It's the people, stupid!
2019 sees me journey into the 30th year of my involvement with the Business Continuity/Organisational Resilience industry. At the start of the year, I was asked for the title of a presentation at an event I’d been asked to share what I’d learned about incidents and responses over those years, It’s the people, stupid! was my choice and theme.
My rationale was borne out of the fact that the key risks and challenges faced by our profession throughout my 30 years are defined by the interaction, reaction and expectations of ‘people’ during an incident. I’ve highlighted ‘people’ in my text because the definition changes depending upon the lens you’re looking through.
People as Risks:
Whilst Cyber-crime is associated with IT, the use of employees to penetrated corporate networks through email phishing etc still remains a significant cause of breaches. Losses of confidential data due to technology being lost/stolen, malicious acts by disgruntled employees and simple human error (delete all Y/N?) has continued through the decades.
People as Causes:
You’d have to have worked through the Bird Flu Pandamic scares of a decade ago to really understand the challenge posed by human infection risks. Most plans and responses just go out of the window. Your primary responsibility is a duty of care to your employees. You can’t ask staff to put themselves/families at risk by potentially contracting a disease in the line of their work during a Pandemic risk. Imagine, you are a Recovery Site Provider, a client whose staff have been infected at work want to come to a recovery centre to mitigate the risk of the infection spreading. You have clients in the Centre who haven’t been infected, but have had another issue. You have your own staff onsite that have been disease free and you are asking them to knowingly let a potential cause of infection onsite. We had to sit down as an industry with the BoE/FSA/HMT to discuss that one!
People as Saviours:
This is the biggest change from the days of IT Disaster Recovery, the involvement of the wider business in ensuring a holistic approach to responding to an incident. From Crisis management teams, through early responders, bronze/silver/gold command members, no continuity/resilience plan succeeds without the knowledge, willingness and time given by your people. They are only human though. They need to be loved. They need to be cajoled. They need to be trained. They need to be stretched. They need to be looked after. How do they get to work (and back) in a crisis? Who feeds them? Where do they sleep? How do they recover themselves post incident? Use them, but don’t abuse them – oh and don’t expect them to choose between protecting their family, or your business. Work should lose every time.
People as Customers/Consumers:
My most used piece of advice is, “you can buy yourself a lot of time and goodwill by clearly communicating with stakeholders during an incident.” Most people who know you are suffering a major incident will be understanding and tolerate the inconvenience. It’s the lack of communication that really winds people-up and it’s panic that can turn to anger, violence and irrational decisions. Telling someone that you have a problem, but, have a well-rehearsed recovery plan that will see you back and running in x hours ordinarily will be OK. Sure, you might need to offer an apology, gesture of goodwill etc but you are more likely to keep the customer over the long-term than if the phones, email, website and social media are all silent or inoperative in a crisis.
Also, you used to be able to manage the newsflow in a crisis, we’ve all seen the coverage from camera phones and social media during major events (NB not sure I would get my camera out and post if I thought I was about to die). Being well rehearsed in how to handle communications and any press interest now takes a huge role in reputational management during any crisis made public.
I could go on with more examples, but in summary, my experience over the last 30 years is that technology trends change, different risks will come and go, Industry Standards and nomenclature will be debated and evolve, but the one thing that always remains pivotal in the world of risk, incidents and disasters? It’s the people stupid!