Mountaineering is Risk Management (with Boots)
What I’ve learned about risk management while dangling off a mountain
As a professional in disaster management and business continuity—part of the wider field of risk management—it may seem a bit odd (or even crazy) to want to climb the highest or most challenging peaks in the world.
But I do it. And I love it.
I’m supposed to be avoiding risk, right? Not chasing it. But risk isn’t necessarily a bad thing when you approach it the right way, with the right attitude and tools. In fact, mountaineering and risk management actually have more in common than you’d think. Both are all about balancing risk and being prepared.
Mountaineering IS risk management
Mountaineering is a full-on invested and continuous process of risk management, every step of the way. Literally. Climbing a mountain IS a constant risk management exercise.
Mountaineering, like risk management and business continuity, presents continuous challenges that come with the potential for catastrophic losses if not done right. Every alpinist’s risk appetite dictates how much protection she uses and what risks she is willing to accept during the various stages of the ascent - putting more or fewer anchors, using a fixed rope or not, retracting when the weather gets too crazy, etc.
Similarly, an organization’s actions toward mitigating risks are also very much determined by the level of risk its management team is willing to accept.
And successfully implementing a resilience program, whether a wide ERM (Enterprise Risk Management) framework or more specific elements like a BCM (Business Continuity Management) program, is very much like planning and executing a mountain-climbing expedition. To reach the ultimate goal, whether it’s a mountain peak or a fully functioning program, the same steps apply. Because after all, in both cases, you’re managing risk.
What does it take to have a successful resilience program?
1- Extreme commitment
Climbing a mountain is a long, fastidious process - one of extreme ambition, drive, and commitment. If you don’t have the guts to overcome obstacles at every turn, you won’t make it to the summit, or even worse, back down safely. It’s an ambitious endeavour, just like implementing an organization-wide program for risk or BCM.
One reason implementing an organization-wide Risk or BCM program is so arduous is that it requires a change in the culture of the organization - a switch to the core of “the way we do things.” Old habits must die. New ones need to be integrated. None of this is fast or easy.
An organization must be truly devoted to becoming resilient in the way it manages risk to acquire a true continuity capability. It takes extreme drive and commitment because this process is fraught with difficulties every step of the way. People do not like change, and change is necessary to this process.
2 - A Solid Plan
A climbing plan should cover everything you need to embark on the adventure with the agility and preparedness of a pro: physical fitness, acclimatization, adaptability, worst-case scenarios, various contingencies, adequate resources, and of course a good team.
An organization developing its Risk Management / BCM capability requires basically the same thing. What that means is that you will need solid tools and data, strong relationships (internally and with key contractors/suppliers), an in-depth knowledge of vulnerabilities and single points of failures, tremendous commitment from all organizational levels, reliable staff, and appropriate technology to support your efforts.
Climbing a mountain without any of these critical elements is courting likely disaster— In business, it could cost your company its life.
3 - The Right Resources
As we say in climbing, there’s no such thing as bad weather, only bad clothing, bad equipment, and a lack of general preparedness. To roll out an ERM/BCM program in your organization, choosing the right resources for your journey protects you from disaster along the way. The two main types of resources you need are roll-out tools and the right team.
Roll-out tools: Depending on the size of the organization, it may be useful to use software to roll out ERM/BCM programs. The main benefit to using a software is notification capabilities, either as part of a mass notification or via a system of on-call staff. In my own experience, a good old Excel spreadsheet template is more often than not just as effective, if not more.
Your team: Without the right team players, the success of an expedition can be very quickly compromised. For your organization’s risk management implementation, teaming up with the right people is critical for producing fit-for-purpose outputs. We say BIAs/BCPs are only as good as the information contained in them. Who will provide such valuable information?
Hopefully that job goes to a whole range of subject matter experts in all areas of the organization. A business continuity or risk management lead is rarely an expert of the organization’s services or manufacturing processes. The success of the program will hugely rely on the network of “champions” (focal points) who will help develop and maintain the risk registers/BCPs by providing the right data. For a successful program, surround yourself with collaborators of appropriate seniority, gravitas, and adequate knowledge of the business and its internal “mechanics.” You may want to ask senior management to nominate them for you.
