Organisational resilience – biological approaches

A biological approach to organisational resilience

By a lapsed microbiologist
 “Organisational resilience is only achievable through adaptability”
Wattle flower
Flowers are just an adaptation of normal leaf on plants, a combination of genes normally responsible for forming new shoots.   Photo by AWebling 2013
Too many leaders start believing their own press and thinking that they are able to predict the future. Whilst it is absolutely true that the best indicators of the future are the events of the past. It is also true that the past is not an absolute indicator of future events because our view of the past is limited by our record of it. Some events are so rare that they are not recorded, yet they may have extreme consequences if they occur. So if we cannot predict the future with certainty, how is longevity possible for organisations?  The answer is resilience, and at the core of resilience is adaptability.

The lesson from biology is that adaptation to the environment that has allowed organisms to survive and thrive. However large and seemingly terrible[1] an organism is, if it is not adapted to its environment it will become extinct. The vast majority of species that have ever existed are not around today.

The same is true for organisations.

The vast majority of organisations that have ever existed are not around today

In simple terms the story is the same for each failed organisation. They were unable to adapt to the business environment before they ran out of resources. Those that survive a crisis are able to do so for two reasons

1               They have the resources, capital personnel leadership etc to manage themselves out of a crisis once it hits emerging weaker but alive; or

2               They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities. These companies still suffer from the crisis at first, but emerge stronger in the longer term.

By my reckoning, 99% of companies that manage to survive a crisis are in the first category. In most cases, those companies are then consigned to a slow death (My Space anyone?). Sometimes however, the first crisis weakens them, but they then become more resilient and bounce back to ride future crises.

This is an era of organisational accelerated extinction

What is more, the ‘extinction rate’ for companies is becoming faster as society and technology changes more rapidly.

I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.

Research carried out on fortune 500 companies in the USA shows[2] that the average rate of turnover of large organisations is accelerating.  The turnover has reduced from around 35 years in 1965 to around 15 years in 1995.

If you think about how much the world has changed since 1995 when Facebook barely existed and Google just did search, you might agree with the idea that organisations that want to stick around need to adapt with the changing environment.

So give me the recipe!

Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as agility and the ability to recover quickly from an event and an awareness of their changing environment and the willingness to evolve with it amongst others. This is difficult for a number of reasons.

1               increasing connectedness – interdependencies leading to increasing brittleness of society/organisations  – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past

2               increasing speed of communication forces speedier decision making

3               increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision makers

4               biology –  Organisations operate with an optimism bias[3]. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.

5               Organisational Inertia. The willingness to change organisational culture to adapt to a change in the environment.

Something about organisational culture and resilience

When discussing culture, resilience is more an organisational strategic management strategy, and less a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’. But both are focused on organisational culture.

Organisations, particularly large organisations, all have their own way of doing things. Organisational culture is built up because individuals within the organisation find reward in undertaking tasks in a certain way. This is the same whether we are talking about security culture or indeed financial practice. Organisational culture goes bad when the reward structure in the organisation encourages people to do things that are immoral or illegal.

Larger organisations have more inertia and so take longer to move from good to bad culture and vice versa. Generally most organisations that are larger than about 150[4] staff have a mix of cultures.

The more successful an organisation has been in the past, the more difficult (inertia) it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

Maybe the Kodak company is the best example of this. An organisation that had been very successful for more than 100 years (1880 -2007), Kodak failed to make the transition to digital and to transition from film as fast as its competitors. The irony is that it was Kodak researchers who in the 1970s invented the first digital camera thus sewing the seeds for the company’s doom forty years later.

Where does my organisation start on the path

So what is the answer, how do we make sure that our organisations adapt faster than the environment that is changing more rapidly every time we look around? The only way is to begin to adapt to the changing environment before crises arise. This requires making decisions with less than 100% certainty and taking risk. The alternative is to attempt to change after a crisis arises, which historically carries higher risk for organisations.

It is a combination of many things –

  • developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • Lastly engaging in the debate and learning about best practices

Are there two sorts of resilience?

But is resilience just one set of behaviours or a number.  When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.

However there is another set of actions, which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.

Last Thoughts

Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address if they want to achieve longevity.

