Lisa Cameron de Vries, Technical Director for Phoenix Resilience in Australia, tells Juanita Van Der Colff why collaboration is the future of risk management and what Covid-19 recovery might look like.
One of the challenges in risk management is getting different parts of the business to talk to one another and actively collaborate to mitigate risk. Due to the nature of my profession, I have had the privilege to design, implement, review, test, improve, and maintain resilience-related management systems in many industries and organisations. Through this it became apparent to me that risks and risk controls are identified in silos within the different disciplines and are addressed in silos, creating disconnected or contra-productive risk treatment/opportunity development efforts and wasted resources. Today I consult with different disciplines for research purpose to develop the optimal approach to risk management and incident management.
One can see the hazards of responding to risk without thinking things through. During the Covid-19 epidemic, many businesses responded in a panicky and reactive way, retrenching staff without sitting down with representatives from within legal, technology, marketing, human resources, and business continuity to explore alternative scenarios. They could have asked themselves questions like “How can we diversify? What is the company good at? What resources does it have at its disposal? What opportunities might arise?” It would have been better to rise to the occasion and come up with a better strategy, rather than letting staff go. This is a concept that could be applied in future, too, once the pandemic has passed.
Events like the Australian bush fires, global financial crises and now Covid-19 have reshaped the way organisations look at risk management, which is now at the top of their agendas. In Australia, a lot of companies have risk management in place, but it is not part of their culture to anticipate scenarios to the extent that they can formulate a flexible, agile response. Too many still have the ‘What to do in case of fire’ plan in place that doesn’t take a simultaneous event like drought or pandemic into account, for example. It comes down to having a methodology in place that will allow you to understand exactly what situation you’re facing, and what resources and capabilities you have at your disposal – in that way, you can design an appropriate response. You really need a plan for all hazards, underpinned by specific checklists for what to do in an earthquake versus a pandemic.
Designing a holistic response
By planning and collaborating with other agencies as well as internal departments, one can design a more holistic organisational response. Get your entire organisation involved in coming up with solutions, then continuously monitor threats and review potential consequences as part of your response. Businesses should view themselves as part of a larger ecosystem, able to involve their suppliers, partners, customers, and organisations in their immediate environment in the development of emergency response and business continuity plans. They are all critical pieces of the puzzle.
In Australia, we have seen aged care facilities that not have the resources to conduct a full evacuation during a disaster, and who took residents living with dementia to evacuation centres, which was unsuitable for both the residents and other evacuees. On behalf of a Local Council we collaborated with a group of health care providers, critical suppliers, emergency services and others and identified the vulnerabilities within the emergency plan. As a group we workshopped the resilience plan requirements, and we went through the same exercise leading up to Covid-19, thinking about what was needed as a collective.
Demonstrating the value of risk management
Having a risk register hiding in a file somewhere, that nobody knows what to do with, should make way for an integrated risk register with clear risk management procedures indicating who is responsible for what and when. Meeting at regular intervals to discuss risk as a group and collectively coordinate risk treatment plans instead of working in silos is vital. Risk management should add value – you are not there to stop the business from operating, you are there to make sure that a business can get through what whatever it could potentially face. As soon as leadership sees the value of risk management, a culture shift can occur. When you walk into a business that views risk management as a great tool, people are proud to show you how they are mitigating their risk and executives are pleased with the outcome. But this comes about through collaboration, integrated risk frameworks, and coming together to look at risk from all different angles.
Because today’s business environment is complex and inter-dependent, demonstrating connectedness is vital, as is coming together regularly when changes are made. For example, if SharePoint has been introduced in the business, it may be able to mitigate risks, but the implementation could introduce new risks. People should be able to bring their concerns to a risk meeting and come up with potential risk controls as a group.
Improving risk and resilience capabilities
During the pandemic, some leaders stood out for remaining positive and agile, viewing the challenges as opportunities, and finding creative ways to solve problems, like taking their companies online or partnering with delivery companies, and getting back in business within 24 hours. However, many scrambled to put their Covid-19 plans in place. This came down to a lack of preparedness or pre-empting the severity of the situation. For some companies, it is an effort to exercise, test or update their plans.
To improve their capabilities, businesses need to change their risk cultures, creating a culture of ownership within each employee. Small and medium-sized businesses should have some sort of all-hazards process for dealing with emergencies and identify key contacts, looking at how to assess, monitor, respond and come up with solutions. For larger businesses, focus on collaboration and integrated risk management. Have your incident management team include representatives from all disciplines, and test and trial all processes beforehand. Start small with little meetings, where you talk through scenarios and identify vulnerabilities – perhaps lunch-and-learn sessions every three months or so – because it is easy to skip the big, expensive exercises and end up doing nothing at all.
Lisa Cameron De Vries is technical director for Phoenix Resilience, which she co-founded. The Australian company specialises in organisational and community resilience.