Public Crisis Management as Operational Risk Management in the Public Administration Domain

A. Issues: operational risk, resource security and business continuity constitute a joint triad that pragmatically captures the essence of challenges related to the variability of the conditions involved in the provision of public services by or on behalf of public administration (so-called social logistics). The concept of the triad is used to emphasize that in practice these three issues are inseparable. Operational risk is assessed to determine the nature and scale of threats and vulnerabilities. This assessment shows how and to what extent security can be guaranted and the business continuity plans complement the safeguards. This concept is described in [1]. The practical classification of operational risk types is given in the same publication. Its criteria integrate resource and process approaches in management as well as supporting risk analysis, which means that based on the types of risk indicated in it, one can be assured that the analysis is complete, i.e. that no significant aspect of threats and risks has been omitted.

B. To monitor risk, using a four-layer learning approach, integrating four management concepts (this approach is described in [2] is suggested. These are, starting from the basic level:

a) Organizational layer (strategy, structure, audit) - perspective of system management theory,
b) Operational layer (disclosure, collection, codification, sharing and knowledge management) - perspective of process management theory,
c) Content layer (from hidden to explicit knowledge) - perspective of resource management theory,
d) Intellectual layer (socialization of knowledge, interpersonal relations, interpretation of content) - perspective of behavioural management theory. Risk monitoring should be supplemented with a domino effect simulation mechanism to identify threats that cause a rapid increase in the financial and non-financial effects of threats. Such simulations can be performed using the adverse event scenarios generation method [3].

C. The method of formulating decision problems can be used to indicate the required actions and safeguards under the chosen scenario of response to interference [4]. It allows to indicate decision areas resulting from considered threats and then to make simple decisions based on possible reactions to the threat. This method indicates those safeguards most likely to reduce the level of risk or at least maintain its level in the assumed range. In addition, a four-variant method is suggested for designing scenarios for responding to disturbances and ensuring business continuity. This division into four results from two main criteria for assessing the intensity of operational risk, i.e. strength of impact and frequency of impact, and are as follows [1]: tolerance, monitoring, prevention, preparation of business continuity plans.

D. Regarding key services provided by or on behalf of public administration, which are dependent on the efficiency of socalled critical infrastructure of the state [5], a nine-module risk analysis method is recommended as the basis for the design of security and response solutions (business continuity plans). This method is described in [6]. In determining the readiness of the local community to deal with a crisis, it is recommended to distinguish between two risk categories. The first is that of a hazard being an independent and therefore unpredictable threat. The second is the risk of a crisis, which can only happen after the threat first occurs. This risk is therefore a dependent one and its size is a correlation of three factors: vulnerability of the local community, prepared resources and the scale of the expected event. The risk of a crisis in relation to the local community is equivalent to the operational risk that occurs in organizations. To measure it, a crisis situation matrix can be used [7].

E. Then, in relation to determining the readiness of the local community to deal with a crisis, a five-step methodical planning procedure is recommended to ensure the ability to undertake rescue operations [8,9]. In improving the activities undertaken in the operational risk management process and as part of the public crisis management process, the use of specialised maturity model is recommended, which are defined as layered structure and indicates the direction of organizational improvement [10].

Treating risk and risk management as separate scientific issues has been undertaken since the 1920s, the first significantly example being the classic dissertation of Frank Hyneman Knight [11]. The most significant milestones in the development of theory and good practices of risk management are experiences from: large military operations of World War II; the Apollo space program; tackling natural disasters; struggling with economic crises since the 1970s and in the 21st century, including the development of the Basel Committee’s recommendation for banks and corresponding recommendations of other entities for insurers and capital market participants [12-14]. The Basel Committee’s achievements include identifying the structure of risk types and isolating operational risk among other types. It is understood as being the possibility of losses resulting from the unreliability of processes or resources of the organization. Operational risk has a much broader application than just within the financial sector. It applies to all planned human initiatives and, in relation to organized and collective activities, concerns economic and administrative entities. However, it transpired that the concepts of risk protection on the basis of determining the financial level of risk and the corresponding socalled capital adequacy [15] (i.e., the amount of financial, capital or insurance reserves needed) are not sufficient. What’s more, that ‘financial’ approach does not explain the true nature of such risks, because seeing them through the effects only indicates how much money is required to avoid the fear of threats.

