Not Just a Risk Manager…

Risk Management: A complex, multi-layered world of career opportunities

I think most people who don’t work in risk or are just starting out in the profession, or maybe even still studying it, might hear the term “risk manager” and see it as one type of job. I know I did. The job title covers so much complexity and more importantly career opportunity. I have been working within, and alongside, risk teams for over 10 years now and I’ve had my eyes opened to how much opportunity is out there.

I wanted to blog about it so I can refer back to it during mentoring conversations. I speak to a lot of undergraduates, postgraduates and folks considering risk management as a career side step. This should help to highlight the world of career choices at your feet.

What is your profession?

I’m reminded of that movie called 300 with all the Spartan warriors in it, when Gerard Butler asks the soldiers what their day job is and they all shout back in unison. Everyone knows that they all do the same thing and they are fully confident about it. Got to love that confidence in knowledge!

However, I’m afraid to say you probably wouldn’t get the same unified warrior-esque response at a risk management conference (although that would be wonderful to see). The reason is that it’s way more complex than you might imagine.

Just a “Risk Manager”

I was mentoring a junior software developer a while ago and he reached out to me because he wanted to know about risk management and how it might be set up in an organisation. In talking him through what I’d seen so far it became clear to me that most people just see “risk manager” and don’t realise just how much depth and complexity goes on under the hood. The multi-layered specialist world of risk management is a highly complex one in my opinion.

Even when I first started studying risk management at university, I too saw it as a singular profession where you would be the risk manager of an organisation and you would manage their risks, right? However, fast forward quite a few years and it has become clear to me that this is not the case. It seems like an obvious thing to say now, but on reflection, the younger me did not have any appreciation of it. Therefore, at the risk of repeating myself, I think it’s a useful insight to share for anyone that might be reading this. I also just think it’s a good opportunity to reinforce my understanding of the profession within which I work!

No One Size (and way) Fits All

Okay so first of all, not every organisation has a risk manager. This might be simply because they aren’t legally required to manage risk, or because they don’t believe they need to. Sometimes, it’s even just a case of not having the budget to do so.

The organisations that do have risk management departments will follow some broad frameworks (people will tell you time and time again that “risk management is risk management”, but I disagree). However, they can be set up and organised in a variety of different ways. So much so, in fact, that a professional could well become confused by just how differently one organisation might set up its department compared to others!

Type of Risk

I took a quick look at the Institute of Risk Management website who list no less than 18 different special interest groups that cover different types of risks. Many specialisations are required to help understand them. I think this is quite telling on just how deep this profession can go.

There is a plethora of specialisations / domains within risk. Honestly there are so many I remember being quite shocked! In my career in financial services, I have come across a number of different risk departments that cover things like:

  • Cyber Risk
  • Technology Risk
  • Fraud Risk
  • Operational Risk
  • Credit Risk
  • Regulatory Risk
  • Change Risk
  • Supply Chain Risk
  • Compliance Risk

These are just a few off the top of my head. The point is that there are many different specialties and departments. I think this is worth being aware of if you’re just starting out because it can really inform your career decisions.

The 3 Lines of Defence

To add even more depth to the possible career opportunities, an aspiring risk manager may not only have the choice of which type of risk they’d like to specialise in, but also the level at which they operate.

The 3 lines of defence model is a well-established and widely known framework which helps to describe how risk can be managed in an organisation. If you want a detailed and well thought out overview I quite like the ISACA breakdown.

As I said before, this approach may not be applied everywhere because it might be dependent on budget or appetite to do so. However, large complex organisations, particularly in financial services, often apply this approach.

First Line of Defence (FLOD) = Coalface

*I’m totally biased because I’ve worked mostly first line and I’m sure the other lines are equally as challenging but this can be a busy gig!

The first line of defence is often thought of as being at the coalface of the operations. This basically means that the risk manager is working closely either with or in the business to manage the risks that arise. In my experience, first line risk managers tend to be the “doers” and are kept busy simply coordinating the front-line business to stay compliant with internal policy and standards (and frankly everything else).

The thing about having a role in first line is that it can be so varied. You don’t even necessarily have to be a specialist in a particular type of risk. You may actually just be an expert in a particular phase of risk management, for example risk and control self-assessments, governance and reporting, data analytics etc. You could even be both at the same time. See, I told you there’s loads of opportunity. I once operated in a risk office where I was a business-aligned risk manager but, in that role, I was responsible for managing an entire and varied programme of non-financial risk. My remit ranged from risks raised from audits to non-compliance against risk programmes such as conduct, data leakage etc. You name it and I seemed to be across it! The first line risk managers are all over it!

Second Line of Defence (SLOD) = Ivory Tower or Expert Collaborators?

The second line risk function provides independent oversight of the FLOD activities. In the organisations I’ve worked in they also own, define and maintain the various risk policies and the framework. That’s the official-sounding description anyway. It’s a really tricky role to have because you have to provide review and challenge (checking the homework) of the FLOD, who are trying to execute on the standards that SLOD set. I have spent the majority of my career so far in first line, so I can talk more on the good, the bad and the ugly of that.

Bad second line = sudden changes to internal policy requirements, no communication of the change and changing expectations in the middle of a compliance program.

Good second line = collaborative, involved, positive influence to provide expert insight and challenge in good time to help enhance a program.

The bad second line makes you feel like these folks don’t really do any work other than create rules for others to follow.  The good second line can only help the organisation.

Third line of Defence (TLOD) – Detectives

TLOD typically involves internal and external audits. These folks review the work being undertaken in both lines and provide an independent review to top management based on their findings and fieldwork. I’ve not worked in the third line yet but I’ve been on the receiving end of their programs. It can be quite stressful. For me, the stress came from 2 key points of criticism:

  1. You either know something to be an issue and you’re not sharing it with audit, which suggests a lack of professional integrity (if discovered)
  2. You receive a critically high finding that you weren’t aware of, which suggests a lack of competency!

Either way, you can see why some departments tighten up when the auditors arrive.  

In my opinion, they have a really challenging role. I’m aware of times when auditors have been given certain information from the business to try to get them to focus on one thing and not notice something else. Among their BAU tasks, they also have to:

  • Understand the scope of the business and what they are looking at and often in a very short period of time
  • Critically analyse the findings to identify gaps and be confident they haven’t missed anything
  • Actively be aware that they could potentially be misled / misdirected from the area of business!

Tough gig but I’ve met folks who are frankly kick ass at it. They’re like detectives who can perform the sniff test on everything you do and can spot the gaps.

Final Thoughts

Listen. You will get a different version of the world of opportunities I have just described to you.

The key point I want to get across in this post is that if you weren’t already aware of where you can take your career in risk management, then please have a look about. I hope this post gives some insight to just how much opportunity there is.

A risk manager is not just a risk manager.

Financial Market Infrastructure Risk

A Case Study Example: A look back at the IMF US Financial Services Review

If your hands are tied on a risk, do you really have a choice about what you can do about it?

Organisations often find themselves in a situation where they are locked into a relationship with a supplier (for a variety of reasons) that could potentially put themselves (and the customer) at risk. So, what do you do? What can you do?

Most will agree that the global financial ecosystem simply makes the world go round. Most of us see this as a series of different banks of varying sizes looking after our money and offering various products and facilities. We know they are heavily regulated and we know they can face public scrutiny if they aren’t safeguarding the interests of their customers.

However, just like any other company in any other sector, these banks are supported by a myriad of suppliers on whom they have come to rely to meet customer needs. Among the most important of these “suppliers” are the organisations that support the financial transactions themselves, i.e. Financial Market Infrastructures (FMIs). These organisations are fundamental to everyone’s daily cash-flow and financial position.

This article discusses the IMF’s US Financial Services review as a case study example, which shows how concentration risk can occur, and is occurring, even in the most heavily regulated and scrutinised industries.

Resilience Principles for FMIs

The IMF used a common set of known principles to make an assessment on US Financial Services.

The CPSS-IOSCO Principles, to be exact…please don’t snore just yet and hear me out!

I hadn’t previously heard of these principles before either, nor did I apply a great deal of thought into how they are used to assess anything.  However, the more I researched and the more I looked at this particular example from the U.S, the more I realised how it represented a good example of concentration risk (as well as being a useful thing to know that exists).

What are these Principles and where do they come from?

The principles for FMIs are the international standards for risk management for things like payment systems, central securities depositories, securities settlement systems, central counterparties and trade repositories (investment banking stuff). 

The principles were issued by the Committee on Payment and Settlement Systems (CPSS), later renamed the Committee on Payments and Market Infrastructures (CPMI), and the International Organization of Securities Commissions (IOSCO).

The G20 started it

The G20 (for those that do not know) is an international forum for major economies. Its leaders meet and commit to various declarations. It is via this forum that the financial leaders committed themselves to enhancing the financial stability of the network of counterparty exposures between financial institutions, i.e. the companies in the middle that help with all the transacting and clearing. You might be surprised to know there are quite a few globally!

At the 2009 summit, the G20 made a declaration that standardised over-the-counter derivatives should be centrally cleared by the end of 2012. A year later, there was a further declaration that the financial market infrastructure supporting this activity had to have an established framework for national regulators. Hey presto: in 2012 the principles get published.

So, what are the Principles?

The 2012 publication pushed out a standard set of principles for risk management within the financial market infrastructure space, with a view to the financial ecosystem becoming more resilient. These principles now act as an international standard and are designed to help ensure the resilience of the infrastructure that supports the global financial market. 

The publication comes complete with an assessment methodology making up nearly 300 pages of documentation to consume. In addition, the full document contains 24 broad principles and organisations are expected to adhere to them and perform self-assessments. 

The principles cover everything you would expect to see in a risk management framework for a financial services organisation. It covers everything from data disclosures, credit and liquidity risk exposure and settlement rules through to operational risk and governance.

The assessment methodology can be used as a self-assessment tool as well as a guide for examiners to benchmark against. For example, the International Monetary Fund (IMF) recently used these principles as a benchmarking tool as part of its US financial services assessment. There is a publicly available paper on their findings and I think it provides a really useful example of how the principles and their framework are applied.

How are the Principles used?

The IMF financial sector assessment program released a technical paper on the supervision of financial market infrastructures and resilience of central counterparties in the US in August 2020. The analysis and recommendations appear to form part of the rationale for reviewing the way the financial market ecosystem (and the supporting infrastructure) is prepared for major business and market-wide impacting events.

The paper initially suggests a timeframe for delivery on most recommendations to fall between 1 and 2 years. This was obviously looked at prior to, and in the midst of, the global pandemic. Therefore, one might expect the response to this paper from the market and the associated regulators to not be perhaps as swift as they had originally hoped? It’s hard to say without working in one of them!

Too big or too important to challenge or change?

The case study assessment findings of the US Financial Services review set out a requirement to standardise some of the approaches to managing risk across the core FMIs.


“FMIs are highly concentrated”

“Risks… include a failure of large globally significant U.S. FMIs, which could trigger a major market dislocation because of their quasi-monopoly position in the market.”

“For certain risk management measures, the mission found that in some cases the outcome of the implementation of PFMI risk management standards (by the CCPs) was uneven, specifically regarding the independence of the risk management function.”

International Monetary Fund – 2020

So basically, these organisations all do it differently and potentially not in alignment to the new rules. However, we can’t go anywhere else for the service so how they do it has to be just fine or we need to find a way to better regulate them / enforce change.

In fairness, I believe this report promotes the urgent need to improve governance in this space so there will undoubtedly be a marked improvement going forward.

However, I also believe that this is a representative example of a challenge across all sectors. Major players provide you with something essential to your customers that you can’t get anywhere else: AWS, Azure etc. Do you accept the risk? Is there any other choice? Is this just the cost of doing business?


Third party outsourcing and operational resilience continues to be widely reviewed across regulatory and professional communities. The modern organisation is flush with supporting vendors in every way one can imagine. One might argue that some companies are nothing more than a front-end brand with a finance team and a third-party management group! 

The case study example represents a circumstance that business owners and leaders will find themselves in if they haven’t already. A third-party relationship becomes too big to challenge and is that okay?

This IMF assessment of US FMIs was published in the summer of 2020. I wonder how much of an influence it has had in prompting the wider US or global regulatory landscape to address the risk management and resilience capabilities within the FMIs? I also wonder if material like this is also used to demonstrate the issue of concentration risk with third parties? I guess time will tell.

Enterprise Risk Management – Great Idea But Too Complicated?

I was listening to this great podcast a while back from Riskologists and they got onto the topic of enterprise risk management and whether they’ve truly seen the perfect finished article. Both the host and the guest jokingly agreed that this is “the dream” and confirmed neither had yet to see one so far.

So if the best in the business say they haven’t seen it, why has it yet to be achieved?

The modern-day organisation is becoming far more complex (even if yours isn’t yet). The standard pillars of the business have always been thought of as Sales, Ops, Finance, HR, IT etc., and they still are, but the way in which they exist is changing dramatically, as is the general make-up of the traditional organisation. It’s no wonder enterprise risk management is still an aspiration for many.

Exam Question: How do you capture, analyse, assess and present the risk landscape of a truly dynamic organisation like this? And, is enterprise risk management the answer?

How Has the Organisation Changed?

Once upon a time a company would develop a product or service in-house and focus their operation to just one country. That service would often be supported via a physical process in a physical location with an actual person.

The new “post” pandemic remote offering and hybrid working has accelerated a rapid transformation in the workspace. Organisations that would have been a little later to the party, because of budgets or traditional cultures, are now right up there in full transformation mode. This has radically changed the way we do business and who we do business with. This has seen a major increase in the use of IT vendors offering things like software, cloud hosting etc. As a result, the org set up and how it operates is becoming unrecognisable.

I blogged and hosted a panel session back in September 2020 with senior resilience professionals from Zoom and IBM. We talked about suppliers changing, with everyone now adopting a cloud-first strategy. The bottom line is that most organisations are now partly, or completely, made up of someone else’s data centres and someone else’s applications. Yes, it’s your data and yes, it’s your responsibility, but to me it feels like so much has changed. Perhaps not everyone is feeling the pace of change, but it is happening. Having helped to onboard a major IT service provider in one bank and then globally managed supplier resilience in another, I can safely say I see the transition in full flow. Businesses aren’t the same as they used to be.

Why Enterprise Risk Management (ERM)?

The case for an organisation to develop an enterprise-wide approach to risk management continues to be a widely discussed topic among risk professionals and academics. ERM is not new, but it has been gaining traction in recent years. This has been driven, to a certain extent, by the fact that ERM is becoming something of a business requirement, as evidenced by its inclusion in the ISO 31000 standard. As organisations have begun to recognise the growing prominence of ERM in recent years, researchers and bloggers (such as myself) are beginning to look for case-study examples. However, I can’t find a publicly available finished article.

ERM in theory can consolidate all known global, cross-domain, cross sector risks into a well organised system. An organisation might choose to decentralise its risk view to domain-specific areas such as IT risk, fraud risk, project control risk, credit risk etc. However, an ERM framework can organise a collective view in the full context of the organisation. The emergence of ERM allows for the risk related issues to be aligned into one space using one tool allowing for enhanced corporate governance.

By bringing together silos of sub-discipline, ERM could potentially provide a thorough understanding of the organisation. This allows leadership to have more of an enhanced and holistic view of the operations internally and externally. This can often present a range of unexpected benefits. The Economist Intelligence Unit back in 2007 presents a useful example, using exchange-rate risk, which demonstrates the advantages of taking a consolidated view of an organisation’s risk exposure through ERM:

“A company with divisions set up as separate profit centres in different geographical locations. Each division uses currency derivatives to hedge its exchange-rate risk. But it may be that exchange rate movements that are damaging to one division are favourable to another. In this case, separate hedging by individual divisions is a wasted expense, and one that could be avoided by adopting a centrally coordinated strategy. Given that such hedges can easily cost 1% of the overall transaction value, there is much to be gained from looking at this kind of activity from an enterprise-wide perspective”

EIU 2007

Surely consolidating your risk view can only benefit the business here? As the above example suggests, even financial benefits can be derived from taking this view. Also, the enhanced perspective on “total risk” for the business will surely empower the leadership to become more aware in the full context of the organisation?
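To make the EIU point concrete, here is an added worked example (mine, not the EIU’s or this blog’s) that compares the cost of each division hedging its own gross exposure against hedging only the enterprise-wide net exposure per currency. The divisions, currencies and exposure figures are constructed for illustration; the only number taken from the text is the 1% hedge cost.

```python
"""Added example: divisional versus enterprise-wide (netted) FX hedging cost.

The divisions, currencies and exposure amounts below are constructed for the
example. The 1% hedge cost per unit of hedged value is the figure quoted in
the EIU passage.
"""
from collections import defaultdict

HEDGE_COST_RATE = 0.01  # 1% of the hedged value, as quoted by the EIU

# Constructed sample data: each division's open exposure per currency, expressed
# in the group's reporting currency. Positive = the division will receive that
# currency, negative = it must pay it. Amounts are illustrative only.
DIVISIONAL_EXPOSURES = {
    "Europe":   {"USD": 5_000_000, "JPY": -1_200_000},
    "Americas": {"USD": -4_000_000, "GBP": 2_500_000},
    "Asia":     {"JPY": 1_500_000, "GBP": -2_000_000},
}


def divisional_hedge_cost(exposures, rate=HEDGE_COST_RATE):
    """Cost when every division hedges its own gross exposure in each currency."""
    return sum(
        abs(amount) * rate
        for division in exposures.values()
        for amount in division.values()
    )


def net_exposure(exposures):
    """Net each currency across all divisions: the consolidated ERM view."""
    net = defaultdict(float)
    for division in exposures.values():
        for currency, amount in division.items():
            net[currency] += amount
    return dict(net)


def central_hedge_cost(exposures, rate=HEDGE_COST_RATE):
    """Cost when only the residual net exposure per currency is hedged."""
    return sum(abs(amount) * rate for amount in net_exposure(exposures).values())


def hedge_saving(exposures, rate=HEDGE_COST_RATE):
    """Money left on the table by hedging in silos instead of centrally."""
    return divisional_hedge_cost(exposures, rate) - central_hedge_cost(exposures, rate)


if __name__ == "__main__":
    print("Net exposure by currency:", net_exposure(DIVISIONAL_EXPOSURES))
    print(f"Divisional hedging cost: {divisional_hedge_cost(DIVISIONAL_EXPOSURES):,.0f}")
    print(f"Central hedging cost:    {central_hedge_cost(DIVISIONAL_EXPOSURES):,.0f}")
    print(f"Saving from netting:     {hedge_saving(DIVISIONAL_EXPOSURES):,.0f}")
```

With the constructed figures the divisions would hedge 16.2 million of gross exposure, while the netted position is only 1.8 million, so the consolidated view cuts the hedge bill from 162,000 to 18,000. The same aggregation shape (collect per-domain figures, net them on a common key) is what any ERM consolidation has to do, and it only works when every division reports in the same units, which is exactly the consistency problem discussed below.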

Bringing it all together into a balanced and well-communicated ERM framework is arguably the way forward. No?

#Complicated – Easier Said Than Done?

Before we get ahead of ourselves: for those organisations considering ERM, there still remain a number of challenges to overcome. The above example on exchange-rate risk works both ways. Yes, you can see the benefits of viewing a risk in the wider context, but adopting a unified approach that communicates a common and balanced picture is one hell of a complicated task. What about differences in risk appetite born out of jurisdiction, product line, local strategy etc.? Different parts of the business will likely assess risks in different contexts. How can we be sure we have a balanced view?

Conceptually speaking, a holistic program makes total sense but I imagine many risk managers will be unsure about how to get started on such a program because managing risk across the entire company is far more complex.

Where’s the Guidance?

An enterprise-wide approach to risk management will often present a range of unique complexities. In order to ensure the successful implementation of ERM, and so to receive the associated benefits, the design of each framework will need to be tailored to the scale and complexity of the organisation. To help achieve this, the Institute of Risk Management provides high-level principles known as PACED for businesses to consider first: risk management should be Proportionate, Aligned, Comprehensive, Embedded and Dynamic.

COSO also do a pretty good model on the complexities involved in this space. There is so much content all over the internet on this so I won’t deep dive.

COSO basically identify a set of interrelated components, derived from the way in which management run an enterprise, and relate them to the overall business objectives. The relationship is then presented as a matrix, in the form of a cube. There is way more to it, though, and it might help risk managers to take a look if they are struggling with the complexity element.


I can totally see the benefit of a holistic view that ERM can bring by breaking down internal silos of risk management activities, removing wasted resource and duplication etc. It could also add greater context to the strategic insight which will ultimately improve decision making. The message is clear on benefits.

However, the complexities and associated challenges with implementing ERM into an organisation and getting it right does put me off a bit. It will need constant balance against bias and anchoring in the board room and the ever present evolution of the business.

Consistency will be one of the greatest challenges!

Being an Ally: Educate, Create, Celebrate, Challenge … and Repeat

“We view allyship as a strategic mechanism used by individuals to become collaborators, accomplices, and coconspirators who fight injustice and promote equity in the workplace through supportive personal relationships and public acts of sponsorship and advocacy” 

Harvard Business Review 2020  

As a father to my little girl, a husband to my kick-ass professional wife, and a colleague to countless amazing women in my network who are killing it out there right now, I was honoured to be invited to a recent webinar session to talk about being an ally.

Many will already know I currently sit on the Business Continuity Institute’s Global Board of Directors, as a member representative. It is therefore vital that with this platform I find opportunities to support and represent these important discussions. 

Start With an Apology… 

As a white male, I can’t deny that my privilege has certainly had a significant contribution to the direction of my career. It’s only recently that I have become far more aware of the dominant culture that I have benefited from for many years. I’ve also become aware of how dangerously ignorant I once was!

I can’t honestly represent my current values in this post without acknowledging (and apologising for) the views I once ignorantly held. So here goes…

There is a conversation from a very long time ago which circulates in my mind regularly and which, on reflection, I am incredibly ashamed of. However, I think it’s very important to remind myself of just how much a perception can change with awareness and experience. It also demonstrates how dangerous an uneducated view can be!

Disclaimer! What I’m about to say does not reflect how I feel now. I was young and very ignorant to a lot of things back then.

The Dangers of Ignorance in a Dominant Culture

Fresh out of university and at work, I was speaking to one of my fellow graduates who worked for the same company as me in our first role. We were talking about where we would like to take our careers and she remarked on how she would also like to plan for a family one day. I remember at the time I said:

“I can’t understand how it could be fair that two people from the same university, with the same degree and the same grade go to work for the same company for five years, and in that time the female could potentially have two or three babies and may only work for two or so years. Yet, on her CV, she would have five years’ experience and it would be fair game for her to apply for the same jobs that I’ve worked longer for. This feels incredibly unfair…”

Me a long time ago… (sorry)

*Facepalm* I know, right? I sigh as I write this…

What was I thinking?!? I can’t believe for a second that this was ever my opinion and I’m embarrassed on a regular basis when I think back to that coming out of my mouth. However, at the time it felt like a very natural opinion to me. I wasn’t even close to being aware of just how unbalanced the game really was (and also in my favour). 

If you haven’t already, go out and buy the Gill Whitty-Collins book “Why Men Win At Work”…

“…ask a goldfish in a bowl – how’s the water? They’ll say, what water? Those who are part of a dominant culture are unlikely to see that it even exists.”

Gill Whitty-Collins

This book, combined with what I now regularly witness, has broken the glass of my fishbowl! Now I see it, it’s everywhere. 

I think one of the reasons I share my honest example is because it demonstrates how easy it is to not see the full picture and therefore miss out on the opportunity to help. Even an individual, who is part of the dominant culture, but perceives themselves to be a good person and with the right values, can still get it incredibly wrong! We are all learning.

This is exactly why we need to keep having conversations. 

Webinar Answers and More

I was recently invited to be on a panel discussion put together by Women in Resilience (WIR). This is a global volunteer group of individuals who devote their time to providing a platform for equality in the workplace and to spotlighting women who work in resilience, a profession that remains male dominated.

I couldn’t help myself but blog the answers to some of the questions posed to me ahead of the ally webinar. In the spirit of sharing and growing together, please take a look at the types of answers/advice that I provided and some of the resources that I point to.

What should women look for when choosing a male sponsor? 

I think some of the considerations for a sponsor are the same as those when choosing a mentor. I actually touched on this partly via a blog I did on mentoring when I referred to a Forbes article about female mentorship.  

Some people might disagree, but I believe that you need to have some similarities and shared values with those you hope will sponsor you. This can make the whole process a lot easier and mutually beneficial (because they believe in the same things you believe in). In terms of looking for a male sponsor, I think actions speak louder than words. So, I would be asking myself these questions:

  • Have you experienced or witnessed the individual take positive action to support equality in the workplace?  
  • Alternatively, have you experienced or witnessed examples of where the individual has not taken action where it could have been possible? 
  • Do you believe the individual shares a similar pattern of values to the ones that you hold?
  • Does the individual have your best interests at heart? 

When I talk about taking, or not taking positive action, it can take the form of many different things; from subtle intervention during meetings, to the open support of female colleagues both inside and outside the organisation. It could also be active mentoring or reverse mentoring with female professionals. The individual might also openly share content on related topics and issues to help generate awareness. 

There are plenty of ways to see whether an individual could be the ideal sponsor for you. Of course, you’ll have to cross reference that with exactly what it is that you want and the value systems that you hold, as well as where you want to take your career. 

If you haven’t seen it already, I highly suggest taking 10 minutes out of your day to watch Carla Harris in her TED talk about how to find the person who can help you get ahead at work. First of all, Carla is a senior Managing Director at Morgan Stanley and, in my opinion, is a shining icon for men and women everywhere. I highly recommend you look at her talks. In this clip, she talks about the “a-ha” moment during the round-table performance evaluations. Meritocracy, i.e. getting your head down and working hard, is a myth; what you really need is someone to speak for you, i.e. somebody supporting you on your behalf and in your favour = a sponsor.

What advice would you give men looking to become a sponsor? 

It’s simple to me. To be a sponsor, you need to publicly and openly create visibility for the individual, find opportunities for them to succeed and support their successes.  

There’s a really good article in the Rutgers Business Review which breaks down what you need to do into loads of steps. However, at its highest level they advise that you need to:

1) Be her raving fan  

2) Provide cover and share your social capital  

3) Nominate her for stretch opportunities  

Can’t be any simpler than that.  

One other piece of advice (or rather caution) is that you seriously need to consider whether you are going to proactively do exactly what the label suggests. I’m not talking about capacity; we will all do what we can and we all have our limitations with time etc. I’m talking about calling yourself an ally or a sponsor, turning up to a webinar or a session, and then doing nothing with it.

Actions speak louder than words – are you really an ally?  

As an Ally, how do you appropriately call out Bias when you see it? And, how have you overcome your own bias?

I think calling out bias sounds so simple but from my experience it has been one of the most challenging aspects of trying to be an ally. Not least because I’m still educating myself about the list of inappropriate things that happen in the workplace. These things can be so subtle and passive, such as microaggressions, that I previously didn’t even notice them. So, the first hurdle is to notice, which sounds simple but isn’t, because it comes with awareness.

Secondly, the next challenge is knowing how to call out bias. It’s not about jumping across the table to defend a female colleague’s honour and pinning someone to the ground until they retract what they said or apologise. The fact is, inaction is action, and by doing nothing you are essentially saying that it’s okay to behave like this… and it’s not. Learning when to call out bias, and in what way, is an ongoing endeavour.

I can’t be alone in this because there is so much material available online to help people like me understand the above two challenges. Harvard University offers a 4-page leaflet which gives a really useful high-level guide to the things you need to think about. This guidance talks about two approaches known as calling in and calling out. The former relates to workplace relationships where you are closer to the individual who may have acted inappropriately, and you can take them to one side in a safe and trusted environment to explain what you saw and ask whether they understood the consequences of their actions. The latter relates to a more urgent need to press the pause button and openly call someone out. The Harvard guidance also gives really practical steps for what to do when you are personally called out.

Calling Out  

A good example of calling out that I’ve used in the past, and which is slightly more subtle, relates to when a man is presenting something that I know has been mostly worked on (or even owned) by a female colleague. I have muscle memory in this now because it’s happened so many times around me. If the individual presents information as if it were theirs and I know that to be different, I will deliberately ask a benign question but precede it with a statement like:

“Thanks for the briefing, I’m conscious X did the majority of the work in this space and has a lot of the background so this might be a question better answered by her but….” 

For those that aren’t particularly good with conflict management, this is often a good way to start influencing a room of people where your female colleagues aren’t being recognised. 

Calling In 

The best example I can give to calling in is a moment I recently experienced when preparing for a presentation with several individuals (2 men and 2 women). One of the other men took the time to write to me afterwards 1:1 to point out I was monopolising the conversation and was talking over our female colleagues. At the time I didn’t even realise that I was doing this. The fact that this guy took the time to explain that to me gave me pause for thought and I duly apologised to my female colleagues.  

What’s your experience with the gender pay gap? 

Most recently, I took part in a compensation study that covered 39 different countries, in return for which I received a report of the analysis (coordinated by a prominent female professional in the business continuity industry, Cheyene Marling). The report cited that in full-time permanent positions women were on average paid 8% less than men, and 26% less when working as a consultant/contractor. This research comes from real professionals around the world, both men and women, being honest about how much they get paid. I fully trust the data in the report and I’m saddened to see the results. At the end of the day there really is no excuse for the pay gap.

I have also had courtside seats to watch the smartest, most capable woman I’ve ever met face so many more challenges than me when it came to being paid what she’s worth. (FYI this is the woman I married and she’s 1000% the professional I am, but I believe that my privilege made those conversations a hell of a lot easier for me than for her.)

Final Thoughts (for now)

Look, in terms of calling out bias, some men will take their time to do the right thing. Firstly, they have to see it. Secondly, they have to make time to raise their own awareness. Thirdly, they have to get it wrong and be okay with the fact that it’s a continued journey of learning. Finally, they need to develop and regularly practise methods to appropriately call in and call out male colleagues in the workplace.

To me, the positive side of being an ally is easy. Be a cheerleader, create opportunities and share your social capital.  

Educate, Create, Celebrate, Challenge … and Repeat

IT Risk – Financial Services

A Reflective Piece – The Treasury Select Committee on IT failures within the financial services sector (2019)

The Treasury Select Committee launched a review into IT failures within the financial services sector in November 2018, with support from expert witnesses and contributors to gain a full view of operational resilience in the sector at that time. 

From a UK banking perspective and now sitting 2 years on, I found looking back on this review particularly fascinating because it centred the discussion on the key issues within financial services technology. It also forecasted some pretty accurate expectations for operational resilience.

I think this review shows just how long it can take to formulate discussions, prompt change within regulation and execute on that change within the organisations. That is one big oil tanker to turn around! 

The Paper

The paper provides an in-depth review and offers 55 conclusions back to the sector and UK regulators. Here are my summarised points below of what I have taken from the report:

  • The focus on operational resilience will probably continue. (It did)
  • PwC advised that organisations face the challenge of ageing legacy infrastructure that is hard to maintain, expensive and risky to replace (TSB being a great example there…).
  • Outages in the financial services sector are becoming more frequent and publicized and the number of incidents reported to the FCA has increased by 187% in the past year.
  • The lack of consistent and accurate recording of data on operational incidents is concerning.
  • Poor change management is one of the primary causes of IT failures. 
  • The cloud service provider market stood out as a source of concentration risk during the enquiry.
  • Firms cannot use third-party failures as an excuse for when incidents occur. Regulators are not observing a good standard of management of third parties by regulated firms and they should amend, as appropriate, their rules or guidance to prompt an improvement.
  • Firms are trying to work out how operational resilience fits in with some of the other requirements, as regulators already have operational continuity requirements in place.
  • The Senior Managers Regime does not apply to financial market infrastructure, for example payment systems, which needs to be included within the scope of resilience.
  • The TSC and regulators need to prioritise publication of the final policy and guidance. In responding to this report the regulators should set out their upcoming timetable for publication. (They did)
  • Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but also to focus the attention of senior management on the risk of incidents and on incident management.

Crystal Ball or what?

It is as encouraging as it is frightening to see that some of the observations and recommendations from this report have fully taken flight since its publication. It’s almost as if the collective insight had a crystal ball or something! Hmmm.

Of course there is no crystal ball, but rather an accumulation of incidents or near misses that encourage the industry (and its regulators and government) to take a closer look at this space. I know none of these things happen by accident. The very fact that the government is sat around in London with all of these expert guest witnesses and consultants is very telling. This review came off the back of a series of IT failures and denials of service to customers within the UK retail banking sector. The collective insight has set the direction of travel, and the reported observations and recommendations have progressed significantly since this point (in my opinion).

Ain’t no party like a Third Party

The emergence of third party governance and oversight as a significant risk has featured as a key point in the post-mortem of many failures internationally and across sectors. The need to do business with an organisation to achieve a commercial or strategic goal (often at pace) can, and has, won in the face of a risk that eventually manifests into reality. There are a number of case studies out there already where you will see that a third party created a weakness in the operation from which an incident subsequently occurred.

If you look at data breaches for example you only have to do a quick Google to see how many major organisations around the world have been impacted by a third party vulnerability which has led to a major data security breach. Here is an example

I wonder if the major increase in the number of reported incidents to the regulator has anything to do with organisations moving towards cloud services / third party relationships?

The Regulators Produced

Maybe those writing this report secretly knew that the timelines for operational resilience within UK financial services were already set? I say this because the March 2022 deadline to deliver on the new requirements was put in place shortly after this review. Nevertheless, the deadline was set, and UK financial services have devoted a significant degree of attention to what this new regulation might mean and how to address it within their respective organisations. This includes the identification of important business services, the definition of impact tolerance thresholds, and the development of severe but plausible scenarios against which those tolerances can be tested.

One of the other things that I’ve seen debated in the last couple of years within the business continuity space is – how does all this hang together? Many professionals are trying to ascertain exactly what content they can leverage from what they already have against the new stuff. 

Final Remarks

I personally take great comfort in looking back on this review and seeing the direction that UK financial services has taken. Several years ago, when operational resilience was being debated, it was very difficult to see what would change within the current risk framework and what methodology would be born out of this requirement. However, now you can certainly tell there is a high-level methodology that can be used as a guide to proportionately implement something in your organisation.

I guess the million-dollar question is whether, in 10 years’ time, we will see the level of reported incidents change for the better compared to the 187% increase flagged in this review. I’d hate to see all this good work go to waste!

Looking for a Mentor

We all need role models to help get us through the challenges we face in the workplace and during our career. It’s finding someone who shares similar values to you and who you believe cares enough about your career. That is the challenge.

Finding mentors is easy. Finding the right mentor is harder. In the beginning of my career I really struggled to find the right people. Fast forward over 10 years and I now have loads of mentors. Mostly by accident and not in the way I expected.

I think there are a few things to consider.

Where to Start?

I’d say Ferris Bueller was probably my first mentor as a child, so that meme is a nod to that amazing film!

There’s an article in Forbes about the importance of female mentorship which is a topic in its own right but the message about mentoring and how to find one can also be applied more generally. If you’re looking for advice on how to find a mentor and why it’s important then that is definitely a good place to start.

There are also a number of mentoring programs across the resilience landscape to name a couple:

The Business Continuity Institute Mentoring Program

ISACA Mentor Program

Of course many businesses now have programs internally and your old university (if you went) might operate one as well with alumni. At least it’s a few places to start looking at anyway.

Manage your Expectations

I’ve spent the earliest part of my career looking for someone I could shadow, who I could take time to learn from and develop to become the best professional I could be. Looking back it’s been quite the romantic idea. Probably best to manage your expectations on what you should expect from a mentor.

For example, in the early days the most notable advice I have received from my mentors typically took the form of:

“Always look busy”

“Always know more than the person in front of you”

On reflection, not the golden nuggets of wisdom I was initially expecting. I guess this wasn’t bad advice. It is important to be prepared for any meeting and it is important to have a professional presence, which for some might include “looking busy”. However, at the time of receiving that advice I had an idealised view of “the experienced professional”. In the end most of the off-record advice I got just felt like everyone was simply blagging it. I quickly became disillusioned and frustrated because it didn’t align with my rose-tinted glasses!

I initially found it difficult to find a mentor who didn’t appear to be “faking it”: people who put on this professional, busy-body front (something I’ll be the first to admit I cannot do despite my best efforts) but where there is often very little depth to what they are doing or saying. Talk about high expectations, eh? I was so naïve!

The reality is imposter syndrome is a thing and by definition people are often pretending to perform and behave in a way that they believe they are not. Also “fake it ’till you make it” is a widely used quote as well. I’ve come to learn that there is definitely a corporate dance under the banner of “professionalism” that one needs to learn. However, starting out I felt a little let down by the gained wisdom of my experienced peers. On reflection I don’t think that was a fair judgement.

Mentor Alignment

As the earlier Forbes article points out, it is crucial that your chosen mentors have similarities to you and share your values. Otherwise, like any relationship, it doesn’t work out and you might become disheartened.

My first mentor was really great and good with personal challenges but not so hot on the professional practice guidance. They were considered a subject matter expert in their area at the time. When I was asked to develop a policy their exact words to me were:

“Here is a colleague’s policy from another company – just change the name of the company to yours and you’re good to go”.

I felt really let down at the time but I learned a valuable lesson – a good person doesn’t equal good professional.

My next mentor followed a similar theme. They were very friendly and supportive. However, they seemed to get away with saying the right things at meetings and then making the right excuses for regularly not producing. I found this very frustrating because the energy and focus was all on appearance.

Once again – I walked away from that relationship feeling disappointed because our approach to work at that time did not align at all.

Both of my examples were mentors within my own department, which was often quite small, and that might perhaps have been too close for comfort. Also, in hindsight, I had too high expectations of what they might bring to the table for me (based on my own assumptions). On reflection, there is undoubtedly an element of “political manoeuvrability” required when you have competing deadlines.

The reality is you shouldn’t expect too much from your mentor but also make sure they align to how you operate and match your values.

Advice is a Buffet – Take your Pick

Baz Luhrmann said:

“Be careful whose advice you buy, but, be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than it’s worth.”

I believe one of the greatest balancing acts to achieve with a mentor (I have to admit I’ve gotten it wrong once or twice) is to take only the best bits of insight and guidance on offer. Take an honest look at your abilities and skills and any gaps you feel you might have, but do not underestimate your own judgement!

Some advice can be bad advice – pick what works for you

No One-Size Mentoring

By which I mean no one size fits all. There are far too many variables when considering different individuals with different needs, career aspirations, rates of development, availability of time etc. So I guarantee your experience will be different to mine. I guess I initially expected a very structured formal kind of interview situation held on a regular basis. However, I now know that mentoring can be much more relaxed and received as-required. You may not need to be mentored all the time but only when you reach those difficult challenges. For example, when working on a task that you have no experience in or perhaps you’re at a career crossroads and you need to know what options are available. As we all know these experiences are sporadic so we deal with them as they arise and they simply won’t fit in to the second Tuesday of every month with the same person.

A Few Summary Thoughts

You might want to consider when looking at prospective mentors:

  1. Someone with shared values and approach
  2. Consider mentors in other departments or organisations for a different perspective and to avoid being too close!
  3. Pick out the best bits of advice that work for you
  4. Look at your career path – Is the advice you’re receiving going to be of any value with your desired career path?
  5. Look at their career path – take a moment to consider what has motivated the individual in their career.
  6. Believe in your own feedback! – Self-awareness is the very moment you no longer rely exclusively on the feedback and assessments of others, and begin to trust the candid assessments of your own performance. That doesn’t mean to say you should ignore sensible guidance! The resilience industry is so diverse and there is a lot to learn from those individuals who have genuinely seen and done things.

Reflecting on IT Risk

A Reflective Piece – A look at an independent review of the TSB IT platform migration incident back in April 2018

Slaughter and May’s report on the TSB failure was published in October 2019 and provides an independent review of events before, during and after the failed IT migration. For those that don’t know, TSB is a UK retail bank that provides customers with current accounts, loans, mortgages etc. This incident was widely reported in the UK press and placed under a high degree of scrutiny by UK regulators and government.

I don’t claim to know much more about this failure other than news clippings and what features in this report. However, I do find the observations contained within their review to be really interesting from a risk and resilience perspective. There are multiple themes contained within their findings which now feature as key areas for development across the risk management landscape. I think this serves as a useful case study to justify some of the work done in our space.

Anyway, here is a summary of what I read and my high-level thoughts/notes on this report.

The Report

It’s 262 pages containing 23 chapters broken up into 3 main sections –  wow! 

  1. Acquisition by Sabadell subsidiary SABIS and the mobilisation of the TSB IT transformation
  2. Execution of the transformation and its delay
  3. Re-plan exercise, go-live and subsequent events

The first 10 pages provide a very useful executive summary.

The Event

Circa 5 million TSB customers were migrated to the SABIS platform on the 22nd of April 2018, at which point the platform became unstable and almost unusable. This event generated 10 times the usual number of complaints and 70 times the usual number of opportunistic fraud cases.

Imagine being a trader requiring cash flow, or a member of the public trying to pay a last minute bill, which if they don’t puts them into more debt. Or, imagine a vulnerable customer who is trying to access their cash to buy their dinner for that night. I imagine this to be a particularly stressful scenario for the customer if they are denied access to their account and cash.

The  Report Observations (As far as I can see)

  • TSB inherited a legacy IT platform from their relationship with the Lloyds Banking Group which was then required to migrate over to an entirely new IT banking platform.
  • Following the acquisition of TSB, an ambitious and unrealistic go-live date was initially set for 17 months without detailed knowledge of technical requirements. Functional testing overran by 10 months from the plan, meaning non-functional testing only started at the point of the previous go-live date.
  • The board did not question why TSB would be “migration ready” 4-months after the previous go-live date, even with project streams still delayed by as much as 7 months! Furthermore, they announce the re-plan date publicly!
  • To meet new target dates,  performance testing targets were reduced. Reporting on non-functional testing and outstanding defects were also limited and inaccurate.
  • Limited third party governance was undertaken due to the nature of the relationship between SABIS and TSB, akin to an intragroup set-up.
  • Inadequate risk oversight and audit, without a robust independent opinion.
  • This was a migration of the functionality and data of an entire bank to an almost entirely new IT platform, and doing it over a single weekend was very risky. According to the report, the board did not request or receive any advice on the risks or the full range of implementation options.
  • A small piloted series of early cutovers representing small parts of the bank was the organisation’s approach to de-risking. Other protections, such as being insulated from cost overruns and having exit options, were in place and reduced the risk of failure of a single migration.

I’m glad that case studies such as this exist for the risk and resilience community because they provide a real-life example of what could go wrong. It also enables us to point to an example that supports the case for effective risk management and governance (however dull and time-consuming it may appear to management!).

Are we the storytellers?

I guess the obvious thing that springs to mind when reflecting on the observations is that the board didn’t actually receive all the right information. I have seen this in another example before, where a hospital board was not aware of the lack of resources and training within a particularly critical department. That organisation, at the same time, was experiencing a significant increase in mortality rates, but no one put the two together for leadership. These are different scenarios but the point is the same: if leadership don’t know, then what are they supposed to do about it?

Many mature complex organizations typically have a very comprehensive board assurance framework, where leaders are informed by huge decks of information on a monthly basis about risk stuff. It would be naïve of us to truly believe that they read and understand every slide in every deck. Moreover, we could never expect them to challenge missing information. It is incumbent on the risk and resilience professionals to find the most effective way to communicate the greatest risks to the organisation, regardless of what is in the standard reporting deck. Get your storytelling hats on folks and make the risk meaningful to the management because if they don’t get it  they won’t see it.

Is change the root of all risk? And do we need to communicate the upside?

I know it’s not the root of all risk but sometimes it does feel like most major and emerging risks (whether realised or not) derive from some form of change to the business. This case study represents a major technology change of which the risk was substantial. Therefore, one might suggest that any effective risk management program should include change management controls in every area possible within the business landscape because this could well be the Achilles heel for the organisation. Having worked in transformation programmes, any stage gate that requires approval or assurance before moving onto the next step is often perceived as a “blocker” or a hindrance to the progress of a project. This can sometimes create quite sensitive and difficult discussions. My experience so far is that opportunity wins against the risk on almost all occasions. This to begin with felt wrong and counterintuitive to my studies and learning thus far but I have now embraced the additional perspective which captures the opportunities of risk against the cost of doing business. I think this is a crucial part of the risk managers mindset as we balance the message to management about the risks being presented to the organisation.

Are organisations becoming just a brand that’s operated by Third Parties?

Third party due diligence and oversight has become a popular theme in recent years. For example, the European Banking Authority released new guidelines in 2019 which went into great detail about how to manage the third parties operating within the financial services arena. The example above is a UK bank whose entire IT platform moved to another organisation (albeit intragroup). The modern-day organisation often adopts a cloud-first strategy and chooses to work with products and services offered via SaaS solutions. It’s starting to look a lot like the organisation itself is nothing more than a brand with a thin veneer of operating management / relationship managers overseeing a vast array of third-party providers. Is the traditional organisation dead? I did bring this up with a very experienced supply chain manager not too long ago and apparently, for some organisations in some sectors, this has been commonplace since as far back as the 90s. I wasn’t aware of this in financial services, although I can certainly see it as the direction of travel. Risk and resilience practitioners may need to factor this into their mindset when assessing a risk to the business.

Final Remarks

Using case study examples was as good for learning at university as it is for ongoing professional development. There is no denying that a lot appears to have gone wrong in the TSB example. The positive news is that they survived as an organisation, people kept their jobs and folks got their money – eventually.

I believe we are the storytellers. I believe we need to find the most effective way to communicate risk to the leadership. It needs to mean something for them to empower them to make the right decisions.

Mental Health in a Continuity and Resilience Role

When the Continuity Pro … Can’t Continue

*remarkably within 7 hours of posting this I got people who have never shared a view of anything I’ve written dive in with feedback.

* I am not a mental health professional. This is just my experience of a heavily redacted article

Continuity and resilience professionals are often found at the centre of crisis response and are considered to be the pragmatic, sensible support at all times. But what if they are struggling as well?

“Mental health conditions are increasing worldwide… there has been a 13% rise in mental health conditions and substance use disorders in the last decade (to 2017).”

World Health Organisation

Mental health and wellbeing (even since this stat in 2017) is now more than ever at the forefront of every corporate response to employees when addressing the recent response to COVID-19. Just to get to this point, most organisations have required an incident response team to navigate the unknowns and unanticipated challenges of this multi-year incident.

Shhhhhhh I’m “Okay”

In late 2021, a small survey conducted across a number of continuity and resilience professionals revealed a high degree of mental health issues, such as anxiety. This is the first set of survey results I have seen with this kind of data from our community. I think that in itself paints a concerning picture of a culture that doesn’t often talk about it.

More often than not, continuity and resilience professionals have found themselves at the centre of their organisation’s response to the pandemic and continue to be so even 18+ months on. As a current member of the Global Board of Directors at the BCI, a number of people have approached me to tell me about their mental health and how it is often not discussed because of the nature of their role.

Any professional having experienced a true business disruption will attest to the fact that incidents can cause stress and trauma to those responding. My question is:

As a professional community, do we do enough to recognise the importance of mental health and wellbeing and the psychological challenge of a live incident? And what happens if the continuity pro can’t continue?

Disclaimer – I had to seriously pull back on the personal content from this article because the people close to me who I shared drafts with (who work in our professional community) told me it would leave me vulnerable and people may use it against me! I think that tells you all you need to know about some of the active folks in our community…

But anyway, it’s not going to stop me sharing the core of the article. Here is the edited version….

Perspectives on Mental Health

I would consider myself a lifelong sympathiser of those struggling with mental health having supported people close to me.

However, I can’t begin to fully understand and appreciate what people are going through. With mental health, you have the person experiencing the issue, which is entirely specific to the individual. No one can ever fully appreciate something so intangible as the thoughts and feelings of another person. But then there’s also parents, partners, siblings, children and friends, who have first-row seats but still don’t fully get it. It’s so unique to the individual and that needs to be appreciated.

It’s not like they have a broken leg with a cast or a virus that has them coughing and sneezing in bed. You can’t see this person’s illness or injury in the same way. This makes it harder to understand and empathise. Some loved ones might be quick to disregard it as being weak or using it as an excuse to not be “getting on with it”.

You can’t always see it and touch it, but that doesn’t mean it isn’t there. And don’t begin to think you understand what the person is going through. Just support them.

Therapy – Not so straightforward

I always thought of therapy as that classic scene of someone lying on the couch talking about their childhood to a nodding doctor. I always thought you’d leave having emptied your thoughts, the doctor would give you some pearl of wisdom and you’d be fixed by the experience. However, when I first experienced therapy, I discovered this is not the case at all.

For starters, COVID has led to everything being so virtual. So many people’s sessions are via video conference. For me this presented its own challenges of finding a private space and having good Wi-Fi!

Secondly, therapy is difficult. It is emotionally exhausting to talk a stranger through your thoughts and memories. Before every session I felt a build-up of anxiety as I prepared to pour out more of what was in my mind.

Thirdly, I wasn’t ready for the way I would be spoken to and the questions I would be asked. My therapist was nice and supportive, but they had a way of picking out key points and diving into uncomfortable territory. It isn’t all nice voices telling you everything is alright. If you do this you need to be prepared for some difficult conversations.

Finally, the last thing that struck me about therapy is just how much effort you have to put in yourself to truly get anything out of it. I found it to be hard work but in a worthwhile way, similar to the gym. You can’t just say everything out loud to a stranger and be better for the experience. The process requires commitment and self-investment to get to a point where you may need to make some brave decisions about the future and then see them through.

Finding the Strength to be Weak

I had never stopped before COVID. It has always felt better just to get my head down and get on with it. It’s in the nature of what I’ve studied and worked at for years. You work through a crisis. I have personally discovered that in order to be vulnerable, to feel weak, you have to find strength. For example:

  • Strength to acknowledge what could be perceived as weakness in front of family, friends, colleagues and yourself
  • Strength to let go of your responsibilities at work and let the work sweep away (and possibly feel like a failure for doing so)
  • Strength to deal with whatever was happening to you head on and organise your own recovery (including the admin!)
  • Strength to handle difficult thoughts and conversations in therapy to work through any issues

Finally, the strength to eventually go back to working life. However, once you stop the clock to find support, the prospect of getting “back on the horse” of one’s career might seem frightening. Will you ever be as confident? What if this happens again? It must take so much strength to go through this.

Writing a Mental Health Continuity Plan

I’ve spent years helping to write continuity, crisis and incident management plans for organisations. I’ve even been involved in responding to crises, such as fuel shortages, possible terrorist threats, a flu pandemic, mass evacuations, etc. In all of that planning and responding, I’ve never once thought about needing a plan for myself and my mental health. Then I recently thought: “What happens if I have an ‘incident’, like an internal crisis or breakdown? What do I do then?”

I started to think that maybe I should try to write a mental health continuity plan. I like writing. It helps me to remember. It helps me to understand and better explain things to myself.

Plans have structure and direction and give those who use them confidence, so why should this be any different? I decided to work through my own mental health continuity plan.

Another disclaimer! Everyone’s plan will be different, but this was my 3-step approach and the inherent challenges.

Step 1 – Identify the Triggers

Find out exactly what triggers the emotions and behaviours. Use the opportunity to increase your own self-awareness. Get them really clear in your mind. Write them down. You can’t respond to them in a managed way if you aren’t completely clear on what they are and why they are there.

Challenge with Step 1: Let’s Be Clear…

Trying to find a way to clearly express or explain the issue is hard! If you can’t explain it to yourself or someone who might be supporting you, you may come across some challenges. This is easier said than done. One might find it difficult to articulate exactly what they are feeling. People express feelings in different ways.

Step 2 – Develop Strategies

Develop some early warning indicators for the thoughts and behaviours that you associate with the issues and also some coping mechanisms. This might also include relaxation techniques that you can deploy to reduce anxiety to help manage your emotional reaction. For example, one coping mechanism might involve introducing boundaries.

Challenge with Step 2: Setting Boundaries Vs Living a Boundary

Developing strategies for managing an emotion and behaviour seems, on the face of it, quite straightforward, doesn’t it? For example, emotion A occurs – do this; behaviour B arrives – do this. How hard can it be? Right?…

Setting healthy boundaries is particularly challenging. For example, any boundary set might impact someone or something else. A boundary is often likely to prompt some kind of change against the previous normality. For me, this has meant having difficult conversations, handling reactions to change from both myself and those around me, feelings of guilt, etc. Setting a boundary and living a boundary are two very different things, and the latter takes bravery and commitment. It is probably one of the hardest things you might ever have to do as part of your ongoing recovery.

Step 3 – Ongoing Self-Care

Look after yourself. You’re useless to anyone, including yourself, if you can’t do that. Find time to decompress, eat well, take on water, exercise and get outside. Make sure to carve out time in your busy life to be kind to yourself and enjoy what is around you and what’s important.

Challenge with Step 3: Self-Care Realities

As a father of 2 young children, with both my partner and me working, sometimes self-care boiled down to whether we had the time to do the laundry or make a sandwich. A long way off hydration, meditation, relaxation, etc.

Everyone is busy and stressed out. I’m sure most adults forget to really take care of themselves physically and mentally (I know I often don’t).

I have learned that some of this is achieved by dealing with the step 2 challenge. Positive boundaries/decisions will carve out time and inclination to even begin to look at self-care.

In Summary

I’ve long felt that more could possibly be done in the professional community to discuss mental health. I hope by writing this that others may come forward with their thoughts and provide their advice and tips.

I’d like to conclude by repeating earlier points:

  • Mental health for continuity and resilience practitioners needs more attention.
  • Ideally the professional community should try to share more of these experiences.
  • Whilst planning techniques can assist in working through your experience, it’s definitely not that simple.


Resilience By Design

Two things have occurred to me recently as part of my ongoing journey to better educate myself on the ever-evolving concept of resilience.

Firstly, I got to share half an hour with a senior manager within one of my previous organisations who had recently taken up a lead position in resilience. The individual came from a seasoned engineering background but not specifically continuity and resilience. In our short conversation they were able to inspire me to try to look at resilience in different ways as often as I can to see what I could learn.

Secondly, in some notes shared with me I recently found a reference to a paper published in 2020 on the concepts, constructs and mechanisms relating to resilience. It was academic and it didn’t apply to my usual financial services context, but I really liked the way it helped me look at the same thing in a different way.

Both the conversation and the article have proven to me that you can refresh your understanding of something by taking an alternative perspective.

Resilience Principles in Engineering

Okay, so the conversation with the engineer was pretty simple. This individual was able to talk me through an example to help me understand how, in fact, everything they had been involved in throughout their career was founded on resilience principles and it was nothing new to them. They explained to me that product design and materials engineering within the automotive industry has to consider resilience themes from day one: themes such as tolerance thresholds for their chosen materials and the ways in which they are being used, before deciding whether they should be included or not.

After this conversation I went straight to Google and came across a guy called Erik Hollnagel, who is a published author on resilience concepts in engineering. He is quoted in this blog from the Resilience Engineers Association, which provides a great background on how resilience is viewed from this perspective. It appears to have been created as a contrast to safety management, offers some really useful basic principles for resilience and calls for constant evolution.

Resilience engineering must free itself from the frame of reference that might have been of some value ten years ago (yet even that is doubtful), but which surely will impede any further development.

Resilience Engineers Association – 2019

Change the Perspective

I have been reading so many articles and listening to so many podcasts (admittedly from my own professional community/sphere) that I never stopped to consider how the concept of resilience is applied in other ways.

Of course, the engineers are right, and it sounds so obvious now I say it out loud. Those product designers and materials engineers have to consider core components of resilience from the outset. Once they understand what they’re designing, who they’re designing it for and why, the next question is what materials they are going to use and how they will meet the needs of the design and purpose. For example, if I were to develop a 4×4 truck for off-roading, would the materials of that design have the same needs as the requirements of a Formula One racing car? I’m not an engineer, but I’m guessing racing cars need lighter metals whereas trucks could allow for something stronger for durability. I’m also pretty confident the way in which they are designed will be different because they have entirely different objectives. Every decision about every material, design and build will have had to consider beforehand just how resilient they want it to be.

I’ve heard the term “resilient by design” said quite a few times and I have never really appreciated the simplicity of it. I guess whenever I’ve taken to designing a business continuity plan, for example, it’s always been about the ability to respond to and recover from an incident, but beyond that I don’t think I’ve ever applied the same approach by asking myself why I am writing the plan in the first place. Obviously I know I’m writing the plan to detail how the business will respond to and recover from a disruption, but beyond that reason, why is it even needed? That reminds me, I must read that book Start With Why. Maybe I need to do this more often in everything I do at work. All in the name of development, eh?

The Resilience Trinity Approach

The article I stumbled on not only supported the idea that I should try to find new ways to look at things differently, it also offered some pretty useful fundamental ideas about resilience. In summary, it proposes a thing called the Resilience Trinity; it was published in January 2020 and has about 30 authors. It uses ecosystem services such as water purification and wood production to provide examples of how their approach can be applied.

I should probably say that I am coming at this from the perspective of a professional continuity and resilience practitioner in financial services, and this is an academic article presenting itself in the context of ecosystem services. I am looking to apply this approach in my own context and will henceforth be commenting as such. Let me also say that nothing in this paper is radically groundbreaking, but what excites me more about it is that it provides individuals with an opportunity to look at the same thing with a different slant and explanation, which might uncover new learning.

Time Horizons

One of the things the paper first looks to discuss is the notion of time horizons in decision making which they break down into three contexts in which decisions must be made.

First is reactive, whereby the threat is known and imminent and there is high pressure to act. Second is adjustive, whereby the threat is known in general but the organisation still has time to adapt its position to react. Third is provident, whereby the nature of the threat is uncertain and the timescales are very long, which may lead to an unwillingness to act. I think most enterprise risk management frameworks pick this up as part of their likelihood thresholds and risk appetite, but this presents a different and useful way of explaining time constructs and decision-making.

Recovery as a Single State – Reductionist?

The paper also talked about how the concept of recovery is reductionist because it often considers only a single state variable, i.e. (for me) the recovery of a business. I guess ultimately one will know when one has recovered, as nothing seems to be on fire anymore and BAU resumes. However, the argument in this paper is that to achieve a view of recovery would require knowledge of the entire set of variables available, in order to be fully confident in the view of its own recovery. How confident are you that your organisation has that? I’d like to think most do?

Resilience Mechanisms

My favourite part of the article is the description of resilience mechanisms which are so simple it’s beautiful.

The paper covers mechanisms such as redundancy, for example, which most disaster recovery managers will be aware of more than anybody in terms of redundancy within data centres. But redundancy can be applied in many different scenarios. There is also a mechanism called diversity. The argument here is that by producing a range of different services, the diversity of your offering means it would still be available should just one service be impacted. I think a lot of modern commercial organisations apply that one. No one wants to be another Blockbuster!

Another good one in the paper is the mechanism of modularity, whereby one might decentralise so that, in the event one area is impacted, it will not affect the other areas and the rest of the business could continue. I suppose this is similar to diversity in a way, because diversity does break up your offering, just in a commercial way. I believe a number of international businesses do this with legal entities in different jurisdictions that essentially operate as individual organisations. There are others too, such as adaptability, where perhaps services could be re-combined to manage different disruptions. All very useful, but those were my favourites.

Redundancy. Modularity. Diversity. Adaptability.


So now that I’ve had that conversation with the engineer, done some Googling and I’ve read and tried to understand that article (in the context of my experience) – what now?

Well, first of all I will now always try to go back to the question of why we are doing this in the first place. Start with why.

Then I should probably apply some or all of the resilience mechanisms/fundamentals to what I’m designing, and in the context of the three different time horizons. This will help me categorise different controls that I could consider. So for a business continuity plan, for example, one question would be: what mechanisms am I using in this plan and in what time horizon am I going to deploy them? I feel like it adds a bit more science and rationale to it than simply writing a plan and then testing it.

I’ll also keep looking for resilience perspectives in different sectors and professions that will broaden my own understanding!

A letter to me…

Dear me… (and anyone else who reads an intro blog post).

You’ve always been enthusiastic about writing and you are often looking for the latest updates, research or news from the risk and resilience industry.

You spent the last 15 years googling the subject to death whilst studying and moving between jobs.

Most of the time you come across the same old recycled stuffy content and it just doesn’t fully go into your simple brain!

You’ve always been searching for a central place to log your thoughts. You’ve achieved this so far by blogging on LinkedIn, posting on other people’s channels, podcasts, webinars, white papers, etc. But never in one place just for your content.

You’ve posted over 50,000 words elsewhere devoted to sharing experiences and thoughts as a developing professional in the risk and resilience industry.

Whatever you are trying to interpret you always try to digest and regurgitate it from a very simple and honest place. People seem to like it and it really helps you learn.

Use this space to bring everything you’ve ever written or created into one place to give yourself and anyone else a one stop shop for content.

Let’s do this…