"People court failure in predictable ways."

Dietrich Dorner, psychology professor at Universitat Bamberg, discussed this observation in "The Logic of Failure: Recognizing and Avoiding Error in Complex Situations." This courtship often takes the form of acting before thinking, failing to anticipate, jumping to reactions or proceeding without questioning assumptions. Many of these failure-inducing habits derive from what psychologists refer to as "normalcy bias." Normalcy bias is the human mind's tendency to expect things to continue to occur in the future as they typically have in the past—i.e., to assume matters will proceed "normally." This bias may lead people to underestimate both the likelihood of a crisis occurring, and how bad the disaster may be when it does. Research suggests approximately 70% of people succumb to this bias during a crisis situation.

For better or worse—often, for worse—this bias and the other ways in which people court failure follow those people into business, and often people are less likely to take the lead or become agents of change in the group setting ("groupthink," discussed later).

However, the predictable ways in which failure often befalls an organization present an opportunity for corporate leaders: To anticipate and avoid crises, an organization may develop strategies to assess potential risks, possible pitfalls or openings in the armor, and then combat the ways it courts failure.

This three-part series will explore pragmatic strategies for in-house counsel and business partners to address corporate threats spanning the entire timeline of catastrophes—from anticipating and avoiding crises, to successfully managing real-time business emergencies, to partnering inside and outside the organization and maximizing your organization's ability to learn and grow from a crisis event.

|

Anticipating Crises in Order to Avoid Them

This installment focuses on anticipatory tactics—specifically, two practical strategies for anticipating, assessing and avoiding potential business crises: red teaming and premortems. In tandem, these tactics enable an organization to identify and analyze potential threats before they occur, and then vet the strength of the solutions created to address and avoid them.

While crisis anticipation is universally important and is often seen in response to recessions or recalls, or competitive threats, its significance has perhaps never been clearer than in the midst of the COVID-19 pandemic. While all of the techniques discussed here apply to a crisis like the novel coronavirus outbreak, they are also widely applicable to a variety of other potential calamities.

|

What Is Red Teaming?

War gaming, devil's advocates and penetration testing. While some of its components may sound like the vocabulary of a science fiction novel, red teaming is an effective forecasting method available to organizations interested in identifying potential future crises as a means of preparing to avoid them.

Although often encountered in the context of cybersecurity, red teaming has roots in military tactics and intelligence work. The technique garnered much attention after the September 11 attacks, when Director of Central Intelligence George Tenet created the CIA's "Red Cell"—a group tasked with contrarian thinking about national security on a mission to dispute, challenge and ultimately better the agency and its analysis of intelligence collected. Today, the Red Cell is credited with thwarting numerous terrorist attacks against the United States by employing various red team strategies to anticipate, and avoid, tragedy.

While the definitions of red teaming are as varied as the ways in which the strategy may be tailored to a given organization or situation, we offer the United Kingdom's Development, Concepts and Doctrine Centre's particularly workable definition of this concept, set forth in its "A Guide to Red Teaming:"

"Red teaming is the art of applying independent structured critical thinking and culturally sensitized alternative thinking from a variety of perspectives to challenge assumptions and fully explore alternative outcomes, in order to reduce risks and increase opportunities."

In essence, red teaming is a flexible approach to the cognitive processes of analysis and anticipation, which is bespoke to a particular organization and a particular situation. As noted by the University of Foreign Military and Cultural Studies in "The Red Team Handbook: The Army's Guide to Making Better Decisions," this strategy "uses structured tools and techniques to help us ask better questions, challenge explicit and implicit assumptions, expose information we might otherwise have missed, and develop alternative we might not have realized exist" in order to improve understanding and result in "better decisions, and a level of protection from the unseen biases and tendencies inherent in all of us."

