Digitisation has transformed our lives by providing boundless economic and social benefits through improved efficiency and productivity. Yet within critical infrastructure organisations, technological innovation has accelerated faster than our ability to secure it.
A holistic view of risk management in the context of ‘better practice’ is now viewed as ‘organisational resilience’ and is built around a framework that incorporates financial, operational and strategic risk.
A fully integrated risk model is achieved by intelligently fusing the disciplines of risk management, crisis management, emergency management, security, business continuity and other key areas.
The Janellis Resilience model incorporates four key focus areas of Risk, Readiness, Response and Assurance. The model forms the basis by which Janellis reviews and builds an organisation’s resilience capability. An effective resilience framework ensures organisations can rapidly adapt and respond to internal or external change, risks, opportunities, demands, disruptions or threats; and continue operations with limited impact to the business.
An organisation with a mature resilience capability is able to demonstrate the following:
- Integrate strategic, operational and financial risks
- Ensure a response capability is built against known catastrophic risks through training and exercising
- Demonstrate high levels of confidence to respond to emerging threats
- Embed critical thinking across the organisation
- Align the resilience capability with key inter-dependencies
- Regularly provide assurance to the board and other key stakeholders
About the Janellis Enterprise Resilience Framework
Developed in collaboration with leading Australian organisations operating in high-risk industries both nationally and internationally, this framework is based on the International Benchmarking on Organisational Resilience.
The framework is aligned with International and Australian standards including: ISO 31000, the Australasian Inter-service Incident Management System (AIIMS), the Prevention, Preparedness, Response and Recovery (PPRR) principles, AS/NZS 5050, HB 167-2006, Security Risk Management Standard and the Australian Federal Government’s Critical Infrastructure Resilience Strategy for owners and operators of critical infrastructure.
Janellis has embedded key elements of the framework in leading organisations and government agencies.
– ISO 31000 is the cornerstone of the framework and requires an integrated and consistent approach to managing strategic, operational and financial risks across the enterprise. In addition to traditional enterprise-wide risk management, it entails a greater focus on: the identification, management and reporting of ‘catastrophic risks’; understanding the dependencies and vulnerabilities related to critical suppliers and other third parties; the identification and management of emerging threats and using scenario-based modelling to build situational awareness and adaptability.
“The capability to respond to extreme events is an essential part of building and maintaining organisational resilience.”
– The readiness components of the framework include a more strategic approach to pre-planning for disruptions and ‘shocks’ through: the development and alignment of plans; training and awareness; implementing appropriate technology and having alternate site arrangements. Advanced readiness capabilities include: the alignment of plans with critical suppliers or external agencies; ensuring all communication mechanisms are in place to receive and distribute information; the development and use of tools including a decision-making framework and response handbook as an aide memoire.
– The response components of the framework encompass the capability to respond to specific known strategic, operational or financial ‘catastrophic’ risks or emerging threats the organisation is managing. The response aspects involve a robust exercising and testing process that builds and maintains capability. An effective exercise development process will highlight vulnerabilities and identify strengths within the organisation. The response elements of the framework build crisis management leadership as well as critical thinking capabilities.
“An organisation may have exhaustive risk management processes, detailed plans and experienced individuals, but if a team comes together in a crisis and they are unable to demonstrate critical thinking capabilities, they may not be effective. Critical thinking skills developed at all levels within an organisation – and evident during BAU – are one of the leading indicators of organisational resilience.”
– Higher levels of assurance are being sought to ensure that organisations can effectively respond to a wide range of potential threats. Traditional governance frameworks are being improved with targeted ‘readiness’ reporting, robust post-incident reviews, benchmarking and audits. Benchmarking is used to highlight areas of capability as well as areas of vulnerability and this can be done nationally and internationally.
The internal and external audit process is a recognised and effective way to provide assurance and there is a growing requirement in the areas of risk, organisational resilience, emergency and crisis management. Whilst it may not be possible to predict or mitigate the full range of unknown risks, assurance can be provided to key stakeholders if the organisation can demonstrate: an acceptable level of pre-planning; a robust exercising program and an effective and auditable decision-making process.
Download the Harvard Business Review submission containing case study examples including: NSW State Emergency Service; Qantas; Lendlease Group, Transfield Services and Westpac Banking Corporation.
The frequency of crisis events has raised questions about the role of the Board before and during a crisis. Janellis has been working with executive leadership teams in building their crisis management expertise for over ten years. We understand the Board has a key role in preparing for and responding to a crisis.