If you wish to discuss any of the issues in this whitepaper, please contact us



[1] noting that the word dinosaur is directly translated as terrible lizard

[2] http://www.kauffman.org/uploadedFiles/fortune_500_turnover.pdf

[4] Dunbar number

Getting cyber security on the company board agenda

Making strategic decisions about cyber security, or any sort of security needs to be done a the board level. It is difficult to get company boards to focus on strategic issues, despite the fact that this is what they are theoretically meant to do. Companies are busy places and there are always minute issues that take time from board meetings. In some companies, the culture is such that managers avoid their responsibility by sending decisions to the board, again robbing the board of valuable time.

The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.

Although the CPNI paper doesn’t spell it out quite this way, the key is to show in a concise manner why security is of importance to them and the company they are responsible for. Generally the key issues fall into three categories.

  1. Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.
  2. Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.
  3. Reputational – High profile privacy breaches have affected a number of large companies. Companies such as Sony, Heartland and RSA have suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases, they have resulted in tightened regulation which in turn increased the cost of doing business.
rsa fob
RSA key generator
Playstation breach - Sony contrite
Playstation breach – Sony contrite

 

 

 

 

 

 

 

 

Things to remember

  • most if not all board members will not have a good understanding of the Internet or information security (Tech companies are the exception of course).
  • boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but also require little subject specific knowledge.
  • If you are the expert, you need to have the answer when one board member starts talking about “his daughter’s computer” or the spam she “gets on the company email” that she doesn’t get at home – this is where a well briefed chair is important
  • the best briefings work when board members are given details of current, real world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level and that CA examined the breach of RSA tokens carefully!
  • Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.

That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.

The CPNI paper is here http://www.cpni.gov.uk/documents/publications/2013/2013009-influencing_company_boards.pdf?epslanguage=en-gb

Australia’s CERT also publishes advisories which are useful (disclosure – Alex Webling was the founding director of Govcert.au) https://www.cert.gov.au/advisories

 

 

Hacking the spies – or how to counter the cyber insurgency

You may have seen some fairly alarmist reporting from the ABC about Chinese interests hacking ASIO, Australia’s version of the FBI.

Information Dominos 1

 

New espionage?

For those who haven’t seen it. The allegations come from the Four Corners program and relate to compromises of sub-contractors of ASIO. ASIO is building a huge new central office and it seems that the Chinese managed to get the blueprints for the building. ASIO is a hard nut for a foreign intelligence agency to attack, so the way to get there is to use their contractors.

The point is that this is not any different from what would have occurred during the cold war! The Chinese or Russians for that matter would have previously used their human intelligence networks. It seems likely that this information would have been a target 50 years ago just as much as now.

Information Dominos 2

What is different then?

The difference is the sheer quantity of attacks that are occurring. We have moved from the Cold War, where the superpowers fought their battles in small third countries such as in South America, Africa or the Middle East to the new paradigm – the cyber insurgency. The wars between the superpowers have moved onshore to the malls and industrial parks of our cities and then they disappear. The authorities and companies are never quite sure who to trust and when / where the insurgent hackers will reappear.

The guerrilla must swim in the people as the fish swims in the sea.” –Aphorism based on the writing of Mao Zedong

Previously foreign intelligence agencies needed to identify targets and then find resources to compromise them. The new method is to attack anything that might be interesting and suck up whatever comes back. Spies no longer have the difficulty to get the information, they have the challenge to find the needles in the haystack. And they don’t differentiate between business and government. According to reports in the New York Times and a detailed report by Mandiant, any organisation that doesn’t protect its information security, whether private or public is potentially compromised.

4d

How can my organisation protect itself?

Paraphrasing the principles of counter-insurgency as espoused by David Galula and Robert Thompson

– the aim of the war is to gain the support of the population rather than control of territory

– most of the population will be neutral in the conflict.

– support of the population may be lost. The population must be efficiently protected to allow it to cooperate without fear of retribution

– in the guerilla phase of an insurgency, a government must secure its base areas first

Using these principles we can identify a strategic direction

The way to deal with an insurgency is through hearts and minds.Information Dominos 6

Organisations, whether government agencies or business need to share information with their public and other organisations. Only in this way can they create defence in-depth and help them protect themselves. The attacks on ASIO demonstrate that an organisations’ security is only as good as the weakest link. Importantly, the perimeters of risk in any organisation do not stop at the front door- if they ever did. Organisations suffer from hubris if they believe otherwise. This is why the concepts of deperimeterisation as espoused by the Jericho Foundation and others are so useful.

