It was Thursday, March 20th, around 10pm when I received an alert on my mobile device that London Heathrow airport would be closed. London Heathrow (LHR) is the busiest airport in Europe, serving almost 90 airlines flying to over 200 destinations in over 80 countries. From a passenger perspective, the airport is a destination or pass-through for over 230,000 passengers per day. With that level of volume, it is a strategic piece of global air traffic management on any given day. So, after my initial response of ‘Oh my!’, my next thoughts were:
- ‘What happened?’
- ‘What did the responsible individuals do?’; and
- ‘What will be the fallout?’
Through my career, I have made countless stops at this airport. So, when I saw that there would be a day without the full complement of the airport’s services, I understood the significant customer impact. Of particular note, the early reports on the incident had not ruled out a cyber-attack, so I was immediately intrigued.
If you’ve worked in this industry long enough, you have a pretty good idea about the series of events that transpire after a cyber-incident. Decisions get second-guessed, competencies get called into question, and processes get reevaluated. Cyber incidents tend to stir up the risk management blame game.
This sequence of events can make any risk and resilience professional more nervous than a long-tailed cat in a room full of rocking chairs. At the end of the day, something unpleasant happened, and someone must be blamed and pay for this risk-occurrence.
Is the juice worth the squeeze for risk professionals these days?
The job of a risk professional is full of these perilous moments. Some risk exposures are minor in nature, and we work through them in due course. However, when a really bad day arises, it can be a very lonely experience for a risk professional. The job is to manage risk, not eliminate it. Solutions are designed by these professionals to help organizations navigate through severe risk events. These solutions will not, however, eliminate the impacts to the consumer or organization. Unfortunately, there is an unspoken bar of success: eliminate all inconveniences and pain points. When the elimination of the impacts doesn’t occur, the blame game begins…
Operational Resilience Perspective
It was determined that the LHR outage was caused by an electrical fire at a substation. While this allowed cyber professionals to breathe a sigh of relief, it put the focus squarely on operational resilience professionals and whether or not more should have been done in this area. Operational resilience is defined as the ability of an organization to continue to deliver its critical operations through any hazard. To deliver on this standard, organizations must review a large range of extreme but plausible impacts to their operations and decide which of these impacts have the higher likelihood of occurrence and what actions can be taken to minimize the impacts of these events. Similar to the risk professional, resources are finite and only a percentage of these resilience events can be planned for. In fact, there are events that even the best planning cannot mitigate. So, when events like the LHR outage occur,
What is the reasonable level of operational resilience that one can expect an organization to have?
Since the outage, I have seen a few articles that have been critical of the handling of the LHR outage. There have even been reports that senior management was made aware of the potential operational impacts that could occur from an electrical outage. However, in a world of finite resources and a prolific number of resilience impacts:
Is being made aware of a resilience risk prior to its occurrence the bar that we, as resilience professionals, really want?
If there is one thing that I have learned as a cyber professional, it is that I don’t want to be held accountable for every risk that I have been made aware of. This bar is a losing battle that will lead to nothing but endless disappointment. Therefore, as organizations continue to move deeper into the operational resilience era, it is my hope that we have learned a few things that we may want to do differently when measuring the effectiveness of risk and resilience professionals.
Instead of assigning blame
A better approach may be to understand the process used by the organization to identify resilience hazards; how the resources were allocated between resilience and other organizational risks; and discover whether there was a reasonable approach to addressing the risk and resilience threats facing the organization. This approach may offer an avenue where we can learn how to better enhance the resilience of our organizations and achieve a deeper understanding of what can be done to mitigate these risks.