Standard Recovery? Recovery Standards?


In two weeks’ time, I’m moderating a conference panel session entitled Standards in Recovery: Are we getting it right and what have we learnt from recent incidents?

This blog is an attempt to organise my thoughts and set out my own views, rather than to reach any particular conclusions!

On the face of it, standards seem like a good idea in anything; normalising complicated processes or ensuring homogenous technical precision. However, you don’t have to look too far before you realise that the issue of standards is polarizing and fraught with challenges.

That doesn’t mean they can’t be useful, just that extra care is needed in their development and application, as well as the performance management which flows from them.

Standards came to prominence around the time of the Industrial Revolution, allowing manufacturing industries to regularise processes and reduce waste. Things we take for granted are the result of standards which have developed over long durations.

I can easily conceive of, and ascribe value to, standards for ‘technical’ things. Even if I’m not an expert in the subject, I can see why it would be advantageous to standardise things like:

  • How much electricity comes out of your sockets.
  • How bright your lightbulbs are.
  • How confident you can be that your eggs are salmonella free.

I can also see that standardising language/terminology would be helpful in establishing a shared understanding.

However, I find it harder to see how a meaningful standard can be developed for the complex set of processes associated with emergency recovery. Like Alice falling down the rabbit hole, there is a seemingly endless range of questions and possible answers about what recovery is, and how it should be done.

So I turned to Lewis Carroll to see if he had any wisdom…

‘Would you tell me, please, which way I ought to go from here?’ asked Alice.

‘That depends a good deal on where you want to get to,’ said the Cat.

‘I don’t much care where –’ 

‘Then it doesn’t matter which way you go,’ 

Can we really know what we’re recovering from until an incident happens? If there isn’t a fixed destination for recovery, how will we know we’re there?

So, looking forward to the conference session, here are some of the questions that I’ll have in reserve for my esteemed panel members to respond to:

  • Just what is ‘recovery’ in the context of an emergency?
  • In their experience, when does ‘recovery’ start and finish?
  • What do you think a standard for recovery would look like?
  • Should a standard for recovery be specific or allow for flexibility? If it gives too much room for manoeuvre is it really a standard?
  • Have emergency responder organisations already adopted any of the standards out there? What has been their experience and how can we learn from it?
  • Is there a danger that standards become increasingly complex over time and require disproportionate effort to maintain and measure against?

What’s your perspective on these issues? My experience is that, as a profession, recovery is overlooked in favour of areas where it is arguably easier to measure impact or which are seen to be more exciting.

Leave a comment or start a discussion with me on Twitter.

Some thoughts on professional societies


Getting into any career is tricky. Employers are looking for the perfect combination of both knowledge and experience. Fresh out of University you have to try extra hard to demonstrate that you can actually do the job, not just talk about it.

That was the position I found myself in almost 13 years ago. I spent countless days completing applications; labouring the point that “yes, I might have only ever worked in a shop, but you can definitely trust me not to screw this up”.

One way I could show employers that they could put their faith in me was to join a professional association. These bodies are designed to represent the interests of those in the field, so if I was a member it would enhance my legitimacy. Not one to do things by halves, I joined no less than 4 professional associations.

I did my research beforehand, of course.

Some of these organisations had a specific focus, others were more general. Some had active online communities, others were more traditional.

As a fledgeling emergency manager, I thought it was a good idea to try and learn from as much of this as possible. That way I could tell employers I not only understood the job, but I also understood the profession and the direction it was travelling.

I’m no longer a member of any of those organisations that I joined.

Professional societies, at least those that I joined, had failed to move with the times. The challenges facing the profession now are not the same as those before critical UK legislation was introduced. The risk environment has changed, and the profession seems to be struggling to keep up.

Although, I think there were more fundamental issues holding those societies back:

  1. Ego – None of these societies are sufficiently large in membership that they require the level of process that most of them have. Bureaucracy tends to override what could be helpful information exchange platforms.
  2. Identity crisis – There’s a shift towards a more holistic concept of resilience which is not reflected in the scope of the professional bodies. Emergency Planning, that’s too focused on ‘plans’. Civil Defence – that’s an outdated term from the 50’s. Business Continuity – that’s too defined by formal standards.
  3. Lack of value to members – having been associated with a range of bodies for at least the last 8 years I cannot honestly say that it has been worth the investment either financially or in terms of benefits gained.
  4. Unrepresentative leadership – those employed in emergency management when I first started my career often had military or security backgrounds. At the practitioner level that is changing, and new perspectives are being introduced, but the makeup of the decision makers in many of the professional organisations has not kept pace with the changing demographics of the field.

