Unexpected impacts to a business or property can cost a fortune. But impacts don’t create vulnerabilities; they expose ones that already exist.
Building resilience requires that we continually work to remove our blind spots (and blind spots tend to move around, so this work is never done!). In 2019, Edgar Westerhof and I wrote a blog about what to expect in the world of resilience in 2020. Neither of us saw the pandemic so near on the horizon, but the deep vulnerabilities it exposed were already clear. The impacts we don’t see coming are typically the most jarring and costly, but the vulnerabilities they expose can be detected and addressed through diligence and a systematic approach.
Despite popular misconceptions, it isn’t a lack of resources or abilities holding businesses back from building resilience; it’s that their approach to resilience planning – which is often focused on specific hazards or single dimensions of resilience – leaves critical vulnerabilities unaddressed. That’s changing. More of my clients are interested in a mission-focused approach equipped to expose potential blind spots and plan for them accordingly. Here are five insights that we often apply together:
- Clarify the time horizon of interest
It is important to start with the time horizon of interest. Too often I will see companies building only to code, for example, failing to consider realistic scenarios that will likely impact operations within the time horizon they want their asset to remain productive.
Risk often varies over time. It may correlate not only with impacts that have an annual probability, like storm events, but also with other impacts such as legislative cycles, aging infrastructure, and an aging workforce. Considering multiple planning time horizons can help deal with this variability, with risk accumulation over time, and with risk that might be more cyclical.
Recently, I had a client with perpetual liabilities that was interested in planning for vulnerabilities that could be exposed within the next year, 3-5 years, 10-15 years, and 30 years and beyond. This enabled us to phase risk reduction and resilience-building actions and integrate them into the annual budgeting cycle, the cycle for operational plan development, long-term capital improvement plans, and other mechanisms the company uses to manage operations. Resilience building became a part of normal operational processes instead of something separate.
- Center resilience-building efforts around your organization’s mission and clarify how you’ll measure success
Keep in mind what managing risk is all about: achieving your organization’s mission and maintaining your level of service. When we assess risks at the mission level instead of the asset level, we get a broader view of threats to the four pillars of resilience for any organization or industry:
- Physical (your physical assets)
- Economic (your finances and revenues)
- Environmental (the context within which we do all things) and social (the culture and human resources of your organization)
- Governance (who makes what decisions, how, and when)
Start risk assessments by mapping the internal functions, assets, and resources essential to your mission, as well as any external interdependencies – regulators, neighbors, communities within which your assets lie, upstream and downstream supply chains, and utilities you rely on. Identify potential single points of failure and any areas that, if disrupted, could threaten your mission.
If you’re not planning around the mission, you might be surprised at the unique risks and vulnerabilities your organization doesn’t account for. Reputational risk, for one, is growing in prominence but not always properly accounted for; and it can impact both the organization’s ability to meet its mission and the bottom line. The long-term revenue hit from losing the public’s trust could outweigh the cost of fines or remediation projects. Look beyond the obvious natural hazards and health and safety risks to incorporate any threat to the mission – workforce turnover, security flaws, unhappy stakeholders, malevolent threats, toxic work cultures and so on – into resilience plans.
Planning around the mission or desired level of service can also deliver value in more ways than bolstering defenses. It provides opportunities to develop multi-faceted solutions, leverage a single dollar to address multiple concerns, or add value while reducing risk. A resilience-related improvement that enhances staff’s day-to-day experience, for example, can provide a morale boost that brings financial benefits on top of the losses avoided.
It is also important to define success – key values and losses avoided that the company or organization wants to track and achieve to recognize ROI. There are the losses avoided from physical damage, insurance costs, regulatory risk, company reputation, employee turnover, workman’s comp and so on. Some of these can be complex to quantify, but it’s critical to think through the things that matter most to your organization.
Solutions that improve multiple metrics of resilience don’t have to be major capital projects. Minor operational improvements, additional outreach to adjacent stakeholders, and company cultural changes accomplished through modifications to hiring and promotion strategies can have little associated cost and still produce huge ROI over time. These benefits have a way of building on themselves in what Judith Rodin of Rockefeller coined the “resilience dividend.”
- Search up and downstream for risks and opportunities
Risk doesn’t end at the property line. Interdependencies present their own challenges and opportunities to plan for. Say your organization is reliant on a power substation in a flood plain. You may be able to independently implement increased power measures to fortify that weakness in the chain, or there might be opportunities to pool resources with outside organizations to install mutually beneficial solutions.
Exploring interdependencies can also uncover sleeper risks that rear their heads at the worst times. One of my clients used to depend on transporting fuel to the site as a backup power supply. But when Hurricane Sandy hit, there was a run on fuel in the area, and the company saw its expected backup power supply quickly run dry while the grid was down. Now, their broader view on risk takes the supply chain into greater account; they have diversified their fuel supply, improved power use efficiency, and increased on-site power generation.
- Engage and empower your internal and external stakeholders
I’ve touched on this earlier when describing blind spots, critical functions, and interdependencies, but it is important enough to state overtly: stakeholder identification and engagement are critical to resilience building. Engage staff that could be affected by decisions you make as early in the process as possible and respect their input in designing solutions. Take the same approach with governmental agencies that oversee or regulate your operation – build relationships to develop an understanding of what changes could be coming down the pipe so that you can prepare. Encourage operators to get to know the neighbors around your facilities. This can add to the number of eyes and ears looking out for your business and build pathways to smoothing over issues as they arise.
- Intimately understand the benefits and limitations of the data used in decision-making
All wise decision-making is rooted in complete, accurate, and current data. It is important that we understand the information we use to make decisions. We are in a changing risk context, and data gathering and processing do not receive adequate investment in either the public or private sectors.
For one company I worked with, its data said that a devastating storm was a 6,000-year event. The problem was that the flood maps, despite being published in 2007, were based on data gathered in the 1960s. A lot has changed since the 1960s.
Once the project team integrated rainfall data through 2018, the storm frequency dropped to around a 1,000-year event. Nevertheless, this approach still presented problems. Representing all data equally over decades meant that the models ignored rapid advances in the magnitude of rain events over the previous 25 years. When the project team mapped rainfall events over the prior 25 years only, we were able to see that there had been:
- Five events greater than what the model considered a 100-year event
- Four events greater than a 300-year event
- Three events greater than a 500-year event
- Two events greater than a 1,000-year event
While this is an extreme example, similar scenarios play out in decision-making all the time. Do not take data you are using at face value; take steps to understand how and when it was developed and under what assumptions. Ensure data is being used effectively – and determine what to do when it isn’t. Systematically capturing and storing real-time information and making it accessible for later use, allowing teams to collaborate without silos, and leveraging analytics are some example actions to take.
Stay prepared for the unexpected
Events can be unpredictable, but vulnerabilities can be identified and reduced with the right corporate mindset and associated processes. With these five facets of industrial resilience planning guiding the way, your organization can be better equipped for risks – even ones we don’t see coming.
This piece is part of an ongoing series on industrial resilience. Read “Beyond the models: Assessing industrial resilience and water risks” to discover the four steps to an effective water risk assessment.