A Recent Trend
As our OnSolve leadership team reflects on 2020 and 2021, we note a trend in our conversations with Business Continuity (BC), Enterprise Risk Management (ERM), Physical Security (PS), Travel Risk Management (TRM) and Supply Chain Risk Management (SCRM) leaders. At first, we did not connect the dots on a clear way to describe this trend. But over and over, our customers and partners have used the following phrase or something very similar:
“I was expecting [Risk A], but then I got hit by [Risk B].”
For example, seven days after Hurricane Ida made landfall in the gulf in Louisiana, a BC leader at a large hotel chain told us:
“We were expecting Ida to hit the gulf. We were ready. We had identified our most flood-prone properties. We had adjusted our staffing. We had tested our communications. We had pre-positioned generators and other equipment… But we’ve spent much of the last week scrambling, responding to Ida’s flooding of Manhattan – where we were not prepared.”
As a second example, a logistics and transportation company shared the following scenario:
“On a Friday morning, we noticed many of our staff were not showing up to work, causing a major staff shortage. We soon realized that Thursday night, a tornado hit one of the primary communities where our staff live. With the sky clear and crews responding in team members’ communities, our first assumption was the staff shortage would soon be over. But nearly a full day after the tornado, power outages and gas leaks were causing new evacuations, and the staff shortage continued into the following week.”
These are just two examples that capture the concept of “dynamic risks.” Included within this concept are the following elements:
- Rapid change
- A risk hitting from a secondary direction or event
- Some level of surprise
At OnSolve, we’re fortunate to be able to support and serve over 30,000 companies, communities, NGOs, governments and other organizations. Our running conversations allow us to extract and share trends so that all may benefit from the experiences and lessons learned. While leading resilience practitioners currently consider some aspects of dynamic risks in their programs, we recommend that these concepts be threaded throughout the design and management of all resilience programs in order to achieve the best possible outcome from every incident.
Dynamic Risks: A Working Definition
For years, our industry has used the term “dynamic” to describe the operating environment itself. For example, security leaders will be familiar with ASIS, whose 2017 ORM Standard states “Organizations typically operate in inherently dynamic risk environments[1].” To be clear, we agree that the business and operational environment has been dynamic and will likely grow more dynamic. A full consideration of the risks that have appeared frequently over 2020 and 2021—COVID, changing COVID restrictions, unrest, severe weather, supply chain disruptions, inflation, etc.—illustrates this trend.
Understanding the concept of the dynamic environment is helpful, though we believe new lessons are available from the focus on the risk itself, in addition to the environment. The tables below provide a structured approach to dynamic risk management that will support immediate enhancements across each element/level of resilience program maturity.
Fundamentally, a dynamic risk is a risk in which the ultimate harm is different than the initially expected harm.
Let’s explore deeper. Table 2 provides four conditions, explanations and examples.
Why are dynamic risks difficult to manage?
Fundamentally, dynamic risks are difficult to manage because by definition, they are not our focus. They come on the heels of another risk - when we are in a weakened state.
Boxers know this well. An effective left jab (“Risk A”) never ends a fight, but a left jab-right hook (the jab being the enablement of the hook, “Risk B”) keeps an opponent on defense and can surprise the opponent with a knockout.
The response to dynamic risks is further confounded because:
- The response to Risk B is often not the same as the response to Risk A.
- The people and functional team responsible for Risk B are often the same as those responsible for Risk A. This response team can be consumed with Risk A while Risk B is the most impactful.
- Our “eyes and ears” are focused on the immediate; our conversations and signals are focused on Risk A, and our response can be focused on Risk A.
Got it. I’m convinced dynamic risks are real. What I should I do about it?
We recommend that BC, Security, TRM and other risk leaders consider dynamic risk in building and assessing their people, processes and platforms.
Your People
Risk leaders can use the following dimensions to assess and build people and teams using a lens of dynamic risk.
The assessment questions below are not meant to be exhaustive, but are a helpful starting point for internal assessment.
Your Processes
Similarly, risk leaders can use the following dimensions to assess and build on their existing frameworks. We describe implications, followed by a specific response framework.
Response Framework Example
A typical response framework may look like the one below. These response frameworks take large response plans and break them down into “bite-size” chunks, with a few key tasks for each phase.
A response leader using a dynamic risk lens would then analyze the response framework to ensure the following:
Your Platforms
Technology can certainly help. Platform selection and configuration should prioritize for speed of changing information, relevance of information and usability.
- A risk intelligence platform with internal assets (employee homes or clusters, facilities, offices) and external assets (key supply chain hubs, airports, ports, customers)
- Real-time risk intelligence
- Highly granular risk intelligence, with coverage in the areas where your teams live and work and travel
- Highly granular filters—What may be noise to one organization may be a critical event to a second organization.
- Highly customizable information routing—What may be noise to one function may be crucial to another. (i.e., a port disruption is not relevant for a travel manager, but may be crucial to a supply chain manager.)
To learn more about dynamic risk, watch the on-demand webinar featuring the author in an interactive Q&A with Matt Bradley, OnSolve VP of Global Security Solutions.
[1] The ANSI/ASIS ORM.1-2017 standard can be found here. The particular dynamic reference can be found here.