4 - The ability to approach the challenge in chunks
As a mountaineer, I’m often asked, “What is the best way to approach a climb when it becomes more than you bargained for?” My answers can also be applied to BCM projects as well as your organization as a whole.
When an organization embarks on the journey of developing resilience (through building its risk management framework or business continuity management capability for example), the task often seems like a mountain. Every person has her own mountain to climb. Every organization, too.
A successful high-altitude climb is best achieved when divided in chunks (or milestones). Not only because it is physically impossible to do it in one go (with no prior acclimatization/training), but also because mentally, the human brain gets easily put off by the enormity of a huge task.
“That rock” “That ridge.” “That boulder.” “The end of that slope.” These landmarks are all milestones to keep the mountaineer feeling like she’s pocketing small wins as she passes them. This technique has proven to be everything to me on a high mountain - keeping me moving when the climb seems interminable.
This same strategy is also crucial for the success of a program. Senior management is much more likely to continue to give its full support if they can see the small wins along the way. Make sure those small wins are translated into clear, trackable, tangible milestones from quarter on quarter. Ultimately, this boosts the ERM/BCM manager’s morale (and that of his team), while building a widespread feeling of progress toward the ultimate objective at an organization-wide level.
Examples of such milestones are, in the case of the implementation of a BCM program:
- the completion of X amount of BIAs
- the sign-off of these BIAs and the identification of key BC strategies
- the development of X amount of BCPs
- the testing of these BCPs
For the case of an ERM program, milestones could include:
- risk identification completed in X amount of departments
- risk analysis and evaluation completed for the identified risks
- risks treatment strategies identified / applied for the relevant risks
5 - The right timing
Often, the entire success of an expedition will come down to timing. The climbers have to find the right time to go for a summit bid, with plenty of time to return safely before nightfall. Is the weather okay to proceed, or conditions are too unstable?
Timing counts when implementing a BCM program, too. Requiring your champions’ time during a period where they are busy with a plant “turn-around,” product launch, or an audit may lead to downgraded information from their part.
Another example of bad timing would be trying to sell senior management on the benefits of launching an ERM program right after a high risk has materialized with negative consequences for the organization. However, you could use that high-risk scenario as an opportunity to reinforce the importance of investing in risk management and contingency plans, i.e. turning bad timing for one matter into the perfect timing for another.
6 - Thresholds
Establishing clear thresholds or deadlines before setting off is literally a question of survival on a mountain climbing expedition. You have to know when it’s time to turn back, whether or not you’ve reached the summit. In the heat of the moment, a climber’s judgement might be blurred by what we call “summit fever,” and without prior agreed-upon thresholds, they might push forward into a dangerous situation.
This rationale very much applies to organizations, especially in the formalization of a risk appetite. How far are you willing to go to accept certain risks, knowing they may severely affect the organization’s health if they materialize? This must be thought through early when embarking on the journey of risk management, because when a crisis strikes or an incident situation develops, it may be too tempting to naively follow the overly optimistic approach of “We’ll be fine - We’ll manage if the worst comes.”
Having clear guidelines keeps the overall mission and objectives in focus. These are often the difference between whether an organization will bounce back or collapse. Clear decision-making based on defined boundaries is why tough risk appetite discussions should happen sooner rather than later.
7- Clear priorities
Identifying thresholds often happens hand-in-hand with the establishment of clear priorities. Being aware of the priorities and not losing sight of them helps keep you on track toward the ultimate goal safely. Reaching the summit is nice, but coming back down with all limbs (i.e. without frostbite) is better!
