[Last amended: 8 Oct 20]
When the opportunity to learn from failures is taken, there is then the questions of how this might be done. To be consistent with my other work, I have adapted Turner's Disaster Incubation Theory for this purpose.
I would argue that, to enhance risk management practices and procedures, it is good practice to conduct a live review of an organisation’s response to any major risk that materialises. The intended purpose would be to consider how well the procedures enabled the organisation to anticipate, manage and recover from incidents.
The organisation therefore has to identify the onset of a crisis and work through the immediate consequences. While routine operations will clearly still be impacted by the crisis, now is always the time to review, by way of a post-mortem, the effectiveness of its response to date, and especially consider how well the risk management procedures prepared them practically and culturally ready to react. Delaying any such review risks losing corporate memory of the detail.
It is seen as being most beneficial to hold the review with a wide range of staff. The purpose is not to criticise anyone, rather to conduct a collaborative exploration of what went well, what went less well and what might be learnt from the experience while seeking improvements going forward. Chairmanship of such events should be open for debate, offering opportunities for everyone with intimate knowledge of the response or someone more detached from events.
Below a simple model, shown in the attached diagram, is proposes in order to understand the stages of preparation for and response to a crisis. Below are samples questions that might be addressed.
The model is designed to help us visualise and understand the complex dynamics surrounding the development of a crisis and its resolution. While it will be unfamiliar to most, possibly all, staff, its very unfamiliarity would usefully help to challenge us and jolt us out of our customary ways of thinking, opening our minds to questions and concepts that might not otherwise be present.
The model assumes that every crisis has an ‘incubation period’ (A): the time during which problems develop that we normally try to mitigate through our routine risk management activity. At some point we become aware that the crisis may have been triggered or become more likely to occur, opening up a ‘recovery window’ (B). During this time, if we recognise it is happening, we have the opportunity to conduct specific mitigation activity to prevent a crisis and start our plan of action should it occur (C). Once the crisis occurs (D) (in this case Covid-19 and the examination results issue), a force field is created (E) between forces driving the crisis on (F) and our actions to stop it or reduce its impact (C). Eventually, a ‘new normal’ is created (G) in our post crisis world (a state that may not yet have reached but which we should already be planning for).
Some of the Questions We Should Be Asking
1. In running through the questions, we should encourage participants to consider what went well and what went less well.
2. Incubation Period (A):
a. Was the pandemic risk on our corporate risk register? If not, why not?
b. Had we considered something of this magnitude?
c. Did something stop us anticipating and preparing for this seismic shock? Had we asked what would kill the organisation? If not, why not?
d. What did we decide to do about it: tolerate, treat, transfer or terminate the risk? Was the action different depending on whether elements were specific or generic risks?
e. What mitigating action did we take? How effective was it?
3. Recovery Window (B):
a. When were we aware that the ‘recovery window’ had opened up?
b. What further mitigating action did we take?
c. Did we start contingency planning in case the risk materialised?
4. Crisis (D):
a. What did the crisis affect (reputation, operations, finance and/or our stakeholders’ trust)?
b. How did key and other staff respond? Was it widely accepted as a possibility or did it come as a brutal shock? In other words, was risk awareness embedded in the organisation? What does this say about our risk culture?
5. Forces Driving the Crisis (F):
a. What dynamics perpetuated the crisis (and are still)?
b. What are the forces that make up these dynamics and how did we go about countering them?
c. How do we try to develop foresight about what might drive future events?
6. Forces Driving to Resolve the Crisis (C):
a. Did we have a system in place to manage the crisis?
b. How well did our structures, policies and processes cope with responding to the situation?
c. Did we corral our response into a coherent framework that addresses all stakeholders in this crisis?
d. Are we maintaining and building trust among our stakeholders?
e. What value did the Audit Committee add in identifying and responding to the crisis?
f. Did we fair better or worse than other comparable businesses? If so, why?
g. How are our actions compared to other comparable businesses – consider input from auditors and others.
7. New Normal (G):
a. What does the future look like?
b. What have we learned so far in terms of risk and crisis management?
c. What should we do differently in the future?
d. What good practice is emerging from our response that we might adopt permanently in the future?