Category Archives: risk

‘Human error’ blamed for BA’s server crash. But which human and what error?

When there’s an accident at work, it’s often the worker involved who is blamed.

Sometimes – after lengthy and thorough investigations – the multiple causes of accidents are revealed to be much broader than ‘someone doing something stupid’ and the hope is that the BA IS system crash investigation will be as thorough.

Just like in a safety investigation, the discipline of applying ‘root cause analysis’ will seek to find out what happened to cause the failure and more importantly, why it happened. The ‘why’ is critical because it identifies systemic, cultural and management failures – the root causes.

Fixing root causes permanently makes a company more resilient – first it’s less likely to face a similar problem and second, if it does, its resulting contingency planning will mean it ‘bounces back’ from problems and recovers faster in future.

As an example of some ‘why’ issues: why did the contractor re-connect power without going through a process and/or without authority? Why did they not know about the process, or if they did, why was it ignored? And digging a little deeper: how is the process developed, and who has management responsibility for the process and for reviewing and auditing that it’s applied properly? How are ‘near misses’ reported, recorded and shared to the benefit of refining the process? In terms of culture, are contractors pushed to get things done in double-quick time in order to reduce downtime? Do they regularly feel they have to resort to short-cuts in order to meet management expectations?

In manufacturing companies, this is characterised by ‘productivity over everything’: do what you have to do to get it done fast. Is there constant squeeze on costs? Is there little interest among management in hearing about the consequences of the squeeze, or do they just insist that all activities must continue, but that they must be done more efficiently?

Capital cost reduction, combined with reduction in staff may also result in a situation where the margin for error or the presence of back-up systems compounded the effect of the error. Was the cost of failure factored-in to financial decisions and how much did management think a failure – with all its attendant brand damage – would cost?

And a proper root cause analysis of BA’s outage will get to the heart of the culture that created the circumstances in which a contractor did what they did – either because they didn’t know what the correct procedure was, or felt pressured to override the process.

All this ‘digging into the issue’ may seem tedious, but it’s as tedious as a pilot doing a pre-flight check in the same way, before every flight. As yet, the total cost of the BA outage is not known, but creating a culture that avoids future incidents will certainly save a fortune.

The culture of the flight deck would be a good aspiration for many companies.

Thanks to Kevin Grocki for the picture, used under Creative Commons Licence

The theme of Business Continuity Awareness Week is Cyber Security. No, really…

If businesses and public organizations needed a kick in the backside over their cyber crisis preparedness, then many got it over the weekend as the ransomware ‘Wanna Decryptor’ paralysed hundreds of thousands of users and systems in more than 100 countries, including hospitals and doctors’ practices in the UK National Health Service.

So the irony of this being ‘Business Continuity Awareness Week’ #BCAW2017 is only heightened by the fact that the theme of the week is ‘Cyber Security’. But the timing of this week – and the theme – couldn’t be better.

As the hand-wringing, blame-gaming and shock-horror media coverage continues – it’s worth spending a few minutes leafing through the Business Continuity Institute’s guide on preventing cyber attack (this is safe to click, by the way). Sure, there is some VERY basic advice in the guide – like not using ‘password’ as your ‘password’, but don’t roll your eyes too quickly.  One in five passwords are things like ‘1234567’ or ‘qwerty’ – and other entirely predictable passwords. It’s clear people need reminding of the simplest security habits.

The BCI’s guide won’t solve complex IS security issues, but it’s often the weakest links that allow the hackers in to do their business.  That weakest link is commonly your company’s IS or information security policy (or lack of it) – and if you have a policy – how well employees have been trained to implement the policy AND how diligently they act on those policy requirements.

I’m in trouble – send money!

And finally, it’s not only the junior or non-techie employees who let the hackers in.  Scammers and phishers target all levels of an organization in an attempt to breach firewalls or just separate someone from their money.

I’m aware of one CEO who knew what a ‘419’ scam was (wonder how many of you opened that link…) and how to avoid it, but was nearly stung by another email scam.  We just managed to stop him from sending his credit card details (including the ‘magic code’ on the back) to an employee whose email to the CEO claimed he was in trouble abroad, having had his laptop, wallet and phone stolen and who needed credit card details for him to be able to book into a hotel for the night.  Except it wasn’t the employee’s internet email address and he wasn’t in trouble… and, and, and.

Making America Great Again: risks and opportunities for the new POTUS

I wouldn’t want to be Mr. Trump. Not for all the tea in China (although from Friday, I hear he will be mandating that ‘all that tea must be made in the US from now on’).

I wouldn’t want to be Mr. Trump, because I’ve just read the 2017 Global Risks Report, released last week by the World Economic Forum.  Managing the multitude and magnitude of risks in the report will need thought, care, attention, leadership and policy responses from him as head of the most powerful nation on earth.  As an aside, I use the reports to provide strategic background to crisis and resilience scenarios that I develop for exercises and workshops for clients. In the past, they’ve also provided excellent context for Enterprise Risk Management (ERM) work.

