Being an Ally: Educate, Create, Celebrate, Challenge … and Repeat

“We view allyship as a strategic mechanism used by individuals to become collaborators, accomplices, and coconspirators who fight injustice and promote equity in the workplace through supportive personal relationships and public acts of sponsorship and advocacy” 

Harvard Business Review 2020  

As a father to my little girl, a husband to my kick-ass professional wife, and a colleague to countless amazing females in my network, who are killing it out there right now, I was honoured to be invited to a recent webinar session to talk about being and ally. 

Many will already know I currently sit on the Business Continuity Institute’s Global Board of Directors, as a member representative. It is therefore vital that with this platform I find opportunities to support and represent these important discussions. 

Start With an Apology… 

As a white male, I can’t deny that my privilege has certainly had a significant contribution to the direction of my career. It’s only recently that I have become far more aware of the dominant culture that I have benefited from for many years. I’ve also become aware of how dangerously ignorant I once was!

I can’t honestly represent my current values in this post without acknowledging (and apologising) for the views I once ignorantly held before. So here goes…

There is a conversation which circulates in my mind regularly from a very long time ago, which on reflection, I am incredibly ashamed of. However, I think it’s very important to remind myself of just how much a perception can change with awareness and experience. It also demonstrates how dangerous that an uneducated view can be!

Disclaimer! What I’m about to say does not reflect how I feel now. I was young and very ignorant to a lot of things back then.

The Dangers of Ignorance in a Dominant Culture

Fresh out of university and at work I was speaking to one of my fellow graduates who now worked for the same company as me in our first role. We are talking about where we would like to take our careers and she remarked on how she would like to also plan for a family one day. I remember at the time I said: 

“I can’t understand how it could be fair that two people from the same university, with the same degree and the same grade go to work for the same company for five years, and in that time the female could potentially have two or three babies and may only work for two or so years. Yet, on her CV, she would have five years’ experience and it would be fair game for her to apply for the same jobs that I’ve worked longer for. This feels incredibly unfair…”

Me a long time ago… (sorry)

*Facepalm*I know, right? I sigh as I write this…

What was I thinking?!? I can’t believe for a second that this was ever my opinion and I’m embarrassed on a regular basis when I think back to that coming out of my mouth. However, at the time it felt like a very natural opinion to me. I wasn’t even close to being aware of just how unbalanced the game really was (and also in my favour). 

If you haven’t already, go out and buy the Gill Whitty-Collins Book “Why Men Win At Work” book… 

“…ask a goldfish in a bowl – how’s the water? They’ll say what water?” Those who are part of a dominant culture are unlikely to see that it even exists”

Gill Whitty Collins

This book, combined with what I now regularly witness, has broken the glass of my fishbowl! Now I see it, it’s everywhere. 

I think one of the reasons I share my honest example is because it demonstrates how easy it is to not see the full picture and therefore miss out on the opportunity to help. Even an individual, who is part of the dominant culture, but perceives themselves to be a good person and with the right values, can still get it incredibly wrong! We are all learning.

This is exactly why we need to keep having conversations. 

Webinar Answers and More

I was recently invited to be on a panel discussion that was put together by Women in Resilience (WIR). This is a global volunteer group of individuals that devote their time to providing a platform for equality in the workplace and spotlight women who work in resilience. A profession that still remains to be male dominated. 

I couldn’t help myself but blog the answers to some of the questions posed to me ahead of the ally webinar. In the spirit of sharing and growing together, please take a look at the types of answers/advice that I provided and some of the resources that I point to.

What should women look for when choosing a male sponsor? 

I think some of the considerations for a sponsor are the same as those when choosing a mentor. I actually touched on this partly via a blog I did on mentoring when I referred to a Forbes article about female mentorship.  

Some people might disagree, but I believe that you need to have some similarities and shared values with those that you’re hoping to sponsor you. This can make the whole process a lot easier and mutually beneficial (because they believe in the same things you believe in). In terms of looking for a male sponsor, I think actions speak louder than words. So, I would be asking myself these questions: 

  • Have you experienced or witnessed the individual take positive action to support equality in the workplace?  
  • Alternatively, have you experienced or witnessed examples of where the individual has not taken action where it could have been possible? 
  • Do you believe the individual shares a similar pattern of values to the ones that you hold?
  • Does the individual have your best interests at heart? 

When I talk about taking, or not taking positive action, it can take the form of many different things; from subtle intervention during meetings, to the open support of female colleagues both inside and outside the organisation. It could also be active mentoring or reverse mentoring with female professionals. The individual might also openly share content on related topics and issues to help generate awareness. 

There are plenty of ways to see whether an individual could be the ideal sponsor for you. Of course, you’ll have to cross reference that with exactly what it is that you want and the value systems that you hold, as well as where you want to take your career. 

If you haven’t seen this already, I highly suggest taking 10 minutes out of your day to watch Carla Harris in her TED talk about how to find the person who can help you get ahead at work. First of all, Carla is a senior Managing Director at Morgan Stanley and, in my opinion, is a shining icon for men and women everywhere. I highly recommend you look at her talks.  In this clip, she talks about the “a-ha” moment during the round table performance evaluations.  The meritocracy i.e. get your head down and work hard is a myth and  what you really need is someone to speak for you i.e. somebody supporting you on your behalf and in your favour = a sponsor. 

