Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage Podcasts Crisis Management, Black Swans and Resilience

Crisis Management, Black Swans and Resilience

This item in japanese

In this podcast Shane Hastie, Lead Editor for Culture & Methods spoke to Sharon Robson about crisis management and business resilience, particularly in the context of technology and software supply chains.

Key Takeaways

  • Crisis management and business resilience are important for technologists to understand and incorporate into their work.
  • Threat identification involves considering targets, types of threats, and timing of threats.
  • Understanding supply chain risks, including second and third-tier suppliers, is essential for business resilience.
  • Open source software can provide both resilience and risks, depending on trust and limitations.
  • Business psychology and understanding the biological, social, and psychological aspects of teams can lead to better leadership and team performance.


Shane Hastie: Good day, folks. This is Shane Hastie for the InfoQ Engineering Culture Podcast. Today, I'm sitting down over not too many miles for a change with Sharon Robson. Sharon is based in Brisbane, Australia, and I'm in Little Otaki in New Zealand. Sharon, welcome. Thanks for taking the time to talk to us today.

Sharon Robson: Hey, Shane. Thank you for having me. It's a pleasure.

Shane Hastie: Now, you and I know each other well. We've been friends, and colleagues, and co-workers, and has done all sorts of things together, but I suspect most of our audience haven't come across you before. So tell us a little bit about who's Sharon.

Introductions [00:39]

Sharon Robson: As you know, Shane, I am the shy, retiring type, and because of that, I've actually had a really glorious career of opportunity. One of the things that I've been doing over the past... well, let's call it three decades, has been really, really getting stuck into technologies as they emerge. So, in the early '90s, I was working in satellite imagery and mapmaking using satellite imagery using not quite physical systems, but they were not as digital as they were now. That led me into data structures, databases, data management, which got me into working with information.

Now, it's quite funny because in the mid '90s, I was working a lot in data management systems and learning about data structures, and data architectures, and all of those things really interestingly pre-data-scientist, and it was really quite funny watching how data science and information architecture has really blossomed as a key element of today's solutions and systems. I moved away from that when I started to work for Hewlett-Packard. When I worked at Hewlett-Packard, I transitioned through a number of roles. I was a technical writer. I was a tester. I was a BA. I ended up running the test team for Hewlett-Packard in New Zealand for a while, but one of the big things that I did is I ended up being the program manager for a global national identity system program.

So this was post-9/11, and this is where everyone was getting really, really titchy about data security, data protocols, how do we use data well, all of those types of things. Because I've got that insight into data management, databases, data structures, I really started to get a lot more insight into system architectures, system solutions, and what's happened since then is I've migrated through a couple of consulting gigs, some of them with you, some of them without you, and I've actually morphed that knowledge into creating organizational structures, organizational information flows, organization decision architectures. So I'm spending a lot of time these days as a consultant owning my own company, as a trainer working with various organizations, and as a coach of senior leaders to help them really understand how information and decisions move through their systems. That's what I'm doing now.

Shane Hastie: So systems thinking writ large.

Sharon Robson: Writ large at scale.

Shane Hastie: I know one of the things that you've been exploring lately is the crisis management and business resilience. What does this mean to our technologists?

The importance of crisis management and resilience for technologists [03:36]

Sharon Robson: Ah. Shane, I tell you, it was fabulous. I went to a course at MIT, and luck of the draw, this course just happened to be on at the time I was in the States, and I thought, "Yeah, I'm going. I'm going to do that." I went with my agile, lean, systems thinking, leadership, organizational structures eyes on. What I learned was that there was a huge overlap between crisis management and business resilience, and the approaches that we take to designing and creating our systems these days. But one of the key takeaways was that often, in organizations, crisis management and business resilience doesn't sit in the tech space. It sits elsewhere. It sits in the risk space, enterprise level. It may even be under your compliance team.

Ironically, they speak the same language. They use the same approaches and concepts, crisis management and business resiliency, as we do inside the tech spaces. We just don't use the same words. So I had a great time when I was there looking at the world from my technology perspectives, from my agility lenses, from my system structures perspectives, and then mapping it into what these people were sharing with me. There's a community, a vibrant community of people who spend their lives thinking about how do we proactively support our organizations for when stuff happens because stuff happens.