So what are the risks that may be keeping POTUS Donald Trump up at night?

The top four strongest risk trends in the 2017 report are ‘rising inequality of income and wealth’, ‘polarisation of society, especially among older generations’, ‘climate’ and ‘cyber dependency’. Risk trends pull together a basket of specific risks and the higher the number and importance of those contributory risks, the stronger the trend.

Looking at the impact of specific risks, there’s certainly reference to a ‘water crisis’, but that’s only risk number three in terms of impact. Top and second place go to ‘weapons of mass destruction’ and ‘extreme weather events’, fourth is ‘major natural disasters’ and finally, ‘failure of climate change and mitigation’.


Watson and the Shark, photo of detail of original painting by John Singleton Copley. Photo: Adam Roscoe

In terms of likelihood, the top risk is ‘extreme weather’, second is ‘large-scale involuntary migration’, then ‘major natural disasters’ followed by ‘large-scale terrorist attacks’ and finally ‘massive incident of data fraud or theft’.

It seems to me that many of the environmental and social risks could be rooted in, affected by or the result of climate change. Extreme weather, water scarcity, some major natural disasters and some triggers for migration are all connected with climate change, so it is concerning that the new POTUS intends to roll back on the Paris Climate agreement.

When combining most likely/biggest impact risks, then ‘interstate conflict’ and ‘unemployment or underemployment’ are consistent features in BOTH the 2016 report and 2017 report. These are both big enough issues to sit firmly on Mr. Trump’s desk, where a predecessor displayed a plaque stating ‘The buck stops here’.

Interstate conflicts and proxy wars are already flaring in the Middle East and are drawing in US and other western (NATO) forces, whether Mr. Trump thinks NATO is up to the job or not. 

‘Making America Great Again’ is the theme of this presidency and there seems to be a risk that the ‘greatness’ could be made at the expense of relations with other countries like China and Mexico.

25 million jobs a year

A previous Chinese president in the 2000s said what kept him up at night was the ability of the economy to grow at a sufficient rate that it created 25 million jobs a year. Economic growth and the ability to create those jobs affects the government’s ability to maintain order and close inequality gaps in the country. But as China moves from a so-called ‘cheap labour arbitrage country’ to a high-tech, high automation exporter, they will need to cut a win/win deal with the US that saves face for both parties and doesn’t precipitate a mutually damaging trade war.

86% of all US jobs lost in the decade from 1997 were lost to productivity, not trade

And it’s a war that really needn’t be fought. According to the economists Michael Hicks and Srikant Devaraj, 86% of manufacturing job losses in the United States between 1997 and 2007 were the result of rising productivity [a part of which was achieved through automation], compared to less than 14% lost because of trade (see page 20 of the 2017 Risk Report). Making America Great Again need not be a regressive step into Luddite protectionism, even if AI, robotics and biotech will require regulation.

If it is to remain competitive, the US will also need to actively manage the inevitable disruptive effects of automation that the Fourth Industrial Revolution brings. The promise of on-shoring or re-on-shoring jobs to the US, allegedly at the expense of lower cost economies, is a delicate juggling act – if not purely smoke and mirrors. Create too many blue- and white-collar jobs in the US that can be done by automation and robotics and the economy risks being uncompetitive.

A partial response to this challenge could be regular retraining of older workers in industry and commerce, so they continue to contribute to taxes rather than become a drain on the social security system. This should become the standard operating practice for all companies and could be supported by tax breaks. High value-added work will always be needed and will be well-paid, but people will need to be trained on an ongoing basis to do it.

Win, win, win…

Part of the solution should include investment in low carbon technologies, including solar, wind, hydro and electric mobility, all of which are getting huge attention and investment in China.  The US could also improve its energy resilience by making additional investment in alternative sources of power, aside from fossil fuels, and retraining older workers to install, service and run new energy projects.  Low carbon tech could create a ‘win, win, win’ for the economy, jobs and the climate and in doing so positively mitigate some of the key risks highlighted by WEF.

Regardless of whether the future is low carbon or high carbon, you just have to look outside the top 10 headline risks to find some consequences of getting the response to these key risks wrong or too late or weak.  The ‘failure of a financial mechanism or institution/fiscal crisis’, ‘failure of national governance’ and ‘profound social instability’ all vie for a position in the top 10 risks and could jump to the top spot.

But who knows what will happen, when and how? After all – in 2016, few pundits or risk reports predicted that Brexit would become a reality, or that Donald Trump would be elected President, or that 5,000-1 outsiders Leicester City (a UK football club, round balls) would win the Premier League title.