduce, the unusual circumstances of extreme risk exposure and major business disruption make it very hard to take good decisions.

Longer-Term Structural Changes

In addition to specific preemptive and reactive actions that you identify to address individual vulnerabilities, you need to prepare your organization to face types of risk exposure that you’ve never seen before. Planned short-term responses aim to protect and mitigate against specific foreseen areas of vulnerability that you’ve identified in your business. In the longer term, however, you need to be able to survive the unforeseeable, including emergent risks (International Risk Governance Council, 2010) and Black Swans (Taleb, 2007). Fortunately, there are two generic structural types of response that address risks that you haven’t yet seen coming: resilience and antifragility. Both of these approaches target the characteristics of your organization as a whole, aiming to identify areas that can be changed in advance of a Risk Hurricane in order to improve your chances of surviving and thriving afterward, no matter what the future throws at you.

Resilience

The subject of resilience is well established, with many resources available that provide guidance and advice. However, despite this widespread interest, there is still no accepted definition of the term. The United Nations Office for Disaster Risk Reduction (UNDRR) defines resilience as “the ability of a system, community or society exposed to hazards to resist, absorb, accommodate, adapt to, transform and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions through risk management” (UNDRR, n.d.). This definition has been applied in a variety of settings, from disaster risk reduction to society as a whole (House of Lords, 2021). When thinking about Risk Hurricanes, however, we’re interested in how resilience applies to organizations.

The international standard ISO 22316:2017 Security and resilience—Organizational resilience—Principles and attributes defines organizational resilience as the “ability of an organization to absorb and adapt in a changing environment” (International Organization for Standardization, 2017), and the American National Standard ASIS SPC.1-2009 Organizational Resilience says it is “the adaptive capacity of an organization in a complex and changing environment,” noting that “Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time” (ASIS International, 2009).

However, practitioners frequently adopt a narrower view. They either focus merely on being able to cope with stress and adversity, or they consider only negative aspects such as the ability to absorb change without fracturing or breaking. It is common to think of resilience as the ability to recover back to the original condition after a force has caused some deformation or distortion. Alternative terms include “elasticity,” “suppleness,” “flexibility,” or “bouncebackability.” While these meanings might be useful in physics, ecology, or psychology, a different sense is developing in the field of organizational management.

For example, the Institute of Risk Management (IRM) report Organisational Resilience: A Risk Manager’s Guide (2021) defines organizational resilience with two elements (Operational Resilience and Strategic Resilience), each with three sub-elements (see Figure 6.2). The activities commonly associated with resilience are grouped under Operational Resilience, focusing on processes that deliver protection and recovery. But the heading of Strategic Resilience covers other non-process aspects that are equally important.


Figure 6.2: IRM Organisational Resilience Framework
(Adapted from Institute of Risk Management, 2021. Used with permission.)


Figure 6.3: ICOR Organizational Resilience Model
(Copyright 2016. All rights reserved The International Consortium for Organizational Resilience.™ Used with permission.)

Similarly, The International Consortium for Organizational Resilience (ICOR, https://www.build-resilience.org/) has developed useful guidelines, including a number of resilience frameworks, certifications, and credentials. The ICOR approach to organizational resilience has three dimensions (Leadership & Strategy, Culture & Behaviors, and Preparedness & Managing Risk), each of which is subdivided into three strategies, supported by a set of 16 behaviors (see Figure 6.3). As with the IRM framework, process-based elements are included, but more emphasis is placed by the ICOR model on leadership and culture.

The IRM and ICOR models of organizational resilience both include other elements outside the traditional disciplines of risk management, business continuity, and disaster recovery. They both mention “softer” aspects, including culture, behavior, communication, leadership, and strategy. This reflects the distinction made above between actions to address specific vulnerabilities through preemptive protection and reactive recovery, and the more generic approaches that involve the whole organization. These two models suggest that it’s not enough to focus on what we can do through strong risk management and business continuity management. We also need to pay attention to who we are, expressed in our culture and behaviors.