Shane Hastie: Stuff happens. Absolutely, and we've been through a number of years of stuff happening more and more rapidly, and having to adapt and respond. So what are some of the key takeaways or key things that came out of this for you?

When a crisis happens, you have no option but to participate [05:28]

Sharon Robson: Ah, so many, so many, so many. It's just been phenomenal. It was in July, and I'm still sorting through things now. But for me, I think there was three super big things that really stood out to me from the crisis management and business resiliency activity that I went through. So the first one, it isn't really one of my three, but it's something that I think is so pertinent to any conversation we're having. Whether it's around solution creation, solution development, solution delivery, or crisis management and business resiliency, the takeaway that I had was from the course facilitator. It's a guy called Dr. Steve Goldman, and he said, "You have no option, but to participate." I loved it. I absolutely loved it because it's true. When there is a crisis, you have no option, but to participate. You can't say, "No, I'm opting out of this one." You actually have to be actively engaged.

Now, when that comes to our thinking around how we create our solutions, and how we engage with our customers, and how we make sure that we are doing the right work at the right time, adding value to our organizations, I think this is a great mantra to have as well. You have no option, but to participate. It's your job. Show up. Do it, but do it in a way that adds value. I think that is something that was really, really important around what Dr. Steve said when he mentioned that. But of the major takeaways, major takeaways, the direct overlap that I had between agility, lean, systems thinking, and crisis management was the first thing that you need to do proactively. Not reactively, proactively, and it's proactive risk identification.

Now, we're all very, very familiar with that 4 by 4, or 9 by 9, or 25 by 25, or whatever, or 5 by 5 matrix that we have for our risk management approaches where we look at our risk matrix, and we identify what's in that top right quadrant, what are the high-probability, high-impact areas that we need to focus on. The big takeaway that I had here, and this was a huge aha moment, is the ones that are in the top right, high-impact, high-probability, we've got them covered. They're like, "Yes, we know that's going to happen." The things that are in the low-probability, but high-impact quadrant, they're the things that we need to look out for. So they're called black swan events, and we all know the story about black swans.

The best thing about this with the black swan events is you get to play the "What If" game. What if there was a global pandemic that shut down workplaces for two years? "Never happen. We don't need to prepare for that." What if we had to mobilize our workforce and have everyone work from home within a two-week window? What if we had to upgrade our networks and our organizational infrastructure, but there were actually no parts available for us to support our infrastructure systems? What if? It's not really an exercise in fearmongering. It's an exercise in just looking at your organizational approach to how do we deal with these what-if things.

One of the lecturers at the course was a guy who spoke very strongly about supply chain management, and he started off straight away talking about the Suez Canal. "What if a ship got stuck sideways in the Suez Canal?" Prior to this decade, no one would've believed that's possible. No one, and no one would believe that China supply line would be so fragile that they've got heaps of stuff they just can't get it out of the country. No one would believe that. What's happened with COVID... and it's a true black swan event. What happened? It allows us to look at the world through those eyes, and then make very deliberate choices about whether or not we address those concerns, whether we pay attention to it.

Systems thinking and black swan events [09:47]

Now, from a systems thinking perspective, that was the next thing that came up because from a systems thinking perspective, when we start to look at our black swan events, we actually have to do threat identification, and there's three things that we need to look at. Who is the target of the threat? Now, it sounds pretty terrible, but what we're talking about is, are you prepared for individual person threat? Is your organization prepared for the CEO to go missing, the CIO to be stuck somewhere and unable to communicate with you for a period of time? Key person risk is something that we really need to look at inside our organizations, and I know from a lot of my coaching clients that we have many, many, many single points of failure based on key person risk, but then we've also got to look at threats to the team. What is the likelihood of one of our suppliers suddenly disappearing? So, all of a sudden, any contract skills that we have, they're just not available. What's that going to do?

Also, we got to be looking at our infrastructure. What could go wrong with our infrastructure? How many times do we talk about fires in data centers? Well, we know that's a likelihood, so we have fire prevention systems in our data centers, but what else could happen? I'm not sure if you remember. In Brisbane, in 2011, we had some absolutely appalling floods, and the lesson that we learned there, don't put data centers in basements. Guess where water goes? To the basement. Data centers and water, not a good combination, but again, black swan. "It's never going to happen. It will never be that bad." So we've got to look at that.

