The year 2020 will be remembered for its high-impact, global events that left most organizations rethinking how they respond to crises — with risk mitigation strategies, resiliency plans, and organizational structures heavily tested. Among those crises, the relentless global spread of the COVID-19 disease, resulting from a novel coronavirus first detected in late 2019, has upended nearly every crisis playbook.
While businesses face myriad challenges during this protracted pandemic period — such as declining revenues, supply chain disruptions, rapidly changing public health mandates, and travel restrictions — the enterprises that are managing to stay on course, and even thrive, are those that had already established and tested plans, processes and tools, across key functions, to better anticipate and mitigate emerging risks. In a 2019 survey from PwC, 70% of senior leaders said their company had experienced at least one major crisis in the past five years — and one year later, this experience of crisis has only intensified.
Now, every organization needs to take a closer look at their playbooks and reset along several dimensions. Some best practices to help your enterprise prepare for the next crisis include a clear view of who will do what as a crisis unfolds, using advanced technologies to gain an early line of sight into emerging risks before they become crises, and promptly sharing information within and across designated teams to craft an appropriate crisis response.
1. Realigning roles and responsibilities
Understanding and responding to unprecedented risks is no easy feat. The COVID-19 pandemic shows us that a wide range of organizations in both the public and private sectors — from retailers and manufacturers to schools and universities — were inadequately prepared for the severe impacts of the world’s first pandemic in 100 years. One area ripe for change is how roles and responsibilities are determined and aligned in preparation for a crisis. There is a strong case for heightened cross-functional coordination.
When we examine this more closely, we realize that companies are at different stages of maturity in their shifts to more cross-functional risk and crisis response approaches. In some cases, there is a basic level of delineation for who does what, but teams still largely work in silos. For others, business continuity plans may lack documentation and formal executive support. Some teams may be under-resourced but are asked to step outside their designated functions. And there may be little to no automation of information gathering at key moments. In short, lacking a mature framework for how and when to communicate and collaborate across functional lines is no longer an option.
Before an era when organizations reached every corner of the globe, and before the internet and social media became pervasive in our lives, information flows were slower and less frequent. In the past, risk management was more confined to a centralized team — relying on a “command and control” model. Today, risk is more broadly dispersed across multiple, disconnected functions, occupying significantly more “space” across the organization. We’re seeing a pronounced need for companies to assess and respond to the same risk across multiple departments — and to align the correct technology with the right people and processes along the way. This approach recognizes that risk management is really a team sport.
For example, operations teams are responsible for physical security of assets. Marketing and communications teams protect brand reputation. Employee protection capabilities are often tucked away within physical security teams. IT mitigates cybersecurity threats and protects virtual assets. And in the context of COVID-19, new forms of collaboration including cross-functional task forces have emerged because the pandemic has created challenges that cut across organizational boundaries. The ideal path is to let teams, including cross-functional teams, handle the aspect of risk for which they have the best expertise — and create clear procedures and key performance indicators for how incidents are managed when they require input from multiple teams, often having a global security team oversee the process.
Whether it's a short-term, kinetic crisis such as an active shooter, or a prolonged crisis such as building back after natural disasters, key functions and roles must be in sync at every step, working from a common set of facts and action plans to make their overall risk response more efficient. Organizations should identify clear owners within each affected department, and functional leaders need to articulate a set of KPIs to measure against plans and execution.
2. Real-time information as the cornerstone of effective risk management
Every functioning business is informed by a wide variety of proprietary and public information stemming from multiple internal and external sources. Thanks to social media, blogs and a host of other global, public data sources such as weather and traffic sensors, information is flowing much more quickly and frequently — and in many more formats and languages — than ever before. One person or team cannot quickly process and make decisions from such a range of data sources when a crisis hits.
For this reason, there is an increasingly outsized role for real-time information to provide valuable, earliest indications of something important happening. Real-time information can also help you to understand how an event is unfolding and provide a comprehensive view of the situation so that you can respond in the most effective way. Organizations are more nimble when they take in this dynamic information and create prompt dialogue with the appropriate colleagues as soon as there is awareness of an unfolding, high-impact event.
How can an organization establish repeatable methods to consume and respond to real-time information about high-impact events and emerging risks? Moving beyond Google Alerts, local and national newsfeeds, Tweetdeck dashboards and emergency response scanners, strategic use of advanced technology can pave the way for teams to know and act differently in the face of risk.
Investing in risk workflow automation, such as artificial intelligence (AI) platforms that process enormous amounts of data at great scale and speed to generate real-time alerts, can accelerate risk detection and effective decision-making. Real-time information alerts generated from public data sources can provide clear and direct accounts of that fire near one of your office buildings, a sudden road closure, or the latest pandemic lockdown edict in an international city where your company has regional headquarters.
There is a clear opportunity to learn and assess how to use real-time information across an enterprise, leading to proactive and better decision making. This can form a new backbone of the crisis playbook, whatever the nature, duration or severity of the event.
3. Expanding data access and perspectives on decision-making
Effective risk management today should be rooted in the belief that when an appropriate set of people have the right information at the right time, the enterprise can respond to a crisis faster and more effectively. To help ensure efficient responses, organizations must give functional leaders and teams access to real-time data about high-impact events and emerging risks for the parts of the business they manage. The current year has made it clear that deeper collaboration across functions is key to business success. There is no benefit in combating dynamic risk types through static, traditional organizational structures.
In fact, the most nimble organizations have spent considerable time and effort putting in place tools and processes to disseminate relevant information to key stakeholders as soon as early warnings of an event are known — making that information more useful, more quickly. A new ethos is emerging, where understanding of and practices for sharing information about a wide range of events are paramount to achieving positive outcomes — those affecting not only the physical security of people or physical assets, but also brand risk and cyberthreats.
With real-time alerting platforms, relevant stakeholders from across the company can have a personalized alerting experience that is aligned with their priorities and the decisions they need to make. Smartphones and proximity-based alerts help engage stakeholders and help individual employees feel safer.
Moreover, the pandemic forces chief security officers (CSOs) and other security leaders to think about what the security operations center (SOC) of the future will look like. There is a move to more distributed or hybrid models, with a mix of experts bringing traditional physical security or cyber backgrounds combined with digital natives who bring experience with advanced business intelligence and data analytics platforms. This has significant implications for how organizations must think about who needs access to real-time information and when.
A combination of skilled people in the right roles, tested processes and robust technology can help reset any organization’s crisis response playbooks. Real-time alerts can help leaders make better informed decisions, even in the face of a still unfolding and enormous challenge whose impacts will be felt for years.
In the new year ahead, security leaders can pour what feels like a lifetime of learning into our existing playbooks, and be better prepared and equipped for the next reality.