The challenge of building a resilient culture with flexible supporting behaviors is not trivial. It is much easier to concentrate instead on process-based solutions. But these will only help us to address the immediate issues arising from a Risk Hurricane, using protection and recovery strategies. Wise leaders will spend time and effort in developing longer-term solutions that will make their organizations more resilient. The characteristics of such a resilient culture have been defined by the New Zealand–based Resilient Organisations research consortium (see https://www.resorgs.org.nz/), with a set of 13 indicators that can be measured to determine your degree of organizational resilience. These “resilience indicators” are shown in Figure 6.4, arranged under three headline attributes: Leadership & Culture, Networks & Relationships, and Change Ready.

The prominence of softer aspects of culture and behaviors in these three models makes it clear that actions aimed at increasing resilience must be planned and implemented as part of the strategic development of your organization. As such, they clearly address issues that are much wider than your preparedness for a Risk Hurricane.

Antifragility

The term “antifragility” was coined by Nassim Nicholas Taleb in his book Antifragile: Things That Gain from Disorder (Taleb, 2012). While this concept has attracted considerable interest, it’s still not entirely clear how it can be used practically within organizations. We include it here to stimulate thinking outside the usual box of risk management, business continuity, and resilience. The idea of antifragility suggests a different way of thinking about how we might respond to the challenge of major business disruption in ways that bring positive improvement.


Figure 6.4: Characteristics of a resilient organizational culture
(From Seville, 2016. Used with permission.)

The concept arises by imagining a spectrum of possible ways to handle the challenge of external forces, as illustrated in Figure 6.5. This shows the end-points that result from each of three approaches to handling disruption, indicating where we might end up if/when the strategy fails.

The first set of responses comes under the heading of Strength. By making our organization strong, we can resist the pressures that might otherwise force us to change in ways that aren’t consistent with our preferred way of working. The stronger we are, the more we can handle pressure. The problem comes when we run out of strength, and when external forces break through our defenses. The result is failure, as we collapse in the face of the challenge, which ultimately results in loss of value. Strength as a strategy for dealing with disruptive force is an all-or-nothing binary approach. We’re either strong enough to resist the challenge, or we’re not. If we consider the types of action that we can take to protect ourselves in advance from disruption or to define effective recovery plans to be implemented afterward, these are all Strength responses designed to help us ward off the effects of a Risk Hurricane. Things are good while these responses work as planned, but if they fail, then we suffer the full negative effects of disruption.


Figure 6.5: End-points resulting from Strength, Adaptability and Antifragility responses to disruption

A second type of response is Adaptability. This is classic resilience territory. The Japanese proverb “The bamboo that bends is stronger than the oak that resists” illustrates the difference between Adaptability and Strength strategies. Adaptability starts by accepting the deformation that results from the external forces of change, trusting that we’ll be able to recover when the situation returns to normal. The term “bouncebackability” captures this well. The weakness is that Adaptability responses aim to return us to normal, regaining our original shape and purpose after the forces of disruption cease. But sometimes the situation will also have changed in ways that make our original shape and purpose less relevant than it was previously. In these cases, we need to find new ways of working that maintain our core purpose and vision, or maybe we’ll have to change our purpose.

Antifragility is positioned as a progression from the responses of Strength and Adaptability. Instead of resisting the forces of change (Strength) or accepting them and then seeking to recover (Adaptability), Antifragility welcomes disruption and disorder as an opportunity to create positive improvement and change. This is partly reflected in the proverb “What doesn’t kill you makes you stronger” (which isn’t strictly true, as disruption can leave you weakened or wounded), but antifragility goes further. It reflects situations that require disorder or disruption in order to reach their full potential, and that benefit from stress. The adaptive immune system is a good example, since effective antibodies can only be produced in the presence of the antigen threat. Child development is antifragile, since learning comes from experience, including both bad and good. Broken bones are stronger after healing than they were before. And some non-Newtonian fluids turn to solid when shaken or stressed, including custard that becomes strong enough to walk on when it experiences the pressure of a person’s weight.

