How can those involved with the LGPS maximise the chances of predicting, and planning for, the next cyber-attack or pandemic-style event?
What links British Airways, LinkedIn, the NHS and Travelex? You guessed it, cyber-attacks. I would bet that cyber risk appeared on most, if not all, risk registers because it is a headline-hitting, movie-inspiring occurrence. Imagining being the victim of a cyber-attack is the only reason I don’t lose my mind when resetting a forgotten password for the umpteenth time.
What I wouldn’t bet on, is that pandemic risk appeared on a lot of risk registers before 2020, and yet there were hints. Bill Gates was talking about the lack of preparedness for epidemics in 2015, reportedly warning presidential candidates in 2016, and by 2018 he was predicting a pandemic.
No one wants to hit the headlines for a cyber-attack, or to be on the back foot when a big risk hits. Given the role of the LGPS in managing assets and data, employing people and providing services to members, we need processes to predict and plan for risks before they occur.
For some risks, such as investment and funding risks, we have sophisticated approaches, but how do we make sure we maximise our chances of predicting, and planning for, the next big pandemic-style event or cyber-attack?
No one wants to hit the headlines for a cyber-attack, or to be on the back foot when a big risk hits. Given the role of the LGPS in managing assets and data, employing people and providing services to members, we need processes to predict and plan for risks before they occur.
Room151’s LGPS Quarterly Webcast
February 23 2022
Online
Public sector delegates – register here
Predicting the next big thing
I remember when Mystic Meg used to appear on the National Lottery Live show and tried to predict the characteristics of the winner to be. I can’t remember how often she got it right, but some time spent googling while writing this blog suggests it wasn’t often enough! Meg is still consulting but, on balance, I would suggest adopting a different approach – leveraging the power of your own team.
There is a wealth of information on how well people can predict events from which we can extrapolate themes:
- Experts in a specific topic aren’t always better at predicting outcomes in relation to that topic than non-experts – Meg never improved her predicting, no matter how long the lottery ran;
- Past data on the topic at hand is helpful but not definitive;
- Some people are much better at predicting than others, and usually these people are good at dealing with uncertainty and can quickly change their minds;
- You need strategies to reduce cognitive biases, for example, presenting the Titanic as “unsinkable” made the risk of sinking seem inconceivable; and
- You need tools, such as facilitation or voting software, to ensure that teams working together avoid groupthink.
So, if your plan to recruit Russell Grant fails, what can you do in practice with the team you have to predict the next big thing? I suggest the following steps:
- Consider what you want to achieve and don’t be over ambitious. Are you looking to predict the day-to-day risks you expect over the next 12 months (like cyber-attacks), or are you looking to predict the next big crisis like a pandemic?
- Based on what you want to predict, gather relevant data. Industry data on cyber-attack trends in the last quarter might be more useful when looking at the next 12 months of business-as-usual (BAU) risks than identifying potential future political upheaval. If you don’t have data – don’t be deterred.
- Involve a wide range of people to create a diverse group and use a skilled and experienced facilitator to help reduce cognitive bias and groupthink. If you are looking at the team’s BAU risks, consider inviting interested people from outside the team to widen the perspective of the group. If you are considering longer time frames and external events, think about working with contacts from other areas of your organisation and different external organisations or sectors.
- Remember that practice doesn’t make perfect, but use does make mastery. The more you discuss risk and prediction, the better you will be at it. Avoid trying to do everything at once and keep dipping in and out across the year doing short sessions and exercises on risk, not only to keep improving predictions, but also to continue to build engagement in risk more generally and to drive a good team culture.
- Record all the risks you think you might need to manage in a clear and easy-to-update risk register. Celebrate your successes and learn from near misses. Risk management should be a tool to make things better and easier for everyone involved.
Once you have some predictions what do you do? Well, I am with Arthur C Clarke, “I don’t believe in astrology; I’m a Sagittarius and we’re sceptical”. I suggest we do some planning.
Remember that practice doesn’t make perfect, but use does make mastery. The more you discuss risk and prediction, the better you will be at it.
22 March 2022
The Marriott Hotel, Leeds
LATIF North
Lead sponsor: CCLA
Qualifying finance officers can register free of charge here
Planning, preventing and responding
When you start to plan your response, you need to harness your team again. Once more, consider what you want to achieve and don’t be over-ambitious. Risk cannot be eliminated, so don’t set an unrealistic target.
If you are dealing with BAU risk, consider how big the impact of the risk would be if the event actually happened. Run through the steps you think you would take if a cyber-attack took place and find the gaps and unknowns. Again, getting a wide range of people involved and some skilled and experienced facilitation should avoid groupthink and cognitive bias.
Risk is part of our everyday lives and should be embraced. Often a risk will be entirely acceptable: when you buy your lottery ticket, you are risking the price of the ticket for a chance at the jackpot. If you cannot accept a risk, then plan to control or prevent it. A good risk culture, driven by involvement in the predicting stage, should translate into better buy-in to the tracking of actions and checking on the adequacy and effectiveness of the controls you put in place.
When you are looking to plan for the next big crisis, think less about preventing and more about responding. Keep plans flexible – when the pandemic hit, many of us had to quickly move to working from home. The plans you put in place could have been developed to deal an office power loss rather than a pandemic. Every fund is different, so there is no “one size fits all” plan, but here are some top tips for getting started:
- Make sure you have a clear scope for your plan and all the things you want to prepare for (loss of premises, key staff, systems);
- List out any assumptions you have made in the plan;
- Include details of the people you would need to be engaged in a response and give lots of ways they can be contacted;
- List out all the priorities you have in the response, from reporting requirements to service delivery needs; and
- List out all the key documents and how to access them – looking for passwords and links is never fun, especially when you are in crisis mode.
The final top tip is to remember that whether you are predicting and managing BAU risks or creating plans to respond to a big future crisis, keep things adaptable and simple.
A good risk register and good response plan should be a starter for ten in just about any crisis unless you have managed to get Meg or Russell Grant on the payroll, in which case you’ve already won the lottery.
Susan Black is head of governance, administration and projects for the LGPS at Hymans Robertson.
—————
FREE monthly newsletters
Subscribe to Room151 Newsletters
Room151 Linkedin Community
Join here
Monthly Online Treasury Briefing
Sign up here with a .gov.uk email address
Room151 Webinars
Visit the Room151 channel