Red teaming strategies are versatile. Here, these tactics once reserved for military operations and cybersecurity readiness are adapted to corporate governance and business planning.

|

Assembling the Red Team

Red team outcomes are only as strong as the goals being defined and the team assembled to generate the anticipated outcomes. When looking to assess and avoid global, existential business disasters, assembling a broad-based team is key. The red team should include in-house members from various corporate departments, in addition to members from the company's outside counsel, consultants and vendors.

From the inside, the company's marketing, corporate security, in-house legal, human resources and IT departments could be probed for red team members. C-suite personnel may be included, bringing with them a wealth of information about the business, so long as their involvement will not inhibit other members' full and complete participation. Less senior red team members cannot be afraid to speak their minds about company policies in front of superiors.

Partnering with external vendors might increase the value of red team exercises. The company could include outside legal counsel, security vendors, forensics and IT support as applicable. External vendor participation diversifies the red team's perspectives, inviting outside opinions regarding the business's strategies and the potential threats to the company, into the analysis.

Red team members should have familiarity with the business and the particular policy or plan to be analyzed, and come equipped with differing areas of expertise, experiences and levels of seniority. This diverse composition will foster creativity and result in the most valuable outcomes.

|

Guideposts for Successful Red Teaming

Before turning to specific red team tactics, a few guideposts—essential to the success of any red team exercises—must be considered. The bases for these guiding principles are derived from the State University of New York, University at Albany, Center for Advanced Red Teaming's best practices for red teaming, upon which we have expanded. Adherence to these guideposts should help to ensure productive red teaming:

  1. The red team must operate independently. For red team activities to be credible and effective, the red team cannot be influenced by forces outside the process. The appearance of influence is also to be avoided. To maximize the free exchange of ideas, participants should operate free of the restraints of typical organization hierarchy. Team members from all ranks must be free to challenge ideas and reasoning without fear of retribution.
  1. Leadership should embrace the red team process. To ensure the red team has all resources necessary to execute the simulation properly, an organization's leadership should be encouraged to "buy into" the red team approach. Support from leadership is also necessary to ensure the results of the red team process are implemented, and ultimately shape the organization's choices moving forward.
  1. Groupthink is the enemy. Groupthink, or the psychological phenomenon of making decisions as a group to prioritize harmony and conformity at the expense of creativity and individuality, will render red team results less valuable. Vigorous efforts should be taken to avoid it. To avoid groupthink, red team members should engage in creative and individualized thinking, and frequently self-reflect to analyze whether groupthink is swaying their participation in any way. Participants should also be cautioned against using phrases that involve the terms "always" and "never," as they are often rooted in groupthink and normalcy bias.
  1. Keep a record. Red team members should thoroughly record problems identified and proposed solutions, to allow an audit trail of the reasoning underlying all decisions. A thorough record will also enable later analyses of what assumptions, if any, may have influenced the red team, and the validity of those assumptions.
|

Putting the Red Team to Work

Literature and studies have identified a multitude of red team strategies. These methods largely serve as systemic forms of devils' advocacy, aimed at challenging accepted ideas and tweaking the way team members think about internal policies and external factors. While the majority of red team strategies may be adapted to the corporate world, the focus here is on two tactics that help predict and anticipate threats.

|

Red Team Technique: Signposts of Change

You do not need tea leaves to know when a potential crisis is coming for your business. You just need to know what the warning signs might look like and the potential avenues of approach.

Before a hurricane arrives on land, the wind shifts and picks up speed, the tide rises, and clouds move in. This red team method enables an organization to identify these types of warning signs for all kinds of potential threats to its business. Equipped with a list of signposts that signal the approach of an impending crisis, the company will be best positioned to evade the threat.

Through this technique, the red team creates a list of indicators or "signposts"—observable events one may expect to see in advance of a certain situation.  These situations usually involve various global or large-scale changes that will affect the company, such as economic reforms, political instability, environmental law reforms, or specific fluctuations in geopolitics. This technique dovetails seamlessly with a second red teaming method: high impact/low probability analysis. This contrarian technique analyzes seemingly unlikely events that would have major policy consequences for the company if they occurred—a global pandemic, the likes of which has not been seen in over a century, is a good example.