Each of these four examples has parallels in organizations seeking antifragile ways to respond to the major business disruption of a Risk Hurricane:

Adaptive immune system. Antigens activate an antibody response that deals with the immediate challenge and also provides ongoing protection against this and similar threats. Empowered individuals and teams can act like antibodies, if they have clear scope, defined boundaries of action and authority, and preallocated resources. They need to be alert and agile, poised for action and ready to go when the challenge arises. And having responded once, they’ll be more motivated and capable to respond again if a similar situation arises in future.

Child development. When innovation and experimentation are combined with a robust approach to capturing lessons, failure becomes valuable. This requires a safe space within which to operate, encouraging confidence and freedom to try new things. The debrief process is also crucial to ensure that benefits are gained from experiences that others might find negative, demotivating, or damaging.

Broken bones. The body recognizes that damage has occurred and initiates a staged repair process, from an initial blood clot at the fracture site to laying down soft tissue across the fracture, then replacing tissue over time with new solid bone. Where an organization experiences a fracture, time and resources should be provided to build across the gap, adopting a phased approach that gradually increases strength, ultimately going beyond what was originally present.

Non-Newtonian fluids. These change state when pressure is applied, increasing viscosity in a way that allows them to support weight. This occurs when particles in suspension are forced together into a semisolid structure. In organizations experiencing pressure, people can be forced to interact in new ways that increase creativity and encourage synergy, improving efficiency and allowing the additional pressure to be absorbed productively.

While the concept of antifragility has been around for over a decade, its application is still in its infancy. However, for businesses prepared to explore and experiment, it offers new options for building an organization that is structured to survive and thrive in the face of a Risk Hurricane. And although the benefits of being antifragile are only seen when stress and pressure are applied, the preparatory work to build antifragility into your organization must be completed in advance.

Documenting Plans

At this point you’ll have decided on proactive preparatory actions that offer protection in advance for your key vulnerabilities, as well as defining reactive recovery actions to be implemented in the event that a Risk Hurricane occurs, and considering generic structural changes to the organization to improve your chances of surviving and thriving. But deciding is not doing. You need to document your decisions and plans in sufficient detail to enable them to be implemented.

Plans for preemptive preparation and reactive responses can be documented in a Business Continuity Plan so that you can communicate them to affected stakeholders, particularly those individuals who will be required to implement actions. Various Business Continuity Plan templates are available, all sharing similar characteristics, and the format is less important than the act of recording decisions and communicating agreed-upon actions. Whichever format is adopted, the Business Continuity Plan must answer the six key questions made famous by Rudyard Kipling in the opening lines of his poem The Elephant’s Child (Kipling, 1902):

I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.

Any meaningful plan of action should address each of these elements:

What will be done. Provide a SMART description of the action (specific, measurable, achievable, relevant, timely).

Why it should be done. Clearly specify the purpose of the action.

When it will be done. For preemptive actions, give a deadline for completion, together with interim milestone dates where appropriate. It’s helpful to divide reactive actions into those that require implementing immediately, short-term actions to be undertaken in the first few days, and other tasks to be completed later.

How it will be done. Outline required methods, processes, tools, techniques, resources, and so on.

Where it will be done. This might be a physical location, or more likely it describes the parts of the organization involved in performing the action.

Who will do it. Each action needs a single responsible owner who is accountable for its completion, and other contributors may also be specified (possibly using a RACI chart to define who is Responsible, Accountable, Contributing/Consulted, and Informed).

The Business Continuity Plan is not merely a record of the planning stage; instead it is an action plan that will be used to help you and your colleagues know what must be done now, before there’s any hint that a Risk Hurricane may be on its way. It will also guide your responses when you receive warning that a Risk Hurricane is approaching, and it will tell you what must be done as the crisis of major business disruption unfolds around you.

Outside the Business Continuity Plan, you also need to create an action plan for implementing decisions that increase organizational resilience, as well as changes that could introduce elements of antifragility. Because these approaches are generic, you may need to launch a strategic initiative or business improvement program to facilitate the required changes to the organization. These could involve process modifications, changes to staffing numbers or balance of skills, behavioral adjustments, or developments in cultural values and beliefs.