The next thing we've got to be thinking about when it comes to those black swan events in this threat identification is we have to talk about what type of threat is it. Now, one of the elements that we had shared with this at the course in Boston was we had two lectures on cybersecurity. Seriously, since then, I barely turn my phone on. I have clicked on no tabs, no links anywhere, and please don't send me any emails because I'm not reading them. These guys were scary as. There was a formal lecture from an MIT professor who specializes in cybersecurity, and then we actually had a session from the FBI around the type of cybersecurity threats.

Cybersecurity threats [12:06]

Now, this was really important because not only did it talk about cybersecurity threats to the organization, but also, cybersecurity threats to the government and the impact that has on the organization. These are the types of things that we are thinking about. So, from a systems perspective, we're talking about the extrapolation of what we know into what could be, and then the impact analysis of that. From a solution creation perspective, the big thing that I take away from that is we need to be super, super conscious of those things, but not get stuck into gold-platting our solutions. So, again, we've got to play the balancing game.

Now, the other thing that came out of the cybersecurity conversations was if you know have been breached, odds are the perp has been in your system for 200 days at least, and you only just see the breach. So timing of the threat is very, very important. So, again, when we're doing that black swan event analysis, we've got to be thinking about, "Is the threat imminent? Is it predictable? Is it regular, or is it historical?" These are the types of things that we need to be aware of when we're doing threat identification. So that, to me, just made me sit back really, really powerfully and think, "Okay. Well, what does this mean for the solutions that we design?" The structures we design inside our organizations, the decision frameworks that we've put in place is very, very, very important for us to be aware of.

Recovering from a crisis inevitably takes far longer than we expect [13:41]

The third key takeaway that I want to talk to you about, which I think is really important as well, is that a lot of people think that a crisis is a one-and-done thing, an event happens, but there's actually quite a strong timeline associated with crisis management, and then business resiliency because you don't have the thing that happens that is the crisis, and then a massive dip in productivity, or revenue, or customer market share, or whatever, and then you don't come back straight away to where you were. There's actually a prolonged element of the time it takes to regain your BAU or normal status.

Now, that's crucial. That's crucial from our perspectives of the solutions that we build and the approach that we take in dealing with crises because we can't expect the resumption of normal service to be instant. So when we start to design our solutions, we actually have to be thinking about what are the core elements that we need to bring back online, and we have to think about it like a forward cascade. What are the elements that we need to bring back online that will allow us to create the next step, and then the next step, and then the next step? Eventually, we are going to get back to BAU. But as with all things, and agile is something that I spend a lot of time thinking about and talking about, we don't want to get back to how we were. We actually want to get back to better. So it's not simply about restoration of service. It's about getting back to BAU, and then the next step. What can we learn from what has just happened?

Shane Hastie: Interesting stuff. I'd like to dig a little bit into supply chain and software supply chain. What's our risk there? Because surely, it's just download another file.

The importance of supply chain management [15:49]

Sharon Robson: Oh my gosh. When we did the session on supply chain management and the risk to supply chain, it was just fascinating because again, that's the system view of the world. So when we do supply chain analysis, we really have to dig deeper. It's not just you and your clients or you and your vendors. So depending on where you identify yourself in the supply chain, what you actually have to do is move beyond what has classed your tier one suppliers. So your tier one suppliers are those who directly supply to you. You have contracts with them, and you have arrangements with them, and they give you things, you give them money. You have to look at the tier two. Tier two are the suppliers who supply your suppliers, the vendors that support your vendors. Then, to be really resilient, you actually have to go back and look at tier three. Who supports the people who support the people who support you? Why? Because your crisis, back to the black swan thing, will come from left field.

COVID. Oh my goodness, COVID. Terrible, terrible environment for us to be working in. Very, very difficult. So we're all going to work remotely. Not a problem. You could not buy a webcam. You couldn't for any money. You couldn't buy a webcam. You couldn't buy a headset. You couldn't buy the infrastructure to get online. You couldn't get any of the little dongles. You couldn't get anything for months. So organizations were hamstrung. Even if they had people who were prepared to work from home, even if they had people who had laptops that were powered enough to work from home, we didn't have the infrastructure in place, and we couldn't get it. We just couldn't get it.

