Why crisis preparedness should have its own global awareness day
A global pandemic “audited” the world’s vulnerabilities; it’s now time to turn costly findings into better resilience
Written by Natalia Smalyuk
A year ago, the World Health Organization declared COVID-19 a global pandemic. Leaving our offices in March 2020, many of us packed light. If someone told us that, a year later, we still won’t be back, we would not believe them.
Although epidemiologists had warned for years that a new pathogen sweeping the planet was a “when,” not an “if,” COVID-19 caught the world by surprise.
Let me say this upfront. In hindsight, it’s easy to comment on the “could have’s” and “should have’s” in responding to the pandemic, but there’s no magic-cure playbook to manage all its curveballs. Not to suggest that organizations should abandon crisis planning all together because they can never envision the exact disaster that will hit them. Quite the opposite! The world needs more – not less – preparedness, but perhaps it should be approached differently.
The pandemic has performed a global crisis vulnerability audit, and we can’t let its free – and terribly costly – findings go to waste. Below are some reflections based on the chats with crisis experts on how COVID-19 lessons could be turned into better resilience. I’d love to hear your thoughts, too!
NEGLECTING LOW-PROBABILITY HIGH-CONSEQUENCE RISK EVENTS
COVID-19 showed that today’s preparedness systems are not designed for the “unbelievables” – in other words, high-impact low-probability events like a global pandemic that may look obvious in hindsight. Traditional risk assessments tend to rely on the readily available data and the experience of the recent past rather than looking ahead and attempting to imagine the future. In 2007 – 2008, the stress tests of many banks assumed a worst-case scenario in which U.S. housing prices remained flat. They overlooked the possibility that prices could actually go down.
A common approach is ranking risks based on the severity of their consequences multiplied by the probability of their occurrence. It only seems logical that organizations should prepare for the crises that are assigned high consequences should they occur and high probabilities of occurring at the same time. The problem with this approach is that the “unbelievables,” such as a pandemic crippling the world, an asset price bubble bursting, a plane flying into New York towers or a big earthquake hitting Vancouver one day fly under the radar.
What each big crisis teaches us though is that, as much as possible, organizations and societies should be designed to be worst-case-scenario-proof. That means dealing with the “scariest” scenarios first even when their statistical probabilities are not in favour of putting them at the top of the crisis plan. Uncovering these potential high-impact events takes asking a lot of “what if” questions and, as a crisis management expert Ian Mitroff puts it, thinking about the “unthinkables” systematically.
SHYING AWAY FROM COMPLEXITY
It would be naive to think there could have been a fail-proof perfect blueprint for managing COVID-19. “Scientists everywhere are just trying to stay ahead of the curveballs being fired by the virus,” says Dr. Timothy Evans, director of McGill’s School of Population and Global Health. “It’s a good pitcher.” Among the many curveballs are virus variants. Initially, scientists estimated that 60 per cent to 70 per cent of the population need to be vaccinated to achieve herd immunity. When more variants were found, the numbers shifted up to a 80 per cent to 90 per cent range – unprecedented with an adult vaccine.
The ever-mutating COVID-19 crisis looks like a Russian doll with endless shapes inside. Beneath health impacts are economic chain reactions, with layoffs, bankruptcies and closures triggering dominoes of broken careers and emotional connections, with a collapse of familiar meanings and stories adding to mental health issues and, in some cases, contributing to civil unrest. Behind this all is a massive loss of trust that fills up the air waves. Canadians are fed up with our pathetic response to the pandemic, reads one of the many similar headlines.
Mitroff calls this Russian doll of crises a “wicked mess” – a phenomenon a social systems scientist Russell Ackoff describes as a highly interactive system of problems. In a “wicked mess” crisis, the right solutions may seem obvious after the fact. In real time, organizations can only cope as best they can, with too many variables and their interaction patterns colliding in a collusion of the unthinkables and unknowns, causes and effects, crises within crises.
