Design Your Organization to Withstand Future Disasters

In the business literature about crisis and disaster management, there’s a tremendous focus on topics like leadership, communications, and planning. Security personnel and those tasked with making sure companies are prepared tend to be more concerned with the technology and equipment needed to reduce physical and cyber risks. But between crisis leadership and tactical planning, a fundamental structural gap often exists — a dangerous chasm between those in charge and those on the ground.

As companies prepare for crises, they too often fail to take a step back and ask a simple question: How are we designed? I’ve spent years training and advising companies on disaster management and preparedness and have come to believe that good preparedness follows good organization — and bad preparedness can usually be explained by bad organization.

It’s obvious, entering year three of Covid response, that we’re all crisis managers now to some extent. The threats we face — to life, business continuity, property, and reputation — will not end as our masks come off. Company leaders must take inventory of their “architecture of preparedness.” This means focusing less at first on training, protocols, leadership, and communications and more on the company’s internal reporting and governance structure. The fundamental question for all companies now, in an era of recurring disasters, is whether their management and leadership design is safe.

In studying disasters and their consequences for my book, The Devil Never Sleeps: Learning to Live in an Age of Disasters, I identified several design flaws that should be addressed before — not if — the next crisis comes. To design their company’s management structure to better respond to crises, leaders should focus on the following three areas.

Position

When I teach about crisis management at Harvard’s Kennedy School, my very first class is about design, because the “bones” (i.e., the underlying structure) of an organization matter. I ask a simple question that’s met with wild guesses and blank stares every year: In the US government, where is the US Forestry Service placed? Immediately, some confident students will shout out “Department of Interior.” Having failed, others suggest the EPA. The answer is the Department of Agriculture. Think about what that means, what that placement discloses about how the government once viewed (and still views) forests: as an agricultural commodity, much like cows, corn, or soybeans. For better or worse, by design, trees and forests are in a government agency whose priority is not the environment or protecting historic lands. This placement matters because it informs the Forestry Service’s priorities.

Companies rarely have security personnel placed in permanent leadership roles. Few boards of directors for public companies have a single individual from the security or cybersecurity sector. This is not merely a symbolic challenge: It says to those professionals that their skills or expertise aren’t integral to the company’s leadership. It can impact the capacity to guide budget and staffing priorities, as executives divide up limited resources. It denies relevance: a seat at the table. And if an issue isn’t viewed by management as essential, it won’t be viewed by employees as essential either. Security must be elevated by governance design that shows that it’s as integral to a company’s future as its bottom line.

Often, to compensate for these design flaws or to seem responsible to the outside world, many companies, especially newer technology ones, are creating what they call “trust” or “trust advisory” boards. I don’t know if this is because “trust” seems less intimidating than “security.” These boards tend to be filled with all sorts of experts and former government officials (I’ve served on a few!), but the name — a euphemism — and place — outside of the organization — are telling. They simply consult and give recommendations, and importantly, cannot demand action. They’re literally off to the side and are often for show. Security architecture is serious stuff, and it can’t be relegated to the equivalent of the kids’ table at Thanksgiving. If board directors or internal leaders can’t drive preparedness planning and capabilities, then it won’t get done.

Access

No matter where the security personnel reside within an organization, I’ll often ask CEOs how often they meet with various members of their teams. Their responses are revealing. Many say they meet with the COO several times a day, the CFO at least a few times a week, the general counsel if they must. But as for the chief security officer or equivalent, the answer is often some variation of: “Well, he’s former FBI, so he knows what he’s doing.” This is the wrong answer. If it’s unacceptable for a CEO to delegate all financial or legal responsibility to others in the company, the same should be true for preparedness. A prepared CEO is one who understands that how they focus their attention and demands informs what the company deems as valuable.

In the security world, the capacity of the safety apparatus to have a say in business planning and priorities is called availability. Is the security team accessible when it matters the most? Many institutional leaders would say yes, that they know who to call if something goes wrong. This suggests that leadership doesn’t see security as an enabler, but more as a necessary nuisance or an add-on, the thing to be called rather than the connective tissue for the company. Complicated reporting structures, with safety personnel distributed so they report to different parts of the management structure, such as legal, risk, or strategy, minimize their influence and capabilities.

