Chapter 1
When the Unpredictable Occurs
In this chapter, three experienced security professionals discuss how to deal with the unanticipated consequences of “Black Swan” events. These events are rare, extremely impactful, and often thought of—after they’ve occurred—to have been predictable. While security leaders can’t plan for every possible event, they can plan for the potential consequences. This planning model helps businesses become more resilient to unpredictable events.
Keywords
Black Swan events; business continuity; emergency planning; resilience; unpredictable events; public-private partnership
With insight from Francis D’Addario, former vice president of Partner and Asset Protection at Starbucks Coffee; Brad Brekke, vice president of Assets Protection for Target Corporation; and Rad Jones, instructor in the School of Criminal Justice at Michigan State University and leader of the MSU/Security Executive Council Business Continuity Alliance
It is seven years since the publication of Nassim Nicholas Taleb’s book The Black Swan. In the book, Taleb introduces the concept of Black Swan events, which he characterizes as events that are 1) rare; 2) extremely impactful; and 3) often endowed by people—after the fact—with elements of predictability. Taleb argues that uncertainty cannot be tamed, and that it is foolish to attempt to tame it.
Historically, there has been a perception that security leaders are less than comfortable with unpredictability. If that’s the case, it’s understandable. After all, for many of these individuals, part of the job is knowing the future—preparing for every contingency and knowing when and how each event is likely to happen. They’re also often penalized by management for not predicting or preparing for everything. But today, Taleb’s Black Swan concept is integrating itself into more organizations’ understanding of security, and it’s proving a sensible and beneficial way to view and manage risk.
“Are we prepared? Not always. Innovative capabilities are required even when you are planful,” said Francis D’Addario, former VP of Partner and Asset Protection at Starbucks Coffee, as he introduced a session of the Security Executive Council’s Next Generation Security Leader development program. The session was focused on improving all-hazards preparedness and building public-private partnerships, so it’s interesting how often presenters encouraged participants to accept and embrace the fact that no organization can plan for every possibility.
Yet as Taleb argues, this acceptance is surprisingly crucial to preparedness.
Brad Brekke, Vice President of Assets Protection for Target Corporation, shared some of his organization’s methods for preparing for the unpredictable. “You can’t plan for everything. Instead, we plan for consequences. What happens if you lose communication, transportation, energy?” he said. Planning for consequences, as Brekke puts it, is one way of broadening the organization’s ability to respond to unlikely events.
Target has achieved resilience success from this planning model, and Brekke shared one example. On April 27, 2011, tornadoes in four southern U.S. states claimed the lives of 344 people and resulted in billions of dollars of property damage. Alabama was declared a federal disaster area. “We had 20 team members who lost homes and one killed,” he said. “We lost power and the ability to run eight stores immediately, and we lost our distribution center in that area.”
The company’s first priority was accounting for the safety of all employees, and they activated plans to accomplish that through call centers, radio and newspaper ads, and local contacts. Meanwhile, generator power quickly got the local stores back online, but they couldn’t be supplied because the distribution center was off the state’s power grid. Target had planned carefully for the known risk of tornado damage, but, said Brekke, “we never anticipated having stores open and the distribution center closed at the same moment.”
Because of the company’s resilience planning efforts, the fact that they hadn’t specifically planned for this eventuality did not stop them from dealing with it quickly. The local teams were able to order five generators to be shipped overnight and the full distribution center ran off generator power only until local power was restored.
The fully stocked Target stores provided food and water to a community that desperately needed them as well as relief to public agencies. And, said Brekke, “Because our employees were safe and there was a plan, they were able to go into the community to volunteer to help the recovery efforts.”
Another critical element of preparedness for unpredictability is partnership. Target’s resilience efforts hinged on a multitude of partnerships with public agencies in the local area that the organizations had built and fostered long before the crisis arose. As Rad Jones, instructor in the School of Criminal Justice at Michigan State University and leader of the MSU/Security Executive Council Business Continuity Alliance, commented, “When your facility is on fire it’s not the time to figure out who should do what.” This is true both literally and figuratively.
If a Black Swan event occurs, both public agencies and private companies will be better able to handle consequences and continue operations if strong partnerships are already in place. The health of the community and the corporation are intertwined, and resilience improves when they know and can mutually leverage one another’s strengths and resources. Partnerships like this are built on a foundation of communication and trust, said Jones. “It’s difficult to accomplish collaboration without discussion about the interests and concerns of all the stakeholders,” he continued. If that foundation is laid in advance, mitigation of incidents can occur without delay because, even if specific plans don’t account for the event, the communication channels are there and multiple teams can easily work together to determine the best course of action based on plans that have been practiced.
Even organizations that invest heavily in intelligence gathering and analysis cannot predict every event that may impact their business. Consider planning for consequences and building public-private partnerships to help reinforce your resilience efforts when—not if—the unpredictable occurs.
Chapter 2
Building a Resilient Business
This chapter discusses how to increase your company’s ability to bounce back from interruptions by developing a business resiliency program. A business resiliency program brings together several functions, including emergency response, business continuity, crisis management, disaster recovery, and risk management. Each of these functions is defined, and strategies for piecing them together into one collaborative program are provided.
Keywords
Business resiliency; business resiliency program; emergency response; crisis management; enterprise risk management
By Rob Rolfsen, director of global risk management for Cisco Systems; and Gino Zucca, senior manager of enterprise risk management for Cisco Systems
Corporations today are subject to a variety of crises that cause more damage more quickly than ever before. Bigger storms, broader scandals, larger data thefts, and more credible terrorist threats across the globe have the capacity to take down an unprepared business in a short time. Despite this, many corporations lack a comprehensive program to ensure the resiliency of their businesses in the face of a catastrophic event. Not only does this put them at greater risk in the event of a crisis, but it also deprives them of the added value of a complete business resiliency program.
Business resiliency is a relatively new term that represents an enterprise-wide state of readiness—an ability to quickly identify, react to, and recover from business interruptions of any kind. It incorporates under its umbrella the more familiar functions of emergency response, business continuity, crisis management, disaster recovery, and, to some extent, risk management.
Even when they’re managed separately, these functions should be intuitively interdependent. But by unifying them under a resiliency program, a corporation can maximize the use of available resources, create a greater awareness of risk and continuity issues, and ensure that each involved group understands its responsibilities and those of its counterparts.
The Components of Resiliency
Confusion among familiar terms like emergency response, business continuity, and crisis management often makes it difficult for executives to understand what programs they actually have in place. Before exploring how a resiliency program can tighten the bonds among its component functions, it’s important to nail down some definitions.
Emergency Response
Emergency response provides the initial, on-site assessment of an incident. What is the situation, how are we impacted, and does this incident warrant further mitigative or responsive action on the part of the business? This function includes triage, e.g., emergency medical teams and first response.
Crisis Management
Crisis management is the process by which a business deals with an event that has been deemed significant. A situation has developed; now, how do we react? Crisis management teams (CMTs) respond based on a pre-determined plan of action that is appropriate to the event. They communicate with other business units to assess and reassess impacted areas of the business and determine appropriate responses. This function includes everything from public relations management to evacuation and physical infrastructure analysis.
Business Continuity
Business continuity is the ability of the business to continue operations during and after a crisis situation. This generally involves preparing and implementing manual workarounds to enable the business to respond to an interruption. Business continuity often focuses on IT responsibilities, such as data backups and off-site storage. Many organizations call this function “disaster recovery.”