Browsed by
Category: Work

Some thoughts on professional societies

Some thoughts on professional societies

Getting into any career is tricky. Employers are looking for the perfect combination of both knowledge and experience. Fresh out of University you have to try extra hard to demonstrate that you can actually do the job, not just talk about it.

That was the position I found myself in almost 13 years ago. I spent countless days completing applications; labouring the point that “yes, I might have only ever worked in a shop, but you can definitely trust me not to screw this up”.

One way I could show employers that they could put their faith in me was to join a professional association. These bodies are designed to represent the interests of those in the field, so if I was a member it would enhance my legitimacy. Not one to do things by halves, I joined no less than 4 professional associations.

I did my research beforehand, of course.

Some of these organisations had a specific focus, others were more general. Some had active online communities, others were more traditional.

As a fledgeling emergency manager, I thought it was a good idea to try and learn from as much of this as possible. That way I could tell employers I not just only understood the job, but I also understood the profession and the direction it was travelling.

I’m no longer a member of any of those organisations that I joined.

Professional societies, at least those that I joined, had failed to move with the times. The challenges facing the profession now are not the same as those before critical UK legislation was introduced. The risk environment has changed, and the profession seems to be struggling to keep up.

Although, I think there were more fundamental issues holding those societies back

  1. Ego – None of these societies are sufficiently large in membership that they require the level of process that most of them have. Beacurcracy tends to override what could be helpful information exchange platforms.
  2. Identity crisis – There’s a shift towards a more holistic concept of resilience which is not reflected in the scope of the professional bodies. Emergency Planning, that’s too focused on ‘plans’. Civil Defence – that’s an outdated term from the 50’s. Business Continuity – that’s too defined by formal standards.
  3. Lack of value to members – having been associated with a range of bodies for at least the last 8 years I cannot honestly say that it has been worth the investment either financially or in terms of benefits gained.
  4. Unrepresentative leadership – those employed in emergency management when I first started my career often had military or security backgrounds. At the practitioner level that is changing, and new perspectives are being introduced, but the makeup of the decision makers in many of the professional organisations has not kept pace with the changing demographics of the field.

I don’t like to just sit on the fringes and criticise. If I see an issue I want to try and resolve it. For one of the bodies, I worked with similarly enthusiastic colleagues to solve some of these problems. However, after 18 months of trying different things and volunteering my own time, the same issues remained.

That organisation in particular alienated its members through sporadic, ill-conceived communication and disrespected its own volunteers. For a body designed to support members, it showed an extreme lack of empathy.

Contrast that with the sense of camaraderie and community I’ve seen online from my SMEMchat colleagues. This eclipses anything I have seen in over 10 years of being a member of a society.

There are, of course, many ways of doing things; I’m not simply suggesting that everything should move online. But if professionals are going to continue to support each other (and I really hope they do) then it might be time for a more radical rethink of how this is best achieved.

I feel no sense of loyalty to bodies which didn’t demonstrate any to me. However, I do feel a sense of loyalty to my colleagues, whether I work directly with them, or our paths haven’t crossed yet.

Everything that we do as a profession is a team effort. There are many ways that we can collaborate without the stuffiness of societies.

My challenge to emergency planners in the wake of Manchester

My challenge to emergency planners in the wake of Manchester

I want to preface this short post with two caveats

  1. I think the responders in Manchester have done, and continue to do, an incredible job. Not just the emergency services, not just the NHS staff, but everyone who has helped in any way. It’s a clear demonstration of the many supporting the few.
  2. My sincere condolences are with all the families of those killed, and with anyone affected by Monday’s events. I encourage you to dig deep and donate to the appeal fund to help support them through the difficult months and years ahead.

I didn’t know any of the victims or casualties from Monday’s attack, but I did follow one on Twitter. He brought his infectious sense of humour to my news feed. His name was Martyn Hett.

Martyn was 29. Facebook was launched when he was 16, Twitter when he was 18. He, and millions of others (myself included) have grown up not just with ‘IRL’ friends, but a whole network of online friends and acquaintances. Communities for whom sharing the same geography isn’t a factor.

I’ve seen outpourings of grief online from people that never knew Martyn. I’ve also seen those people supporting each other, showing compassion and kindness. The ripples of the incident go far beyond the physical communities within which he moved.

With more of us being connected through social media (or other platforms the internet has to offer), I think this needs to be a factor in how we design emergency response.

The world, our cities, and the people within them are constantly changing. It’s difficult (perhaps impossible) for large organisations to react quickly to every single one of those changes.

