A holistic view of risk management in the context of ‘better practice’ is now viewed as ‘organisational resilience’ and is built around a framework that incorporates financial, operational and strategic risk.
A fully integrated risk model is achieved by intelligently fusing the disciplines of risks management, crisis management, emergency management, security, business continuity and other key areas.
The Janellis resilience model incorporates four key focus areas of Risk, Readiness, Response and Assurance. The model forms the basis by which Janellis reviews and builds an organisations resilience capability. An effective resilience framework ensures organisations can rapidly adapt and respond to internal or external change, risks, opportunities, demands, disruptions or threats; and continue operations with limited impact to the business.
An organisation with a mature resilience capability is able to demonstrate the following:
- Integration of strategic, operational and financial risks
- Response capability built against known catastrophic risks through training and exercising
- High levels of confidence to respond to emerging threats
- Embedded critical thinking across the organisation
- Alignment of resilience capability with key inter-dependencies
- Regular assurance to the board and other key stakeholders
About the Janellis Enterprise Resilience Framework
Developed in collaboration with leading Australian organisations operating in high risk industries both nationally and internationally, this framework is based on the International Benchmarking on Organisational Resilience.
The framework is aligned with International and Australian standards including: ISO 31000, the Australasian Inter-service Incident Management System (AIIMS), the Prevention, Preparedness, Response and Recovery (PPPR) principles, AS/NZS 5050 and the Australian Federal Governments Critical Infrastructure Resilience Strategy for owners and operators of critical infrastructure.
Key elements of the framework have been embedded in leading organisations and government agencies.
The framework has four areas of focus which include RISK; READINESS; RESPONSE and ASSURANCE.
– ISO 31000 is the cornerstone of the framework and requires an integrated and consistent approach to managing strategic operational and financial risks across the enterprise. In addition to traditional enterprise-wide risk management, it entails a greater focus on: the identification, management and reporting of ‘catastrophic risks’; understanding the dependencies and vulnerabilities related to critical suppliers and other third parties; the identification and management of emerging threats and using scenario based modelling to build situational awareness and adaptability.
“The capability to respond to extreme events is an essential part of building and maintaining organisational resilience”.
– The readiness components of the framework includes a more strategic approach to pre-planning for disruptions and ‘shocks’ through: the development and alignment of plans; training and awareness; implementing appropriate technology and having alternate site arrangements. Advanced readiness capabilities include: the alignment of plans with critical suppliers or external agencies; ensuring that all communications mechanisms are in place to receive and distribute information; the development and use of tools including a decision making framework and response handbook as an aide memoire.
– The response components of the framework encompass the capability to respond to specific known strategic, operational or financial ‘catastrophic’ risks or emerging threats that the organisation is managing. The response aspects involve a robust exercising and testing process that builds and maintains capability. An effective exercise development process will highlight vulnerabilities and identify strengths within the organisation. The response elements of the framework build crisis management leadership as well as critical thinking capabilities.
“An organisation may have exhaustive risk management processes, detailed plans and experienced individuals but; if a team comes together in a crisis and they are unable to demonstrate critical thinking capabilities, they may not be effective. Critical thinking skills developed at all levels within an organisation – and evident during BAU – is one of the leading indicators of organisational resilience.”
– Higher levels of assurance are being sought to ensure that organisations can effectively respond to a wide range of potential threats. Traditional governance frameworks are being improved with targeted ‘readiness’ reporting, robust post-incident reviews, benchmarking and audits. Benchmarking is used to highlight areas of capability as well as areas of vulnerability and this can be done nationally and internationally.
The internal and external audit process is a recognised and effective way to provide assurance and there is a growing requirement in the areas of risk, organisational resilience, emergency and crisis management. Whilst it may not be possible to predict or mitigate the full range of unknown risks, assurance can be provided to key stakeholders if the organisation can demonstrate: an acceptable level of pre-planning; a robust exercising program and an effective and auditable decision making process.
Download the Harvard Business Review submission containing case study examples including: NSW State Emergency Service; Qantas; Lend Lease Group, Transfield Services and Westpac Banking Corporation. Or the technical version here.
The frequency of crisis events has raised questions on the role of the Board before and during a crisis. Janellis have been working with executive leadership teams in building their crisis management expertise for over ten years and understand that the Board has a key role in preparing for and responding to a crisis.
The role of the Board is to provide oversight and governance during ‘business as usual’and during a ‘crisis’ event.
The Board’s main role, prior to a crisis occurring, is ensuring that their organisation is prepared to effectively respond to a range of disruptive events.
Assurance needs to be provided to the Board so that they trust in the capabilities of the chief executive and the crisis management team. Members of the board need to be confident that the crisis management team can manage the strategic requirements of a crisis.
Clarity of expectations is critical in this relationship. The crisis management team needs to understand before the crisis event, what the board members require during the crisis response, and how they will support the associated organisational response. Conversely, the Board needs to ensure the executive team are fully cognisant of their expectations relating to the agreed strategic intent.