What advice would you give men looking to become a sponsor? 

It’s simple to me. To be a sponsor, you need to publicly and openly create visibility for the individual, find opportunities for them to succeed and support their successes.  

There’s a really good article in the Rutgers Business Review which breaks what you need to do and down into loads of steps. However, at its highest level they advise that you need to: 

1) Be her raving fan  

2) Provide cover and share your social capital  

3) Nominate her for stretch opportunities  

Can’t be any simpler than that.  

One other piece of advice (or rather caution) is that you seriously need to consider whether you are going to proactively do exactly what the label suggests. I’m not talking about capacity; we will all do what we can and we have our limitations with time etc. I’m talking about calling yourself an ally or a sponsor and turn up to a webinar or a session then do nothing with it.   

Actions speak louder than words – are you really an ally?  

As an Ally, how do you appropriately call out Bias when you see it? And,  how have you overcome your own bias? 

I think calling out bias sounds so simple but from my experience has been one of the most challenging aspects of trying to be an ally. Not least because I’m still educating myself about the list of inappropriate things that happen in the workplace. These things can be so subtle and passive such as microaggressions that I previously didn’t even notice. So, the first hurdle is to notice, which sounds simple but it’s not because it comes with awareness.  

Secondly, the next challenge is knowing how to call out bias. It’s not about jumping across the table and defending a female’s honour and pinning someone down to the ground until they retract what they said or apologise. The fact is, inaction is action and by doing nothing, you are essentially saying that it’s okay to behave like this…and it’s not. Learning when to call out bias and in what way is an ongoing endeavour.  

I can’t be alone in this because there is so much stuff online available to help people like me understand the above two challenges. Harvard University offers a 4-page leaflet, which gives a really useful high-level guide about the things you need to think about. This guidance talks about two approaches known as calling in and calling out. The former relates to relationships in the workplace where you might be closer to the individual that might have acted inappropriately and you can take them to one side in a safe and trusted environment to both explain to them what you saw and ask them if they understood the consequences of their actions. The latter relates to a more urgent need to press the pause button and openly call someone out. The Harvard guidance also gives really practical steps about what to do when you are personally called out. 

Calling Out  

So, and a good example of calling out that I’ve used in the past and is slightly more subtle relates to when a male is presenting something that I am aware has been mostly worked on (or even owned) by a female colleague. I have muscle memory in this now because it’s happened so many times around me. If the individual presents information as if it were theirs and I know that to be different I will deliberately ask a benign question but precede it with a statement like: 

“Thanks for the briefing, I’m conscious X did the majority of the work in this space and has a lot of the background so this might be a question better answered by her but….” 

For those that aren’t particularly good with conflict management, this is often a good way to start influencing a room of people where your female colleagues aren’t being recognised. 

Calling In 

The best example I can give to calling in is a moment I recently experienced when preparing for a presentation with several individuals (2 men and 2 women). One of the other men took the time to write to me afterwards 1:1 to point out I was monopolising the conversation and was talking over our female colleagues. At the time I didn’t even realise that I was doing this. The fact that this guy took the time to explain that to me gave me pause for thought and I duly apologised to my female colleagues.  

What’s your experience with the gender pay gap? 

Most recently,  I took part in a compensation study that covered 39 different countries, for which in return I received a report of the analysis (coordinated by a prominent female professional in the business continuity industry, Cheyene Marling). In the report, it cited that in full time permanent positions women were on average paid 8% less than men and 26% less when a consultant/contractor. This research is from real professionals around the world both men and women and they’re being honest about how much they get paid. I fully trust the data in the report and I’m saddened to see the results. At the end of the day there really is no excuse for the pay gap. 

I have also had courtside seats to watch the smartest most capable woman that I’ve ever met face so many more challenges than me when it came to being paid what they’re worth. (FYI this is the woman I married and she’s 1000% the professional I am but I believe that my privilege helped make those conversations a hell of a lot easier for me than her.  

Final Thoughts (for now)

Look, in terms of calling out bias, some men will take their time to do the right thing. Firstly, they have to see it. Secondly, they have to make time to raise their own awareness. Thirdly, they have to get it wrong and be okay with the fact it’s a continued journey of learning. Finally, you need to develop and practise (regularly) methods to appropriately call in and call out male colleagues in the workplace.  

To me, the positive side of being an ally is easy. Be a cheerleader, create opportunities and share your social capital.  

Educate, Create, Celebrate, Challenge … and Repeat

IT Risk – Financial Services

A Reflective Piece – The Treasury Select Committee on IT failures within the financial services sector (2019)

The Treasury Select Committee launched a review into IT failures within the financial services sector in November 2018, with support from expert witnesses and contributors to gain a full view of operational resilience in the sector at that time. 

From a UK banking perspective and now sitting 2 years on, I found looking back on this review particularly fascinating because it centred the discussion on the key issues within financial services technology. It also forecasted some pretty accurate expectations for operational resilience.

I think this review shows just how long it can take to formulate discussions, prompt change within regulation and execute on that change within the organisations. That is one big oil tanker to turn around! 

