Browsed by
Category: Resilience

thank u, women in resilience

thank u, women in resilience

Emergencies affect everyone differently. Race, age, ethnicity, affluence and level of education are just some of the factors which determine your vulnerability (and resilience). Gender is also a factor, with women more likely to die than men after a large scale disaster.

But this blog isn’t about that…

This morning I watched this lecture on popular misconceptions about disaster.

Another misconception that Hollywood’s gets wrong is about women’s role to cope during disaster, as shown by this parody clip:

But this blog isn’t about that either.

This is a blog written on International Women’s Day 2019, to say “thank you” to the hundreds of women I have worked alongside. Thanks for the work they do to make people safer and for everything I have learnt from them.

I can’t thank everyone individually, but I’ve picked out those whose tutelage has had the most lasting impact…

Agnes offered me a job on the same day that I met her. Nobody would call her logical, or predictable, but her dedication and passion could not be questioned. She pushed me into doing things that I was uncomfortable doing and had faith in me when I didn’t always have it in myself.

Long after meeting her, I remember still being in awe of Sue‘s experience in emergency management. As well as her ‘battle stories’, she taught me about determination and to read between the lines. She acted as a mentor more than a manager.

Over the last two years, I’ve relied on Lucy more than she realises. She sees things through a different lens, one which I feel gives greater consideration to outcome over process. She is a demonstration that sensitive, technical and complex subjects can be approached in a compassionate, human way, but still with a sense of humour.

Fiona has a pragmatic, considered and calm approach to the most challenging circumstances, and has taught me the importance of taking even the briefest moment to reflect, consider alternatives and contingencies before a decision is made. In her words “you often have more time than you realise”.

And finally, J, whose request for us to “be real” and avoid obfuscation really resonates with me. It’s something I’m trying to bring through this blog, and how I communicate at work. And something I’m still working on!

Helen, Alison, Aggie, Kate, Lynn, Gail, Robyn, Barb, Megan, Susan…There are tons of brilliant women out there in resilience (and every field) who as well as being excellent at what they do, bring valuable and important perspectives.

Thank u.

Revisiting Red Teaming

Revisiting Red Teaming

Red Teaming: The independent application of a range of structured, creative and critical thinking techniques to assist the end user to make a better-informed decision or create a more robust product.

That’s a kinda academic way to say “having (and welcoming) someone whose job it is to critique you”. 

I originally wrote about this in February 2017, and a lot has changed for me professionally since then. Based on recent experience, I wondered whether I would approach this differently now, has my thinking had evolved? 

recent Twitter exchange gave me a renewed interest in this idea and so picking up on the key aspects of that discussion, I’ve revisited my previous post. 

Is a Red Team a name for something that already exists? 

Yes and no.

Decisions in emergencies (in a UK context at least) are made by consensus. So there is already a structure whereby people with different experience and responsibilities reach decisions jointly. A variety of aspects and implications will have already been considered and extremes moderated or discounted.

However, ‘decisions by committee’ typically take longer to reach and run the risk of ‘group think’ where the desire for harmony in the group results in dysfunctional decisions.

A Red Team is about doing what you normally do, what you have been trained to do; but then taking an equally qualified objective team and seeing if they have any other perspectives you haven’t considered either about the decision you have reached or the way in which you reached it.

UPDATE: A colleague also pointed out that the type of feedback that I would anticipate coming from a Red Team is can also be (although in many cases isn’t) provided in the form of post-exercise reports. However, these are painfully slow to be produced, missing the oportunity to make dynamic change.

What are the barriers to Red Teaming?

There are many, but I think they can be broadly categorised into two groups; culture and resources.

We all like to think that we have the answers, and so accepting that in ambiguous, high risk and complex situations we might always have thought of everything shows self-awareness. Adopting a Red Team approach would signify to me high levels of strategic leadership maturity.

On the resources side, sorry, I think sometimes you have to take a hit. However, this should be balanced against the cost of sub-optimal decisions being made. Arguably that’s much harder to quantify, but having a stab at working out the return on investment would be a better approach than looking at expenditure.

Clearly embedding Red Teams would take time, money and will, but should that be a barrier to doing things better?

A (red) rose by any other name…

I don’t get hung up on what this structure would be called.

I became aware of the concept through a TV drama Newsroom, where it was called a Red Team, and that term has stuck with me as shorthand.

I have mixed feelings about the militarization of civil emergency management. However, there is no escaping that Red Teams have a military connection, where they are used to good effect. Typically, where the military goes, the civil emergency response follows.

The 2010 Ministry of Defence guidance on Red Teaming states it is a “practical response to overcoming the complex problems introduced by our human frailties, helping us to recognise them and correct our thinking and analysis before faulty judgements are cemented in the minds of key decision makers.” I think that’s equally as applicable in a civil context.