Board members should resist the urge to make too many demands on managements time during a crisis. The crisis management team members will have established relationships and processes and be best placed to understand the impacts across the organisation and to mobilise the appropriate resources.
An effective crisis management team should provide assurance and demonstrate critical thinking capabilities by: identifying the facts; identifying what is unknown; understanding the impacts across the organisation; considering most likely outcomes and worst case scenarios; identifying key stakeholders impacted and developing and communicating their plan.
This process will often take place with incomplete information and under immense time pressure. The crisis management team will ideally focus on managing the incident rather than managing the Board requirements. However, one of the key activities of the crisis chair is to provide situational awareness to the Board through regular and effective briefings, enabling the board members to support the crisis management team to maintain shareholder, regulator and community confidence.
Depending on the nature of the event and to ensure that the strategic objectives of the organisation are met, the Board may be called on to:
- Become a ‘sounding board’ to the crisis management team for significant strategic decisions that need to be made. This may be crucial to the effectiveness of the crisis chair and the crisis management team, depending on the size, complexity and scale of the crisis.
- Endorse the key strategic decisions and actions of the chief executive and crisis management team and provide Board level oversight regarding these key decisions.
- Liaise with key external stakeholders including the regulators, shareholders and the media, only as agreed upon by the crisis management communications team.
In what situations would the Board need to operate as a crisis team?
The role of the Board may change from a role of oversight to one of leadership where the crisis has a direct impact on the chief executive and/or their leadership team. Questions board members should be asking at this time are:
- Are any members of the crisis management team implicated or impacted by the crisis?
- Do the crisis management team have the skills and capability required to respond to this event?
- Do the crisis management team need additional support?
If the entire crisis management team and their alternates are unable to lead a crisis, the strategic decisions will lie with the Board and they will need to assemble and direct a new crisis management team.
What can the Board do to prepare for a crisis event?
Members of the Board have a highly influential role in crisis management preparedness. They should be asking targeted questions to executive leaders to ensure that an adequate level of preparedness has occurred and that capability exists at all levels within the organisation.
Key actions for the Board are to ensure that:
- Emerging risks are effectively monitored and that contingency plans are developed for significant emerging threats, as they are identified.
- The organisation has the demonstrated capability to respond to a range of strategic, operational, financial and environmental threats.
- There is a robust and strategic exercising program with scenario-based activities that develop critical thinking capabilities at multiple levels within the organisation including the incident, emergency and crisis level.
- The organisation has access to crisis, emergency and incident management tools to enable them to respond in a co-ordinated way that facilitates critical thinking.
- Members of the board understand how the organisation would respond to a crisis event, including key roles and responsibilities and; that board members have access to crisis management tools should they be required to lead a crisis event.
What is ‘better practice’ in Board level crisis management?
In working with organisations to develop a mature crisis management capability, opportunities arise to invite select members of the board to participate in the crisis management scenario-based activities. The Boards role in these activities can be as an observer, a ‘player’ in the scenario or simply to be briefed, as a rehearsal for what would happen in a real event.
Customised hypothetical-style activities can be designed specifically for board members to build their capability individually and collectively.
Organisations with high levels of trust between board members and the executive team are able to work together to build and maintain a mature crisis management capability.
If you have any specific questions on The Role of the Board in a crisis please email me at Natalie.Botha@Janellis.com.au or read more about our crisis management training and tools. To register your interest in attending an event on this topic please visit our Events page.
This video highlights the importance of city-wide resilience, the role of business in building resilience and the value of a global partnership with 100 Resilient Cities.
Featuring Michael Berkowitz, CEO of 100 Resilient Cities and Natalie Botha, Managing Director of Janellis.
For more information on Janellis resilience capabilities:
For more information on 100 Resilient cities:
Previously, we wrote an article on The role of the Board in a crisis and the need for clarity of expectations between the Board and the Executive, prior to a crisis occurring.
During a crisis, the role of the Board remains one of assurance and governance. In situations where the Executive are directly impacted or implicated, the Board will need to take an active leadership role but outside of those scenarios, it is the responsibility of the Crisis Management Team to lead the crisis response.
What is the role of the Executive in a crisis?
During a crisis, the Crisis Management Team (CMT), made up of members of the Executive, will quickly form to become the strategic thinking and decision-making team for the organisation. As soon as a crisis is declared, key actions for the Crisis Management Team include:
- Distil and verify information received from within the organisation and externally and; clarify what is known and unknown.
- Understand the impacts across the organisation and community.
- Determine what strategic decisions need to be made immediately (often with incomplete information) and actions that need to be taken now and later.
- Understand the key stakeholders impacted and develop a strategy to communicate and engage effectively with all key stakeholders (including the Board).
In preparing to respond effectively to a crisis, the Executive need to have:
- Identified ‘catastrophic’ risks through scenario based activities.