I don’t like to just sit on the fringes and criticise. If I see an issue I want to try and resolve it. For one of the bodies, I worked with similarly enthusiastic colleagues to solve some of these problems. However, after 18 months of trying different things and volunteering my own time, the same issues remained.

That organisation in particular alienated its members through sporadic, ill-conceived communication and disrespected its own volunteers. For a body designed to support members, it showed an extreme lack of empathy.

Contrast that with the sense of camaraderie and community I’ve seen online from my SMEMchat colleagues. This eclipses anything I have seen in over 10 years of being a member of a society.

There are, of course, many ways of doing things; I’m not simply suggesting that everything should move online. But if professionals are going to continue to support each other (and I really hope they do) then it might be time for a more radical rethink of how this is best achieved.

I feel no sense of loyalty to bodies which didn’t demonstrate any to me. However, I do feel a sense of loyalty to my colleagues, whether I work directly with them, or our paths haven’t crossed yet.

Everything that we do as a profession is a team effort. There are many ways that we can collaborate without the stuffiness of societies.

My challenge to emergency planners in the wake of Manchester


I want to preface this short post with two caveats:

  1. I think the responders in Manchester have done, and continue to do, an incredible job. Not just the emergency services, not just the NHS staff, but everyone who has helped in any way. It’s a clear demonstration of the many supporting the few.
  2. My sincere condolences are with all the families of those killed, and with anyone affected by Monday’s events. I encourage you to dig deep and donate to the appeal fund to help support them through the difficult months and years ahead.

I didn’t know any of the victims or casualties from Monday’s attack, but I did follow one on Twitter. He brought his infectious sense of humour to my news feed. His name was Martyn Hett.

Martyn was 29. Facebook was launched when he was 16, Twitter when he was 18. He, and millions of others (myself included) have grown up not just with ‘IRL’ friends, but a whole network of online friends and acquaintances. Communities for whom sharing the same geography isn’t a factor.

I’ve seen outpourings of grief online from people that never knew Martyn. I’ve also seen those people supporting each other, showing compassion and kindness. The ripples of the incident go far beyond the physical communities within which he moved.

With more of us being connected through social media (or other platforms the internet has to offer), I think this needs to be a factor in how we design emergency response.

The world, our cities, and the people within them are constantly changing. It’s difficult (perhaps impossible) for large organisations to react quickly to every single one of those changes.

My hope is that emergency planners, especially those digital natives who have grown up online like Martyn, continue to challenge current processes, ensure arrangements reflect changes in society and above all, don’t forget that you’re doing this for anyone who is affected by an incident, no matter where they happen to be.

 

What Jurassic Park taught us about cyber risk


The tl;dr version of this post: don’t forget about the insider threat!

This week I attended the first in a series of three events by the Institution of Civil Engineers entitled Preparing London. This particular event was designed to consider the human threats to infrastructure.

During a talk from Nathan Jones (see this blog on his talk) my mind wandered and wondered…Did Jurassic Park teach me everything I know about cyber risk?

God damn it! I hate this hacker crap!

Ok, so maybe not everything worth knowing about cyber risk is summarised in Jurassic Park, but it’s a useful introduction into what happens when the tables are turned and technology which usually helps keep us safe, becomes the risk.

Everything in Jurassic Park is connected. The electric fences, the lighting in the visitor centre, the locks on the doors. When it’s working as planned, this connectivity helps the park’s management maintain an efficient operation and a positive guest experience.

However, such a complex system requires some centralised control. Looking at this through a business continuity lens, this is a clear single point of failure. An inherent risk.

This has clear parallels with our modern society and the interdependencies between systems that I’ve talked about previously.

Dennis Nedry exploits his colleagues’ limited understanding to enact his attack. He uses his tech-savvy advantage to provide cover for him stealing intellectual property, whilst putting lots of people in danger. The ultimate lesson here is that the real monsters aren’t the dinosaurs.

Objects in mirror are closer than they appear.

As well as a light-hearted moment during the dinosaur chase sequence, I think Spielberg also snuck this in as a metaphor for risks manifesting in ways which had not been considered.

Were the Jurassic Park team aware of cyber risk? Yes, there is literally a scene about passwords. I expect a lot of people assume that a good password is all they need for their IT security.

It’s clear they had also considered other risks, and had taken proactive action to control that risk. Electric fences, professional hunters, CCTV and motion sensors and the attempt at all-female genetic engineering are just some of the risk controls in the film.

But had the team considered the possibility that an employee would want to hold the park to ransom for personal gain? Could they have identified the vulnerability of the computerised control? Could they have done more in advance to protect the systems from malicious attack?

Dennis, our lives are in your hands.