Organisations need to work out what they need to protect and set about protecting that. Declassification, although counter-intuitive is one way that can help organisations work out what information is valuable.

Organisations need to be adaptable and willing to work with the fact that most information will become available to their adversaries. They need to take advantage of the information in the intervening time.

By making information security central to their organisational decision process, organisations can become more adaptable to this evolving threat. This means moving the security officer from the corner office to the top-level of the organisation. In turn, the security officer needs to change his/her attitude from the ‘computer says no’ person, to the one who says, yes, this is the best way we can do it to make the organisation’s aims with tolerable risk.

Such an organisation is indeed resilient.  Change needs to come in the leadership of government and organisations to deal with it. I’m not sure they understand how big this challenge will be.

Information, if you don't protect it, it just fades away
Information, if you don’t protect it, it just fades away

 

Back To Top

 

Information Declassification – A way for governments to save money and improve their information security

In the digital world it is very easy to create data, very difficult to get rid of it

Like us all, government agencies are creating huge amounts of information. Lots of it is classified either to protect privacy or for national security. This is what should happen, classification is an important aspect of information security.

What is data classification?

It is the process of assigning a business impact level to a piece of data or a system. This then governs how many resources are directly devoted to their protection. By classifying documents and systems an organisation makes risk managed decisions on how information is protected.

Graphic by Mark Smiciklas
Graphic by Mark Smiciklas, Flickr.com/photos/intersectionconsulting

Digital data wants to be free and it is expensive to ensure confidentiality if you also want to maintain data integrity and availability.

However over-classification of information can be as bad for an organisation as under classification. This is particularly true of large government organisations.

In addition, Government agencies tend to be risk averse places anyway – which on balance is a good thing!

So how could governments shift the classification balance, improve security and improve efficiency in agencies?

The problem is that the person who classifies data or systems does not have to pay for the cost of their actions in classifying. In fact, the individual avoids personal risk if a  piece of data is over-classified. However their agency has to wear the added expense.

Gentle readers, we have a problem of incentive imbalance!

Suppose it costs $100 to store a Secret document for its lifetime and $10 to store an everyday unclassified document. If governments placed a nominal value on document creation relative to the whole of life costs, it might be possible to stem the tide of increasing amounts of classified data.

If under this scheme a government employee wishes to create a secret classified document, they would need to find $100 in their budget to do so. In this case the employee might consider producing an unclassified document or one that was slightly classified. I argue that this market based approach to declassification would have far more effect than more rules.

A plan for implementation

So how might the plan be implemented in the tight fiscal environment that government agencies currently face, even though it is likely to save money long term?

  1. Survey government agencies to see how many classified pieces of data they produce each year by type. eg, there might be 500 top secret data pieces and 1000 secret.
  2. Assign a dollar value to each document according to the level of protection it receives. This bit would require a bit of research or possibly a pilot scheme.
  3. Based on the previous year’s classified information output, each agency is given a declassification budget. It might be considered that as this task was one that the agency should have been doing previously, that there is no requirement for central funding.
  4. Require each agency to report the numbers of classified data produced.
  5. Agencies that produced too many classified documents would need to pay the treasury a fine equivalent to the cost of storing the extra documents in archives.
  6. Agencies that produced fewer pieces of data than the previous year would receive a windfall.

That’s it in a nutshell. As governments produce more data, they will need to store it. Balancing the incentives to overclassify and underclassify data will help ensure that information is properly protected.

I’d love to hear your ideas, please make a comment

Alex

 

 

Cloud cybersecurity, resilience, infrastructure

ENISA, Europe’s network and information security agency, just released a report looking at cloud computing from the perspective of critical infrastructure protection.

ENISA asserts that 80% of large organisations will be using cloud solutions within two years. The approach that ENISA takes is nicely balanced, pointing out that cloud adoption is both good and bad in terms of critical infrastructure protection. From an organisational perspective, the message is similar

Like any information security endeavour, adoption of cloud boils down to a series of risk decisions. There is of course also a question of organisational and possibly national resilience in the case of critical infrastructure to adapt if any threats are realised.