It was helpful to use the logic of technical reliability in terms of classic management, which was scientifically shaped within the engineering community at the turn of the 19th and 20th centuries [16], when the foundations of the theory of technical reliability were also formed. From the engineering understanding of reliability, it follows that the limited usefulness of the ‘financial’ approach for the business and administrative sphere results from focusing prudent treatment on therapy and postponing prevention. Within the spheres of services provided by public administration, in assessing the effectiveness (or vice versa - unreliability) of social logistics services, the issue of operational risk is rarely taken directly into account. Meanwhile, the whole concern of controlling the consequences of public service disruptions (public crisis management) is analogous to operational risk management and it is beneficial to use good methodological practices that come from the business sphere. The main difference lies in the much less formalized relationships between participants in these services - beneficiaries (mainly citizens), suppliers and other stakeholders. This is why the public sphere is even more difficult to organize. In addition, the services designated with providing assistance are involved in resolving crises, which means that their formal hierarchy and stringent procedures can conflict with the casual relationships of other participants.

Operational risk is defined as ‘the possibility of the loss of material and reputation and legal liability resulting from inadequate or failed processes and their essential resources (personal, material, information and financial) and the disruption emerging as a result of the impact of internal and external threats’ [1]. They are divided into 28 types based on three criteria. The first is related to the nature of the processes (basic, auxiliary, management) implemented by the organization. The second takes into account the main categories of threats that may interfere with the proper conduct of processes. The third relates to possible vulnerabilities from the perspective of resource types. Such arrangements are derived from studies of good practices in the field of ensuring security and business continuity [1]. The analytical approach to such risk consists of adopting three perspectives: possible causes (in terms of threats), possible mechanism of vulnerabilities with threats and possible effects. Determining the causes and vulnerabilities fosters adequate preparation of security solutions [1]. Determining possible effects permits the preparation of scenarios to ensure business continuity [1].

In maintaining a balance between direct security solutions and solutions for ensuring business continuity, it is helpful to use the analogy of the theory of technical reliability [17,18]. The essence of striving for technical reliability is the service of the devices to ensure their technical condition suitable for the implementation of production and service processes. Ensuring the continuity of technical systems can be implemented as [19,20]:

a) Reactive maintenance - repair of equipment / systems when they cease to be functional,
b) Preventive maintenance - reducing the probability of failure by the early replacement of those components considered potentially weak or vulnerable,
c) Predictive maintenance - maintenance and repair activities before a failure occurs, which is achieved by the systematic monitoring of deterioration of parameters,
d) Corrective maintenance – constantly implementing improvements to increase resilience.

Administrative systems, although more ambiguous, are organizationally similar to technical systems, which means that the rules for seeking effective solutions combining preventive processes with a corrective approach are very similar. Social logistics describes how to organize and manage the delivery of key services to society. Part of it is public crisis management, which deals with anticipating instances where the provision of public services becomes difficult or impossible as a result of various types of disturbances with varying degrees of impact [21]. This includes the need to identify threats, analyse and assess risks, and take measures to secure and maintain the continuity of public services. There is a clear analogy between public crisis management (referring to the community functioning within a certain administrative area with its public authorities) and operational risk management within a single enterprise [21]. Risk characterization in the business sphere and the sphere of public administration (in causal, vulnerability and effect terms), its assessment and the course of preventive and remedial procedure are identical in principle. Also, the rules for managing and creating organizational structures responsible for managing risk are similar