Perhaps recognising a militarisation tendency, NATO has opted to call their structure ‘Alternative Analysis’. You could also think about De Bono’s Six Thinking Hats and call it White Hatting, that has a peculiar ring, but might look entertaining in a control room!

What am I doing to implement Red Teaming?

I’m not convinced I’m adding much actual substance to the conversation, other than being an advocate of ‘let’s try it’.

In a lower-key way, I made a recent decision to bring someone in specifically to check my working out on a particularly complex project at work. It was really helpful to have someone force me to reflect on my proposals, and can really see how this could be scaled up. 

I’m interested in views of colleagues on how this could be applicable and how some of the barriers could be addressed.

Standard Recovery? Recovery Standards?

Standard Recovery? Recovery Standards?

In two week’s time, I’m moderating a conference panel session entitled Standards in Recovery: Are we getting it right and what have we learnt from recent incidents? 

This blog is an attempt to organise my thoughts and set out my own views, rather than to reach any particular conclusions!

On the face of it, standards seem like a good idea in anything; normalising complicated processes or ensuring homogenous technical precision. However, you don’t have to look too far before you realise that the issue of standards is polarizing and fraught with challenges.

That doesn’t mean they can’t be useful, just that extra care is needed in their development and application, as well as the performance management which flows from them.

Standards came to prominence around the time of the Industrial Revolution, allowing manufacturing industries to regularise processes and reduce waste. Things we take for granted are the result of standards which have developed over long durations.

I can easily conceive of, and ascribe value to, standards for ‘technical’ things. Even if I’m not an expert in the subject, I can see why it would be advantageous to standardise things like:

  • How much electricity comes out of your sockets.
  • How bright your lightbulbs are.
  • How can you be confident your eggs are salmonella free.

I can also see that standardising language/terminology would be helpful in establishing a shared understanding.

However, I find it harder to see how a meaningful standard can be developed for the complex set of processes associated with emergency recovery. Like Alice falling down the rabbit hole, there is a seemingly endless range of questions and possible answers about what recovery is, and how it should be done.

So I turned to Lewis Carrol to see if he had any wisdom…

‘Would you tell me, please, which way I ought to go from here?’ asked Alice.

‘That depends a good deal on where you want to get to,’ said the Cat.

‘I don’t much care where –’ 

‘Then it doesn’t matter which way you go,’ 

Can we really know what we’re recovering from until an incident happens? If there isn’t a fixed destination for recovery, how will we know we’re there?

So, looking forward to the conference session, here are some of the questions that I’ll have in reserve for my esteemed panel members to respond to:

  • Just what is ‘recovery’ in the context of an emergency?
  • In their experience, when does ‘recovery’ start and finish?
  • What do you think a standard for recovery would look like?
  • Should a standard for recovery be specific or allow for flexibility? If it gives too much room for manoeuvre is it really a standard?
  • Have emergency responder organisations already adopted any of the standards out there? What has been their experience and how can we learn from it?
  • Is there a danger that standards become increasingly complex over time and require disproportionate effort to maintain and measure against?

What’s your perspective on these issues? My experience is that, as a profession, recovery is overlooked in favour of areas which are arguably easier to measure impact or seen to be more exciting.

Leave a comment or start a discussion with me on Twitter.

Some thoughts on professional societies

Some thoughts on professional societies

Getting into any career is tricky. Employers are looking for the perfect combination of both knowledge and experience. Fresh out of University you have to try extra hard to demonstrate that you can actually do the job, not just talk about it.

That was the position I found myself in almost 13 years ago. I spent countless days completing applications; labouring the point that “yes, I might have only ever worked in a shop, but you can definitely trust me not to screw this up”.

One way I could show employers that they could put their faith in me was to join a professional association. These bodies are designed to represent the interests of those in the field, so if I was a member it would enhance my legitimacy. Not one to do things by halves, I joined no less than 4 professional associations.

I did my research beforehand, of course.

Some of these organisations had a specific focus, others were more general. Some had active online communities, others were more traditional.

As a fledgeling emergency manager, I thought it was a good idea to try and learn from as much of this as possible. That way I could tell employers I not just only understood the job, but I also understood the profession and the direction it was travelling.

I’m no longer a member of any of those organisations that I joined.

Professional societies, at least those that I joined, had failed to move with the times. The challenges facing the profession now are not the same as those before critical UK legislation was introduced. The risk environment has changed, and the profession seems to be struggling to keep up.