The Paper

The paper provides an in-depth review and offers 55 conclusions back to the sector and UK regulators. Here are my summarised points below of what I have taken from the report:

  • The focus on operational resilience will probably continue. (It did)
  • PWC advised that organisations face the challenge of ageing legacy infrastructure that is hard to maintain, expensive and risky to replace (TSB being a great example there…).
  • Outages in the financial services sector are becoming more frequent and publicized and the number of incidents reported to the FCA has increased by 187% in the past year.
  • The lack of consistent and accurate recording of data on operational incidents is concerning.
  • Poor change management is one of the primary causes of IT failures. 
  • The cloud service provider market stood out as a source of concentration risk during the enquiry.
  • Firms cannot use third-party failures as an excuse for when incidents occur. Regulators are not observing a good standard of management of third parties by regulated firms and they should amend, as appropriate, their rules or guidance to prompt an improvement.
  • Firms are trying to work out how operational resilience fits in with some of the other requirements as regulators already have an operational continuity.
  • The senior managers regime does not apply to financial market infrastructure, for example payment systems, which need to be included within the scope of resilience.
  • The TSC and regulators need to prioritise publication of the final policy and guidance. In responding to this report the regulators should set out their upcoming timetable for publication. (They did)
  • Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but to also to focus the attention of senior management on the risk of incidence and incident management. 

Crystal Ball or what?

It is as encouraging as it is frightening to see that some of the observations and recommendations from this report have fully taken flight since it’s publication. It’s almost as if the collective insight had a crystal ball or something! hmmm.

Of course there is no crystal ball but rather an accumulation of incidents or near misses that encourage the industry (and it’s regulators and government) to take a closer look at this space. I know none of these things happen by accident. The very fact that the government are sat around in London with all of these expert guest witnesses and consultants is very telling. This review comes off the back of a series of IT failures and denial of services to customers within the UK retail banking sector. The collective insight has set the direction of travel and the reported observations and recommendations have progressed on significantly since this point (in my opinion).

Ain’t no party like a Third Party

The emergence of third party governance and oversight as a significant risk has featured as a key point in the post-mortem of many failures internationally and cross-sector. The need to do business with an organisation to achieve a commercial or strategic goal (often at pace) can, and has, won in the face of risk that can eventually manifest into a reality. There are a number of case studies out there that already exist, where you will see there is often a third party that creates a weakness in the operation and from which an incident subsequently occurs. 

If you look at data breaches for example you only have to do a quick Google to see how many major organisations around the world have been impacted by a third party vulnerability which has led to a major data security breach. Here is an example

I wonder if the major increase in the number of reported incidents to the regulator has anything to do with organisations moving towards cloud services / third party relationships?

The Regulators Produced

Maybe those writing this report secretly knew that the timelines for operational resilience within UK financial services were already set?  I say this because the March 2022 deadline to deliver on the new requirements was quickly put in place shortly after this review. Nevertheless, the time was set out and the UK financial services have devoted a significant degree of attention to what this new regulation might mean and how to address it within their respective organisations. This includes; the identification of key business services; the defining of tolerance thresholds; and the development of severe but plausible scenarios for which those tolerances can be tested against. 

One of the other things that I’ve seen debated in the last couple of years within the business continuity space is – how does all this hang together? Many professionals are trying to ascertain exactly what content they can leverage from what they already have against the new stuff. 

Final Remarks

I personally take great comfort in looking back on this review and seeing the direction that the UK financial services has taken. Several years ago, when operational resilience was being  debated, it was very difficult to see what would change within the current risk framework and what methodology would be born out of this requirement. However, now you can certainly tell there is a high-level methodology that can be used as a guide to proportionately implement something into your organisation.

I guess the million-dollar question is whether in 10-years time will we see a change in the level of reported incidents in a more positive way compared to the 187% increase flagged in this review? I’d hate to see all this good work go to waste!

Looking for a Mentor

We all need role models to help get us through the challenges we face in the workplace and during our career. It’s finding someone who shares similar values to you and who you believe cares enough about your career. That is the challenge.

Finding mentors is easy. Finding the right mentor is harder. In the beginning of my career I really struggled to find the right people. Fast forward over 10 years and I now have loads of mentors. Mostly by accident and not in the way I expected.

I think there are a few things to consider.

Where to Start?

I’d say Ferris Buller was probably my first mentor as a child so that meme is a nod to that amazing film!

There’s an article in Forbes about the importance of female mentorship which is a topic in its own right but the message about mentoring and how to find one can also be applied more generally. If you’re looking for advice on how to find a mentor and why it’s important then that is definitely a good place to start.

There are also a number of mentoring programs across the resilience landscape to name a couple:

The Business Continuity Institute Mentoring Program

ISACA Mentor Program

Of course many businesses now have programs internally and your old university (if you went) might operate one as well with alumni. At least it’s a few places to start looking at anyway.

Manage your Expectations

I’ve spent the earliest part of my career looking for someone I could shadow, who I could take time to learn from and develop to become the best professional I could be. Looking back it’s been quite the romantic idea. Probably best to manage your expectations on what you should expect from a mentor.

