The ability to survive a crisis and thrive in a world of uncertainty is at the heart of a new technical standard for utility companies

Utilities across the world are currently grappling with the immediate challenges of the COVID-19 crisis as well as emerging risks such as cyber and longer-term issues such as climate change and resource scarcity.

In this increasingly complex world, organisational success will be ensured by integrating risk management with resilience approaches.

I have long been a champion of unifying risk-and-resilience and have been applying it here at Watercare successfully for a number of years. The perfect opportunity arose to highlight its importance to large organisations when I was invited to become the technical author of the recently published PAS 60518:2020 titled Developing and implementing enterprise risk and resilience management (ERRM) in utilities standard.

The role and importance of global standards in guiding and enabling organisational success in an increasingly complex world cannot be overstated. An international standard provides best practice approaches and highlights solutions that can guide industries during times of crisis, growth and even changes in thinking, and can accelerate innovation.

PAS 60518 is designed to lead organisations through the process of developing risk management capability and building their adaptive capacity to enhance resilience.

The standard reflects how risk and related resilience thinking has changed. Resilience was previously viewed as the ability to recover quickly from difficulties but is now seen as the ability to survive a crisis and thrive in a world of uncertainty.

Resilience is more challenging to understand than risk and should be viewed as an organisation’s adaptive capacity to respond to unexpected (including very low likelihood/very high consequence) events.

Lifeline utilities should look to build and improve enterprise resilience to ensure they can continue to provide their critical services, regardless of the myriad of potential challenges they could face.

There is a clear link between risk and requirements for increased resilience. An understanding of the most significant risks provides a guide on the key areas of focus where resilience requires enhancement.

Resilience has always included business continuity and incident management but now needs to be extended to comprise the development of wider adaptive capacity to resist, respond to and recover from extreme events and then to consider how to reinforce for the future.

Figure 2: Linking Risk and Resilience

This continuing journey includes:

  • Building resistance, e.g. to protect critical assets to try to withstand the event – this will be a continuing journey as new infrastructure takes considerable time to provide and is expensive.
  • Developing response and recovery capability in advance of events, starting with specific business continuity and an organisation-wide incident management plan.
  • Then extending to understand:
      o Critical asset vulnerabilities and how to extend and change capabilities
      o Extending the capabilities of current and developing additional critical staff
      o Greater knowledge of key business processes and systems and how these can be changed in very short timeframes to address changed circumstances
      o The capabilities and vulnerabilities of critical support networks including consultants, contractors and suppliers and how they can extend their services to provide additional or different support
  • Extending organisation-wide capability to provide the adaptive capacity to respond to all events
  • Lastly, to reinforce using the learnings from events to improve for the future. In this regard the term ‘build back better’ is often used. However, wider thinking is required and should now extend to ‘building back differently’ or in the case of climate change ‘build back somewhere else!’.

It is often difficult to contextualise these challenges, so a simple example is given below and should be considered with the areas highlighted to improve resilience in the diagram above.

Assume that, during the period of the event, normal operations, levels and quality of outputs must be maintained (no forgiveness from regulators for any perceived failings) and all work would have to be completed in the same timeframe:

  • The operating capacity of one critical asset must be slowed below its current minimum capacity (specified operating envelope) and another with different technology must be enhanced to operate above its current maximum capacity. Both must continue to operate with no failures as these would result in significant customer impacts.
  • There is a requirement for major changes to processes and systems to support new operations; some of these changes are new and have not previously been attempted. Again, this must be achieved without failures.
  • Additional construction projects must be initiated and delivered, from procurement through to completion of construction, in timeframes that have never previously been attempted.
  • Support must be leveraged from extended networks: consultants, contractors and suppliers will all be required to provide enhanced and additional support above currently available levels, with an expectation that those providing this support will do their part to meet these challenges.
  • With a limited number of critical staff available to provide the support to these initiatives and actions, the organisation will need to flex to provide support from across the wider business and upskill to ensure this support can be maintained, as this will need to be sustained for many months.