Cloud is not bulletproof and is not the solution for all problems related to IT. A number of companies were affected by outages of the Amazon service in 2011 and this has provided a wake up call to the industry – http://www.wired.com/business/2011/04/lessons-amazon-cloud-failure/

Clouds
Light streaming through clouds

However, it is possible to use the cloud securely for many applications. It requires resources devoted to intelligent system design. This means that the business case for cloud adoption is not one necessarily about saving money. One company that uses the Amazon service, but did not get affected in 2011 was Netflix. Netflix has a very clever piece of software called Chaosmonkey which tests its environment during working hours with the intention that systems are fixed before they break. Netflix released the software as open source in July 2012. http://techblog.netflix.com/2012/07/chaos-monkey-released-into-wild.html

STRENGTHS

Cloud providers can afford people, processes and equipment which is state of the art

Cloud providers able to offer very good uptime and good backup.

Cloud provides good mitigation against natural disasters

Elasticity – Cloud offerings are able to increase and decrease load dynamically, this allows them to mitigate against DDOS attacks

WEAKNESSES

Cloud providers concentrate datasets from disparate organisations

Vulnerabilities are shared across the cloud

Even though cloud providers generally have excellent protective security, failures happen (eg Amazon in 2011)

Cloud providers located in different jurisdictions add complexity to the compliance and governance of organisations.

OPPORTUNITIES

Better collaboration with other organisations, integration of supply chain across disparate organisations and locations.

Organisations that utilise cloud well can become more resilient  eg Netflix

Code optimisation

THREATS

Cloud providers concentrate datasets so their ‘attractiveness’ as a target increases (aggregation)

An outage in one cloud provider can have consequences for multiple organisations. Additional issues may become apparent if those organisations are all providers of the same critical infrastructure.
A legal dispute related to data owned by one organisation which is located in the cloud might affect others

The threat from human actors can be seen to be the combination of intent and capability. Both organised crime and nation states have the capability to attack cloud providers. Their intent is obviously higher if they assess that they can access several prize organisations through a single attack.

I’m struck by the thought that the emergence of cloud should mean that risks to the critical infrastructure from natural disasters and mistakes should decrease.  However, on the other hand, cloud providers are such attractive targets, that the risks from human (active) threats are likely to be higher.

Importantly, the report makes a number of useful suggestions for organisations that are moving towards the use of cloud solutions in terms of risk assessment, security measures and recovery and reporting of incidents.

To download the report go to the ENISA site www.enisa.europa.eu or follow this link http://goo.gl/NZRQA which should take you to the right part of the site.

Cyber security focus in the oil and gas sector to increase significantly

Energy companies will need to significantly increase their focus on cyber security in the next three to five years if they wish to keep ahead of the increasing risks to their business from direct cyber attack and malware.

Oil and Gas 32 by Michael Dance http://www.flickr.com/photos/gpmarsh/page4/

The Oil and Gas sector will need to invest around $1.87 Bn USD into upgrading its SCADA* and general corporate systems to defend against direct cyber attack and malware, according to technology intelligence company, ABI research.

There have been several attacks targeted at oil and gas firms in the last two years, including:

  • Night Dragon in 2011. Originating from China according to McAfee. The attacks were a mixture of social engineering and unsophisticated hacks with the aim of gaining access to corporate forecasts and market intelligence from petrochemical firms. Most alarming was the assertion by McAfee that it had been undetected for up to four years.
  • Shamoon targeted Saudi Aramco in 2012, taking out up to 30,000 workstations. This attack has been linked to (and disputed by) Iranian interests.

The examples given are or attacks on energy companies’ corporate systems. The fear is that issue motivated groups or nation states might now choose to attack poorly protected SCADA systems owned by oil and gas companies.  The ability to do this has been demonstrated in the wild with Stuxnet, but not on energy installations.

 

What are the key security issues surrounding SCADA systems?

  • The general observation that SCADA systems are built for throughput, and security is bolted on as an afterthought, rather than being built in at the design stage.
  • An overemphasis on security through obscurity, with the belief that the use of specialised protocols and proprietary hardware provides more than cursory protection against cyber-attack. Better to assume the enemy knows or will know the system.
  • Over-reliance on physical security to provide protection
  • An assumption that the SCADA system can be kept unattached to the Internet and therefore will be secure.

A bit of background.