There’s no – and can’t be – an all-encompassing simulation for the Russian doll. I can hear sceptics say: what’s the point of crisis planning then? The very rules and assumptions on which the discipline rests seem to have shifted. Is crisis preparedness dead? However, executives whose organizations fared better through the COVID-19 emergency suggest the opposite. It’s their pre-COVID actions, such as appointing a pandemic management committee or empowering a champion for this type of crises, that helped them weather the storm.
OVER-RELYING ON RIGID STRUCTURES
What’s dead is rigidity. Passive rule-based mindsets. Static bureaucratic structures where integrated crisis leadership is replaced with fragmented controls paralyzing swift action. Over-codified, simplistic procedures reducing “wicked messes” to something that creates an illusion of control on paper. Uncoordinated, mis-timed responses wasting valuable time. Canned statements taking a week to approve.
Becoming a BP CEO in 2007, Tony Hayward introduced new rules, such as the requirement for all employees to use lids on coffee cups while walking and refrain from texting while driving. In 2010, the Deepwater Horizon oil drilling rig exploded in the Gulf of Mexico. The U.S. investigation commission later attributed the incident to management failures inhibiting “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate and address them.”
While checklist-based processes are essential in some situations, others require fewer rulebooks and more flexible tools that enable critical thinking, pivoting on the spot and triggering the steps involved in developing an optimal solution in a fast-changing environment. What needs to emerge in place of the rigid models are the new structures of preparedness fit for purpose, with organizations of any size being able to roll with the punches when crises don’t stay in the clean boxes assigned to them and get in front of the curveballs wherever possible.
NOT ACTING BUT REACTING
Generally, proactive organizations take action before – not after – things go wrong. South Korea got credit for its investment in the ramp-up of mass testing capacity early in the first wave of the pandemic. In contrast, Canada is often criticized for its reactive response. “The bulk of Ottawa’s hundreds of billions of dollars in COVID-19 costs have been incurred not fighting the virus directly, but paying people to stay home,” says the Globe and Mail’s editorial board. Crisis management experts view their work as a continuum of three stages – “before,” during” and “after” adverse events. If organizations don’t act in the “before” phase, they often end up reacting when a crisis hits, wasting valuable time and resources ramping up mitigation measures.
One common problem is a lack of stakeholder coordination and joint action between response partners. If they don’t meet regularly in the “before,” or planning phase, collaboration with a shared understanding of roles, processes and priorities will be a lot more complicated when disaster strikes. In the early days of the COVID-19 pandemic, we saw surprisingly little international coordination. Recognizing that the initial phase of the crisis – those often chaotic first hours or days – is vital in its subsequent development, the Centers for Disease Control and Prevention (CDC)’s Crisis and Emergency Risk Communication mantra is to “be first, be right, be credible.”
NOT LEARNING FROM MISTAKES
Mitroff looks at proactiveness with yet another lens. Most organizations prepare for a limited set of risks that are familiar or direct threat to their core business, such as contamination in the food industry, product tampering in the pharmaceutical, and supply-chain issues in the automotive. In Mitroff’s view, proactive organizations are those that prepare for a wider variety of adverse events than what they’ve experienced before.
This requires a new, systematic approach to crisis management shifting from a myopic focus on the direct experience to a broader, more open-ended understanding of the patterns in different types of crises as a basis for proactive preparation. The good, the bad and the ugly of what happened in other times, other countries, other industries and other contexts is invaluable in learning from the success stories, best practices and especially hard-earned lessons.
Here’s one example of learning across geographic boundaries. In Canada, we face the daunting challenges of immunization with the systems designed to vaccinate kids. Working with the Canadian Network for Neglected Tropical Diseases (NTDs), I realized how much Canada can learn from the world's experience managing NTDs, applying this knowledge to innovate in its COVID-19 response at home and abroad. NTD programs in Africa run well-developed community health programs that engage vulnerable communities at scale, working across borders and developing behaviour change messages pulling on local cultural truths.
