Mitigation is the second phase of the emergency management cycle. In short, mitigation covers protection and preparation.
To prepare for crisis and emergencies, organisations have only limited resources. Everything we do, every hour we spend on training, every staff member that’s revisiting emergency plans, is not put into customer satisfaction or growing our business. But as we see in the current crisis, a failure to plan for emergencies can push whole economies to their limits. Single companies suddenly rely on state support to simply survive. Even corporations which made huge profits in the past can quickly get into liquidity problems if cash flow suddenly dries up. Huge companies usually have the assets to cover costs. But you cannot pay your staff with your plant unless you sell your plant.
Profit vs. cash flow
Bear in mind: Most companies that fail do not fail because they were not profitable in the long run. But because they were unable to pay their bills at one point in time. The tighter you plan your liquidity, the more impact an event has that limits your cash flow. Not all emergencies have that impact. E.g., when an airline loses an aircraft, while being a financial and personal loss and devastating for all people involved, it usually does not impact ongoing business and bookings. Unless, of course, you lose several machines in a row because your new system is failing. But even that is more likely to impact the builder of the aircraft than the airline using the aircraft, as Boeing is currently learning painfully.
So, after we assessed the risks your business faces and have evaluated their probability and impact, we need to take a look at each risk in turn and decide how to react to it. We usually focus on highly likely events with massive impact on our business, ignore unlikely events with minimal impact and need a strategy as to how to handle high probability / low impact events as well as low probability / high impact.
Adapt mitigation to risk assessment
The former may add up and impact profit, culture, and reputation while being easy to handle as long as they occur individually. But the latter are often really difficult to address within organisations, as those responsible for allocating resources are oftentimes concerned with more pressing or more likely scenarios. It’s a matter of stakeholder involvement, safety culture, good data, and communication skills to raise awareness for the improbable disaster that can destroy the company if not addressed properly.
But let’s also be fair: Everybody has to make up their own minds as to how much unsafety they can stand. Which risk to accept, above what is legally required, is your choice, given limited resources for emergency planning and preparedness.
However, once we identified the risks our organisation faces and have developed an idea about their likelihood and impact, we now turn to each risk separately to see what we can do about it. We call this phase of crisis and emergency management mitigation. In general, there are 5 ways to address risk in an organisation:
- Decrease likelihood
- Limit impact
Apparently, the first three are mutually exclusive. We can only ever eliminate or avoid a risk, or decrease its likelihood. If you have decreased the likelihood of, say, a cyber-attack, we would still consider ways to limit the impact should one occur nevertheless. And we still have to prepare and plan for an actual event. So, for most risks mitigation requires an integrated approach of decreasing likelihood, limiting impact and preparing for the event.
Are there ways to eliminate risks at all? This totally depends on the risk category, and how it combines with your business model and operations. E.g., you cannot eliminate natural hazards. If you live in an earthquake prone area, there you are.
Risks, however, that are associated with your business model and operations, or are more about perception than actual risk, can sometimes be eliminated. A typical example would be changing the legal form of a business to eliminate financial liability of the owner and thereby protecting their family.
Sometimes, business decisions create drama where it’s not necessary. One of our clients – in a project unrelated to our orginal job – chose to create a new parking space for their employees. Rather than being happy about having a parking space now, some members of staff were really unhappy, and what was originally a good intention now threatened the atmosphere in meetings and employee satisfaction. What had happened?
Perceived and actual risk
The new parking space was quite a bit further away from the entrances than the street where staff used to park. And the debate focused very much around that which sounded like staff being lazy or not appreciative. But after some digging from our side, some female employees mentioned a lack of light along the new way. Mainly in winter, they had to walk in darkness to reach their cars. And they were afraid of being attacked while out of sight.
In a situation like that it’s pointless to argue using facts: That darkness has never attacked somebody or that, statistically, a woman is much more likely to be attacked in her home rather than on the way to her car after work. You put up a lamppost and solve the problem of perceived risk and employees feeling not considered. As a side effect, you reduce the risk of accidents happening on the dark pathway.
The desire to avoid risk can pose a threat in itself. Namely, when it leads to you not taking necessary risks to grow and develop your business. If you don’t delegate to avoid the risk of being cheated upon or having a staff member make a huge mistake, you will stay a one woman show and thereby limit your potential. You may even work way too much and burn yourself out, jeopardising your health and wellbeing in the long run. Some risks are imminent in doing business and cannot be eliminated or avoided. But are there any risks to avoid at all?