SCADA systems have been around since the mainframe era. However, these systems were based on proprietary hardware and software and they weren’t connected to open systems. The main threat to these systems was the ‘trusted insider’, such as when a disgruntled contractor, Vitek Boden used his knowledge and some ‘acquired’ proprietary hardware to cause sewage to overflow in a plant in Maroochy Shire, Queensland.

In the 1990’s, SCADA systems began to be built using the same technology as the Internet (TCP/IP) and early this century, companies began to connect these systems to the Internet.  In 2010, Stuxnet apparently caused centrifuges to spin out of control and self-destruct in nuclear processing plants at Natanz in Iran. Attribution is difficult, but the finger is alternately pointed at Israel and the USA (or both).

 What next?

Organisations, particularly in the oil and gas industry need to change their approach to cybersecurity and take a holistic and strategic view. This starts at the board level and requires a cultural change. This does not necessarily mean buying the latest machine that goes ‘ping’. It does mean thinking about how to integrate security at the core of the business, just like finance and HR.

 ———-

More info from ABI research

SCADA – Supervisory Control and Data Acquisition

Claude Shannon‘s maxim  “The enemy knows the system.”

Photo: Matthew Dance, used under creative commons – http://www.flickr.com/photos/gpmarsh/page4/ 

Complexity and organisational resilience

On the face of it, complex systems might have more resilience than those that are simple because they can have more safeguards built-in and more redundancy.

However, this is not supported by real world observation. Simply put, more complexity means more things can go wrong. In both nature and in human society, complex controls work well at maintaining systems within tight tolerances and in expected scenarios. However complex systems do not work well when they have to respond to circumstances which fall outside of their design parameters.

In the natural world, one place where complex systems fail is the immune system. Anaphylactic shock, where the body over-reacts because of an allergy to a food such as peanuts is a good example. Peanuts are of course, not pathogens, they are food, The immune system should not react to them. However people’s immune systems are made up of a number of complex systems built over the top of each other over many millions of years of evolution. One of these systems is particularly liable to overreact to peanuts. This causes in the worst case, death through anaphylaxis – effectively the release of chemicals which are meant to protect the body, but which do exactly the opposite. This is an example of where a safety system has become a vulnerability when it is engaged outside normal parameters.

We are beginning to see the resilience of complex systems such as the Great Barrier Reef severely tested by climate change. Researchers have found that the reef is made of complex interactions between sea fauna and flora, built upon other more complex interactions. This makes it nigh on impossible for researchers to find exact causes for particular effects, because they are so many and varied. Whilst the researchers confidently can say that climate change is having a negative effect on the coral and that bleaching effects will become more common as the climate becomes warmer, they cannot say with a great deal of certainty how great the other compounding effects such as excess nutrients from farm runoff or removal of particular fish species might be. This is not a criticism of the science, but more an observation that to predict the future with absolute certainty, when there are multiple complex factors at play is extremely difficult.

These natural systems are what some might call ‘robust yet fragile’. Within their design parameters they are strong and have longevity. Such systems tend to be good at dealing with anticipated events such as cyclones in the case of the Great Barrier Reef. However, when presented with particular challenges outside the standard model, they can fail.

Social systems and machines are not immune from the vulnerabilities that complexity can introduce into systems and can also be strong in some ways and brittle in others.

The troubles with the global financial system are a good example. Banking has become very complex and banking regulation has kept up with this trend. That might seem logical, but the complex rules may in themselves be causing people to calibrate the financial system to meet the rules, focussing on the administrivia of their fine print, rather than the broad aims that the rules were trying to achieve. As an example, one important set of banking regulations are the Basel regulations. The Basel 1 banking regulations were 30 pages long, the Basel 2 regulations were 347 pages long and the Basel 3 regulations are 616 pages. One estimate by McKinsey says that compliance for a mid-sized bank might cost as much as 200 jobs. If a bank needs to employ 200 people to cope with increased regulation, then the regulator will need some number of employees to keep up with the banks producing more regulatory reports, and so the merry-go-round begins!