In the technology industry the second and third tier suppliers are education institutions and government policy [17:43]

So our second and third tier suppliers weren't in place to enable us to deal with that particular crisis. That's really fascinating when you start to look at what are your second and third tier suppliers, what are their needs? We know at the moment, particularly in technology, there is a huge need for skilled employees. Huge. We're at a massive deficit there. Why is that? So if we start to look at that, then our second and third tier suppliers start to be our universities or our governments, and our immigration policies, and all of those types of things. It's really interesting when you start to do that decision tree, how vulnerable we actually are.

Shane Hastie: Something like open source because so many products today are built on top of or using open source frameworks and so forth. Does that give us more resilience or less?

Open Source is both a risk factor and a source of resilience [18:36]

Sharon Robson: Ugh, Shane, I wish I could say yes or no. Tuesday. Purple. It depends. It really does. So, first of all, with open source, you've really got to trust what you're using. Super seriously, you've got to trust what you're using. Most open source providers are going to be asking for something in return. There is the real catch when it comes to using open source approaches and technologies, but if we step aside from the cyber risk associated with it, then you've got to be asking yourself, "Well, where does it come from, and what are the limitations of it?"

Now, just because it's free or available, it doesn't make it good. It just means that it's available. So you've still got to give all of your due diligence to the work there, but you also need to be looking at where is it coming from. Where is the content being created? I think that's a really important thing that we need to look at. Libraries that are online, all of the libraries, all of the things that are freely available that we just consume because they're quick shortcuts. Even if we step away from what's inside those libraries or the content that's there, have we actually got the skills to recreate those if we need to, or are we becoming more and more dependent on our suppliers like those open source environments to give us things that we actually can't use unless they're there or we can't recreate?

Shane Hastie: So, shifting focus slightly, I know that you're also been doing a whole lot of stuff around business psychology. So let's dig into that and what the implications are for teams, teamworks in the technology space.

The relationship between psychology and physiology and how that impacts teamwork [20:23]

Sharon Robson: Ah, Shane, it's fascinating. It's absolutely fascinating. I've been loving it because it's taking the systems view of organizations and taking the personal view of your body as a system. What I'm studying is how your physiology, so the physical mechanical bits of your body, how they interact with your psychology, what you think, what you feel, what your behaviors are, and how that adds up to your wellbeing. In my mind, because I'm looking at business psychology, wellbeing is about, are you being productive? Are you engaged? Are you delivering value? Are you enjoying your work?

So there's so many things that are really important when it comes to organizational constructs and the way that we build our organizations because if we're turning our organizations into factories, and we're just grinding stuff out, and there's no joy in the work, we are not going to get joyful outcomes. To create joy in the work, you have to understand what drives people's motivations, what gets them going, and we're both deep in IT, so you know as well as I do that most people in IT are problem-solvers. Give us a crunchy problem. Let us think about how to solve it. What we're seeing in workplaces these days is the focus is on efficiency, time and cost management and metrics versus effectiveness. Are we solving the right problems in the right way? What I'm really enjoying about doing this masters is it's really helping me understand more about the psychology of agility. What are the behaviors that we ask for from an agile team, and why? Then, how they actually promote better outcomes for the organization and for the team members.

Shane Hastie: What's that mean to me as a technical leader in an organization?

Sharon Robson: There's so many as you know. There's so many elements to leadership, but the key is to be aware of the key three dimensions. So we talk about bio, social, psychology. Bio being the body, socio being the interactions, and the psychology, how you think, how you feel, how you behave. They're inextricably linked. So when we start to think about creating the golden child of a team, which is the unicorn, the high-performing team that collaborates well together, the team that is focused on delivery of value, and the team that is really driven to lean into the challenges that we have in the modern workplace.

Advice for leaders when designing workplaces [23:09]

As a leader, we've got to be thinking about those three elements. We've got to be thinking about the biological necessities of our team members. Are they actually comfortable, physically comfortable? Are they working too hard? Because as soon as you start to work too hard, you start to sleep less. As soon as you start to sleep less, you actually start to impact on the prefrontal cortex, and your executive function diminishes. Lack of sleep incredibly, powerfully impacts your ability to think clearly and solve problems.

Now, if you're dealing with a bunch of problem-solvers and they start to realize that they're being cognitively impaired because they're working too hard and they don't get a chance to have that downtime and switch off the prefrontal cortex, their executive functions will diminish, their ability to solve problems will diminish, and that has a huge impact on their self-esteem because they're not able to solve the problem as quickly as they used to be. So that leads to stress.