My hope is that emergency planners, especially those digital natives who have grown up online like Martyn, continue to challenge current processes, ensure arrangements reflect changes in society and above all, don’t forget that you’re doing this for anyone who is affected by an incident, no matter where they happen to be.

 

What Jurassic Park taught us about cyber risk

What Jurassic Park taught us about cyber risk

The tl;dr version of this post: don’t forget about the insider threat!

This week I attended the first in a series of three events by the Institution of Civil Engineers entitled Preparing London. This particular event was designed to consider the human threats to infrastructure.

During a talk from Nathan Jones (see this blog on his talk) my mind wandered and wondered…Did Jurassic Park teach me everything I know about cyber risk?

God damn it! I hate this hacker crap!

Ok, so maybe not everything worth knowing about cyber risk is summarised in Jurassic Park, but it’s a useful introduction into what happens when the tables are turned and technology which usually helps keep us safe, becomes the risk.

Everything in Jurassic Park is connected. The electric fences, the lighting in the visitor centre, the locks on the doors. When it’s working as planned, this connectivity helps the park’s management maintain an efficient operation and a positive guest experience.

However, such a complex system requires some centralised control.  Looking at this through a business continuity lens, this is a clear single point of failure. An inherent risk.

This has clear parallels with our modern society and the interdependencies between systems that I’ve talked about previously.

Dennis Nedry exploits his colleagues limited understanding to enact his attack. He uses his tech-savvy advantage to provide cover for him stealing intellectual property, whilst putting lots of people in danger. The ultimate lesson here is that the real monsters aren’t the dinosaurs.

Objects in mirror are closer than they appear.

As well as a light-hearted moment during the dinosaur chase sequence, I think Spielberg also snuck this in as a metaphor for risks manifesting in ways which had not been considered.

Were the Jurassic Park team aware of cyber risk? Yes, there is literally a scene about passwords. I expect a lot of  people assume that a good password is all they need for their IT security.

It’s clear they had also considered other risks, and had taken proactive action to control that risk. Electric fences, professional hunters, CCTV and motion sensors and the attempt at all-female genetic engineering are just some of the risk controls in the film.

But had the team considered the possibility that an employee would want to hold the park to ransom for personal gain? Could they have identified the vulnerability of the computerised control? Could they have done more in advance to protect the systems from malicious attack?

Dennis, our lives are in your hands.

Early in the film there are hints at Nedry’s personal financial difficulties. Later he mumbles to himself about test runs of his embryo heist.

John Hammond, the park owner recognises the power that Nedry has.

There were clearly signals which the team missed and knowledge which is combined, could have allowed an intervention before he got the opportunity to shut down the park.

Clever girl / I know this.

Just as the team hadn’t anticipated an insider threat, Nedry wasn’t expecting a tech-savvy teenager to thwart his plan.

Just when it looks like the raptors will get into the control room, Lex (the park owner’s granddaughter) recognises the Unix system and takes maters into her own hands.

The actual interface may be debatable (in researching (yes, research!) this post I’ve found that it was technically available, but I’m doubtful that a school student would have been aware), but it comes as no surprise that kids have a natural affinity with the technology that adults have to think about.

Side note: Provided the right precautions are in place to prevent unauthorised use, user friendly systems aren’t just a productivity win; they help prevent people finding work-arounds or backdoors.

Life finds a way.

With the ever increasing access to, and pervasiveness of the Internet and smart devices, Jurassic Park remains relevant today.

I’d argue that we’ve already reached a point where complete understanding of system interdependencies is impossible. Our societies and the technologies used are just too complex. However, we can continue to challenge our assumptions, keep our risk assessments grounded in reality and take action in advance to mitigate that risk.

It’s also a reminder that physical and IT security are just parts of the puzzle when it comes to risk management. Solutions are also required, sadly, to prevent against malicious attack by either insiders or outsiders.

It’s also just a really great film!

Red Teaming for Emergency Management

Red Teaming for Emergency Management

How do we know that decisions taken in an emergency are appropriate? Ensuring appropriate checks and balances can help reduce the influence of groupthink or any other of these decision making biases.

In high stress situations, when the stakes are high, like in an emergency, could emergency managers could do to support those making the strategic decisions? Do they understand the complexity of the issues? Have they considered all of the options? Have they thought through all of the ramifications of their decisions? Are their decisions  justifiable and defensible?

Back in 2014 I binge-watched a TV series called The Newsroom, which shows what goes on ‘behind the scenes’ to make a fictional American news programme.