Upon completion of signposts of change, the company is equipped with a list of observable phenomena from which to anticipate future large-scale threats. The specific steps for engaging in signposts of change are straightforward and uncomplicated. The red team will:

  1. Identify an event, situation or phenomenon the company would like to be able to anticipate in the future.
  1. Generate comprehensive lists of activities and events expected to precede the situation's occurrence.
  1. Revise and update this list each time the situation occurs or nearly occurs, with new observed signposts that preceded it.

In this second step, the red team must think broadly: Will consumer patterns change in advance of the event, and how? What patterns in media coverage will be seen in advance of it? Will government agencies or competitors in the marketplace be aware of the looming event before you, and what will they do in response? What industry sectors are best positioned to sense the approach of the event, and how will they react?

This red teaming method provides a baseline of indicators from which a company may predict the approach of impending threats. The technique may be applied in the hypothetical, or immediately in the wake of major scale change. When applied hypothetically, the red team is tasked with imagining a potential postulated situation and researching precipitous events that historically accompanied it

When applied in the wake of major scale change, the red team can work in real time to identify what observable phenomena took place in advance of it. This latter approach also enables the red team to connect with boots-on-the-ground experts and observe concurrent discussions of the event and the warning signs that preceded it. The year 2020 is prime time to engage in signposts of change relative to a global pandemic.

|

Red Team Technique: Outside-In Thinking

Once you know how to anticipate a crisis, the next step is to formulate a plan to sidestep the crisis, and another to implement if the crisis is unavoidable. Many corporate employees think from the inside, or about what they can control, in relationship to the outside world. In this method, one of the most popular red team strategies, the team begins by considering external events that may profoundly affect a corporate plan or policy over time. Outside-in thinking helps reduce the risk of overlooking important variables early in the planning process.

Implement this technique in the midst of policy or procedure development. Consistent with the hallmark of many red team strategies, the steps to this method are fairly simple. The red team will:

  1. Form a description of the company plan or policy to be studied. The plan is likely to be in-progress, but the red team should sketch out what is known about it so far.
  1. Identify the key external forces that could have an impact on the plan or policy, including social, economic, environmental, technological, and political forces.
  1. Underscore the external forces over which the company may exert some influence or control to ascertain what strategies may be built into the company policy or plan to negate or account for these outside impacts.

Unlike in signposts of change, through this technique, the red team should focus on smaller-scale issues: a company decision results in litigation; or, a competitor introduces a product to the market before your company's roll-out of a competing design. Acts of God may also be studied through this method, such as a dangerous weather event that damages a processing plant or displaces employees from the workplace. Ideally, the red team should look at both categories of potential issues.

Outside-In thinking invites the external world into the internal policy planning process. Doing so results in more effective policies crafted with a multitude of potentially relevant variables in mind—and the more variables accounted for, the less likely a company will be caught flatfooted in a crisis. Consideration should also be given, within a litigation context, for the discoverability of the exercises, application of self-critical analysis privilege, and how the analysis could be interpreted, misinterpreted—or misused—outside the company. Little to no authority has addressed the discoverability of red team materials at this time.

|

Test the Plan for Vulnerabilities—Premortems

After the red team's efforts result in new or amended policy, a final managerial exercise may help to vet the plan for vulnerabilities. Research shows that organizations often become overconfident once they arrive at a policy or plan. Gary Klein, a Ph.D. in experimental psychology, has studied this phenomenon and recommends a solution: a premortem analysis, which seeks to combat this overconfidence. See Klein's "Performing a Project Premortem," Harvard Business Review. 85(6):18-19 (2007); and "Sources of Power: How People Make Decisions," Cambridge, Mass., The MIT Press (1998).