For example, in the early days the most notable advice I have received from my mentors typically took the form of:

“Always look busy”

“Always know more than the person in front of you”

On reflection, not the golden nuggets of wisdom I was initially expecting. I guess this wasn’t bad advice. It is important to be prepared for any meeting and it is important to have a professional presence, which might for some include “looking busy”. However, at the time of receiving that advice I had this idealised view of “the experienced professional”. In the end most of the off-record advice I got just felt like everyone was simply blagging it. I quickly became disillusioned and frustrated because it didn’t align with my rose tinted glasses!

I initially found it difficult to find a mentor who I perceived wasn’t appearing to “fake it”. People who appeared to put on this professional, busy-body front (something I’ll be the first to admit I cannot do despite my best efforts) but actually often there is very little depth to what they are doing or saying. Talk about high expectations eh? I was so naïve!

The reality is imposter syndrome is a thing and by definition people are often pretending to perform and behave in a way that they believe they are not. Also “fake it ’till you make it” is a widely used quote as well. I’ve come to learn that there is definitely a corporate dance under the banner of “professionalism” that one needs to learn. However, starting out I felt a little let down by the gained wisdom of my experienced peers. On reflection I don’t think that was a fair judgement.

Mentor Alignment

As the earlier Forbes article actually points out, it is crucial that your chosen mentors who have similarities to you and your shared values. Otherwise, like any relationship, it doesn’t work out and you might become disheartened.

My first mentor was really great and good with personal challenges but not so hot on the professional practice guidance. They were considered a subject matter expert in their area at the time. When I was asked to develop a policy their exact words to me were:

“Here is a colleagues’ policy from another company – just change the name of the company to yours and you’re good to go”.

I felt really let down at the time but I learned a valuable lesson – a good person doesn’t equal good professional.

My next mentor followed a similar theme. They were very friendly and supportive. However, they seemed to get away with saying the right things at meetings and then making the right excuses for regularly not producing. I found this very frustrating because the energy and focus was all on appearance.

Once again – I walked away from that relationship feeling disappointed because our approach to work at that time did not align at all.

Both of my examples were mentors within my own departments which were often quite small and that might have perhaps been too close for comfort. Also in hindsight I had too higher expectations as to what they might bring to the table for me (based on my own expectations). On reflection their is undoubtedly an element of “political manoeuvrability” required when you have competing deadlines.

The reality is you shouldn’t expect too much from your mentor but also make sure they align to how you operate and match your values.

Advice is a Buffet – Take your Pick

Baz Luhrmann said:

“Be careful whose advice you buy, but, be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than it’s worth.”

I believe one of the greatest balancing acts to achieve with having a mentor (I have admit I’ve gotten it wrong once or twice) is to only take the best bits of insight and guidance on offer from the mentor. Take an honest look at your abilities and skills and any gaps you feel you might have but do not underestimate your own judgement!

Some advice can be bad advice – pick what works for you

No One-Size Mentoring

By which I mean no one size fits all. There are far too many variables when considering different individuals with different needs, career aspirations, rates of development, availability of time etc. So I guarantee your experience will be different to mine. I guess I initially expected a very structured formal kind of interview situation held on a regular basis. However, I now know that mentoring can be much more relaxed and received as-required. You may not need to be mentored all the time but only when you reach those difficult challenges. For example, when working on a task that you have no experience in or perhaps you’re at a career crossroads and you need to know what options are available. As we all know these experiences are sporadic so we deal with them as they arise and they simply won’t fit in to the second Tuesday of every month with the same person.

A Few Summary Thoughts

You might want to consider when looking at prospective mentors:

  1. Someone with shared values and approach
  2. Consider mentors in other departments or organisations for a different perspective and to avoid being too close!
  3. Pick out the best bits of advice that work for you
  4. Look at your career path – Is the advice you’re receiving going to be of any value with your desired career path?
  5. Look at their career path – take a moment to consider what has motivated the individual in their career.
  6. Believe in you own feedback! – Self-Awareness is the very moment you no longer exclusively rely on the feedback and assessments of others, and begin to trust the candid assessments of your own performance. That doesn’t mean to say you should ignore sensible guidance! The resilience industry is so diverse and there is a lot to learn from those individuals who have genuinely seen and done things.

Reflecting on IT Risk

A Reflective Piece – A look at an independent review of the TSB IT platform migration incident back in April 2018

Slaughter and May’s report on the TSB failure was published in October 2019 and provides an independent review before, during and after events of the failed IT migration.  For those that don’t know, this is a UK retail  bank that provided customers with current accounts, loans, mortgages etc. This incident was widely reported in the UK press and placed under a high-degree of scrutiny by UK regulators and government.

I don’t claim to know much more about this failure other than news clippings and what features in this report. However, I do find the observations contained within their review to be really interesting from a risk and resilience perspective. There are multiple themes contained within their findings which now feature as key areas for development across the risk management landscape. I think this serves as a useful case study to justify some of the work done in our space.

Anyway, here is a summary of what I read and my high-level thoughts/notes on this report.

The Report

It’s 262 pages containing 23 chapters broken up into 3 main sections –  wow! 

  1. Acquisition by Sabadell subsidiary SABIS and the mobilisation of the TSB IT  transformation 
  2. Execution of transformation and it’s delay
  3. Re-plan exercise, go live and subsequent events

The first 10-pages provides a very useful executive summary.