Having documented your planned actions, it’s important that you test your plans to check whether there might be any glitches, aspects where you’ve missed an important step or duplicated something unintentionally. This can usually be done in a desk-based review or a computer-based simulation, but you might also want to execute a dummy run of elements of your plan to see how they work out in practice. Where you discover weaknesses in the plan, work to fix them, then retest to ensure that the problem is resolved.

It’s also important that completed plans shouldn’t sit untouched or unread on the shelf for years. You should undertake regular reviews of your plans to be sure that they remain relevant and achievable. Check whether the actions you previously defined will still be effective. Are your prepositioned resources still available? Has staff turnover made some elements of your plan unworkable, and do you need to nominate and/or train replacements? Perhaps new approaches have been developed within your organization or elsewhere in the industry that offer improved effectiveness over what you’d initially planned.

IMPLEMENT ACTIONS

As with all aspects of a risk-based approach to business, analysis must lead to action to achieve full benefit. This is obviously true when preparing for the possible arrival of a Risk Hurricane.

Each of the actions documented in the Business Continuity Plan must be implemented in a timely manner. In some cases, this will mean taking action well in advance of any possible disruption, especially where protective or reactive measures may take time to put in place or to become embedded and effective. In other cases, it might be appropriate to wait until a Risk Hurricane is imminent before acting to ensure that maximum protection is achieved.

The same is true for actions aimed at producing resilience or antifragility. These may have been documented in a strategic review report or business improvement plan, or they may be part of an ongoing strategic initiative or cultural development program. Helpful implementation guidance is available from a variety of sources, including the report Resilience Reimagined: A Practical Guide for Organisations commissioned by the UK National Preparedness Commission (Deloitte, 2021), which proposes a range of practices for developing resilience. These include:

• Consider and discuss the possibility of future failure as a learning opportunity

• Identify relationships and connectivity between apparently unrelated areas of the business

• Understand how value is created and delivered by the business

• Clearly define risk thresholds for objectives across all levels of the organization

• Regularly use stress testing to validate thresholds and modify them where required

• Adopt adaptive leadership styles that respond to current and changing circumstances

CASE STUDY: PREPARING FOR ZERO-CARBON FUTURE

One of the most important things you can do for your business is to invest time, energy, and resources in preparing for a Risk Hurricane. We’ve seen in this chapter that three steps are required:

• Identify vulnerabilities.

• Plan preparedness and mitigation actions.

• Implement actions.

Thinking early about the possibility of major disruption allows you to be proactive in putting in place protective measures that maximize your chances of surviving extreme risk exposure and thriving once it has passed.

This is well illustrated by the approach adopted by major energy companies to the challenge of a zero-carbon future. Instead of burying their heads collectively in the (oil-bearing) sand, they’ve been considering their options and laying their plans for some time. The pace of preparation has increased recently as the zero-carbon Risk Hurricane approaches, and energy companies have started to publicize their plans more widely.

As one of the world’s so-called “supermajor” oil and gas companies, the vulnerability of BP plc in a zero-carbon world is clear. As fossil fuels are phased out, the organization’s raison d’être is under threat. BP’s response is encapsulated in its current slogan “From IOC to IEC,” expressing the strategic redirection to move from an international oil company to an integrated energy company. This will involve focusing on low-carbon energy projects, investing in offshore wind and solar energy, bioenergy, and hydrogen and aiming to reduce greenhouse gas emissions in operations. Hydrocarbons will remain part of the BP portfolio during the transition period, although there will be no new exploration, and BP aims to reduce the carbon intensity of its products, as well as greening its processes. The company is aiming for net zero across all operations by 2050, including upstream oil and gas production, and it is investing in carbon capture, utilization, and storage (CCUS) to reduce emissions.

Each of these steps plays a part in preparing BP to face the uncertainty and disruption that a zero-carbon future will inevitably bring to an energy company, as well as putting measures in place to mitigate any negative impact. The various elements of the strategy include immediate and short-term changes that are being implemented right away, as well as longer-term pivots in the positioning and identity of BP as a corporation. Only time will tell whether its approach exhibits the characteristics of antifragility or whether it was merely adaptive (see Figure 6.5).

