Dr Robert Macfarlane once described (during crisis management training) a theory from Reason (1997) called the Swiss cheese model, in which an organisation’s defences against failure are a series of barriers, or slices of the cheese. The holes in the slices represent individual weaknesses in individual parts of the system; the layers protect the organisation because a risk scenario cannot easily pass through all of them at once. 2021 could easily be the year of Swiss cheese – senior staff fatigue, vulnerabilities in our IT networks, and arrangements that have not been updated and exercised mean that the holes in the Swiss cheese layers may be aligning in 2021.
With uncertainty over a trade deal, border disruption and ongoing COVID impacts, you would think we have enough concurrent risks ongoing to keep our resilience plans under review. 2020 has been such a challenging year, and many of the difficulties for organisations will roll into 2021. Like the ‘wrong leaves on the line’ scenario we hear about on the rail networks in autumn, the UK’s flu pandemic response was overwhelmed on several fronts by the wrong kind of virus – the level of infectiousness exceeded planning assumptions, capacity for testing was insufficient and stockpiles were found wanting. This comment is not intended to undermine or dismiss the herculean efforts of those responding to and continuing to manage the COVID-19 response, or to suggest that greater pandemic planning would have made a seismic difference to our response, but it underlines the importance of building capability before the emergency and seriously considering the implications of Government planning assumptions.
The new National Risk Register (NRR), published last week, offers a well-presented view of the risks we should be planning for now. The NRR provides information on the most significant risks that could occur in the next two years and which could have a wide range of impacts on the UK. From this can be determined ‘planning assumptions’ and what capability (resources, equipment etc.) is needed to deal with the risks. Three new risks identified are serious and organised crime, disinformation and hostile state activity. Additionally, the following risks mentioned in the 2017 NRR have now been formally assessed: antimicrobial resistance and major fires.
Our advice and support to clients this year has involved upgrading plans to manage the consequences of concurrent incidents, beyond planning assumptions. If we extrapolate the recommendations from Parliament’s Joint Committee on the National Security Strategy in its report “Biosecurity and National Security” (and commentary from Lord Harris), they apply well to all organisations: ensure governance is in place with funded resources to plan and respond, key personnel are trained, resources prepared/stockpiled where necessary, conduct validation exercises and include the supply chain.
We advise this broad spectrum of resilience actions to combat the complacency and fatigue which can easily set in after many months of response to a single disruption. At the Executive level we are asking clients key questions to establish their readiness for 2021:
- Do we have a list of critical business activities which is visible at an Executive level and briefed to Members, with planned timescales for restoration, key dependencies and systems involved?
- In the event of key sites being inaccessible, have we mapped the priority, restoration time and minimum desk space and IT needs for customer-facing staff for each critical function to be able to move to another site?
- Have our key risks been reviewed, with mitigations in place that are current and tested? A good example is cyber risk, where security and response arrangements may be out of date given the rapid IT transformation many organisations delivered during 2020 for COVID-19.
- Do we have a defined Business Continuity structure which efficiently coordinates our horizon scanning and our response to disruption? When was this last validated (outside of COVID-specific coordination)?
- In the event of a post-incident/disruption debrief do we have a defensible log of decisions, actions and the supporting context and rationale?
- Can we maintain acceptable minimum service levels that meet customers’ requirements in the event of foreseeable risks materialising?
- Can our suppliers meet our requirements?
- Do we have sufficient liquidity and stock buffers for key supplies?
- With current resources can we meet all new legal and regulatory requirements arising from COVID regulations as well as potential BREXIT changes?
- With current resources do we have sufficient capacity to respond to ongoing COVID activities and BREXIT impacts?
- Will we remain GDPR compliant if UK data adequacy is not accepted by the EU?
- Do we have a response, coordination and information management arrangement in place to respond efficiently and swiftly to actionable outcomes of BREXIT and the ongoing COVID response and vaccine roll-out?
Controlled Events is a corporate partner of the Business Continuity Institute, a member of Resilience First, a corporate sponsor of British APCO and a member of the Emergency Planning Society. Since 2011 we have been supporting organisations to establish resilience capabilities and readiness, with control and communications resources in place. See our resource portal for further resources (most of which are free).