The Event

Circa 5 million TSB customers were to be migrated to the SABIS platform on the 22nd of April 2018 when it became unstable and almost unusable. This event generated 10 times the usual complaints and 70 times the amount of opportunistic fraud cases. 

Imagine being a trader requiring cash flow, or a member of the public trying to pay a last minute bill, which if they don’t puts them into more debt. Or, imagine a vulnerable customer who is trying to access their cash to buy their dinner for that night. I imagine this to be a particularly stressful scenario for the customer if they are denied access to their account and cash.

The  Report Observations (As far as I can see)

  • TSB inherited a legacy IT platform from their relationship with the Lloyds Banking Group which was then required to migrate over to an entirely new IT banking platform.
  • Following the acquisition of TSB, an ambitious and unrealistic go-live date was initially set for 17 months without detailed knowledge of technical requirements. Functional testing overran by 10 months from the plan, meaning non-functional testing only started at the point of the previous go-live date.
  • The board did not question why TSB would be “migration ready” 4-months after the previous go-live date, even with project streams still delayed by as much as 7 months! Furthermore, they announce the re-plan date publicly!
  • To meet new target dates,  performance testing targets were reduced. Reporting on non-functional testing and outstanding defects were also limited and inaccurate.
  • Limited third party governance was undertaken due to the nature of the relationship between SABIS and TSB akin to an intragroup set up.
  • Inadequate risk oversight and audit without robust independent opinion.  
  • This was a migration of the functionality and data of an entire bank to an almost entirely new IT platform and over a single weekend was very risky. According to the report, the board did not request or receive any advice on risks or the full range of implementation options.
  • A small piloted series of early cutovers representing small parts of the bank was the organisation’s approach to de-risk. Other protection such as being insulated from cost overruns and exit options were in place which reduced the risk of failure of a single migration.

I’m glad that case studies such as this exist for the risk and resilience community because it provides a real life example of what could go wrong. It also enables us to point to an example that supports the case for a effective risk management and governance (however dull and time-consuming it may appear to the management!).

Are we the storytellers?

I guess the obvious thing that springs to mind when reflecting on the observation  is that the board actually didn’t receive all the right information. Having seen this in another example before, where a hospital board we’re not aware of the lack of resources and training within a particularly  critical department. That organisation, at the same time, were experiencing a significant increase in mortality rates but no one put the two together for leadership. These are different scenarios but the point is the same –  if leadership don’t know, then what are they supposed to do about it?

Many mature complex organizations typically have a very comprehensive board assurance framework, where leaders are informed by huge decks of information on a monthly basis about risk stuff. It would be naïve of us to truly believe that they read and understand every slide in every deck. Moreover, we could never expect them to challenge missing information. It is incumbent on the risk and resilience professionals to find the most effective way to communicate the greatest risks to the organisation, regardless of what is in the standard reporting deck. Get your storytelling hats on folks and make the risk meaningful to the management because if they don’t get it  they won’t see it.

Is change the root of all risk? And do we need to communicate the upside?

I know it’s not the root of all risk but sometimes it does feel like most major and emerging risks (whether realised or not) derive from some form of change to the business. This case study represents a major technology change of which the risk was substantial. Therefore, one might suggest that any effective risk management program should include change management controls in every area possible within the business landscape because this could well be the Achilles heel for the organisation. Having worked in transformation programmes, any stage gate that requires approval or assurance before moving onto the next step is often perceived as a “blocker” or a hindrance to the progress of a project. This can sometimes create quite sensitive and difficult discussions. My experience so far is that opportunity wins against the risk on almost all occasions. This to begin with felt wrong and counterintuitive to my studies and learning thus far but I have now embraced the additional perspective which captures the opportunities of risk against the cost of doing business. I think this is a crucial part of the risk managers mindset as we balance the message to management about the risks being presented to the organisation.

Are organisations becoming just a brand that’s operated by Third Parties?

Third party due diligence and oversight has become a popular theme in recent years.  For example, the European Banking Authority released new guidelines in 2019 which went into great detail about how to manage the third parties operating within the financial  services arena.  The example above is a UK bank and it’s entire IT platform is moving to another organisation (albeit intragroup). The modern-day organisation often adopts a cloud-first strategy and choses to work with products and services are offered via SAAS solutions. It’s starting to look a lot like the organisation itself is nothing more than a brand with a thin veneer of operating management / relationship managers overseeing a vast array of third-party providers.  Is the traditional organisation dead? I did bring this up to a very experienced supply chain manager not too long ago and apparently for some organisations in some sectors this has been commonplace from as far back as the 90s. I wasn’t aware of this in financial services. Although I can certainly see this as the direction of travel. Risk and resilience practitioners may need to factor this into their  mindset when assessing a risk to the business.

Final Remarks

Using case study examples was a good for learning at university as it is for ongoing professional development. There is no denying that a lot appears to have gone wrong with the TSB example. The positive news is that they survived as an organisation, people kept their jobs and folks got their money – eventually.

I believe we are the storytellers. I believe we need to find the most effective way to communicate risk to the leadership. It needs to mean something for them to empower them to make the right decisions.

Mental Health in a Continuity and Resilience Role

When the Continuity Pro … Can’t Continue

*remarkably within 7 hours of posting this I got people who have never shared a view of anything I’ve written dive in with feedback.