GETTING LOST IN THE ALPHABET SOUP OF METHODOLOGIES
Organizations and societies should grow their crisis management knowledge, transforming it into world-class training, planning and preparedness. However, we are not there yet, with preparedness systems operating at different levels of maturity across the board. Thus far, I used the terms “risk management” and “crisis management” loosely, but it’s worth putting them into perspective. Risk and crisis management are closely interconnected, but separate disciplines that have evolved significantly over the past few decades. The COVID-19 pandemic is likely to catalyze more change in both of them in the near future. But lets take a brief history tour first.
A while ago, crisis management primarily meant emergency and rescue services, such as firefighters, policemen and ambulance workers.
According to Mitroff, the tampering of Tylenol capsules in a suburb outside of Chicago in 1982 is generally recognized as the beginning of the modern field of crisis management.
More recently, the 2007-2008 financial crisis put a spotlight on risk governance. The Dodd-Frank Wall Street Reform, the international Basel III framework and various consumer protection regulations solidified the institutionalization of risk management. Prior to the financial crisis, only the organizations specializing in risk management – namely insurance companies – had a Chief Risk Officer (CRO) job. Today, large banks are expected to have a senior executive responsible for the risk management function.
A rising focus on risk and crisis management has led to an alphabet soup of acronyms: risk management (RM), business continuity planning (BCP), crisis management (CM), crisis communications (CC). There’s a plethora of qualifications, from the Professional Risk Manager (PRM) awarded by the Professional Risk Management International Association (PRMIA) to the Financial Risk Manager (FRM) granted by the Global Association of Risk Professionals (GARP) to the Canadian Risk Management Designation (CRM) offered by the Global Risk Management Institute. The ISO standards and their equivalents spun up to bring consistency to risk management practices. Some regulators and business contracts make following them mandatory.
Despite this global movement to standardize professional practices, different disciplines speak different languages colliding when it comes to solving urgent crisis problems. Here’s a common scenario. In an emergency, a client calls their communications advisor to write a holding media statement. “Do you have a crisis plan that I could refer to?” asks the advisor. “We have a business continuity plan somewhere,” the client responds, “But I am not sure where to look for it. I believe it hasn’t been updated for a while.” The company ends up improvising an ad hoc response outside of any consistent framework. Somewhere there there’s a breakdown that, for many organizations, still needs to be addressed.
AVOIDING THE BOUNCING BALL OF PAIN
No one wants to get a crisis call in the middle of the night and, if the operational model is not clearly defined, preparedness may become a bouncing ball of pain. In the worst cases, various managers taking on bits and pieces of risk and crisis management end up in a never-ending debate about who should do what.
To add value, preparedness structures should be designed strategically, and a culture of resilience starts with the boards. Risk oversight is one of their core responsibilities, and boards need to ensure a robust risk and crisis management operating model is put in place.
Throughout the COVID-19 crisis, many boards have played a central role in guiding organizations towards recovery. However, the collaboration between boards and management teams is often inconsistent. Many organizations do not include, or even mention, their board in their crisis plans. According to a Deloitte board members survey, almost one-fifth of board members say they have no crisis playbook; one-third don’t know if they have one.
A conversation gaining momentum among boards of directors, management teams and regulators is enterprise-wide risk management (ERM). Angela Patel, an enterprise risk management program leader at Amazon Web Services, highlights functional independence and separation of duties as important ERM principles. The CRO or their equivalent should have an independent reporting line to senior management – preferably the CEO or the board. The Three Lines of Defense model provides a simple framework to clarify roles where the first line of defense is business and operations that own and manage risk. The second line is compliance and risk, or functions that oversee risk. Finally, the third line is independent assurance, including internal and external audit. Its role is to ensure the first and second lines of defense are functioning as intended.
DRAWING ON TOO MUCH SCIENCE, NOT ENOUGH ART
In increasingly data-driven rational management cultures, it’s tempting to see risk as an exact science. Risk management often borrows its concepts from insurance and financial industries where risk models emerged earlier and evolved into more sophisticated forms. In a bank, capital is the logical means for quantifying and comparing risks, translating them into dollar terms. Value at risk, for example, is a common risk management measure. However, we don’t necessarily have the language to talk about the human – as opposed to capital – values and costs. What is the value at risk when it comes to human lives in a global pandemic? What does “risk appetite” mean? Is there an acceptable level of sickness or deaths?