The role of the Board is to provide oversight and governance during ‘business as usual’ and during a ‘crisis’ event.
The Board’s main role, prior to a crisis occurring, is ensuring their organisation is prepared to effectively respond to a range of disruptive events.
Assurance needs to be provided to the Board so that they trust in the capabilities of the chief executive and the crisis management team. Members of the board need to be confident that the crisis management team can manage the strategic requirements of a crisis.
Clarity of expectations is critical in this relationship. The crisis management team needs to understand, before the crisis event, what the board members require during the crisis response and how they will support the associated organisational response. Conversely, the Board needs to ensure the executive team are fully cognisant of their expectations relating to the agreed strategic intent.
Board members should resist the urge to make too many demands on management’s time during a crisis. The crisis management team members will have established relationships and processes and be best placed to understand the impacts across the organisation and to mobilise the appropriate resources.
An effective crisis management team should provide assurance and demonstrate critical thinking capabilities by: identifying the facts; identifying what is unknown; understanding the impacts across the organisation; considering most likely outcomes and worst case scenarios; identifying key stakeholders impacted; and developing and communicating their plan.
This process will often take place with incomplete information and under immense time pressure. The crisis management team will ideally focus on managing the incident rather than managing the Board requirements. However, one of the key activities of the crisis chair is to provide situational awareness to the Board through regular and effective briefings, enabling the board members to support the crisis management team to maintain shareholder, regulator and community confidence.
Depending on the nature of the event and to ensure that the strategic objectives of the organisation are met, the Board may be called on to:
- Become a ‘sounding board’ to the crisis management team for significant strategic decisions that need to be made. This may be crucial to the effectiveness of the crisis chair and the crisis management team, depending on the size, complexity and scale of the crisis.
- Endorse the key strategic decisions and actions of the chief executive and crisis management team and provide Board level oversight regarding these key decisions.
- Liaise with key external stakeholders including the regulators, shareholders and the media, only as agreed upon by the crisis management communications team.
In what situations would the Board need to operate as a crisis team?
The role of the Board may change from a role of oversight to one of leadership where the crisis has a direct impact on the chief executive and/or their leadership team. Questions board members should be asking at this time are:
- Are any members of the crisis management team implicated or impacted by the crisis?
- Do the crisis management team have the skills and capability required to respond to this event?
- Do the crisis management team need additional support?
If the entire crisis management team and their alternates are unable to lead a crisis, the strategic decisions will lie with the Board and they will need to assemble and direct a new crisis management team.
What can the Board do to prepare for a crisis event?
Members of the Board have a highly influential role in crisis management preparedness. They should be asking targeted questions to executive leaders to ensure that an adequate level of preparedness has occurred and that capability exists at all levels within the organisation.
Key actions for the Board are to ensure that:
- Emerging risks are effectively monitored and that contingency plans are developed for significant emerging threats, as they are identified.
- The organisation has the demonstrated capability to respond to a range of strategic, operational, financial and environmental threats.
- There is a robust and strategic exercising program with scenario-based activities that develop critical thinking capabilities at multiple levels within the organisation including the incident, emergency and crisis level.
- The organisation has access to crisis, emergency and incident management tools to enable them to respond in a co-ordinated way that facilitates critical thinking.
- Members of the board understand how the organisation would respond to a crisis event, including key roles and responsibilities; and that board members have access to crisis management tools should they be required to lead a crisis event.
What is ‘better practice’ in Board level crisis management?
In working with organisations to develop a mature crisis management capability, opportunities arise to invite select members of the board to participate in the crisis management scenario-based activities. The Board’s role in these activities can be as an observer, a ‘player’ in the scenario or simply to be briefed, as a rehearsal for what would happen in a real event.
Customised hypothetical-style activities can be designed specifically for board members to build their capability individually and collectively.
Organisations with high levels of trust between board members and the executive team are able to work together to build and maintain a mature crisis management capability.
If you have any specific questions on The Role of the Board in a crisis please email me at Natalie.Botha@Janellis.com.au or read more about our crisis management training and tools. To register your interest in attending an event on this topic please visit our Events page.
This video highlights the importance of city-wide resilience, the role of business in building resilience and the value of a global partnership with 100 Resilient Cities.
Featuring Michael Berkowitz, CEO of 100 Resilient Cities and Natalie Botha, Managing Director of Janellis.