Another example is I'm writing a paper at the moment on open plan workplaces and the fact that they induce chronic stress because of the awareness that our brain creates when we are working in an open environment. Your brain can't switch off. It's always, always, always thinking and being aware, and we've got huge amount of sensory input. We've got auditory input. We've got visual input. We've got what we feel. So temperature, movement around us, all of those things. They create arousal states, not anything. It just means your attention is focused. So if you're working in an open plan office and you are trying to solve a problem, every time someone walks past, you contact switch. Every time the phone rings, you contact switch. Every time someone taps you on the shoulder and says, "Hey, Sharon. How you going?" you contact switch.

Now, in the workplace, in the open plan office, what that means is we are creating a huge cognitive load, which means that your brain is really busy trying to figure out does it care about that noise over there, or am I focused on this problem? So the paper that I'm writing is how do we create a cohesive workspace where people are able to get into the zone, into the flow zone in an open plan office. How do we override those constant distractions? So I'm looking at how do we do that.

Part of me, really, is about limiting exposure, giving people barriers. The old cube farms, oh my gosh, they're horrible, but they do actually reduce distraction. Having headphones on, really important. Having stimulating, but not auditory-dominating music. So things like classical music that has the right wave forms to stimulate the way that you think, very, very important. Songs that you're familiar with, very important because your brain can just tune into those which means it tunes out of what else is happening around you. So, as you can see, fascinating, and I'll talk about it for days. Not a problem.

Shane Hastie: What's some of the other neuroscience things that we're learning or have learned that maybe our audience is not that familiar with?

Sharon Robson: I will tell you a story. When I was looking into this, the impact of overwhelming auditory environments, okay, we traditionally looked at overwhelming auditory environments in terms of loudness in the workplace, but I was looking at it from the perspective of how do we actually hear things because there's a difference between physically hearing something and cognitively being aware of it. So one of the things that I was leaning heavily into in the past couple of days was understanding how hearing works.

So there's a physical aspect to hearing. Sound creates sound waves. They hit your eardrum, your eardrum vibrates. It vibrates a very small set of bones that then move fluid in your inner ear. So your middle ear is full of air, your inner ear is full of this fluid, and there's three gels that exist in your middle ear. They vibrate at what we call pitch levels so you can recognize a sound based on where it actually is vibrating in your inner ear. Really, really cool. But then, we get into the more detailed stuff because I'm doing the neuroscience of human behavior, so we get into the detailed stuff.

One of the things that we learned about is the fact that inside our inner ear, there are cells that when they are hit by this wave of gel that's moving, they actually... The cells tip over a bit, and they open pathways for potassium and calcium to go into the cell, and inside that cell, when there's enough potassium inside the cell, it actually opens up gateways for neuroreceptors to be passed to your neurons. That's what tells your brain a sound has been heard.

Now, this happens a gazillion times a second because we hear every sound that's around us, not just a single sound. We hear every sound that's around us, but our brain filters it and says, "You don't need to worry about that. You don't need to worry about that. You don't need to worry about that. You don't need to worry about that," unless you focus on it. Now, this, I found fascinating because, again, to my thesis around chronic stress in open plan offices in that our brain is constantly filtering. It's constantly saying, "Do I care? Do I care? Do I care?" So what do we do about it? We need to either reduce the input or we need to think about how do we teach our brains to not care, and that's another really powerful thinking skill that comes into play by doing these types of studies.

Shane Hastie: Some fascinating, interesting, and intriguing points. Sharon, if people want to continue the conversation, where do they find you?

Sharon Robson: I'm on LinkedIn, so Sharon M. Robson on LinkedIn. I also have my own website, so, and I also have my company website, Feel free, reach out. Flick me an email. Happy to chat.

Shane Hastie: Thanks so much.

Sharon Robson: Thanks, Shane.

About the Author

More about our podcasts

You can keep up-to-date with the podcasts via our RSS Feed, and they are available via SoundCloud, Apple Podcasts, Spotify, Overcast and the Google Podcast. From this page you also have access to our recorded show notes. They all have clickable links that will take you directly to that part of the audio.

Previous podcasts

Rate this Article