Are Teams That Thrive in Crisis Poorly Managed ?

By Martin G. Moore

Well-run businesses can be boring. They don’t experience frequent crises, and don’t encounter surprises at every turn. Why? Because the leaders understand risk and they plan accordingly, avoiding the majority of disasters that other companies are routinely forced to face.

As a former CIO, I saw many of the crises that typically hit IT teams—cyber attacks, infrastructure failure, data corruption, project delays—all of these are eminently avoidable, but to do so requires long-term planning, smart investment, and a commitment to taking preventive action, not waiting until something breaks before you even realize that there’s a risk exposure.

It’s impossible to pre-empt all the permutations and combinations of potential failure, but it is achievable to identify and mitigate the most significant risks that your company faces.

WHY DO TEAMS GET ADDICTED TO CRISIS?

Crises can be addictive. Let’s unravel the DNA of the common crisis: something goes wrong, requiring dedicated focus and attention to fix… people feel important and valued as they swing into action… they work tirelessly to resolve the issue and get things back on an even keel… everyone collapses at the end, exhausted from the relatively short burst of effort, congratulating themselves on a job well done…then, the leadership swoops in and praises everyone for resolving the crisis: We have a great culture—we always get the job done!

This feedback loop rewards all the wrong things, but people become addicted to the adrenaline rush, the kudos, and the challenge of a crisis (and in some cases, to the overtime payments that accompany the additional effort).

Once this becomes the predominant culture, people become comfortable living in a beak/fix cycle. In between the inevitable system failures, they catch their breath and relax, taking the opportunity to rest up until the next disaster strikes. There’s no real focus on eliminating the root cause of a problem, nor is there appropriate attention paid to reducing the risk that something might fail in the first place.

Although the crisis culture demands that people respond with urgency when necessary, there’s no real imperative to plan ahead. Your people end up only ever addressing the most obvious, visible, and short-term symptoms of any issue. This is akin to covering a melanoma with a band-aid. Although you might think you’ve ‘treated’ the symptoms, it’s still likely to result in catastrophic long-term consequences. 

GETTING ON THE FRONT FOOT

There’s one very important fact that we need to accept in order to change our thinking. The cost and effort required to resolve an issue once it reaches crisis point is an order of magnitude greater than the effort required to avoid the crisis in the first place.

But avoiding the crisis isn’t as much fun, and it requires a different type of work—prospective risk management work. The culture of a team that understands and considers risk on a daily basis is completely different to the sometimes cavalier attitude that breeds in the troubleshooting culture.

Let’s think for a moment about cyber security. This field is constantly evolving, at an incredibly rapid pace, so it’s no wonder the risk exposures are high. Moreover, it’s virtually a given that no solution will ever be 100% foolproof. So how do you go about defending your organization against potential cyber security attacks?

It starts with understanding the likelihood that a certain type of attack will take place, and what that could mean for your company in terms of its consequences. If you work for an energy utility that provides public electricity infrastructure, the consequences of a bad actor hacking into your control systems could be catastrophic. However, given the nature of these control systems, and where they sit in the technology stack, it’s fairly unlikely that this would happen.

Analyzing the risk, and determining how much you’re willing to invest to mitigate it is a judgment call: how long is a piece of string? What you do know, for sure, is that the consequences of not having control of critical plant doesn’t bear thinking about. This might require multiple layers of security and protection to reduce this type of attack to an extremely low probability. How can you do this, though, without exceeding the organization’s expectations for cyber security investment?

FIVE TIPS FOR STAYING AHEAD OF A CRISIS

Well managed teams largely avoid crises by planning ahead, and putting appropriate steps in place to reduce risk. There’s no world in which all risks can be neutralized—no-one has the resources to reduce risk to zero—but treating them on the basis of criticality will enable you to ensure that the really big crises don’t land on your organization. Here’s a few tips for avoiding a crisis, whilst still being able to handle it on the off-chance it does strike:

#1: Understand and reduce key risks

Every leader in your team must be accountable for identifying and coming up with a plan for managing the key risks that are relevant to their portfolio. If this is emphasized, tracked, and rewarded, it’s much more likely that your people will undertake the essential work of risk management, rather than just being reactive.

#2: It’s not about the spreadsheet

Many organizations fill out elaborate and complex spreadsheets or databases to assist with risk management. But it’s not about the spreadsheet, which should simply be a means to an end. Sometimes, the simplest forms of risk capture are the best. 

Your goal is simply to understand a few key facts: a) what is the likelihood that this event might occur?; b) if it does, what are the consequences for the company?; c) what could we do to mitigate the risk?; and d) how much is it worth investing to reduce the risk to a more acceptable level?

#3: Create a culture of challenging conventional wisdom

Ideally, everyone who works for you will harbor a risk management mindset. For example, in industrial businesses where safety is an issue, before doing anything, your people should ask themselves, “what could possibly go wrong with the task I’m about to perform?” But even for less hazardous jobs, it’s important to create a culture of looking at the holes in the Swiss cheese, not just admiring the cheese itself.

#4: Develop long-term focus

It’s easy to fix problems by addressing the symptoms—the problem goes away immediately, and life can return to normal. But this is one of the pitfalls of a troubleshooting culture: symptoms will repeat if the root cause isn’t addressed. The team becomes excellent at dealing with that crisis, because every time they encounter it, it’s not for the first time. As a leader, you must always be challenging your people with the simple question, “Are you addressing the root cause of this problem, and have you resolved it in a way that guarantees it won’t re-emerge?” 

#5: Expect the best, but plan for the worst

All well-run companies have business continuity plans. In the event of an unforeseen event, what would you need to do to ensure the ongoing operation of your business? What happens when you lose connectivity to your major IT systems? How long can the business survive simply on manual processes? Knowing this in advance and testing any disaster recovery plans thoroughly will prepare you for most eventualities.

A really well-run business is one where the leaders think ahead, plan for the future, and focus their people on long-term outcomes with everything they do. Many who claim to have great teams purely because they can fix problems quickly may have missed the point and will never reach their ultimate performance potential. 

Martin G. Moore is the author of the Wall Street Journal bestseller, No Bullsh!t Leadership. He also hosts the chart-topping podcast of the same name.

As the former CEO of CS Energy, he grew earnings from $17 million to $441 million, a compound annual growth rate of 125%, within five years.