A Recent Trend
As our OnSolve leadership team reflects on 2020 and 2021, we note a trend in our conversations with Business Continuity (BC), Enterprise Risk Management (ERM), Physical Security (PS), Travel Risk Management (TRM) and Supply Chain Risk Management (SCRM) leaders. At first, we did not connect the dots on a clear way to describe this trend. But over and over, our customers and partners have used the following phrase or something very similar:
“I was expecting [Risk A], but then I got hit by [Risk B].”
For example, seven days after Hurricane Ida made landfall in the gulf in Louisiana, a BC leader at a large hotel chain told us:
“We were expecting Ida to hit the gulf. We were ready. We had identified our most flood-prone properties. We had adjusted our staffing. We had tested our communications. We had pre-positioned generators and other equipment… But we’ve spent much of the last week scrambling, responding to Ida’s flooding of Manhattan – where we were not prepared.”
As a second example, a logistics and transportation company shared the following scenario:
“On a Friday morning, we noticed many of our staff were not showing up to work, causing a major staff shortage. We soon realized that Thursday night, a tornado hit one of the primary communities where our staff live. With the sky clear and crews responding in team members’ communities, our first assumption was the staff shortage would soon be over. But nearly a full day after the tornado, power outages and gas leaks were causing new evacuations, and the staff shortage continued into the following week.”
These are just two examples that capture the concept of “dynamic risks.” Included within this concept are the following elements:
- Rapid change
- A risk hitting from a secondary direction or event
- Some level of surprise
At OnSolve, we’re fortunate to be able to support and serve over 30,000 companies, communities, NGOs, governments and other organizations. Our running conversations allow us to extract and share trends so that all may benefit from the experiences and lessons learned. While leading resilience practitioners currently consider some aspects of dynamic risks in their programs, we recommend that these concepts be threaded throughout the design and management of all resilience programs in order to achieve the best possible outcome from every incident.
Dynamic Risks: A Working Definition
For years, our industry has used the term “dynamic” to describe the operating environment itself. For example, security leaders will be familiar with ASIS, whose 2017 ORM Standard states “Organizations typically operate in inherently dynamic risk environments[1].” To be clear, we agree that the business and operational environment has been dynamic and will likely grow more dynamic. A full consideration of the risks that have appeared frequently over 2020 and 2021—COVID, changing COVID restrictions, unrest, severe weather, supply chain disruptions, inflation, etc.—illustrates this trend.
Understanding the concept of the dynamic environment is helpful, though we believe new lessons are available from the focus on the risk itself, in addition to the environment. The tables below provide a structured approach to dynamic risk management that will support immediate enhancements across each element/level of resilience program maturity.
Table 1. Dynamic Environment vs Dynamic Risks |
|
Dynamic Environment |
Dynamic Risk |
ERM/SCRM/PS/BC/TRM teams must be versatile and cross functional. In a given year, teams should expect a greater number of large events than in previous years. Stability in operational environments (i.e., supply chains in Asia, customer access to retail stores in the US, etc.) should not be assumed. Strategically, plan for new types of risks. Incorporate this analysis into your people, processes and platforms. |
Same
In a given week, the ultimate harm to the business or operation was not the active focus of the risk team or response team the week prior. In a given response, teams should expect escalation of risk, or enablement of new risks or a cause of a new risk - confounding the response. Responses should not assume stability beyond the subject of the focused response. Strategically analyze how recent disruptions have changed in the moment or enabled other disruptions. Same. |
Fundamentally, a dynamic risk is a risk in which the ultimate harm is different than the initially expected harm.
Let’s explore deeper. Table 2 provides four conditions, explanations and examples.
Table 2. Four Types of Dynamic Risks |
||
Dynamic Risk Condition |
Explanation |
Example |
Risk A becomes Risk B |
The risk changes in character, in location, in severity or some other key attribute. |
The Hurricane, expected to hit the Louisiana and Texas coast, floods Manhattan with little advanced notice. |
Risk A enables Risk B |
The risk enables, or sets the conditions for, a new type of risk. |
The 2020 protests, many of which began as peaceful demonstrations, enabled looting. |
Risk A causes Risk B. |
The first risk sets a chain of causal events. |
The tornado caused the gas leaks, which caused a new evacuation. |
Risk B is independent of Risk A, and hits when the focus was on Risk A. |
Many risks are unrelated. |
As a director of Enterprise Risk Management, the author was planning for a large, new water project in Eastern Congo. Previously, a massive volcano eruption had occurred nearby. As a result, our risk planning, mitigation and control activities followed suit, identifying the volcano as the greatest risk. Yet soon after the project kicked off, M-23 militia threatened to enter the city, halting the project. M-23 militia activities were unrelated to the volcano, but ultimately were most disruptive to the project. |
Why are dynamic risks difficult to manage?