Early in the film there are hints at Nedry’s personal financial difficulties. Later he mumbles to himself about test runs of his embryo heist.

John Hammond, the park owner, recognises the power that Nedry has.

There were clearly signals which the team missed and knowledge which, if combined, could have allowed an intervention before he got the opportunity to shut down the park.

Clever girl / I know this.

Just as the team hadn’t anticipated an insider threat, Nedry wasn’t expecting a tech-savvy teenager to thwart his plan.

Just when it looks like the raptors will get into the control room, Lex (the park owner’s granddaughter) recognises the Unix system and takes matters into her own hands.

The actual interface may be debatable (in researching (yes, research!) this post I’ve found that it was technically available, but I’m doubtful that a school student would have been aware), but it comes as no surprise that kids have a natural affinity with the technology that adults have to think about.

Side note: Provided the right precautions are in place to prevent unauthorised use, user friendly systems aren’t just a productivity win; they help prevent people finding work-arounds or backdoors.

Life finds a way.

With the ever increasing access to, and pervasiveness of the Internet and smart devices, Jurassic Park remains relevant today.

I’d argue that we’ve already reached a point where complete understanding of system interdependencies is impossible. Our societies and the technologies used are just too complex. However, we can continue to challenge our assumptions, keep our risk assessments grounded in reality and take action in advance to mitigate that risk.

It’s also a reminder that physical and IT security are just parts of the puzzle when it comes to risk management. Solutions are also required, sadly, to protect against malicious attack by either insiders or outsiders.

It’s also just a really great film!

Red Teaming for Emergency Management


How do we know that decisions taken in an emergency are appropriate? Ensuring appropriate checks and balances can help reduce the influence of groupthink or any other of these decision making biases.

In high stress situations, when the stakes are high, like in an emergency, what could emergency managers do to support those making the strategic decisions? Do they understand the complexity of the issues? Have they considered all of the options? Have they thought through all of the ramifications of their decisions? Are their decisions justifiable and defensible?

Back in 2014 I binge-watched a TV series called The Newsroom, which shows what goes on ‘behind the scenes’ to make a fictional American news programme.

In the second season, the group of journalists close in on a story relating to the use of chemical weapons by the US army in Pakistan. Whilst the team are confident in the authenticity of the material, they don’t want to run with the story until they are absolutely sure.

Enter the Red Team. A group of researchers and producers deliberately isolated from the investigation so they can later examine the facts and determine whether to air the story.

Here’s the trailer for Season 1 of The Newsroom

What if we did something similar in emergency management? This is how it could work:

  • There would be no change to the nominated individuals who are already ‘on-call’ to provide strategic decision making (for simplicity, let’s call them the Blue Team)
  • Another set of individuals would be identified as the Red Team
  • Both teams require the same level of training, briefing and access to information
  • In addition, the Red Team needs an awareness of the psychological factors which influence decision making
  • The Red Team can only be summoned at the request of the Blue Team – this avoids interference or overstepping their role of critical friend

Should the Blue Team come up against a problem, or not reach agreement on a course of action, the Red Team could be called to offer a view, or to mediate between differing perspectives. Having maintained a distance, the Red Team would poke holes and identify the risks and bugs that insiders might have missed.

There are a number of drawbacks to implementing a Red Team approach. These include the increased resource required to staff dual roles. Culturally, it’s new, and there would undoubtedly be some reticence to decisions being challenged where they previously haven’t been.

I recognise these practicalities may make Red Teaming impossible to achieve in reality. However, the process could be useful in exercises or in thinking about strategic decision making processes.

As noted in my last post, this might not yet be a fully formed idea, and I’d be interested in any thoughts that colleagues might have about whether they have seen this approach used, or could see any reasons that it would not be something to experiment with.

Thinking about starting a business or getting a tattoo? Maybe that’s another area where a Red Team could help ‘avert disaster’?

Blogging in 2017


One of the things I find most interesting about the Timehop app on my phone is how much my style of posting (especially to Facebook) has changed over 10 years. The melodrama is embarrassing and entertaining in equal measure. It’s interesting to see how what I was prompted to post about has changed. (Notice how I have deliberately stayed away from labelling this change as growth!)

[Image caption: this isn’t me, obvs]

The last blog post I wrote was waaaay back in August. I was thinking about the reasons for this, and it’s a combination of two things:

  1. Too many boxsets to catch up with on Netflix – seriously, if you haven’t seen Designated Survivor you are missing out! It’s perfect kick-back-and-relax telly for emergency managers!
  2. A feeling that I was losing, or at the very least, confusing my own voice with my work one. As the lead for “external relations and digital” for London Resilience, I started to find it difficult to have enough to say that was notably different from what I was already saying at work.