* I am not a mental health professional. This is just my experience of a heavily redacted article

Continuity and resilience professionals are often found at the centre of crisis response and are considered to be the pragmatic, sensible support at all times. But what if they are struggling as well?

“Mental health conditions are increasing worldwide… there has been a 13% rise in mental health conditions and substance use disorders in the last decade (to 2017).”

World Health Organisation

Mental health and wellbeing (even since this stat in 2017) is now more than ever at the forefront of every corporate response to their employees when addressing the recent response to COVID-19. Just to get to this point, most organisations have required an incident response team to navigate through the unknowns and unanticipated challenges of this year multi-year incident.

Shhhhhhh I’m “Okay”

In late 2021, there was a small survey conducted across a number of continuity and resilience professionals that reveals a high degree of mental health issues, such as anxiety. This is the first set of survey results I have seen with this kind of data from our community. I think that in itself paints a concerning culture of not often talking about it.

More often than not, continuity and resilience professionals have found themselves at the centre of their organisation’s response to the pandemic and continue to be so even 18+ months on. As a current member of the Global Board of Directors at the BCI, a number of people have approached me to tell me about their mental health and how it is often not discussed because of the nature of their role.

Any professional having experienced a true business disruption will attest to the fact that incidents can cause stress and trauma to those responding. My question is:

As a professional community, do we do enough to recognise the importance of mental health and wellbeing and the psychological challenge of a live incident? And what happens if the continuity pro can’t continue?

Disclaimer – I had to seriously pull back on the personal content from this article because the people close to me who I shared drafts with (who work in our professional community) told me it would leave me vulnerable and people may use it against me! I think that tells you all you need to know about some of the active folks in our community…

But anyway, it’s not going to stop me sharing the core of the article. Here is the edited version….

Perspectives on Mental Health

I would consider myself a lifelong sympathiser of those struggling with mental health having supported people close to me.

However, I can’t begin to fully understand and appreciate what people are going through. With mental health, you have the person experiencing the issue, which is entirely specific to the individual. No one can ever fully appreciate something so intangible as the thoughts and feelings of another person. But then there’s also parents, partners, siblings, children and friends, who have first-row seats but still don’t fully get it. It’s so unique to the individual and that needs to be appreciated.

It’s not like they have a broken leg with a cast or a virus that has them coughing and sneezing in bed. You can’t see this person’s illness or injury in the same way. This makes it harder to understand and empathise. Some loved ones might be quick to disregard it as being weak or using it as an excuse to not be “getting on with it”.

You can’t always see it and touch it but that doesn’t mean it isn’t there AND don’t begin to think you understand what the person is going through. Just support them.

Therapy – Not so straight forward

I always thought of therapy in that classic scene of someone lying on the couch talking about their childhood to a nodding doctor. I always thought you’d leave having emptied your thoughts and the doctor would give you some pearl of wisdom and you’ll be fixed for the experience. However, when I first experienced therapy, I discovered this is not the case at all.

For starters, COVID has led to everything being so virtual. Soo many people’s sessions are via video conference. For me this presented its own challenges of finding a private space and having good Wi-Fi!

Secondly, therapy is difficult. It is emotionally exhausting to talk a stranger through your thoughts and memories. Before every session I felt a build-up of anxiety as I prepared to pour out more of what was in my mind.

Thirdly, I wasn’t ready for the way I would be spoken to and the questions I would be asked. My therapist was nice and supportive, but they had a way of picking out key points and diving into uncomfortable territory. It isn’t all nice voices telling you everything is alright. If you do this you need to be prepared for some difficult conversations.

Finally, the last thing that struck me about therapy is just how much effort you have to put in yourself to truly get anything out of it. I found it to be hard work but in a worthwhile way, similar to the gym. You can’t just say everything out loud to a stranger and be better for the experience. The process requires commitment and self-investment to get to a point where you may need to make some brave decisions about the future and then see them through.

Finding the Strength to be Weak

I’ve never stopped before COVID. It has always felt better just to get my head down and get on with it. It’s in the nature of what I’ve studied and worked at for years. You work through a crisis. I have personally discovered that in order to be vulnerable, to feel weak, you have to find strength. For example:

  • Strength to acknowledge what could be perceived as weakness in front of family, friends, colleagues and yourself
  • Strength to let go of your responsibilities at work and let the work sweep away (and possibly feel like a failure for doing so)
  • Strength to deal with whatever was happening to you head on and organise you own recovery (including the admin!)
  • Strength to handle difficult thoughts and conversations in therapy to work through any issues

Finally, the strength to eventually go back to working life. However, once you stop the clock to find support, the prospect of getting “back on the horse” of one’s career might seem frightening. Will you ever be as confident? What if this happens again? It must take so must strength to go through this.

Writing a Mental Health Continuity Plan

I’ve spent years helping to write continuity, crisis and incident management plans for organisations. I’ve even been involved in responding to crisis, such as fuel shortages, possible terrorist threats, flu pandemic, mass evacuations, etc. In all of that planning and responding, I’ve never once thought about needing a plan for myself and my mental health. Then I recently thought “what happens if I have an “incident”, like an internal crisis or breakdown? What do I do then?”.