In the second season, the group of journalists close in on a story relating to the use of chemical weapons by the US army in Pakistan. Whilst the team are confident in the authenticity of the material, they don’t want to run with the story until they are absolutely sure.

Enter the Red Team. A group of researchers and producers deliberately isolated from the investigation so they can later examine the facts and determine whether to air the story.

Here’s the trailer for Season 1 of The Newsroom

What if we did something similar in emergency management? This is how it could work:

  • There would be no change to the nominated individuals who are already ‘on-call’ to provide strategic decision making (for simplicity, let’s call them the Blue Team)
  • Another set of individuals would be identified as the Red Team
  • Both teams require the same level of training, briefing and access to information
  • In addition, the Red Team needs an awareness of the psychological factors which influence decision making
  • The Red Team can only be summoned at the request of the Blue Team – this avoids interference or overstepping their role of critical friend

Should the Blue Team come up against a problem, or not reach agreement on a course of action, the Red Team could be called to offer a view, or to mediate between differing perspectives. Having maintained a distance, the Red Team would poke holes and identify the risks and bugs that insiders might have missed.

There are a number of drawbacks to implementing a Red Team approach. These include the increased resource required to staff dual roles. Culturally, it’s new, and there would undoubtedly be some reticence to decisions being challenged where they previously haven’t been.

I recognise these practicalities may make Red Teaming impossible to achieve in reality. However, the process could be useful in exercises or in thinking about strategic decision making processes.

As noted in my last post, this might not yet be a fully formed idea, and I’d be interested in any thoughts that colleagues might have about whether they have seen this approach used, or could see any reasons that it would not be something to experiment with.

Thinking about starting a business or getting a tattoo? Maybe that’s another area where a Red Team could help ‘avert disaster’?

Blogging in 2017

Blogging in 2017

One of the things I find most interesting about the Timehop app on my phone is how much my style of posting (especially to Facebook) has changed over 10 years. The melodrama is embarrassing and entertaining in equal measure. It’s interesting to see how what I was prompted to post about has changed. (Notice how I have deliberately stayed away from labelling this change as growth!)

enhanced-18554-1412943759-4
this isn’t me, obvs

The last blog post I wrote was waaaay back in August. I was thinking about the reasons for this, and it’s a combination of two things

  1. Too many boxsets to catch up with on Netflix – seriously, if you haven’t seen Designated Survivor you are missing out! It’s prefect kick-back-and-relax telly for emergency managers!
  2. A feeling that I was loosing, or at the very least, confusing my own voice with my work one. As the lead for “external relations and digital” for London Resilience, I started to find it difficult to have enough to say that was notably different from what I was already saying at work.

I had some pretty strong views back in the day. You may remember such blog posts as “Exercises are pointless” and “CBRN is elitist“. Since then (maybe because I’d already vented?) I started to find I didn’t feel as passionately about things anymore. For a while I felt I was becoming disinterested, but realised it was more about feeling I didn’t have anything new to add to the conversation.

In 2017, I want to re-establish my voice and blog. This might sound grandiose, even pompous, but I’ve found blogging helps me solidify proto-ideas. The process of writing something down means wider reading, consulting different sources, opening myself up to new ideas and discussing with colleagues.

I guess the other aspect is that the nature of being online has changed too. Is a blog the best medium? Should I, in fact, be using Medium? What’s the relationship to other platforms like Twitter and LinkedIn? These are all things I’ll no-doubt continue to unravel throughout the year. As with Timehop, I hope that one day I’ll be able to look back through my blog and see how my thoughts have evolved and what they have been shaped by.

So what is likely to follow in 2017? I think it would be unwise to commit to a regular schedule of blogging, I don’t want to be a slave to the blog. However, expect posts about the things that interest me, that frustrate me, that could be better. I’ll try not to moan too much, it’s all intended to be constructive and to help me (and perhaps others) improve what we do.

Best wished for 2017, and remember, if you want to get in touch hit me up @mtthwhgn on Twitter – I’ve love to have a conversation not just air my own thoughts.

Rio 2016 – lessons and reflections on resilience

Rio 2016 – lessons and reflections on resilience

The Olympics is a bit like an alien invasion. The organising committee speak their own language and expect things to happen in ways which might be unfamiliar to locals. Even the London 2012 Olympic mascots looked a bit other-worldly.

With a touch of nostalgia, I thought I’d take a look back at the emergency planning considerations four years ago, and how things have changed just days from the start of Rio 2016.