Instead of analyzing the policy's existing features in a vacuum, a premortem begins from the assumption that the plan has failed. By assuming the plan has already failed, a premortem analysis empowers participants to break ownership with the policy in order to fully exercise skepticism and objectivity—essential traits in any successful premortem. When conducted properly, premortems are as quick to execute as they are useful for analyzing a plan's potential pitfalls.

To begin, the premortem team should be intimately familiar with the plan to be analyzed. This intimacy may be achieved by asking the team members to study the policy for the first time in preparation for the premortem, or by involving team members who were previously involved in the policy's initial creation. A premortem team composed of both types of members is likely to result in the most thorough analysis.

Team members should imagine the plan has failed spectacularly, publicly and embarrassingly. Team members should conceptualize the worst-case fiasco possible. Then, individually and over the course of approximately two to 20 minutes, each team member could quickly jot down every possible reason why the plan may have failed. They should be all-inclusive in their thinking, identifying as many potential reasons for failure as possible. The likelihood of one reason over another is immaterial at this stage; the aim is to cultivate as complete a list of potential vulnerabilities in the plan as possible. Over-inclusion is welcomed; more is better. First conducting this list-making individually ensures the experiences and instincts of each team member are maximally utilized.

The premortem team should then come together to consolidate lists. While recording all ideas, the team discusses each possible reason for failure, one by one. They may find it beneficial to record ideas on a whiteboard or other easily visible medium, so team members may build off previous ideas. The details of why a particular reason may result in the plan's failure should be explored by the group aloud. The discussion will result in a comprehensive list of concerns and potential problems with the policy. At this stage, the team may elect to rank the concerns in order of likelihood it will result in the plan's failure.

Finally, the team revisits the original plan, side-by-side with the list of concerns, and identifies changes needed to mitigate potential vulnerabilities in the plan. The team should be encourage to create a redline version of the existing policy, or write a new one altogether, as they see fit. The creation of branch plans also often accompanies this step.

Each time amendments to the policy are considered, the premortem team's list of potential failures should be revisited. This tactic will keep the possibility of the various kinds of potential failures front of mind, resulting in improved, forward-thinking revisions to company policies and procedures. The premortem team's list of potential failures may also be of use if the organization engages in penetration testing, or mock exercises intended to expose a plan's weaknesses through simulated attacks, in the future to continue to assess and enhance its policies.

|

Conclusion

When used in tandem, red team and premortem exercises may help forecast and evade business crises—but anticipation is only the first step. Not all catastrophes can be avoided. Certain challenging circumstances are unavoidable. Nevertheless, seeking to identify problems early will best position a company to respond and adapt.

Ashley Garry is senior counsel and corporate secretary at Protara Therapeutics. Garry previously worked as counsel at Eli Lilly and Co. and as a law clerk and legislative liaison to the then chief justice of the South Carolina Supreme Court, following graduation from Cornell Law School. Prior to his legal career, Garry served as an officer with the U.S. Army's 3rd Infantry Division and is a recipient of the Bronze Star Medal.

Kaitlyn E. Stone is an associate in Faegre Drinker Biddle & Reath's products liability and mass torts practice group in the Florham Park, New Jersey, office. Stone defends the interests of major pharmaceutical, medical device and med tech companies in products liability cases. She has experience ranging from individual cases to class actions, and the majority of her practice focuses on multidistrict litigations and coordinated state proceedings. Stone also maintains an active pro bono practice, focused primarily on securing criminal expungement for indigent clients and veterans in New Jersey.

Michael C. Zogby is a partner and deputy leader of the products liability and mass torts group at Faegre Drinker. Zogby also serves as co-chair of the firm's health and life sciences litigation team. His trial and crisis management practice includes the defense of global clients in highly regulated industries in cross-border, complex litigation, mass tort, intellectual property, data privacy and products liability actions filed by consumer and government parties. He is a graduate of William & Mary School of Law.