Perhaps the biggest challenge for BP lies in changing public perception. For most people, BP is still intimately associated with fossil fuels (the clue is in the name: the “P” in BP originally stood for “petroleum”). Spectacular disasters like Texas City (2005) and Deepwater Horizon/Macondo (2010) still loom large in public memory, creating a reputation deficit that requires attention. As the company seeks to transform itself in order to survive the coming zero-carbon Risk Hurricane, it needs to reposition the way it is viewed. Consequently, in addition to laying out the new strategy and detailed plans for its achievement, BP is undertaking a major communication exercise to raise awareness of the company’s efforts. Implementation of the new approach has been underway since early 2020, and each milestone is highlighted in press releases, presentations, interviews, webcasts, and website updates.

CLOSING CONSIDERATIONS

Louis Pasteur said, “Chance favors the prepared mind,” echoing Roman philosopher Lucius Annaeus Seneca, who said, “Luck is what happens when preparation meets opportunity.” If you want your business to have optimal chances of surviving a Risk Hurricane with minimal damage, then you need to make the best possible preparations.

As you think about how to get ready, your planning should address two distinct time frames. The first aspect to consider is the long-term actions that are needed to maximize the resilience of your organization and perhaps also to build in some antifragile characteristics. You might imagine that you can leave long-term changes until later and that immediate and short-term actions should take higher priority. However, many of the most important changes may take some time to build into the way your organization operates, especially where they involve corporate culture, so the time to act is always now! Consider the following:

1. Review your current organizational culture against the 16 behaviors and 13 indicators in Figures 6.3 and 6.4. Determine which of these need to be strengthened in your organization in order for your culture to be truly resilient to the major business disruption that comes with a Risk Hurricane.

2. Design and launch a culture change program within the business, specifically focused on developing those behaviors and characteristics in which your corporate culture is less resilient. Nominate a change champion from your senior leadership team to spearhead the campaign, and ensure that you provide the necessary resources. Communicate frequently, celebrate success, and maintain momentum. Successful culture change can take two to three years to become embedded, so prepare for the long haul.

3. Review your business processes to identify elements that are fragile and might break easily when stressed. Explore ways of reinforcing these elements to improve their strength.

4. Look for creative approaches that might introduce antifragility into your culture, behavior, and processes, where stress can make you stronger. Consider options for “bouncing forward” rather than merely bouncing back to what you had before.

Having given significant attention to long-term strategic actions that improve your ability to survive a Risk Hurricane, you must also ensure that you are fully prepared tactically. This involves the following steps:

1. Identify areas of vulnerability in your business by stress testing your strategic objectives and critical functions to determine where current risk thresholds might be breached under duress. Also consider the possible impacts of extreme risk exposure against the Five Capitals, assessing and prioritizing each identified vulnerability.

2. Decide where it’s possible to protect high-priority vulnerabilities by taking preemptive action in advance, and where you might need to be more reactive if and when necessary.

3. Design preemptive actions that you’ll take when a Risk Hurricane appears on the horizon in order to protect vulnerable risk thresholds and to ensure continued availability of vulnerable resources. Develop reactive responses to be implemented in the event of a Risk Hurricane actually occurring, identifying in advance the actions you’ll need to take and the resources that you’ll need to have in place.

4. Document your decisions in a Business Continuity Plan, then use that to produce a detailed action plan for protective and reactive measures that includes information on when required actions must be implemented.

Completing these actions will ensure that you’re as ready to face a Risk Hurricane as you can be. Your business will have developed maximum organizational resilience to resist and survive the effects of a Risk Hurricane, and it will also include antifragile elements that enable you to thrive as you move forward. All necessary protective measures will be in place to minimize damage to vulnerable areas, and your people will know what to do if the business actually encounters extreme risk exposure and major disruption.

All of this should make it easier for you to sleep at night, confident that you’ve done all you can to prepare for any Risk Hurricane that might threaten your business. But what if a Risk Hurricane actually occurs? What should you do afterward? It would be wise to plan in advance for the post-event recovery period so that you can do what must be done without delay.
