Risky business – how to future-proof your organisation and get ahead

For many years, there has been healthy debate about the value businesses get from investing in health, safety and environmental (HSE) initiatives. Questions abound, is it a good investment? What are the returns? Does it increase profitability? Does it drive revenues or just reduce potential costs associated with work-related injuries and fatalities? 

On a personal level, I have always believed that sound, proportionate and focused investment into HSE brings numerous benefits and adds measurable value to any organisation. The evidence would agree; that good risk management is synonymous with properly planned works.

In turn, this clearly improves efficiency, productivity, and creates a working environment that facilitates high levels of employee performance and profitability. Sound investment into HSE does make great business sense and it can improve margins.

The evidence is clear that investing into OSH yields returns in many ways, through productivity, profitability and, most importantly, through our people. In this article, I want to write about how being prepared for disruptive events can provide a competitive advantage as well as protect profit and public image. 

Ian Cooke: "Traditional data sets and recent patterns may no longer provide the strong indicators leaders have long relied on."

We currently live in a world where uncertainty and change are commonplace, and the impact disruptions can have on a business are both significant and sustained. Senior leaders and decision makers are faced with an economic climate which makes decision making and long-term planning more complex.
 
Data, modelling and scenario planning

Traditional data sets and recent patterns may no longer provide the strong indicators leaders have long relied on. The use of data is still important, but how we use it now becomes even more important. Modelling and scenario planning are key, but can only be effective if they combine industry insights with a deeper understanding of potential impacts. 

For HSE professionals, this is our skill set! We have the experience to identify foreseeable risks, consider how they might impact operations and, most importantly, the people who conduct the work. And once identified, HSE professionals can provide the control mechanisms needed to mitigate the impacts of disruptive events. 

The emergency frameworks which organisations already have can be applied to the management of other disruptive events such as terrorist threats, chemical spills, protests, etc. This allows organisations to manage a range of risks efficiently while maintaining a simpler system. 

Let us consider the logic of how an organisation can identify and manage business disruptions in a rapidly changing world. The steps below simplify and summarise some of the key steps in managing disruptive events:

1. Identify key dependencies and processes (the ‘what’ you’re trying to protect)
2. Identify the disruptions which could impact your organisation
3. Use data to justify and prioritise resources 
4. Plan for recovery strategies
5. Review and communicate to drive future lessons and best practice

The first step is for a business to understand the key dependencies and processes that it needs to remain operational and viable. Then, for each, the organisation will need to establish the tolerances that each could sustain before viability is affected negatively or catastrophically. This creates a level of operation that the organisation can aim to protect – this is often known as Minimum Business Continuity Objective (MBCO). 

So, for example, if supply of a key product were to be reduced by 50 per cent for three weeks, what impact does this have on the output and viability of your business? And, at what point would it become unviable? If at this level, the operation is no longer viable, then the organisation must use this level as the MBCO for that process. Of course, there could be multiple MBCOs and they can have a compounding effect.

When identifying disruptive events, sound risk analysis and discipline is useful but we must broaden our horizons and consider external influences. Image: iStock

The next step is to consider the types of events that could impact your organisation. This is an interesting exercise for many organisations, as with most general and operational risks, we tend to consider foreseeable hazards and the most likely impacts. When identifying disruptive events, sound risk analysis and discipline is useful but we must broaden our horizons and consider external influences that may not seem obvious or foreseeable to those without experience. 

The types of disruptions can include:

• Technology – system outages, cyber-attacks, data loss
• Premises – fire, flood, structural failures
• Suppliers – logistic failures, quality issues
• Utilities & infrastructure – power, water, telecoms, transport
• External environment – extreme weather, pandemics, political unrest
• Legal & regulatory – new regulations, licence withdrawal.

The list above is far from exhaustive. The good news for business is these lists are finite, and the contingency planning that goes into each is often complementary which helps in reducing the cumulative burden. Further help is out there for organisations to identify possible disruptive events, including ISO guidance, government agencies and organisations like British Safety Council.

Identify potential disruptive events

Once the previous steps are complete, the organisation should be in a position to identify potential disruptive events that could impact its operations. This is where data can become extremely useful and can support the prioritisation of risk in line with resource allocation; allowing for maximum mitigation from disruptive events. 

The fourth step is to generate recovery strategies that can both support the organisation in mitigating the severity of disruptions (lessen the depth of impact) but also help the organisation get back to ‘normal’ operational capacity more quickly (length of impact). This is neatly summarised in the graph below – Business performance before, during and after a disruptive event.

What I have found interesting from using this graph in practice is that organisations that implement effective recovery strategies have seen their organisational performance improve post-disruption.

An organisation I was consulting with during the pandemic was able to respond using a combination of technology, processes and people competencies to shift operations to remote working and still provide its customers with the service and information they needed. During the pandemic and the period immediately afterwards, they took market share from their competitors who did not respond as quickly or effectively following the disruption. 

I would like to point out that this was a global organisation with over 150,000 staff. In many respects, larger organisations can find disruptions more difficult due to their complexity and size slowing down their ability to change strategies and direction. The fact that they achieved this success is a testament to their planning and, of course, the sound advice they must have received.

Simple tips

Planning is key to survival and the more efficient the response, the more likely it is to work. A simple tip is to align with existing emergency response strategies. If there is a fire, you raise the alarm. 

How do people in your organisation raise the alarm when they spot an IT virus or social unrest as protestors break into your construction site? Who do they call? When the call comes through, who responds? Are they trained? 

Obviously, there are details here that need to be considered, and each organisation will have different capabilities and competencies. My only advice is to align them where possible. This links back to an earlier point about the role of the health and safety professional – we have developed robust strategies to deal with emergencies, therefore do not need or want to re-invent the wheel!

The final stage is to review. This is where most organisations fail, and they are not alone, as I have seen it with governments too. They do the hard work in the previous steps in identifying and creating a process to manage the disruptions, but fail to maintain the recovery plans. A key logic in risk management is that events that require emergency plans tend to have high consequences and low likelihoods.

Due to the low likelihood, there is a tendency for people to forget or prioritise other things, which is perfectly natural. Therefore, organisations must put in place mandatory reviews and scenario testing to ensure their plans remain relevant and responsive. Reviews allow you to change the tactics yes, but the objectives remain the same; protect your organisation, protect your profits, protect your people. 

A final point to highlight is to remember the people in the organisation who must deal with the disruption. These events can be extremely difficult and can, of course, be emotionally challenging. Everyone, including leaders, will feel the pressure of dealing with significant disruptive events. It is important that in your disaster recovery plans you consider the support people will need during the recovery phase and beyond.

I personally know of a senior director who could not sleep more than four hours each night following a workplace fatality. They discussed how the executive team worked tirelessly to implement system changes, but admitted they still have more to do in terms of personal help and support for all employees, including the leaders. 

As I said at the start of this article, we are in a constantly changing world, and this can present an opportunity for those organisations prepared to respond. Those who have planned and developed their responses are more likely to recover, reduce the organisational and people impact and give themselves a chance to steal a competitive advantage.

Ian Cooke is Audit, consultancy and culture change director at the British Safety Council

Ian will be speaking at SHW Live Manchester on Wednesday 11 February on Risky business – how to future-proof your organisation and get ahead. See:
safetyhealthwellbeing.live