In recent years, resilience professionals have been preparing for, and responding to, incidents that are increasingly complex, severe, and frequent. As ransomware groups become more organized, for example, cyber attacks are increasing – reaching record levels in 2023.
While challenging, these events in the past typically came about one at a time – giving teams that prepared for them time to react, restore normal operations, and learn from what occurred. Now, as the force of these incidents collides with an increasingly interconnected society, disruptions are intersecting and we are entering a new era of polycrisis.
A polycrisis – also called a layered crisis – is when multiple incidents intertwine, bringing with them a series of disparate, interacting shocks that make the whole more overwhelming than the sum of its parts.
The term was first coined in the 1990s, and polycrises were recently brought into focus when economic historian Adam Tooze discussed the cascading impacts of COVID – like loss of life, staffing shortages, cyber incidents, and security challenges caused by a remote workforce – at the 2022 World Economic Forum Annual Meeting in Davos.
In this new climate, organizations can no longer achieve resilience by preparing for one big disruption. They must predict and account for its potential cascading impacts.
Polycrisis in practice
As an example, let’s look at the tragic mass shooting that occurred during the Kansas City Chiefs’ Super Bowl parade. While this incident may appear isolated, it could result in loss of life, workforce challenges, supply chain disruptions, cyber-attacks, and other consequences for businesses in the area.
In the immediate aftermath of the shooting, organizations should have quickly ascertained employee safety. Did this occur near their facility or office? Do they need to implement a lockdown? Were there staff members at the parade? Are they able to communicate with employees about emergency procedures?
They would then need to evaluate potential disruptions to their operations. Were there road closures that would impact stakeholders’ ability to enter/exit their facilities? Are any third-party vendors located in the area and/or was their staff impacted? Have any shipments been delayed or rerouted?
And, even if a business determined it was not directly impacted by this shooting, its community was. Did any employees have loved ones at the parade? Do team members feel safe coming into the office? Should employees be allowed to work from home and, if so, can that transition be made securely and without disruption? Are support services required? Is there any coordination to be done with law enforcement or other officials?
In the instance of a natural disaster, an organization would also examine community access to basic resources, like shelter, water, and electricity.
This is an example of cascading impacts. But polycrises can also take another, less predictable and more ominous form: concurrent independent incidents.
Double trouble
In the summer of 2020 – as COVID cases were accelerating and the US healthcare system was under unprecedented strain – Louisiana emergency management officials, businesses, and residents also had to contend with two hurricanes within a 36-hour period, bringing winds last seen in the 1850s and a massive storm surge. These unrelated events crippled infrastructure, broke supply chains, and added to the public health catastrophe.
Earlier that year, in May of 2020, as COVID was surging, George Floyd was murdered by police, triggering peaceful protests as well as waves of riots and looting. This brought Minneapolis, which was already reeling from the pandemic, to a complete standstill, impacting businesses of all kinds and sizes.
At a time of accelerating weather events due to climate change, highly charged politics and social dynamics, and increases in the number and sophistication of cyber breaches, these types of concurrent events may soon become the norm. And businesses must prepare accordingly.
Conclusion
This new reality calls for a new mindset. Corporations today work hard to plan for specific events – the cyber breach, natural disaster, or active shooter. But it is impossible to predict, prevent, or effectively prepare for countless permutations of polycrises.
So, companies, agencies, and communities need to focus on building flexible teams and processes, strong communications protocols, advanced warning and notification systems, clear decision making, and high-quality, real-time data assets that together will enable them to manage unforeseen multi-crisis events.
In short, if you cannot predict or prepare for everything, you must build a resilience program that will allow you to respond to anything.
This is a departure from the way many organizations operate today: “If a ransomware attack happens, let’s take the cyber plan off the shelf.” But, as 80% of global experts expect either “persistent crises” or “multiple shocks” over the next two years, that’s a luxury we no longer have.