A British banking regulator, Andrew Haldane is now one of a number of people who question whether this has gone too far and banks and banking regulation has become too complex to understand. In an interesting talk he gave in 2012 in Jackson Hole, Wyoming, USA titled the ‘Dog and the Frisbee’, Haldane uses the analogy of a dog catching a frisbee to suggest that there are hard ways and easy ways to work out how to catch a frisbee. The hard way involves some complex physics and the easy way involves using some simple rules that dogs use. Haldane points out that dogs are better in general at catching frisbees than physicists! I would also suggest that the chances of predicting outlier events, what Nicolas Taleb calls ‘Black Swans’  is greater using the simple predictive model.

This is in some ways a challenge to the traditional thinking behind risk modelling. When I did my risk course, it was all very formulaic. List threats, list vulnerabilities and consequences, discuss tolerance for risk, develop controls, monitor etc. I naively thought that risk assessment would save the world. But it can’t. Simple risk management just can’t work in a complex system. Firstly, it is impossible to identify all risks. To (misquote) Donald Rumsfeld, there are known risks, unknown risks, risks that we know we have, but can’t quantify and unknown risks that we can neither quantify nor know.

Added to this is the complex interaction between risks and the observation that elements of complex systems under stress can completely change their function (for better or worse). An analogy might be where one city under stress spontaneously finds that its citizens begin looting homes and another intensifies its neighbourhood watch program.

Thus risk assessment of complex systems is in itself risky. In addition, in a complex system, the aim is homeostasis, the risk model responds to each raindrop-sized problem, correcting the system minutely so there are minimal shocks and the system can run as efficiently as possible. A resilience approach might try to develop ways to allow the system/organisation/community to be presented with minor shocks, in the hope that when the black swan event arrives, the system has learnt to cope with at least some ‘off white’ events!

Societies are also becoming more complex. There are more interconnected yet separately functioning parts of a community than there were in the past. This brings efficiency and speed to the ways that things are done within the community when everything is working well. However when there is a crisis, there are more points of failure. If community B is used to coping without electricity for several hours a day, they develop ways to adapt over several months and years. If that community then finds that they have no power for a week, they are more prepared to cope than community A that has been able to depend on reliable power. Community B is less efficient than community A, but it is also less brittle.

This does however illustrate out a foible of humanity. Humans have evolved so that they are generally good at coping with crises (some better than others), however they are not good at dealing with creeping catastrophes such as climate change, systemic problems in the banking and finance sector, etc.

Most people see these things as problems, but think that the problems are so far away that they can be left whilst other more pressing needs are dealt with.

Sometimes you just need a good crisis to get on and fix long-term complex problems. Just hope the crisis isn’t too big.

Video Donald Rumsfeld – Known Knowns
Back To Top

Visualising organisational resilience

Resilience

I’ve been trying to summarise organisational resilience into a form that can be visualised for some of the people who I’m working with. The key has been to summarise the thinking on resilience as succinctly as possible.

Apart from the diagram you can see, the text below attempts to give concise answers to the following questions

  1. What is it (Resilience)?
  2. Why should my organisation care about resilience?
  3. Why is detailed planning not working anymore (if it ever did)?
  4. What’s the recipe for resilience?
  5. How does an organisation develop these characteristics?
  6. Resilience before and after (a crisis)
  7. How does nature do resilience?

 

Resilience in a mindmap

Visualising resilience is itself an exercise in complexity

The diagram should be A3, so You can download a pdf version here resilience in a mindmap PDF

Let me take you on a journey …

What is it?

Resilience is about the ability to adapt for the future and to survive. Whether that is for an organisation, country or an individual.
What seems sometimes forgotten is that the adaptation is best done before a crisis!
And here Resilience is more an organisational strategic management strategy, and not a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’

Why should my organisation care about resilience?

Research shows that the average rate of turnover of large organisations is accelerating. from around 35 years in 1965 to around 15 years in 1995. Organisations that want to stick around need to adapt with the changing environment.

Organisations know that they need to change to survive, but today’s urgency overrides the vague need to do something about a long term problem.  For this reason, crises can be the  catalyst for change.

Resilience is about dealing with organisational inertia, because the environment will change. The more successful an organisation has been in the past, the more difficult it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

It is possible that Eastman Kodak is the best example of this trait. An organisation that was very successful between 1880 and 2007, Kodak failed to make the transition to digital and to move out of film fast enough.

Why is detailed planning not working?