- An integrated response model with clarity on roles and responsibilities.
- A capability development program that includes training and exercising.
- Access to crisis management tools that will enable and support a response.
- Regular reporting to the board and other key stakeholders to ensure alignment and assurance.
The Crisis Management Team, made up of key members of the Executive, are presented with significant challenges in a crisis.
The team will often be mobilised with very little notice. The incident may be uncontained or uncontrolled, putting the team in a high-stakes and high-pressure situation, with significant community and media interest.
The crisis team members need to have strong critical and creative thinking skills and; be able to made key decisions with conflicting or incomplete information, under time pressure and with intense scrutiny.
Key decisions made by the team may be reviewed at a later date and it is essential that there is evidence of clear decision making.
To support these teams for this significant role within their organisation, an on-going capability development and maintenance program needs to be in place.
Building capability through experiential learning
Scenario-based and training and the use of tools to support the crisis management team will provide assurance that the team has the capability to respond to a range of strategic, political, operational, financial and environmental threats.
Developing this capability at the most senior levels within the organisation has significant benefits outside of responding effectively to a crisis including:
- Building adaptive thinking capability that can be drawn upon for escalating or unknown risks that emerge.
- Enhanced critical and creative thinking capability that can be used during ‘business as usual’ and in responding to ‘slow burn’ or strategic risks.
- Uncovering blind spots by identifying risks that could lead to catastrophic events and; enhancing the identification of emerging threats to the organisation.
Janellis have been working with Executive Leadership Teams for over ten years in the specialist area of crisis management. Many leaders have strong intuitive capabilities to respond to a crisis but the complexity of a crisis will, by its very nature, be immensely challenging.
Individual and collective thinking capabilities are put to the test and tools and training will help the teams to challenge assumptions, ask the right questions and make decision that draw upon their combined experiences.
Key steps to building and maintaining this capability include: identification of ‘catastrophic’ risks through scenario based training; an integrated response model with clarity on roles and responsibilities; access to tools that will enable an effective response; training and testing of the crisis management team and regular engagement with key stakeholders within the organisation and externally.
Janellis is an enterprise consulting firm working with leading organisations across many industry sectors. Janellis helps organisations execute their strategy and are specialists in organisational resilience; risk, compliance and assurance; crisis and emergency management.
Our crisis management tools have been embedded in organisations across a number of industries in countries including Australia, Canada, China, India, Italy, Japan, New Zealand and the USA.
Janellis have recently become a partner of the 100 Resilient Cities, an organisation pioneered by the Rockefeller Foundation. This partnership provides our crisis management tools to member cities around the world. The tools are particularly valuable for cities with significant risks and vulnerable communities within those cities.
Following the recent Government announcement, there is a renewed focus on the ownership and resilience of Australia’s national critical infrastructure. A joint media release with Senator The Hon George Brandis QC stated:
“With increased privatisation, supply chain arrangements being outsourced and offshored, and the shift in our international investment profile, Australia’s national critical infrastructure is more exposed than ever to sabotage, espionage and coercion.
We need to manage these risks by adopting a coordinated and strategic framework. This challenge is not something the Commonwealth can address alone”.
The diverse number of threats and the need for an ‘all hazards’ approach presents significant challenges to owners and operators of critical infrastructure. In 2006 Janellis pioneered an integrated organisational resilience framework with critical infrastructure providers and key elements of the framework continue to be embedded in industries including: aviation; banking and finance; energy; transport; water and government agencies.
Areas of focus:
- Clarity on the role of the Executive and Board in a crisis, including their role in ensuring the organisation is prepared for an incident, emergency or crisis.
- Scenario-based planning at the Executive and Strategic level to uncover and mitigate against ‘catastrophic’ risks the organisation may face.
- Crisis Communications and its effective integration within the crisis emergency and incident management framework.
- Multi-agency Emergency Management Capability Awareness Programs providing multi-faceted resilience protection for key assets.
- The effective use of decision support tools for Emergency and Crisis Management Teams to enhance integrated critical thinking and decision making.
- Exercise development process to facilitate scenario-based exercises that build capability, highlighting areas for improvement and provide assurance to key stakeholders.
- Resilience reporting to provide assurance to the Executive, Board and other key stakeholders.
The ‘all hazards’ approach to building resilience is growing in awareness and acceptance due to increasingly complex and unpredictable impacts. Developing and maintaining capability is a key requirement for critical infrastructure owners and operators and; non-critical infrastructure organisations who are operating in higher risk industries.
Greater levels of assurance are being sought by key stakeholders that teams and organisations have the capability to respond and resilience reporting is being used to assess the capacity and capability for specific assets and across the enterprise.
For more information on the Critical Infrastructure Resilience Assessment and Assurance Tools or the Organisational Resilience Framework, please email Harrison Orr – Harrison.firstname.lastname@example.org