I joined London Resilience with about 18 months to go. Planning and preparation for the Games was already at an advanced stage but there was still lots to do. I spent much of that year providing assurances to the Mayor, LOCOG (the Olympic Organising Committee) and Government that organisations in London were ready.

From the massacre in Munich in 1972, bombings in Spain just ahead of the 1992 Barcelona Games to the Atlanta bombing in 1996; the history of the Games is punctuated with incidents. In London, the bombings following the Host City announcement in July 2005 provided a sombre backdrop and framed much of the subsequent planning.

News from Brazil this week of problems with the accommodation for athletes, sadly, doesn’t surprise me. I visited the Olympic Park many times, and can distinctly remember the unfinished 1970’s spanish holiday resort vibe that I got from our own athlete’s facilities, even quite late in the process. In contrast, I also remember being in awe of the late Zaha Hadid’s Aquatics Centre!

Many of the risks we had planned for didn’t occur (for example, the importation of African Horse Sickness or an unconventional attack on a crowded place). Going through the planning process made sure all responders knew their roles and how members of the public would be supported. As well as planning together, a whole series of exercises helped confirm the validity of arrangements in place.

It wasn’t just the emergency arrangements which were practised; I was fortunate enough to attend one of the dress rehearsal events for Danny Boyle’s Opening Ceremony. This is an experience that I will never forget! (As an aside, I’d also really recommend the Imagine: documentary on the Opening Ceremony!)

Danny_Boyle_announces_DVD_film_of_London_2012_Opening_Ceremony

For 61 days I managed a control room where partners worked 24/7 so that in the unlikely event of an emergency, structures were in place to respond. We were involved in the response to 154 incidents and the ability to react early meant the majority were small-scale and did not escalate. Thankfully there were a number of incidents which I didn’t have to get involved with…and which we hadn’t anticipated!

boris-zipwire (1)

One of the big challenges which sticks with me from 2012 was what was referred to as ‘The Last Mile’, and ensuring shared understanding of responsibilities in the gap between public transport hubs and sporting venues.

Hosting the Olympics carries similar challenges regardless of Host City. Bringing in tens of thousands of athletes, many more spectators and officials (who will likely be unfamiliar with local arrangements), and putting the city front-and-centre in the eyes of the media pose challenges.

The Games this summer in Rio occur in a world which has faced recent attacks in public spaces (a sadly extensive list) and one which continues to experience internationally significant outbreaks of disease like Ebola and Zika.

Whilst there are undoubtedly opportunities to share learning and experiences between Host Cities, there are also so many differences in how the cities are administered, the impact the Games has as well as the potential for change in the four years between events (live streaming video will put far more pressure on telecoms networks in Rio for example).

Like an alien abduction, hosting the games is something you can only really understand once you’ve experienced it (or so I’m told!)!

Best of luck to colleagues in Brazil – I’ll be watching!

Picture1

Earlier versions of this blog (with less ET references!) appeared in the City Hall Blog and the July Edition of London Calling, the newsletter of the London Branch of the Emergency Planning Society.  

Unified Response: did I follow my own advice?

Unified Response: did I follow my own advice?

Last week saw the culmination of over a year of planning for Europe’s ‘largest ever emergency exercise‘.

141123799-82c486a6-edf7-4e0e-a327-7c1b6497fa0d

Coordinated by London Fire Brigade, the exercise simulated the collapse of a building in central London punching into an underlying tube tunnel as an underground train was passing.  Check out the @LDN_prepared Storify below for a collection of tweets from participants as the exercise progressed.

 

Since 2014 my involvement, as workstream lead for the Command Post element of the exercise was to make sure that participating organisations achieved their own objectives as well as the overarching objectives of the whole exercise. This meant that, in addition to emergency response and rescue, the scenario included strategic consideration of

  • disruption to transport services, utilities and the environment
  • distribution of casualties and fatalities across and outside of London
  • requests for national and international support and
  • considering the information and long term support provided the public, businesses and to individuals and communities affected.

Did I follow my own advice?

I’ve blogged previously about how, if not managed appropriately, the value of exercises can be limited. If I wanted Unified Response to be different, I needed to follow my own advice, which boiled down to six key points

  1. Use locations you would use in reality
  2. Make it no notice as far as possible
  3. Draw participants from what’s available on the day
  4. Don’t let the scenario win out over objectives
  5. Speaking of objectives – have lots of specific ones rather than sweeping generalities
  6. Evaluate. Evaluate. Evaluate.