Generating more revenue is great, but doing so at the expense of the safety of the staff or consumers may very well backfire. A great way to map out priorities clearly is to carry out a strategic BIA, which will indicate which services/processes could be let down temporarily to focus on more critical activities. Performing such BIA exercises is healthy, as it not only allows for the development of fit-for-purpose BCPs, but it also lays out the foundations of the company’s long-term strategy while validating the overall risk strategy.
Having an in-depth knowledge of your own limitations and capabilities is a must in mountaineering because it helps you select appropriate climbing partners who can fill in where you are lacking. Plus, it helps the alpinist be more cautious during sections of the climb where he knows his skills aren’t the best, increasing the chance of success while reducing risk. Good self-awareness also helps climbers know where to focus their training to enhance their performance on the next climb.
Self-awareness comes with humility. Humility is EVERYTHING when mountaineering. Being too stubborn or overconfident in the mountains will get you killed. It is one thing to be determined to pursue your goals, but realizing when to turn around in the face of bad weather or conditions is literally a life-saving skill. There’s no shame in being aware of our own limitations. On the contrary, it makes you stronger because you know when to bring in help or change course to meet the final goal.
In organizations, having a good understanding of strengths and weaknesses helps us knock at the right doors for support. It’s necessary to balance staying positive about the tasks we can handle versus accepting shortfalls and efficiently bridging the gaps.
Speaking of, gap analyses are a good starting point for implementing an ERM program. The organization generally knows where it is lacking, but sometimes third-party validation works in favour of internal politics and will help get the process kick-started.
How would someone in a risk management setting, like a program manager freshly hired for the job, achieve this awareness? There are several things that can assist in providing insights: insurance claims, customer complaints, incident and crises reports, internal memos, employee exit interviews, financial reports, etc.
But equally, the newcomer should try to pinpoint the reason he was hired in the first place. What does the program aim to achieve? What is the current culture versus the culture required for the desired objective? What IS the objective? A great tool to help in achieving that awareness is a maturity assessment, i.e. “Where are we on a 5-levels matrix versus where do we want to be?” Understanding where the organization wants to be should be captured early on. It is worth noting that not all organizations aim to reach a level 5, and that is perfectly okay. A basic cost/benefit analysis is sometimes all that’s needed.
9 - Resilience
Mountaineering requires resilience. Mountain climbers are continuously forced to grow, bounce back, and come out even stronger from a long expedition. Not an “exped” goes by without failure of some form.
Personal resilience is about adapting our own persona to become a stronger version of ourselves. A resilient individual approaches life and its hardships with more confidence. Resilience allows individuals to tackle challenges and set new ones continuously as they fulfill them along the way. It’s not about becoming fearless (which in fact would be dangerous in the mountains, as fears play a vital role in keeping us alive) but it’s about being aware of our capabilities and of how to control emotions in the face of difficulties.
Personal resilience is about embracing the challenges that are being laid out rather than getting sucked up in them. In the end, one can either be impacted and only see the negatives of difficult situations, or one can choose to see them as opportunities for growth. And this approach applies to everything in life, whether on a mountain or in an organization. A resilient individual will not be put off by organizational setbacks.
10 - Leadership
Whether one chooses to solo a multi-pitch rock wall in Yosemite or climb behind several parties on a rope fixed by a sherpa team in the Himalayas, there will be a time where the leadership attributes of a climber will be put to the test.
Leaders are required to make the decisions that push us forward toward our goals.
A program will not succeed without great leadership. Some organizations may nurture new ideas and make them achieve maturity more easily, but in the end, a great dose of leadership will still be required.
Attitude over altitude
Mountain climbing is fun, exhilarating, and a bit terrifying—but all in a great way, if you’re up to the challenge. Are you ready to take on your organization’s “mountains?” If you’re still not sure, remember that above all else, it’s about maintaining your equilibrium over elevation – attitude over altitude.
Plan for everything and leave nothing to chance. Know in advance that all will be well, no matter what happens. And be ready to be pleasantly surprised, learning new things as you move steadily upward, one foot firmly planted in front of the other.
Learn more about Education Month 2022 :
About the author
Business Continuity Management