Risk Management: Are You a Responder or Solver?
Issue 177, September 12, 2024
We were recently invited to sit in on a cybersecurity simulation at a cybertech conference. The simulation was staged as an interactive exercise between the experts and the audience. The expert panel was comprised of local, state and federal disaster relief experts, a US Congress representative, the military and a few private sector officials.
The simulation started with a cyberattack, not unlike those we see in movies, where online systems and communications channels are blocked in major US and European cities by a nefarious skill and bones logo incessantly blinking on every available screen. Then the situation escalated with two nuclear explosions in the Atlantic and Pacific Oceans, followed by the power grid takedown of a Caribbean nation and then a full shutdown of a major US West Coast city.
As each additional attack unfolded, the panel responded with what they would do to protect the areas and mobilize relief efforts. The conversation was fascinating, albeit unnerving, as to the depth of disruption a cyberattack can cause and how long it would take for world governments to actually coordinate with each other and respond.
As an observer, it occurred to us that the conversation was largely focused on responding, not solving the problem — more risk management than risk assessment. There was only a passing reference to coordination with intelligence agencies. But to us novices, it seemed the exercise missed the point in working to figure out who was behind the attacks and why. Maybe we’ve seen too many spy films, but a handy person to have on the panel would have been a Hollywood scriptwriter. There is always a story behind everything. After all, these attacks were happening for a reason, and it would seem that provoking the perpetrators to reveal themselves and present the ransom demand would have accelerated the schedule while the rest of the teams were distributing water, protecting our energy girds, linking up to satellite communications to bring us back online and mobilizing the military to keep peace and protect people as the shortages and lack of provisions increased.
Of course, you need both responders and solvers to manage a cyberattack.
Reaction vs Strategy
Most humans find reaction an easier approach to a crisis as it is often tactical, immediate and powered by adrenaline. Of course, reacting in this type of simulation has a strategy behind it; one must know the actions to take and in what sequence to result in the intended outcome. A cyberattack results in a cascade of fallout and the operations teams need to establish some form of normalcy or business/government continuity while the bigger problem is being solved.
There is another layer of complexity. We tend to struggle to manage more than one task at a time. So, we need to take a moment to step back and analyze the situation (ever so quickly) and identify the right steps to source the reason for the problem/crisis to determine if tackling the source would reduce further consequences.
We are in no way strategic cybersecurity experts, but it did occur to us that there is a distinct psychological and behavioral difference between responders and solvers. And the parallels to business were striking. How many times have you been involved in solving a problem within an organization and the team focused solely on responses to the issue? There are always lots of suggestions and recommended quick fixes to the problem at hand. But these are veneers covering a root problem that often goes unattended.
ICMI says “First responders restore the immediate health, safety, and security of workers and they also include a team of professionals who can keep the business operating through emergencies. Orders need to be shipped, employees paid, and calls need to be answered no matter what or when disaster strikes.” According to LifePlan, “Problem-solving in business relates to establishing processes that mitigate or remove obstacles currently preventing you from reaching strategic goals. These are typically complex issues that create a gap between actual results and your desired outcome.”
Role Players
Here’s a business example. An organization produces several annual global events. The team players are content, marketing, sales, operations, design, and webmaster. They are diligently doing their jobs. But they are operating in silo systems. As a result, they are responding to the work and challenges at hand independently. What has recently happened is that descriptions of the sessions, postings on the site and text for the agenda are all similar but different. The marketing director uncovered these discrepancies because she was responsible for producing the final materials for the event. No matter how hard she tried, she couldn’t get the teams to coordinate and collaborate to align their work.
This is a case of an effort to fix the problem as a responder, not as a solver. The issues in this case are systemic and division wide. It is an organizational dysfunction starting at the top with leadership that has created factions, not cohesive teams. If the teams had been organized in a way to enforce interaction and collaboration, the misalignment could have been avoided.
Organizational Dysfunction
The example may seem slightly trivial, but we believe it stands as a model for clarifying the roles of responders and solvers to avoid unnecessary disruptions, or worse, systems failures.
Autor Denney Denhard takes it a step further identifying Problem Raisers, Problem Solvers and Problematics. This hierarchy matches our observation of the simulation with the additional facet of problematics.
Denhard explains that “Problem raisers (responders) usually have the right intent, they want to raise pain points for themselves, for users or for clients.” This mindset wants to address and fix the immediate problem at hand. They are less interested in the long-term fix and are motivated to work around the problem to alleviate the situation.
Problem solvers on the other hand have a core systematic approach to identifying pain points, raising problems and offering solutions, according to Denhard. They are goal-oriented, not process-oriented. Denhard adds a layer of complexity with “empowered problem solvers who want to solve the puzzle; they see puzzles not problems. They have the ability to lead from the front and often act as the project manager and engineer of the fix. The fix is their energy source.”
With all these nuances of responders and solvers, there can often be interpersonal/professional friction. “The best problem solvers typically have growth mindsets and want to take it on as a learning curve and grow from the experience.” As a result, they can get frustrated and annoyed when problems aren’t fixed right away. They use logic more than emotion in solving a problem, which is methodical, strategic and impassionate. The responders are by nature operations-minded, working quickly and globally to step in and fix the immediate fallout of a problem.
Then there are the Problematics who “stand out; they are a negative bunch, and the likelihood is they have been burnt, and the pain points they raise have not been addressed in the way they have felt heard.” Problematics take things personally without the bias filter and use their own experiences as the benchmarks for any problem.
Simulation
We suggest that you stage your own simulations periodically to reveal where there are team disconnects and systemic dysfunctions. These exercises will reveal the responders, solvers and problematics as the simulation unfolds and becomes more complex. Knowing the roles team members play is crucial in understanding how they tackle a problem and contribute (or not) to the solution.
You could also impose a rule for each simulation: Ask the players to come up with two solutions. Denhard explains, “Two possible solutions, one the preferred to show how you landed with this solution and the second an alternative.” He recommends this approach because more senior leaders may be less aware of the problems because they are more removed from the action that first responders encounter.
We add a crucial dimension to the simulation: Come up with a timeline. In our observation of the cyberattack, by the time all the governments, agencies and private sectors coordinate, it may be too late. Timing and a sense of urgency are inseparable from the process of responding and solving a problem.
Team simulations are great exercises to prepare your organization for unexpected crises to make them manageable. If the pandemic taught us nothing else, we need to use foresight to anticipate future scenarios. Cyberattacks aside, there are more frequent, worrisome, less dramatic crises and problems that can derail an organization. And the solution is often hidden in plain sight. You may never be ready for a crisis, but you can be prepared.
Get “The Truth about Transformation”
The 2040 construct to change and transformation. What’s the biggest reason organizations fail? They don’t honor, respect, and acknowledge the human factor. We have compiled a playbook for organizations of all sizes to consider all the elements that comprise change and we have included some provocative case studies that illustrate how transformation can quickly derail.