During the four days of the exercise many lessons were learned dynamically. Undoubtedly there will be lots more learning to come out through the debrief processes. It’s not the intention of this post to debrief the exercise, but to revisit the points from my earlier blog. Did I follow my own advice? In hindsight, have I got any additional thoughts on getting the best return on investment from exercises?

Objectives and Scenario Fidelity

Developing SMART style objectives rather than “to exercise our major incident response”  became my own personal crusade for a while at the start of the planning process. In the long-run this made developing the scenario easier and we were able to tie all injects (nearly 2000) to objectives, which will support ongoing evaluation.

From the outset my starting point was to develop the highest level of fidelity as possible. Over the past year I found myself continually asking “but what would happen in reality?” or “If this incident took place today what would actually happen?”

It’s easy when planning something on this scale to let creativity get the better of you. However it’s a fine balance and it wasn’t always possible to simulate reality without a consequential effect on the ability to meet exercise objectives.

For instance, one objective related to the activation and integration of international specialist rescue teams, but the scenario also included a ruptured water main and sewer which provided grounds for participation for a wide range of organisations. In reality, the presence of these hazards would have impacted on the ability to implement the technical rescue (as responder safety has to be a consideration) however in the exercise, water and sewage were notional.

Where there were simultaneously elements of live and notional play, there were challenges in how well they meshed together. Further to this, many organisations chose to use real-world conditions alongside exercise scenario. In addition to the incident at Waterloo, real-life traffic accidents and train delays all added to the complexity and realism. This is the first time that I’ve seen, first-hand, this attempted in an exercise. The closest I’ve seen are Emergo exercises which use real hospital bed states and staffing to determine capacity challenges for mass casualty management. Limited to one organisation it’s difficult enough to cross-check the impact of the scenario on the real world, but with so many participants this became very complex.

Locations, Dates and Times

This wasn’t always possible due to operational conditions or extent of participation, but by and large venues used were those which would be used in reality. This means that anything learned relating to the operation of those facilities is valuable and can be actioned. Not all of the learning is technical in nature. Softer, skills-based aspects (for instance, teleconference etiquette) is something which can develop with repeated practice. Familiarity with processes, technology and each other in non-incident conditions will improve crisis response.

In order to make sure that decisions taken at a strategic level were appropriate it was necessary to warn senior representatives of the exercise dates. However, I strongly resisted demands to schedule meetings in advance. Establishing the ‘battle rhythm‘ is a key incident management skill. If we’d pre-planned meetings the learning opportunity would be reduced.

I also made sure, by having a relatively small but empowered planning group, that the integrity of the exercise was preserved. Nobody involved in exercise play, not even my own management, knew the full extent of the scenario. This meant unanticipated questions seeking assurance that the exercise would be sufficiently challenging. Such assurance was provided by exploring parallels to past incidents and exercises with subject matter experts to develop the most comprehensive exercise I have been involved in. (We went as far as developing complete documentation for a fictitious construction company and producing staff records for fictional injured responders).

Participants and Advance Notice

As mentioned already, some representatives were essential and therefore did have prior notice. However, even when they knew the date of the exercise, they did not know anything about timings or scenario progression. There were short-notice requests and demands to be in multiple places at the same time, as there would be in reality.

Arguably these issues could have been avoided through advance notice, but then we would have been generating a false environment and actual learning about how to resolve those problems would not have been identified.

The ability to prioritise and dynamically allocate resources is another crisis management skill, one which many of the participants in the exercise had the opportunity to practise.

What else did I learn? 

I think my own personal learning relates more to the role of exercise control during an exercise of this scale.Having a good team with all the necessary expert knowledge and most importantly a problem-solving approach is absolutely essential.

If there was one aspect that I would look to improve next time, it would be to ensure communication between players and facilitators. So my seventh rule for exercise planning, would be to consider structures for exercise control earlier in the planning phase.

Synchronising an exercise with 30 different locations, 85 organisations and over 4000 participants was always going to be a challenge. Over the course of the exercise I spent more than 106 hours in Exercise Control, managing command post activity, resolving issues, creating simulated material and ensuring ‘my activity’ kept in step with all other exercise activity. The responsiveness of my Exercise Control team to roll with decisions made in exercise play was crucial, but this could have been made easier with a more complete picture of the response.

10393897_10153570853608335_4548301488491072650_n

There were some challenges along the way, but I thoroughly enjoyed Exercise Unified Response. Whilst I hope we never have to do it for real, the learning that will be taken from it will improve emergency responses in London and further afield. As my own reflections solidify I’m sure there will be more posts on Unified Response, but if you do have questions please get in touch.