Lessons learned – or are they?

By Katie Collison

A key theme to emerge from the 2013 Crisis Management Conference held in London in May this year was post crisis learning. The distinguished panel of speakers from the UK Cabinet Office, Unilever, Goldman Sachs, the BBC and Bank of England, unanimously agreed that it is all too easy to identify what went wrong in a crisis response or an exercise, but far harder to ensure that the lessons so welcomed are actually turned into change and implemented to protect and prevent the same things happening again.

How many times when watching a news broadcast do you hear the spokesperson utter the words:

“We’re dealing with an unprecedented situation” followed by: “we will be conducting an investigation to make sure nothing like this ever happens again”?

Yet in reality how many of these situations are truly unprecedented, and for that matter, how many times do organisations actually succeed in preventing history repeating itself? The answer sadly, is very few.

At the end of a crisis, the team that has been responding for the last however many days or weeks, breathes a huge sigh of relief with a general feeling of ‘we got through it’. This is hopefully, but not always, followed by a period of identifying lessons. What did the team do well? What could have gone better? Could more robust measures have been taken to try and prevent the crisis?

cube-cor-3

But how many lessons “identified” reports are labelled as lessons “learned”, with no further action taken on allocating responsibility to mitigate the issues? If teams go through the identification process, why does it so rarely convert into action?

  • The ‘day job’ gets in the way: as people’s responsibilities increase and longer working hours, the risk of mistakes being made inevitably increases and the capacity to learn is reduced; people don’t have time to report near misses, and something which should have been picked up by existing controls turns in to a full blown crisis.
  • Complacency: after an exercise or real time crisis, the team congratulates itself on its performance and reverts straight back to the day job. Yes, there may have been lessons but the overall performance was okay and “that’s all that matters in the end, isn’t it?”
  • Optimism: The organisation has recently experienced a crisis, they’ve survived and are optimistic that nothing like it will happen again. The reality is however, that if the organisation was to experience a second incident, even if it is of lesser magnitude, the reputational impacts alone are likely to be the same if not worse than during the first crisis. The so-called multiplier affect means the organisations faces longer-term reputation damage as incidents start to accumulate and organisations lose goodwill from their stakeholders.
  • Mistaken identity: the organisation has identified the lessons and recorded them, so the logic is that being conscious of them equates to learning and nothing further needs to happen. All these organisations are doing is creating an excellent audit trail for lawyers to use as evidence of negligence when there is a subsequent crisis, and it becomes apparent they have failed to act on their own recommendations.
  • Failing to learn from others: a different form of learning, but still relevant – the organisation has watched a competitor struggle through a crisis, they may have even profited from it as a result, but they don’t think it’s necessary to analyse what happened and how they may have performed under similar circumstances. After all, it can’t happen to your organisation, you have different systems and different ways of working?

So how do organisations effectively convert lessons identified into lessons learned?

  • After a crisis, or for that matter an exercise, the organisation should conduct an internal review in order to identify aspects of the response that could be improved and any gaps in procedures – if based on the experiences of an external party, parallels should be drawn where possible – what if it had been us..?
  • The learning should be documented with recommendations for improvements assigned to each issue identified – senior management should then approve these recommendations.
  • Owners should be assigned to each of the agreed recommendations – a person responsible for the implementation of the action with a deadline for delivery. Linking this to someone’s performance appraisal is also very effective.
  • A follow up audit of progress against the implementation of actions should be undertaken and presented back to senior management.
  • If possible, the original issue (or a variation thereof) should be revisited in the form of a scenario exercise, to examine the efficacy of all process changes.

About Katie Collison

Senior Consultant. Steelhenge’s longest-serving Project Manager, heading up business continuity exercises for public and private sector organisations.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s