The Dalai Lama once said, citing a Tibetan saying, that “tragedy should be utilized as a source of strength.” As 2020 comes to a close, there can perhaps be no better way to approach such a turbulent, tumultuous, and yes, tragic year than to make sure that we learn and apply the hard lessons it has to teach us.
In this, the first in a series of posts about what we've learned—or need to learn—about security and risk management from the 2020 pandemic, we’ll review crisis management. In a year that far too many companies and individuals have experienced as one long and unfolding crisis, those lessons have at times been painful. But if we recognize what they have to teach us, and apply those lessons to the ways in which we think about and prepare for future crises, we may be able to mitigate their impact in ways that save dollars, businesses, and even lives.
Recognition and preparation
The first and arguably most important piece of the crisis management puzzle is to recognize and respond to the fact that crises will happen. If it wasn’t clear before, crisis management isn’t just a thought exercise: it’s a mission-critical endeavor with profound real-world consequences. 2020 may have reminded us all of the Eisenhower dictum that “planning is everything.” Planning for the next crisis or series of crises should take precedent over any other element of risk management.
Whether it’s because fewer leaders today have been through impactful and perspective-altering global crises like World War II and the Great Depression, or simply because of a general human reluctance to accept that worst-case scenarios can and will happen, we simply were not prepared for the COVID pandemic. Unfortunately, it’s not unusual for people to be unprepared for a crisis. From workplace violence to natural disasters, businesses have been caught unaware far too many times in the past. Even those that thought about disasters and invested in emergency planning often didn’t have the emotional intelligence—the lived experience and knowledge that things can and do go very wrong. Shaken by a pandemic that has left an indelible impact on the world, we are equipped with a new and more nuanced understanding of what risk really means. Individuals and institutions are now on alert, animated by hard-earned experiential wisdom.
Tactical and operational adaptation
The question, of course, becomes what we do with that wisdom. What lessons have we learned, and how can we adapt going forward to make sure that we are better prepared for the next crisis.
The way many companies and institutions manage cash has changed—or will need to change. Businesses need to become much more cognizant and cautious of not just their month-to-month financials, but the structural economic foundation of their operations. Decision-makers are paying much close attention to things like how much debt to carry, and what kind of cash reserves they need to keep on hand.
The workplace itself has changed forever. Newly mobile, work-at-home or hybrid work models may have been a necessity at first, but businesses have discovered that they come with a range of potential benefits. While security professionals will need to address any infosec challenges that come from newly flexible work models, this approach allows companies to diversify their operations and enhance their operational resilience in ways that make them less vulnerable to disruption from crises.
Coordination and connectivity
In the past, the question of who leads and coordinates crisis management planning has often been left up in the air. Is it security? HR? Legal? Environmental health and safety? The reality is that all of these elements need to have some kind of coordinated structure and shared mission. We’ve seen in 2020 that having the COO be a part of that unified team is essential. Because if you don’t have meaningful operational engagement, you don’t have a crisis management process that will be able to withstand the pressures of a real-world emergency.
Agility and reality
2020 has also shown us that crisis management must be more than a binder on a shelf. Companies need to be agile and effective—not corporate and clunky. Policies and procedures need to be documented, but also usable, accessible, and familiar—drilled into team members through regular training and preparation. The speed and severity of the pandemic’s emergence drilled home the point that businesses need to act with swiftness and confidence to identify and mitigate emerging threats. Those that were most successful limiting the impact of COVID to their people, properties and processes were companies that had active crisis management programs in place. They knew what to do, and they were not caught in denial or wishful thinking (as too many governments were). 2020 has demonstrated that it pays to be skeptical of conventional wisdom. Those that were quick to respond with bold measures are not only in a better position today than their contemporaries, but they are also likely to be better prepared for future challenges as well.
Prepared, but not scared
Crises don’t follow a pattern. And if there is one critical lesson to be learned from 2020, it’s that complacency has a cost. It won’t be another 100 years until the next pandemic or global emergency. It might not even be another 100 days! Above all, COVID has shown us the value of taking emergency planning and crisis management seriously, and of staying hyper-attuned to the potential for dangers and disruptions. The good news, and the silver lining of 2020’s dark cloud, is that people are paying more attention and taking this process seriously. We are already seeing more proactive thinking around risk and emergency planning, and of the importance of working with experienced security professionals to help identify and respond to future threats and crises.