Design Your Organization to Withstand Future Disasters

Design Your Organization to Withstand Future Disasters

Author: Juliette Kayyem   |   Published by: c.2022 Harvard Business School Publishing Corp.

 

There’s a tremendous focus on leadership, communication, and planning in the business literature about crisis and disaster management. Security teams tend to be overly concerned about the technology and equipment needed to reduce physical and digital risks. But a fundamental structural gap often exists between crisis leadership and tactical planning; there’s a chasm between those in charge and those on the ground.

As companies prepare for crises, they often fail to step back and examine their organizational design. After spending years training and advising companies on disaster management and preparedness, I believe that poor structural organization is the reason many companies are ill-prepared for disasters.

Company leaders should focus less at first on training, protocols, leadership and communication and more on the company’s internal reporting and governance structure. In our era of recurring disasters, organizations must determine whether their management design is safe. It’s essential to address several design flaws before the next crisis starts. To design their company’s management structure to better respond to emergencies, leaders should focus on the following three areas:

 

Position

Companies rarely have security personnel placed in permanent leadership roles. Few boards of directors for public companies include any representatives from the security or cybersecurity sector. This is not merely a symbolic challenge: It signals to those security professionals that their skills or expertise aren’t integral to the company’s leadership. It can affect the capacity to guide budget and staffing priorities since these boards are in charge of dividing limited resources. If management doesn’t classify an issue as a priority, neither will their employees. Governance design must elevate security to show that it’s as integral to a company’s future as its bottom line.

Often, to compensate for these design flaws or appear more responsible to the outside world, many companies create what they call trust advisory boards. Companies will use the word “trust” because it sounds less intimidating than “security.” Experts and former government officials make up these boards, but the name (a euphemism) and place (outside the central organization) are telling. Trust advisory boards simply consult and give recommendations; they don’t have the power to demand action. Companies should take security architecture seriously and provide security personnel a seat at the table.

 

Access

No matter where the security personnel resides within an organization, I’ll often ask CEOs how often they meet with various members of their teams. Their responses are revealing. Many say they meet with the chief operating officer several times a day, the chief financial officer at least a few times a week and the general counsel if they must. As for the chief security officer or equivalent, the answer is often some variation of “Well, he’s a former FBI agent, so he knows what he’s doing.” This is the wrong answer. If it’s unacceptable for a CEO to delegate all financial or legal responsibility to others in the company, the same should be true for disaster preparation. A prepared CEO understands that how they focus their attention and demands informs what the company deems valuable.

In the security world, the capacity of the safety apparatus to have a say in business planning and priorities is called availability. Is the security team accessible when it matters the most? Many institutional leaders would say yes. But a complicated reporting structure — where safety personnel are distributed and report to different parts of the company’s management structure — minimizes the security team’s influence and capabilities. Treating security personnel as an afterthought by limiting their access to leadership is shortsighted and self-defeating. Instead, security efforts should be the connective tissue of a company.

There’s no one-size-fits-all architecture that can remedy this issue. Ideally, a senior head of safety or security would report directly to the CEO or a senior member of the leadership team. That security official would oversee all aspects of risk policy and guide budgets and personnel with support from the top. Security is too important an issue to bury at the bottom of an organizational chart or delegate to outside experts. If that’s not feasible given a company’s size or structure, the CEO and leadership team should ensure security is always represented in the budget and major business decisions.

It’s also essential that leaders are engaged when security teams request their presence at exercises or training. A monthly briefing is valuable, as risks often change. This kind of familiarity makes a leader comfortable in a space that’s key to their mission, even if they’re not the one purchasing online security software or designing safety gates around a building. The reality that nobody cares about safety until everybody cares should inform a leader’s accessibility.

 

Unity of Effort

These design changes aren’t simply about rearranging deck chairs on the Titanic. Design change should ensure that, when disaster strikes, the organization can minimize the consequences and reduce harm. And that can happen only if a company is designed for unity of effort in anticipation of the next problem.

After 9/11, many companies rightfully promoted or hired a chief security officer. Over the following decade, as companies were experiencing cyberattacks and vulnerabilities, a new leader arose: the chief information security officer. More recently, as a result of COVID-19, many major companies are hiring chief medical or health officers. This is commendable, but the effort means little without some level of connection among the different teams.

One solution is to appoint a chief of security or preparedness who oversees these efforts. Ultimately, a leader’s response will be essentially the same whether it’s an active shooter, earthquake, data breach or virus: Execute a plan, minimize the effects and lead the company to safety. With divided efforts, focuses and labor, executives are often placed in different reporting and management silos where they aren’t sharing ideas and plans. The problem is: However the ship goes down, the whole ship is going down.

 

In a time when disasters are inevitable, design is an essential aspect of organizational preparation. Before a company invests in the next cool new security product or appoints a fancy new advisory board, it should first examine its own architecture.

Share this post:

Smart Technology, Better Business

Partners in your
digital E-volution