Although, I think there were more fundamental issues holding those societies back

  1. Ego – None of these societies are sufficiently large in membership that they require the level of process that most of them have. Beacurcracy tends to override what could be helpful information exchange platforms.
  2. Identity crisis – There’s a shift towards a more holistic concept of resilience which is not reflected in the scope of the professional bodies. Emergency Planning, that’s too focused on ‘plans’. Civil Defence – that’s an outdated term from the 50’s. Business Continuity – that’s too defined by formal standards.
  3. Lack of value to members – having been associated with a range of bodies for at least the last 8 years I cannot honestly say that it has been worth the investment either financially or in terms of benefits gained.
  4. Unrepresentative leadership – those employed in emergency management when I first started my career often had military or security backgrounds. At the practitioner level that is changing, and new perspectives are being introduced, but the makeup of the decision makers in many of the professional organisations has not kept pace with the changing demographics of the field.

I don’t like to just sit on the fringes and criticise. If I see an issue I want to try and resolve it. For one of the bodies, I worked with similarly enthusiastic colleagues to solve some of these problems. However, after 18 months of trying different things and volunteering my own time, the same issues remained.

That organisation in particular alienated its members through sporadic, ill-conceived communication and disrespected its own volunteers. For a body designed to support members, it showed an extreme lack of empathy.

Contrast that with the sense of camaraderie and community I’ve seen online from my SMEMchat colleagues. This eclipses anything I have seen in over 10 years of being a member of a society.

There are, of course, many ways of doing things; I’m not simply suggesting that everything should move online. But if professionals are going to continue to support each other (and I really hope they do) then it might be time for a more radical rethink of how this is best achieved.

I feel no sense of loyalty to bodies which didn’t demonstrate any to me. However, I do feel a sense of loyalty to my colleagues, whether I work directly with them, or our paths haven’t crossed yet.

Everything that we do as a profession is a team effort. There are many ways that we can collaborate without the stuffiness of societies.

My challenge to emergency planners in the wake of Manchester

My challenge to emergency planners in the wake of Manchester

I want to preface this short post with two caveats

  1. I think the responders in Manchester have done, and continue to do, an incredible job. Not just the emergency services, not just the NHS staff, but everyone who has helped in any way. It’s a clear demonstration of the many supporting the few.
  2. My sincere condolences are with all the families of those killed, and with anyone affected by Monday’s events. I encourage you to dig deep and donate to the appeal fund to help support them through the difficult months and years ahead.

I didn’t know any of the victims or casualties from Monday’s attack, but I did follow one on Twitter. He brought his infectious sense of humour to my news feed. His name was Martyn Hett.

Martyn was 29. Facebook was launched when he was 16, Twitter when he was 18. He, and millions of others (myself included) have grown up not just with ‘IRL’ friends, but a whole network of online friends and acquaintances. Communities for whom sharing the same geography isn’t a factor.

I’ve seen outpourings of grief online from people that never knew Martyn. I’ve also seen those people supporting each other, showing compassion and kindness. The ripples of the incident go far beyond the physical communities within which he moved.

With more of us being connected through social media (or other platforms the internet has to offer), I think this needs to be a factor in how we design emergency response.

The world, our cities, and the people within them are constantly changing. It’s difficult (perhaps impossible) for large organisations to react quickly to every single one of those changes.

My hope is that emergency planners, especially those digital natives who have grown up online like Martyn, continue to challenge current processes, ensure arrangements reflect changes in society and above all, don’t forget that you’re doing this for anyone who is affected by an incident, no matter where they happen to be.

 

What Jurassic Park taught us about cyber risk

What Jurassic Park taught us about cyber risk

The tl;dr version of this post: don’t forget about the insider threat!

This week I attended the first in a series of three events by the Institution of Civil Engineers entitled Preparing London. This particular event was designed to consider the human threats to infrastructure.

During a talk from Nathan Jones (see this blog on his talk) my mind wandered and wondered…Did Jurassic Park teach me everything I know about cyber risk?

God damn it! I hate this hacker crap!

Ok, so maybe not everything worth knowing about cyber risk is summarised in Jurassic Park, but it’s a useful introduction into what happens when the tables are turned and technology which usually helps keep us safe, becomes the risk.

Everything in Jurassic Park is connected. The electric fences, the lighting in the visitor centre, the locks on the doors. When it’s working as planned, this connectivity helps the park’s management maintain an efficient operation and a positive guest experience.

However, such a complex system requires some centralised control.  Looking at this through a business continuity lens, this is a clear single point of failure. An inherent risk.

This has clear parallels with our modern society and the interdependencies between systems that I’ve talked about previously.

Dennis Nedry exploits his colleagues limited understanding to enact his attack. He uses his tech-savvy advantage to provide cover for him stealing intellectual property, whilst putting lots of people in danger. The ultimate lesson here is that the real monsters aren’t the dinosaurs.