I had some pretty strong views back in the day. You may remember such blog posts as “Exercises are pointless” and “CBRN is elitist”. Since then (maybe because I’d already vented?) I started to find I didn’t feel as passionately about things anymore. For a while I felt I was becoming disinterested, but realised it was more about feeling I didn’t have anything new to add to the conversation.

In 2017, I want to re-establish my voice and blog. This might sound grandiose, even pompous, but I’ve found blogging helps me solidify proto-ideas. The process of writing something down means wider reading, consulting different sources, opening myself up to new ideas and discussing with colleagues.

I guess the other aspect is that the nature of being online has changed too. Is a blog the best medium? Should I, in fact, be using Medium? What’s the relationship to other platforms like Twitter and LinkedIn? These are all things I’ll no-doubt continue to unravel throughout the year. As with Timehop, I hope that one day I’ll be able to look back through my blog and see how my thoughts have evolved and what they have been shaped by.

So what is likely to follow in 2017? I think it would be unwise to commit to a regular schedule of blogging, I don’t want to be a slave to the blog. However, expect posts about the things that interest me, that frustrate me, that could be better. I’ll try not to moan too much, it’s all intended to be constructive and to help me (and perhaps others) improve what we do.

Best wishes for 2017, and remember, if you want to get in touch hit me up @mtthwhgn on Twitter – I’d love to have a conversation, not just air my own thoughts.

Rio 2016 – lessons and reflections on resilience


The Olympics is a bit like an alien invasion. The organising committee speak their own language and expect things to happen in ways which might be unfamiliar to locals. Even the London 2012 Olympic mascots looked a bit other-worldly.

With a touch of nostalgia, I thought I’d take a look back at the emergency planning considerations four years ago, and how things have changed just days from the start of Rio 2016.

I joined London Resilience with about 18 months to go. Planning and preparation for the Games was already at an advanced stage but there was still lots to do. I spent much of that year providing assurances to the Mayor, LOCOG (the Olympic Organising Committee) and Government that organisations in London were ready.

From the massacre in Munich in 1972, bombings in Spain just ahead of the 1992 Barcelona Games to the Atlanta bombing in 1996; the history of the Games is punctuated with incidents. In London, the bombings following the Host City announcement in July 2005 provided a sombre backdrop and framed much of the subsequent planning.

News from Brazil this week of problems with the accommodation for athletes, sadly, doesn’t surprise me. I visited the Olympic Park many times, and can distinctly remember the unfinished 1970’s Spanish holiday resort vibe that I got from our own athletes’ facilities, even quite late in the process. In contrast, I also remember being in awe of the late Zaha Hadid’s Aquatics Centre!

Many of the risks we had planned for didn’t occur (for example, the importation of African Horse Sickness or an unconventional attack on a crowded place). Going through the planning process made sure all responders knew their roles and how members of the public would be supported. As well as planning together, a whole series of exercises helped confirm the validity of arrangements in place.

It wasn’t just the emergency arrangements which were practised; I was fortunate enough to attend one of the dress rehearsal events for Danny Boyle’s Opening Ceremony. This is an experience that I will never forget! (As an aside, I’d also really recommend the Imagine: documentary on the Opening Ceremony!)


For 61 days I managed a control room where partners worked 24/7 so that in the unlikely event of an emergency, structures were in place to respond. We were involved in the response to 154 incidents and the ability to react early meant the majority were small-scale and did not escalate. Thankfully there were a number of incidents which I didn’t have to get involved with…and which we hadn’t anticipated!


One of the big challenges which sticks with me from 2012 was what was referred to as ‘The Last Mile’, and ensuring shared understanding of responsibilities in the gap between public transport hubs and sporting venues.

Hosting the Olympics carries similar challenges regardless of Host City. Bringing in tens of thousands of athletes, many more spectators and officials (who will likely be unfamiliar with local arrangements), and putting the city front-and-centre in the eyes of the media pose challenges.

The Games this summer in Rio occur in a world which has faced recent attacks in public spaces (a sadly extensive list) and one which continues to experience internationally significant outbreaks of disease like Ebola and Zika.

Whilst there are undoubtedly opportunities to share learning and experiences between Host Cities, there are also so many differences in how the cities are administered, the impact the Games has as well as the potential for change in the four years between events (live streaming video will put far more pressure on telecoms networks in Rio for example).

Like an alien abduction, hosting the games is something you can only really understand once you’ve experienced it (or so I’m told!)!

Best of luck to colleagues in Brazil – I’ll be watching!


Earlier versions of this blog (with less ET references!) appeared in the City Hall Blog and the July Edition of London Calling, the newsletter of the London Branch of the Emergency Planning Society.