Somewhere there, traditional risk programs enter a thorny territory where capital-based hard measures don’t easily mesh with soft human-centric values. According to the Globe and Mail’s health columnist Andre Picard, tuberculosis still kills 1.5 million people a year, AIDS 700,000, and malaria 400,000. When COVID-19 is no longer seen as a threat to affluent countries, will it no longer be a public health priority, similar to neglected tropical diseases that affect one in five people on the planet and are called neglected precisely because they have not received the attention and funding their scale warrants?
COUNTING CAPITAL COSTS AS OPPOSED TO HUMAN VALUE
A focus on the human – as opposed to capital – factors is the missing piece in traditional risk management whose terminology doesn’t include such soft concepts as empathy, stakeholder concerns and trust. One can model the variables of infections, hospitalizations, deaths and lockdowns. However, human behaviour will always be the wild card, and crisis managers need to read the emotional needs of their stakeholders. In Madrid, a government campaign’s creative saying “This round of drinks buries your grandfather” outraged local residents who felt authorities were shifting the blame to young people. A counter campaign saying: “Battered public health = burying your grandmother” attacked the ruling party for slashing public health spending.
Risk management is not equipped to deal with the curveballs of the unusual states of mind and black swan events that require more art than science – divergent thinking and open risk debate, personal experience and intuition, imagination and creativity. Interestingly, those who’ve been through major crises often use the same words to describe their experience as soldiers. In a Globe and Mail article on pandemic preparedness, Manulife’s CEO Roy Gori talked about the “weekly war room” meetings, calling the speed of decisions the “new battleground.”
Robert Kaplan and Anette Mikes argue that risks fall into preventable, strategy and external categories that call for different strategies. Preventable risks – for example, a rogue trader – are internal and controllable. Strategy risks are those a company voluntarily accepts to generate returns. For example, BP accepted the high risks of drilling several miles below the surface because of the high value of the oil and gas it expected to extract. Finally, external risks, such as pandemics, natural disasters and major macroeconomic shifts, stem from events outside the company and beyond its control. Traditional rule-based compliance or analytical models are inadequate for strategy or external risks.
FORGETTING COSTLY LESSONS
COVID-19 has exposed many vulnerabilities in the world’s preparedness. For example, it took a global pandemic to pay attention to the wretched state of many long-term care homes. Despite the devastation of infectious diseases in different parts of the world, including the SARS outbreak in Toronto, Canada’s cutting-edge early warning system for pandemics had curtailed its surveillance before coronavirus struck, and Canada cut the number of cities storing critical medical supplies by one third.
“Building back better’’ is a popular political message. First and foremost, building back means not forgetting the costly lessons from the crises that are already behind us – even if the next disaster happens on someone else’ watch. The vicious cycle of erasing earlier learnings and repeating the same mistakes will repeat over and over again if governments and businesses don’t act on the COVID-19 “vulnerability audit” and make crisis preparedness a top priority.
In the spirit of learning, we can look at the experience of Japan. After its government was criticized for a slow response to the Kobe earthquake of 1995, Japan spent billions of dollars to strengthen buildings, develop early warning systems and educate the public on what to do if there’s an earthquake or tsunami. Japan’s “massive public education program” could be credited for saving the most lives when the 2011 earthquake and tsunami hit, according to a tsunami preparedness expert Rich Eisner. Today, Japan observes an annual Disaster Preparation Day commemorating those who died and reminding people that another major earthquake is always a possibility.
Our short memories are one of the biggest unacknowledged risks in crisis management. To safe-guard against it, the world should introduce a global Crisis Preparedness Day so we don’t forget the human cost of the mega crises like COVID-19 and remember the reasons why organizations and countries should commit to preparedness with the right resources, mindsets and best practices.
NBAU Consulting offers crisis leadership consulting, coaching and training to guide organizations through adversity and build resilience.