Objects in mirror are closer than they appear.

As well as a light-hearted moment during the dinosaur chase sequence, I think Spielberg also snuck this in as a metaphor for risks manifesting in ways which had not been considered.

Were the Jurassic Park team aware of cyber risk? Yes, there is literally a scene about passwords. I expect a lot of  people assume that a good password is all they need for their IT security.

It’s clear they had also considered other risks, and had taken proactive action to control that risk. Electric fences, professional hunters, CCTV and motion sensors and the attempt at all-female genetic engineering are just some of the risk controls in the film.

But had the team considered the possibility that an employee would want to hold the park to ransom for personal gain? Could they have identified the vulnerability of the computerised control? Could they have done more in advance to protect the systems from malicious attack?

Dennis, our lives are in your hands.

Early in the film there are hints at Nedry’s personal financial difficulties. Later he mumbles to himself about test runs of his embryo heist.

John Hammond, the park owner recognises the power that Nedry has.

There were clearly signals which the team missed and knowledge which is combined, could have allowed an intervention before he got the opportunity to shut down the park.

Clever girl / I know this.

Just as the team hadn’t anticipated an insider threat, Nedry wasn’t expecting a tech-savvy teenager to thwart his plan.

Just when it looks like the raptors will get into the control room, Lex (the park owner’s granddaughter) recognises the Unix system and takes maters into her own hands.

The actual interface may be debatable (in researching (yes, research!) this post I’ve found that it was technically available, but I’m doubtful that a school student would have been aware), but it comes as no surprise that kids have a natural affinity with the technology that adults have to think about.

Side note: Provided the right precautions are in place to prevent unauthorised use, user friendly systems aren’t just a productivity win; they help prevent people finding work-arounds or backdoors.

Life finds a way.

With the ever increasing access to, and pervasiveness of the Internet and smart devices, Jurassic Park remains relevant today.

I’d argue that we’ve already reached a point where complete understanding of system interdependencies is impossible. Our societies and the technologies used are just too complex. However, we can continue to challenge our assumptions, keep our risk assessments grounded in reality and take action in advance to mitigate that risk.

It’s also a reminder that physical and IT security are just parts of the puzzle when it comes to risk management. Solutions are also required, sadly, to prevent against malicious attack by either insiders or outsiders.

It’s also just a really great film!

Red Teaming for Emergency Management

Red Teaming for Emergency Management

How do we know that decisions taken in an emergency are appropriate? Ensuring appropriate checks and balances can help reduce the influence of groupthink or any other of these decision making biases.

In high stress situations, when the stakes are high, like in an emergency, could emergency managers could do to support those making the strategic decisions? Do they understand the complexity of the issues? Have they considered all of the options? Have they thought through all of the ramifications of their decisions? Are their decisions  justifiable and defensible?

Back in 2014 I binge-watched a TV series called The Newsroom, which shows what goes on ‘behind the scenes’ to make a fictional American news programme.

In the second season, the group of journalists close in on a story relating to the use of chemical weapons by the US army in Pakistan. Whilst the team are confident in the authenticity of the material, they don’t want to run with the story until they are absolutely sure.

Enter the Red Team. A group of researchers and producers deliberately isolated from the investigation so they can later examine the facts and determine whether to air the story.

Here’s the trailer for Season 1 of The Newsroom

What if we did something similar in emergency management? This is how it could work:

  • There would be no change to the nominated individuals who are already ‘on-call’ to provide strategic decision making (for simplicity, let’s call them the Blue Team)
  • Another set of individuals would be identified as the Red Team
  • Both teams require the same level of training, briefing and access to information
  • In addition, the Red Team needs an awareness of the psychological factors which influence decision making
  • The Red Team can only be summoned at the request of the Blue Team – this avoids interference or overstepping their role of critical friend

Should the Blue Team come up against a problem, or not reach agreement on a course of action, the Red Team could be called to offer a view, or to mediate between differing perspectives. Having maintained a distance, the Red Team would poke holes and identify the risks and bugs that insiders might have missed.

There are a number of drawbacks to implementing a Red Team approach. These include the increased resource required to staff dual roles. Culturally, it’s new, and there would undoubtedly be some reticence to decisions being challenged where they previously haven’t been.

I recognise these practicalities may make Red Teaming impossible to achieve in reality. However, the process could be useful in exercises or in thinking about strategic decision making processes.

As noted in my last post, this might not yet be a fully formed idea, and I’d be interested in any thoughts that colleagues might have about whether they have seen this approach used, or could see any reasons that it would not be something to experiment with.

Thinking about starting a business or getting a tattoo? Maybe that’s another area where a Red Team could help ‘avert disaster’?