I started to think that maybe I should try to write a mental health continuity plan. I like writing. It’s helps me to remember. It helps me to understand and better explain things to myself.

Plans have structure and direction and give those who use them confidence so why should this be any different? I decided to work through my own a mental health continuity plan.

Another Disclaimer! Everyone’s plan will be different but this was my 3-step approach and the inherent challenges.

Step 1 – Identify the Triggers

Find out exactly what triggers the emotions and behaviours. Use the opportunity to increase your own self-awareness. Get them really clear in your mind. Write them down. You can’t respond to them in a managed way if you aren’t completely clear on what they are and why they are there.

Challenge with Step 1: Let’s Be Clear…

Trying to find a way to clearly express or explain the issue is hard! If you can’t explain it to yourself or someone who might be supporting you, you may come across some challenges. This is easier said than done. One might find it difficult to articulate exactly what they are feeling. People express feelings in different ways.

Step 2 – Develop Strategies

Develop some early warning indicators for the thoughts and behaviours that you associate with the issues and also some coping mechanisms. This might also include relaxation techniques that you can deploy to reduce anxiety to help manage your emotional reaction. For example, one coping mechanism might involve introducing boundaries.

Challenge with Step 2: Setting Boundaries Vs Living a Boundary

Developing strategies for managing an emotion and behaviour on the face of it seems quite straight forward, doesn’t it? For example, emotion A occurs – do this, behaviour B arrives – do this. How hard can it be? Right?…

Setting healthy boundaries is particularly challenging. For example, any boundary set might impact someone or something else. A boundary is often likely to prompt some kind of change against the previous normality. For me, this has meant having difficult conversations, handling reactions to change from both myself and those around me, feelings of guilt etc. Setting a boundary and living a boundary are two very different things and the later takes bravery and commitment. Probably one of the hardest you might ever have to do as part of your ongoing recovery.

Step 3 – Ongoing Self-Care

Look after yourself. You’re useless to anyone, including yourself, if you can’t do that. Find time to decompress, eat well, take on water, exercise and get outside. Make sure to carve out time in your busy life to be kind to yourself and enjoy what is around you and what’s important.

Challenge with Step 3: Self-Care Realities

Being a father of 2 young children alongside both my partner and I working, sometimes self-care boiled down to whether we have the time to do the laundry or make a sandwich. A long way off hydration, meditation, relaxation, etc.

Everyone is busy and stressed out. I’m sure most adults forget to really take care of themselves physically and mentally (I know I often don’t).

I have learned that some of this is achieved by dealing with the step 2 challenge. Positive boundaries/decisions will carve out time and inclination to even begin to look at self-care.

In Summary

I’ve long felt that more could possibly be done in the professional community to discuss mental health. I hope by writing this that others may come forward with their thoughts and provide their advice and tips.

I’d like to conclude by repeating earlier points:

  • Mental health for continuity and resilience practitioners needs more attention.
  • Ideally the professional community should try to share more of these experiences.
  • Whilst planning techniques can assist to working through your experience, it’s definitely not that simple.


Resilience By Design

Two things have occurred to me recently as part of my ongoing journey to better educate myself on the ever- evolving concept of resilience.

Firstly, I got to share half an hour with a senior manager within one of my previous organisations who had recently taken up a lead position in resilience. The individual came from a seasoned engineering background but not specifically continuity and resilience. In our short conversation they were able to inspire me to try to look at resilience in different ways as often as I can to see what I could learn.

Secondly, I recently found a reference to an article in some notes being shared with me to a paper that was published in 2020 on the concepts, constructs, and mechanisms relating to resilience. It was academic and it didn’t apply to my usual financial services context but I really liked the way it helped me look at the same thing but in a different way.

Both the conversation and the article have proven to me that you can refresh your understanding of something by taking an alternative perspective.

Resilience Principles in Engineering

Okay, so the conversation with the engineer was pretty simple. This individual was able to talk me through an example to help me understand how in fact everything that they had been involved in throughout their career was founded on resilient principles and it was nothing new to them. They explained to me that product design and materials engineering within the automotive industry has to consider resilience themes from day one. Themes such as tolerance thresholds for their chosen materials and the ways in which they are being used before deciding on whether they should be included or not.

After this conversation I went straight to Google and came across a guy called Erik Hollnagle who is a published author on resilience concepts in engineering and he is quoted on this blog from the Resilience Engineers Association which provides a great background of how resilience is viewed via this perspective. It appears to be created as a contrast to safety management and offers some really useful basic principles for resilience and calls for constant evolution.

Resilience engineering must free itself from the frame of reference that might have been of some value ten years ago (yet even that is doubtful), but which surely will impede any further development.

Resilience Engineers Association – 2019

Change the Perspective

I have been reading so many articles and listening to so many podcasts (admittedly from my own professional community/sphere) that I never stopped to consider how the concept of resilience is applied in other ways.

