Monday, 26 May 2014

Information – Friend or Foe?

The Information Risk and Treatment Balancing Act
Information is both a risk and a resource when thinking about organisational resilience, including business continuity. There are plenty of examples of information losses that have caused major embarrassment, cost a considerable amount of money to resolve and resulted in a loss of trust as well as clients. These have included hacking and cyber attack problems, lost memory devices, leaving files on the train or selling off filing cabinets with records still in them.  They even involve being photographed on the way to an important meeting carrying a document the content of which can be easily read from the photographs. Organisations involved have ranged from small business to multi-nationals and public sector bodies. The nature of information as a risk is well publicised, as a result, even if after the fact of its loss. The assessment and treatment of information risks is perhaps less well understood in practice as such losses continue to occur. How well thought through is your information risk strategy? Do you fully understand the nature of this risk and have you treated it properly? No one wants to see his or her organisation’s reputation in the gutter due to the loss of sensitive information, be it commercial or personal.

Information is also a key resource when it comes to business recovery. Systems and processes are not useable if the information they require is not available in an accurate, up to date and workable form. Often it may take longer to get information, with proven integrity, loaded back onto a system than to recover the hardware itself. Perhaps this was the problem when it came to the interruption to bank account access experienced in the UK and Ireland in the recent past. The concept of the Recovery Point Objective, the time by which information must be recovered to meet the Recovery Time Objectives of critical processes, is well documented but perhaps less well implemented. If you haven’t gotten into the weeds on this one your recovery strategies may well not deliver as you had hoped. In addition some recovery strategies themselves introduce information risks that may not have existed before the business disruption that caused the strategies to be invoked. Take for example home working. How secure is sensitive or personal information, including emails, when this is your selected recovery option? It is not clear that all organisations have assessed this risk and put in place appropriate steps to treat it. The UK Information Commissioner has had recourse, for example, to fine an organisation in the past for information uploaded onto the web accidentally from a home computer during home working.

There is legislation to cover information risks with the potential for significant fines and websites that name and shame those found responsible for the loss of personal and sensitive information. Currently the EU is reviewing this legislative framework and the outcomes of this work could significantly strengthen the approach taken with those organisations that compromise such information. Planning for this issue isn’t just about what do to when information may be lost but includes a more careful analysis of what information you gather in the first place, how you store it, for how long you keep it, who you allow to access it and how it can be recovered in time. Added to this is the complication of where information ends up and how people actually access it, sometimes without organisations perhaps being aware. This covers issues as diverse as portable laptops, photocopier memory storage and Bring Your Own Devices (BYOD) such as phones or tablets. The scale of the problem can be considerable.

A key place to start is with an information policy. Such a policy could useful set out the principles by which information is to be governed, from initial collation to storage and use/sharing. It should also include destruction and disposal guidance that can be applied to information no longer of use or technology that is not required or obsolete. Such guidance should also cover the eventuality of the invocation of recovery strategies as well as how damaged or irreparable equipment that could hold information is to be safely managed. You can find out much more about this issue at the ICO’s website. Go have a look and educate yourself on this risk and resource.

Tuesday, 6 May 2014



When was the last time you were asked to define leadership?  Its the kind of thing we know what it feels like when its good or bad, but its hard (and maybe unnecessary) to define.  It might help to think of leadership as both a noun and verb; in other words its not just about what leaders do, its a phenomenon centred on interactions. Sometimes using these two lenses can be helpful, especially in challenging times.

Grappling with this concept I formed a view that there are three dimensions to leadership, namely the leader, their followers and the context(s) in which they are operating.  These three dimensions interact to produce 'leadership' (noun); when the leader and followers 'connect', working in tune with each other and with the context in which they find themselves, the result feels good and is effective.  When one dimension moves out of synch the whole suffers; leadership happens when all the dimensions align.  What then of the context of a crisis?  In Part 1 of this two part blog I'm going to briefly explore something of the art of followership in a crisis.


Leading commentators classify followers according to their level of engagement with the leader and with the organisation.  In 2008 Barbara Kellerman described four groups in her book "Followership": 
  • Bystanders observe but deliberately stand aside, offering tacit support for 'whoever and whatever constitutes the status quo.'  
  • Participants are engaged to varying degrees and will invest effort to 'try and have an impact.'
  • Activists 'feel strongly about their leaders' and will work hard for or against them. Very engaged.
  • Diehards are utterly dedicated to their perception of the leader and will give everything to act accordingly.
Followers wishing to have an impact ('the engaged') will use their engagement to actively support or undermine leaders; so from the leader's perspective followers may be good or bad, with positive or negative influences on 'leadership' (noun).

So What? 

So how might this rudimentary understanding help in relation to managing crisis?  I offer 5 points for consideration to add value to the quality of your followership in a crisis.

Crisis disrupts the balance.  By its very nature a crisis will disrupt the balance between the 3 dimensions of 'leadership'; its inevitable. This provides an additional challenge for leaders and followers alike. The context has changed and so may the roles and behaviours of everyone involved.  Adjustment from the norm will be required to re-synchronise the 3 dimensions; this doesn't constitute a free for all, but rather a concerted and well managed effort.  Its important for followers to understand these dynamics and react positively to enable meaningful progress in the early stages of a crisis.

Understand the context.  Different contexts require different types and speeds of action. The situation may require deference to experts, a degree of debate or just some quick decisions and action.  In the earliest stages of a crisis lengthy discussions to decide the optimal path are unlikely to help. Sometimes however, the situation (including a leader's behaviour), may require a more challenging approach from followers. Understanding the context and adjusting your followership behaviour accordingly are key.

Sometimes we lead, but all of us will follow sometimes. Part of understanding the context may also be recognising whether you are playing a leader's role or a follower's role.  As a C Suite Exec you may be in charge, or you may be following a designated CMT leader or perhaps deferring to a subject matter expert.  The same logic holds true throughout the organisation; where individuals may sometimes be leading, sometimes following. As a follower, its important to understand your role and recognise that this role may change throughout the crisis.

Stay in lane.  Its sometimes difficult for a 'day to day' leader to play a followers role.  As a follower who 'normally' leads, you may need to consciously suppress your desire to step in or to take over, especially in times of crisis; egos to the back, collective needs to the fore! 

Bystanders incubate crisis.  Prior to and during a crisis the less engaged followers will not say or do anything to change the status quo, no matter what they might really feel.  These followers incubate crisis.  By remaining silent or by failing to challenge leaders, crisis may be inevitable and some unchallenged decisions within a crisis may simply exacerbate the problem. Speaking up may be whats required, and recognising when its helpful to do so is vital.

So effective crisis management is also dependant upon effective followers who understand the context and adjust their behaviour and actions accordingly, recognising the need to play different roles accordingly, to maintain a balance with the leader and the context.  And similarly there are lessons for leaders, which will be explored in Part 2.