Fundamentally, dynamic risks are difficult to manage because by definition, they are not our focus. They come on the heels of another risk - when we are in a weakened state.
Boxers know this well. An effective left jab (“Risk A”) never ends a fight, but a left jab-right hook (the jab being the enablement of the hook, “Risk B”) keeps an opponent on defense and can surprise the opponent with a knockout.
The response to dynamic risks is further confounded because:
- The response to Risk B is often not the same as the response to Risk A.
- The people and functional team responsible for Risk B are often the same as those responsible for Risk A. This response team can be consumed with Risk A while Risk B is the most impactful.
- Our “eyes and ears” are focused on the immediate; our conversations and signals are focused on Risk A, and our response can be focused on Risk A.
Got it. I’m convinced dynamic risks are real. What I should I do about it?
We recommend that BC, Security, TRM and other risk leaders consider dynamic risk in building and assessing their people, processes and platforms.
Your People
Risk leaders can use the following dimensions to assess and build people and teams using a lens of dynamic risk.
The assessment questions below are not meant to be exhaustive, but are a helpful starting point for internal assessment.
Table 3. Assessment of People |
|
Dimension |
Example Assessment Question |
Skill |
Planning—Do the individuals on my teams have the skills to analyze the variety of recent risks through a lens of dynamic risk? For example, some organizations rely primarily on Access Control/camera monitoring centers as a way to receive information. Are there simple tasks that could be expected of this team that could expand into signals related to dynamic risks? (The answer will vary, depending on the organization).
|
Time (Bandwidth) |
During an active response, does my organization have
the bandwidth to look “up and out” to understand whether the risk I’m dealing
with might be evolving into a new risk? |
Communication |
Every organization has various means of receiving information about the outside world. In a sense these means are sensors— from front door/lobby reception, to sales teams on the road, to global security operations center analysts and beyond. Given that, do these sensors understand which types of
new information would be helpful to risk teams? Is the culture open enough to
allow this information to flow?
|
Burnout /Risk Cycles |
How is my team doing? In the previous example related to Ida, the quote ended with, “…and we are frankly, exhausted.” Dynamic risk increases the risk of burnout for all first responders, including those on corporate risk and security teams. |
Your Processes
Similarly, risk leaders can use the following dimensions to assess and build on their existing frameworks. We describe implications, followed by a specific response framework.
Doctrinal Framework
Table 4. Assessment of Frameworks |
||
Role |
Typical Framework |
Implications for Dynamic Risks |
BC |
Tactical-Operational-Strategic |
Scenario planning and war-gaming can include dynamic risks (the scenario has changed). Feedback cycles and After Action Reports (AARs ) ask: “Were these risks dynamic? What can we learn from our experience?”
|
ERM |
New Framework for ERM |
|
Physical Security |
ESRM |
|
Travel Risk Management |
TRM ISO 31030:2021 |
|
Incident Command |
ICS NIMS |
Response Framework Example
A typical response framework may look like the one below. These response frameworks take large response plans and break them down into “bite-size” chunks, with a few key tasks for each phase.
A response leader using a dynamic risk lens would then analyze the response framework to ensure the following:
Table 5. Implications for the Response Framework |
|
Typical Response Framework |
Dynamic Risk Implications |
1. Monitoring 2. Activation of the Crisis Management Team (CMT) 3. Preparation 4. Active Phase 5. Recovery 6. Restoration 7. Corrective Action |
|
Your Platforms
Technology can certainly help. Platform selection and configuration should prioritize for speed of changing information, relevance of information and usability.
- A risk intelligence platform with internal assets (employee homes or clusters, facilities, offices) and external assets (key supply chain hubs, airports, ports, customers)
- Real-time risk intelligence
- Highly granular risk intelligence, with coverage in the areas where your teams live and work and travel
- Highly granular filters—What may be noise to one organization may be a critical event to a second organization.
- Highly customizable information routing—What may be noise to one function may be crucial to another. (i.e., a port disruption is not relevant for a travel manager, but may be crucial to a supply chain manager.)
[1] The ANSI/ASIS ORM.1-2017 standard can be found here. The particular dynamic reference can be found here.