In September 2008, seated in the back of a hot, noisy Chinook helicopter flying into Helmand Province in Afghanistan, where I was to take over as head of planning for the military and civilian operations for the entire province, I never envisaged that over 400 fighters had bypassed the outer bases of our ‘safe space’ and were ready to attack.
The military aim in Helmand at that time was to create a protected zone in which Afghan Government and USAID / DfID staff could work. The intention was to win the support of the local people and subsequently assist the Kabul government. Our predecessors had done a superlative job of fighting to establish this safe space and had set up a series of bases that acted as an outer defensive barrier to protect it.
Everything we did in planning and preparing for our deployment revolved around holding this protective barrier, improving the stability of the safe space and building on the success that had been achieved to that point. We believed that we knew exactly what we had to do and had considered what might go wrong, including attacks on one of the outer bases. We also considered what would happen if we weren’t able to bring sufficient government & civil aid to the safe space, leading to loss of support by the local populace, which would have been devastating.
My own base, at the headquarters, sat in the very centre of the protected zone. On the fourth day of the tour, before my force was fully in place, the 400 insurgents that had bypassed the outer bases began shelling us with rockets and mortars whilst their foot soldiers launched a coordinated ground attack.
How we coped with the situation and the actions we took to survive on that day is an interesting case study in crisis management. More importantly, it provides lessons from a business continuity perspective. How could we have improved foresight and identified the potential for disaster before it occurred? We were in the military. This is what we did for a living and yet we failed to identify a key threat to our business continuity.
Over the course of my military and business career, I have had a wide range of experiences related to business continuity, from working at the strategic level of government, to supporting global corporates, to being in a 4-man commando team deep in a combat area. In all of this eclectic life experience, I have observed one consistent trait: all organisations, regardless of sector, work with what they know, and rarely step back to challenge their understanding/model.
The tendency to focus on the familiar, rather than the unknown, is described with precision in ‘Bolt from the Blue: Navigating the world of corporate crises’ by Mike Pullen and John Brodie Donald. With a tongue-in-cheek reference to Donald Rumsfeld, Pullen and Donald capture the framework as follows:
The ‘known knowns’ are the issues that surround daily life in the organisation: cash flow, supplier agreements, marketing, salaries etc. They can be mapped out and managed and virtually everyone across the organisation is aware of them.
The ‘known unknowns’ are the standard purview of the business continuity experts: cyber threats, fire, flood, theft, loss of electricity or loss of use of the building etc. These are issues that the organisation is aware of, has a plan for, but cannot predict with any certainty when they might happen.
The ‘unknown unknowns’ are the classic lightning bolt. Nothing can help you specifically prepare for it. Nevertheless, a crisis management plan should be designed to cover for such an eventuality, because the need for response and preparedness remains, regardless of perpetrator.
My Helmand province experience sits in the fourth quadrant – what Pullen and Donald call the ‘unknown knowns’. These are elements that some people within the organisation are aware of but haven’t communicated. These unknown issues are a ticking time bomb which, in hindsight, could have been predicted and included in the business continuity plan. Whether through organisational culture, governance or turning a blind eye, they simply do not come to light until it is too late.
In Afghanistan, my organisation fell into this very trap. We focused on what was in place and predicted what we felt was likely to go wrong. Whilst we developed good contingency plans, we did not challenge the validity of the model we had been given, nor ask colleagues at all levels for their views.
We concentrated on preparing for what we knew and did not look to expose gaps in our knowledge. There were individuals who had become aware that the outer bases were not a solid barrier. In fact, the insurgents were able to bypass them in civilian clothing with no issues. There were also people who were concerned that the focus of combat power on the outer bases left a dangerous vacuum in the ‘safe space’, but their voices were not included in the planning.
The exercise that we used to challenge our thinking before we deployed to Helmand was a ‘business wargame’. Whilst this is a highly effective methodology for a comprehensive test of any issue, the mistake we made was to not include sufficient representation of individuals who were on the front line of the protected zone at the time. This meant that we were only testing our own understanding of the problem, instead of challenging the status quo and questioning the facts as they were presented.
I have seen and participated in Business Continuity exercises for a range of companies and organisations. They are invariably impressive in both extent and rigour, but only test the existing measures, i.e. how well do our current personnel entry procedures stand up to a penetration test, how can cyber criminals get around our current defences etc.
The parallels between this approach and the situation I faced in Afghanistan are striking. As businesses and organisations, we need to get away from preparing to deal with known problems and what we are used to, and instead take a step back. We need to challenge our Business Continuity Plans, using a wide range of individuals from across the organisation and those external to it. This makes it possible to understand how and why plans might not be ‘fit for purpose’. In doing this, planners move away from a templated fire/flood/terrorism response and instead identify the issues that are bespoke to the organisation, question the status quo and re-evaluate areas which need advanced preparation.
By drawing in the wider expertise of the whole organisation and questioning existing norms, two significant outcomes occur. The first is the improvement in the Business Continuity Plan, to ensure it is fit for purpose, not merely relying on a false sense of current thinking. The second (and arguably the more important factor) is that by drawing the wider members of the organisation into the identification of problems surrounding business continuity, internal advocates are created for business continuity and the channels for thinking of potential issues are broadened.
The key therefore is bringing about controlled challenge to our plans; being unafraid to pose difficult questions, to discuss their ramifications and how to mitigate the effects. Unless we step back and challenge the status quo, business continuity plans will remain unable to provide the ‘safe zone’ in which businesses are protected.