In an outstandingly authoritative webinar hosted by the Security Institute this morning, the former senior UK government security man now a consultant Paul Martin went through, with tongue in cheek 14 rules of ‘bad resilience’ (‘follow the rules and head fast for disaster’).
His serious point; it’s possible to plan for resilience, for example by keeping a risk register, and yet be unprepared for a crisis when it comes.
His final rule of what not to do to be resilient was: ‘It really is all quite simple.’ As he added, it really isn’t. The risks that materialise to cause crises change rapidly, and many also change in response to what we do to defend ourselves – certainly true of malicious risks such as terrorism, and criminals and hackers, said Paul Martin, a former head of the UK official Centre for the Protection of National Infrastructure (CPNI).
He also went through five rules of what to do. First, understand and counter your behavioural biases; because, as he set out during his 14 ‘bad’ rules, most crises are foreseeable, and foreseen – including Covid-19, because pandemic was among the risks on the UK national risk register from the 2000s onwards. Why do we fall short? Our ability to make sound judgements about risks, and to respond during a crisis, are distorted by well known psychological dispositions, he said. There are practical tactics, he added, to counter these effects, to improve our collective ability to avoid some crises and cope with those we cannot avoid.
Good rule two: implement a strategy to build active resilience. As earlier in his 30-minute talk, he defined passive resilience, while a good thing – the ability to return to normal from a setback – as separate from the more preferable active resilience. “We must establish processes to ensure we continually learn from experience, both our own and other people’s,” he said, and thereby to inform – rule three – tests and exercises that apply the ‘lessons learned’: “It’s vital for ensuring the defensive measures actually work.”
Fourth, invest in general capabilities and better decision-making. Each crisis is unique; the risks are dynamic. So accept that (as covered in the ‘bad rules’) that fossilised risk registers and detailed scenario based ‘big fat plans’ aren’t enough.
Besides building capabilities, know who is in charge of what – in a word governance; and apply principles of mission control. And don’t try to run everything from the centre. Fifthly, ‘be prepared to move early and move fast’. “I will confess this is far easier said than done.” As he added, in a security operations sense, it’s hard to know when to ‘press the red button’, and risk an apparent over-reaction, and embarrassment. Here he pointed to the covid-19 pandemic, where infection rates can double, then double and double again, so that tens of cases become thousands and then suddenly tens of thousands, ‘and our healthcare systems are potentially overwhelmed, if we are not on top of it [the coronavirus infection rate].’ To wait can be, literally, fatal.