Simply put, the world is too complex and the outliers becoming more common

  1. increasing connectedness – interdependencies leading to increasing brittleness of society/organisations  – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
  2.  speed of communication forces speedier decisionmaking
  3. increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decisionmakers
  4. biology –  we build systems with an optimism bias. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.

So if

  • we can’t predict the outlier events and
  • this makes most strategy less useful– especially that which is written and gathers dust without being lived ,

maybe we can be more resilient when we run into the outliers. What Taleb calls the Black Swans in the book of the same name.

Taleb’s book is available from Book Depository and is well worth the read, even if he can’t help repeating himself and dropping hints about fabulous wealth.

What’s the recipe for resilience?

Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as:

  • Agility and the ability to recover quickly from an event and,
  • an awareness of their changing environment and the willingness to evolve with it amongst others.

How does an organisation develop these characteristics?

It is a combination of many things –

  • developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • Lastly engaging in the debate and learning about best practices

 Resilience before and after (a crisis)

But is resilience just one set of behaviours or a number.  When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.

However there is another set of actions which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.

In this thought may be one of the best argument for blue sky research. Serendipity – wondering through the universe with your eyes open to observe what’s happening around you, rather than head down and focussed only on one task – is this the secret to innovation?

How does nature do resilience ?

Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address. Over the next posts I will expand more

😉

back to top

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change”

The quote above has been often misattributed to Charles Darwin. But according to the Darwin project, it is actually a quote from Leon Megginson* in the 1960s paraphrasing Darwin in a management journal.

Now that I have done my bit to put that meme to bed, it is worth considering whether there is value in the concept or whether it is a dangerous oversimplification. And the answer is…

.. It depends!

You didn’t really think there was a black or white answer to this. The facts, such as we have, are that there are very few companies around today which are in the same form. Indeed, Mark Perry’s in his excellent economics blog Carpe Diem presents a chilling picture comparing the US fortune 500 from 1955 and 2011.

Of the 500 companies on the list in 1955, fewer than one in seven are still on the list in 2012! Only 57 years later. I say only 57 years, because it is less than the lifespan of an average western person.

So what happened to the rest, the other 6 in 7? They have either gone bankrupt, been privatised, merged, or their fortunes have gone south to the point that they are under the Fortune 500.

The parallels between evolution and raw capitalism are hard to resist. Indeed, although this may be a bridge too far, there may even be a parallel between evolutionary eras such as the Cambrian Explosion and the current communications technology fuelled business environment. As such, the life expectancy of companies seems to be getting less as the speed of global communications increases.  Steve Jobs is quoted in Forbes Magazine suggesting “why decline happens” at great companies: “The company does a great job, innovates and becomes a monopoly or close to it in some field, and then the quality of the product becomes less important. The company starts valuing the great salesman, because they’re the ones who can move the needle on revenues.” So salesmen are put in charge, and product engineers and designers feel demoted: Their efforts are no longer at the white-hot center of the company’s daily life. They “turn off.”

Maybe another way to say this is that all organisations must have purpose, whether that is a government agency or a company. The widgets (for want of a better description) might be policy or law in the case of a government agency; cars in the case of a car company; or services in the case of a services organisation. If the organisation maintains its focus on why it exists, then it can maybe adapt and survive beyond the average – however, this is hard work and most will end up like trilobites, ubiquitous one day, fossils the next.

Alex

Trilobite fossil – Photo by kevinzim – http://www.flickr.com/photos/[email protected]/43243889/

*Megginson, L. C. (1964). “Key to Competition is Management.” Petroleum Management, 36(1): 91-95.

 

Who do CEOs turn to regarding organisational resilience?

Words of wisdom

A recently released paper by the Australian Government indicates that CEOs turn to their Human Resources departments first when thinking about resilience in their organisations rather than Business continuity or risk managers.

The shocking results come from a survey of 50 CEOs undertaken in 2011/12 which show that CEOs mention HR Departments 10 times and Business continuity/risk managers only 6 times on average.

What do these figures tell us? Well, it would seem that the HR department is better at getting the ear of the CEO than the continuity and risk managers.

There is a silver lining to this story though. The same survey showed that CEOs are likely to consult equally with their board and general staff on matters of organisational resilience. Both boards and staff got a respectable score of 8, still less than the personnel department, but more than the specialists.

Why do you think HR is winning the heart of the CEO over the risk manager?

 

Alex

For more information: – Australian Government