Treating security personnel as afterthoughts by limiting their access to leadership is short-sighted and self-defeating. For example, consider the city of Oakland’s long effort to build a new stadium for their baseball team, the Oakland Athletics, at the Howard Terminal (an effort that’s dragged on for so long that it’s been called “a journey of a thousand steps”). The project has run into many delays and roadblocks since the Oakland Athletics Investment Group chose the Howard Terminal site in 2018, one of which was the discovery of numerous safety vulnerabilities that should’ve come into view before they made their selection.

The site was perfect for recreational and investor needs. But because it’s surrounded on one side by water and has just a few exit roads (some of which were consistently blocked by rail and cargo), the advisory review I served on discovered that there was no way for people to leave safely should something calamitous (an earthquake, fire, active shooter situation, etc.) happen. It so threatened the safe and secure flow of Oakland’s major port that Union Pacific railroad even raised opposition.

Where was the Investment Group’s safety team? There was none to speak of, and there was little attempt on the front end to engage other companies, including rail and cargo, and the residents who understood the site’s risks and challenges.

There’s no one-size-fits-all architecture. Ideally, a senior head of safety or security would report directly to the CEO or a senior member of the leadership team. That security official would oversee all aspects of risk policy and guide budgets and personnel with support from the top. Security is too important an issue to hide it down an organizational chart or delegate to outside “experts.” If that’s not feasible given a company’s size or structure, the CEO and leadership team should ensure that security is always represented in budget and priority business decisions before they’re made.

It’s also essential that leaders be willing and engaged when security personnel request their presence at tabletop exercises or training. A monthly briefing is valuable, as risks often change. This kind of familiarity makes a leader fluent and comfortable in a space that’s key to their mission, even if they’re not the one purchasing cyber defenses or building gates around a building.

I once worked for a political leader as his homeland security head, but by statute, I wasn’t a direct report. I told him simply that “you do not win elections on my docket, but you are likely to lose them on it. When I need to see you, make sure I can be seen.” He concurred and told his team the same. The reality that nobody cares about safety until everybody cares should inform a leader’s accessibility.

Unity of Effort

These design changes aren’t simply about rearranging deck chairs on the Titanic. They’re about ensuring that, should a harm come to pass, the consequences can be minimized and the harm can be reduced. And that can only happen if a company designs for unity of effort in anticipation of the next disaster.

After the terrorist attacks on 9/11, many companies rightfully promoted or hired a CSO, chief security officer. Over the course of the following decade, as companies were experiencing cyberattacks and vulnerabilities, a new leader arose: the CISO, chief information security officer. Now, due to the pandemic, many major companies are hiring CMOs or CHOs, chief medical or health officers. That’s a lot of C-people.

The sentiment is commendable, but the effort means little without some connective tissue. One solution is to appoint a chief of security or preparedness who oversees these efforts. Though all of those C-roles are focused on different threats, a leader’s response is going to be essentially the same whether it’s an active shooter, earthquake, cyber breach, or virus: Execute a plan, minimize the impact, and lead the company. With divided efforts, focuses, and labor, the “chiefs” are often in different reporting and management silos. The problem is: However the ship goes down, the whole ship is going down.

For example, consider the ransomware attack on Colonial Pipeline in May 2021, which resulted in the pipeline operator having to shut off delivery of gas and oil to nearly 45% of the Eastern Seaboard for over a week. Analysts tend to ask how the company could have been so vulnerable. The better question is: How could they have no plan for how the inevitable cyber disruption would impact their capabilities and lead to a short-term energy crisis as the supply chain shut down?

The company had no choice but to shut down the entire system because it couldn’t effectively monitor gas flow. Companies generally divide systems between operations and information technology. They’re interdependent, which means a risk to one is a risk to the other. Had Colonial had a senior leader overseeing the entire array of potential consequences, the company might have been more prepared. It could have built redundancies or separated key data needs — such as those related to operations and distribution — from business ones — such as payroll — on the network. It might have planned a more sophisticated recovery effort that focused on getting large pipelines moving quickly and relied on trucks and other forms of transportation for local delivery. Instead, what could have been a minor disruption common in cyberspace became a national energy supply challenge.

. . .

Design, as much as a good PR plan or effective training, is an essential aspect of preparedness in an age when disasters will keep coming. Before a company invests in the next cool new security product or appoints a fancy new advisory board, it should first examine its own architecture. Good preparedness comes from strong bones.