Well, once a business is up and running, avoiding certain risks can be really difficult or impossible. But e.g. when you chose a new location for your business you could assess the environment, climate, and natural hazards in advance and take them into consideration before opening your plant or office. Maybe you want to avoid earthquake prone areas or areas that are flooded regularly with your brick and mortar business.
If your business model depends on you being available face to face, everything that negatively impacts your ability to work poses danger on your company. You can avoid that by either creating other products and services to limit your dependence on face to face work. Or you could hire staff who can jump in for you should you fall sick or need to care for a family member.
There are a million and one ways to decrease likelihood of an emergency in your company, totally depending on your organisation and the risks you identified. Most of all health & safety or compliance regulations are concerned with limiting threats for one stakeholder or another, usually our staff, customers, or investors. Sticking religiously to regulations is a minimum requirement when it comes to crisis and emergency management. Make sure you are familiar with all the relevant rules, everyone in your company knows and applies them, and you have skilled experts on your team where necessary.
I sometimes hear business owners complain about all the rules and regulations they have to abide by. And it can seem unfair when a small business owner has to stick to just the same rules as a corporation, but with much less (wo)manpower or money. Or when it’s the big corporations who seem to always pass when breaking the rules because of their financial and political prowess. If you want to change the rules, I suggest you go into politics. But as long as you are in business, chose the high road. And maybe find a niche where big corporations are not your competition.
As there are so many ways to limit the likelihood of an emergency or potential crisis, let’s go back to the initial example of a cyber-attack. Everybody who goes online can be the target of a cyber-attack. The Deutsche Telekom security department registers some 32.000 attacks. Per minute.
Mitigation of cyber risk
Amongst others, the danger of a cyber-attack includes stealing corporate or customer data, using data for fraud, or shutting down your facilities. While you should talk to an expert on cyber security if your infrastructure is specifically vulnerable or crucial, or when you think you have been hacked, there are some things everybody can do to protect themselves. The following list contains only a few ideas, and is not exclusive!
- Use different passwords for each service and account
- Do not save passwords in your browser, especially not on devices you carry around such as smartphones and laptops
- Decide whether you need separate networks for internal and external communications, processes or data
- Only give access to those who definitely need it
- Train your staff on IT security
- Use renowned online services that invest in their own infrastructure safety
- Update your software regularly
- Never share passwords
- Always use the current version of your security software
- Think twice whether something needs to be done online
- If you feel or get noticed that one of your accounts was hacked or your password got stolen, change your passwords using a safe device
We can do quite a bit to decrease the likelihood of a crisis occurring in our organisations. Several of those measures also help with the next point: limiting the impact of an event. If you make it harder to hack your network, chances are that you identify an attack much quicker. Hence, it causes less damage. Which is the ultimate goal of mitigation.
If we can neither entirely avoid or eliminate a risk nor decrease its probability so that it becomes practically irrelevant, we may still be able to limit the damage an event may pose. And again, different risk categories require different approaches to address them. An example of attempts to limit the impact of an event is earthquake engineering: creating buildings that can withstand earthquakes. It’s amazing what’s possible with modern technology and some creativity! Whether it’s bridges, skyscrapers or a house for a family, earthquake resistant buildings limit the impact of an earthquake where we have no influence on the actual event.
Modern production is just-in-time production. Interconnected via the internet, corporations buy what they need when they need it. Large warehouses become less and less the norm. But what if something interrupts the value chain? After the tsunami in Japan and subsequent emergency in the Fukushima nuclear plant, computer factories around the world had problems to buy processors. Japan had to cut production because of their energy situation, but they deliver processors for markets around the world.
How long are you able to produce should something hit your sourcing? Do you need to stock up on certain items?
Preparing for an event that we’d rather not experience is a crucial part of mitigation. It includes planning the response, identifying responsibilities, and allocating resources. It goes on with communicating with various stakeholders and training staff. Somebody has to monitor the environment for triggers to set the plan in motion, or new information to adapt plans. Next week, we are going to dig deeper into the idea and practice of preparedness.
Do you want to get deeper into planning for emergencies in your business? Check out our Disaster Preparation Intro course on Teachable. This 4-week online course will introduce you to the full emergency management cycle and help you start your planning process.
Of course we are also available for individual consulting projects or coaching calls. Let’s discuss what you need to do to mitigate risk in your organisation. We are here to help you kick drama out of your life and business!