Of course, the engineers are right and it sounds so obvious now I say it out loud. Those product designers and material engineers have to consider core components of resilience from the outset. Once they understand what they’re designing and who they’re designing it for and why, the next question is what materials are they going to use and how it will meet the needs of the design and purpose. For example, if I were to develop a 4×4 truck to off road, would the materials of that design have the same needs as perhaps the requirements of a Formula One racing car? I’m not an engineer but I’m guessing racing cars need lighter metals whereas trucks could allow for something stronger for durability. I’m also pretty confident the way in which they are designed will be different because they have entirely different objectives. Every decision about every material, design and build will have had to have considered beforehand just how resilient they want it to be.

I’ve heard the term resilient by design said quite a few times and I have never really appreciated the simplicity of it. I guess whenever I’ve taken to designing a business continuity plan for example, it’s always been about the ability to recover and respond to an incident but beyond that I don’t think I’ve ever applied the same approach by asking myself why am writing the plan in the first place? Obviously I know I’m writing the plan to detail how the business will respond and recover to a disruption but beyond that reason. Why is it even needed? That reminds me, I must read that book Start With Why. Maybe I need to do this more often in everything I do at work. All in the name of development eh?

The Resilience Trinity Approach

The article I stumbled on not only supported that I should try to find new ways to look at things differently, it also offered some pretty useful fundamental ideas to resilience. In summary, it proposes a thing called the Resilience Trinity and it was published in January 2020 and has about 30 authors. It uses ecosystem services such as water purification and wood production to provide examples of how their approach can be applied.

I should probably say that I am coming at this from a professional continuity and resilience practitioner perspective in financial services and this an academic article which is presenting itself in the context of ecosystem services. I am looking to apply this approach into my own context and will be henceforth commenting as such. Let me also say that nothing in this paper is radically groundbreaking but what excites me more about it is that it provides individuals with an opportunity to look at the same thing with a different slant and explanation which might uncover new learning.

Time Horizons

One of the things the paper first looks to discuss is the notion of time horizons in decision making which they break down into three contexts in which decisions must be made.

First is reactive, whereby the threat is known and imminent and there is a high pressure to act. Second is adjustive, whereby the threat is known in general but the organisation still has time to adapt their position to react, and third is provident, whereby the nature of the threat is uncertain and the timescales are very long which may lead to an unwillingness to act. I think most enterprise risk management frameworks pick this up as part of their likelihood thresholds and risk appetite but this presents a different and useful way of explaining time constructs and decision-making.

Recovery as a Single State – Reductionist?

The paper also talked about how the concept of recovery is reductionist because it only often considers a single state variable i.e (for me) the recovery of a business. I guess ultimately one will know when one’s recovered as nothing seems to be on fire anymore and BAU resumes. However, the argument in this paper is that to achieve a view of recovery it would require the knowledge of the entire set of variables available to be fully confident in the view of its own recovery. How confident are you that your organisation has that? I’d like to think most do?

Resilience Mechanisms

My favourite part of the article is the description of resilience mechanisms which are so simple it’s beautiful.

The paper covers mechanisms such as redundancy for example which most disaster recovery managers will be well aware of more than anybody in terms of redundancy within data centres. But redundancy can be applied in many different scenarios. There is also a mechanism called diversity. The argument here is that by producing a range of different services, the diversity of your offering would otherwise still be available should just one be impacted. I think a lot of modern commercial organisations apply that one. No one wants to be another blockbusters! Another good one in the paper is the mechanism of modularity whereby one might decentralise in the event one area is impacted it will not affect the other areas and of the business could continue. I suppose this is similar to diversity in a way because the diversity does break up your offering just in a commercial way. I believe a number of international businesses do this with legal entities in different jurisdictions that essentially operate as individual organisations. There are others to such as adaptability where perhaps services could be re-combined to manage different disruptions. All very useful but those were my favourites.

Redundancy. Modularity. Diversity. Adaptability.


So now that I’ve had that conversation with the engineer, done some Googling and I’ve read and tried to understand that article (in the context of my experience) – what now?

Well, first of all I will now always try to go back to the question of why we are doing this in the first place. Start with why.

Then I should probably apply some or all of the resilience mechanisms/ fundamentals to what I’m designing and in the context of the three different time horizons. This will help me categorise different controls that I could consider. So for a business continuity plan for example one question would be – what mechanisms am I using in this plan and in what time horizon am I going to deploy them? I feel like it adds a bit more science and rationale to it than simply just writing a plan then testing it.

I’ll also keep looking for resilience perspectives in different sectors and professions that will broaden my own understanding!

A letter to me…

Dear me… (and anyone else who reads an intro blog post).

You’ve always been enthusiastic about the writing and you are often looking for the latest updates, research or news from the risk and resilience industry.

You spent the last 15 years googling the subject to death whilst studying and moving between jobs.

Most of the time you come across the same old recycled stuffy content and it just doesn’t fully go into your simple brain!

You’ve always been searching for a central place to log your thoughts You’ve achieved this so far by blogging on LinkedIn, posting on other peoples channels, podcasts, webinars, white papers etc. But never in one place just for your content.

You’ve posted over 50,000 words elsewhere that’s devoted to sharing experiences and thoughts as a developing professional in the risk and resilience industry.

Whatever you are trying to interpret you always try to digest and regurgitate it from a very simple and honest place. People seem to like it and it really helps you learn.

Use this space to bring everything you’ve ever written or created into one place to give yourself and anyone else a one stop shop for content.

Let’s do this…