While these circumstances may seem unrealistic, this is the work ongoing to address the drought in Auckland, and responses to COVID-19, droughts and fires have also called for a wider range of response actions. Success in these circumstances can be greatly improved by advanced preparation as well as training to create and enhance adaptive capacity.

The key focus areas for the enterprise risk and resilience model (ERRM) include:

  • Maximising organisational capability
  • Informing the understanding of risk management, including areas where more risk could be accepted
  • Identifying areas where business continuity and incident management plans are required
  • Aiding decisions on capital investment to increase organisational resistance
  • Improving resilience, including response, recovery and supporting resource and network capabilities

An integrated approach to understanding risk and using this to guide resilience development will make an organisation increasingly capable and quick-to-recover when faced with challenges. A continuing programme of resilience work should ideally be undertaken to ensure that the organisation can adapt to changing environments. Effective ERRM enables just such an integrated approach.

Utilities and other large organisations should develop and implement ERRM policies and frameworks that are driven by the context of the organisation (strategic objectives, vision and mission) and directly address its risk profile and operating model. These should aid in directing the risk and resilience function, prioritise enterprise risks and provide effective oversight of the processes that drive risk management, specific mitigation and wider resilience development actions.

Ideally, the ERRM policy and framework should be accessible to staff at all levels and reviewed regularly to account for any organisational changes. Training staff to ensure understanding, competence and capability will enable organisation-wide commitment to ERRM, and successful performance when these challenges occur.

Effective risk and resilience practices to increase adaptive capacity take time to build and need to be driven by the leadership team within organisations. Understanding and prioritising risks is a key requirement to make the case for the investment in resilience.

Making the case for enhanced resilience is difficult to achieve in purely financial terms (that is, considering the return on such an investment in monetary terms) and a changed approach to justifying this investment is required to prevent resilience actions from continually being reprioritised into future years.

A better understanding of the vulnerabilities that increasing resilience seeks to address and the cost in financial terms of impacts on outputs needs to be added to make a wider and more balanced investment decision. This should lead to considering investment in terms of how this is improving resilience maturity over time and should be supported by resilience metrics to highlight progress. The adage ‘what gets measured gets done’ is important in moving thinking on the importance of increasing resilience.

The leadership team should also build resilience thinking into the company’s culture, by demonstrating their own personal commitment to it. This includes being active in the development and exercise of plans and having processes to maintain unity-of-command when senior executives are absent.

Some good ways to drive improved resilience include:

  • Run incident practices/exercises using varied staff teams. This increases understanding across the organisation and reduces reliance on a small cadre of well-experienced managers and senior staff.
  • When there are incidents, form an incident team and require less experienced staff to act as deputies. This improves skills without hampering the overall incident response.
  • Make incident response capability and experience a pre-requisite for staff looking for advancement.
  • Make sure staff training and reporting systems include a record of this experience.
  • Make sure all those involved in responding to and recovering from an incident take part in the lessons learned exercise after completion.
  • Continue to look for new ways to train staff to improve their adaptive capacity.
  • Include key members of the organisation’s support network (contractors, consultants and suppliers) in training exercises. Work to understand how and where they can extend their capabilities, and their limitations in events.
  • Remember there are other utilities with the same or similar skill sets in your own or surrounding countries, and building alliances will enhance preparedness, whether giving or receiving help. Building these alliances and asking for help should always be seen as a strength, not a weakness. This is one of the best, but most under-utilised, ways to increase resilience capability.

Risk and resilience is a continuing journey and PAS 60518:2020 includes information, templates and practical examples that together provide a path to ordered development, taking utilities on a structured journey to develop and improve their organisational resilience.

Nigel Toms is chief financial officer at Watercare Services Ltd and technical author of PAS 60518 on ERRM for utilities