The ability to respond to risk is to be a feature of a vulnerable system, not to be derived from the competence of a single element of a system. In particular, the causal approach allows one to hedge against risk and improve the practice of one’s current risk-taking action. On the other hand, the effective approach allows the preparation of methods and resources of remedial proceedings in the event of a crisis. There are two differences. Firstly, a single organization or enterprise is a much more homogeneous society than a community that is protected from crises. Secondly, in crisis management in business, the main criterion for assessing the considered options for preventive and corrective action is efficiency from the perspective of the entire organization and its business. However, in public crisis management, the main criterion is the effectiveness of the solutions considered, especially when it comes to people’s safety in general and lives and health in particular, and efficiency is less important.

The social scope of public crisis management is reflected in the four categories of stakeholders directly involved. These are: services designated to provide assistance (especially fire brigade, police, ambulance service, but also municipal guard, water and mountain emergency services, etc.); critical infrastructure of the state operators (energy, gas, road, rail, telecommunications, etc.) [5]; public administration bodies (including crisis management centres) and local communities and their organizations [21]. This means that public crisis management is an extraordinary public service provided as part of social logistics as a guarantee that the public administration can maintain the expected level of ordinary public services or to be able to restore them quickly.

The studies of the adaptation of operational risk management to public crisis management were conducted according to the action-research method with triangulation of both methods and researchers, as well as of case-studies method of specific projects for the development and implementation of operational risk management systems. This was accompanied by analyses of international literature sources, legal regulations and professional best practice descriptions. These studies concerned the issue of the operational risk triad in business entities, the issue of public crisis response plans and social logistics and as part of that last - public crisis management integrated with the EU Civil Protection Mechanism [22].

As part of research on the operational risk triad in the formula of action-research, observations were carried out during projects to implement organizational systems for managing such risk and develop specific solutions to secure and ensure business continuity. The projects lasted from half a year to three years, which was due to the size of the surveyed organizations, the largest at that time employing over 100,000 employees and had over $50 billion under management. In total, the research concerned 10 financial institutions (4 banks, 4 insurance companies, 1 stock exchange and 1 guarantee fund); 2 food industry corporations, 1 nationwide telecommunications operator and 4 entities of national public administration. Then, these projects were analysed and compared in the case-study formula. In turn, as part of research on crisis planning, good practices of Polish services designated to provide assistance (whose activities are coordinated by the fire service) and good practices of several other EU countries, were examined, all in cooperation with the Polish Government Centre for Security. At the same time, reflections were made on the proper placement of these issues in the theory of social logistics.

As a result of this research, the following were developed:
A. Systematics of types of threats and types of operational risk for identifying threats and analysing this risk [1],
B. Operational risk assessment methodology for business entities [1],
C. Methodology for risk assessment in the protection of critical infrastructure of the state [6],
D. Methodology for civil emergency planning and rescue and using data in civil planning and crisis reporting [4,23],
E. Methodology for managing the security of critical infrastructure of the state [3],
F. Maturity model of risk management in public crisis management [24].

The research was financed from the public budget of the National Centre for Research and Development (agency of the Polish Ministry of Science and Higher Education) in the form of grants for a total amount of about $2.3 million.

The partly inadequacy of the financial approach to operational risk is repeated in the case of social logistics and public crisis management. On the other hand, the theory of operational risk turns out to be fully adaptable to the tasks of social logistics and allows to better explain the issues of ineffective provision of public services, which depend largely on the technical efficiency of critical infrastructure systems of the state, and on the good organization and cooperation of entities responsible for these services. However, there are new challenges. The first is to control the problems arising from the social context, i.e. the need to refer to local communities as the beneficiaries of public services, and in the event of a crisis its potential victims. This condition can be determined as follows:

a) Many public crisis management solutions have a tradition, perpetuated in habits sometimes referred to as civil defence, which results in the side of public authorities the expectation of citizens’ subordination and in their turn passive side waiting for the effective operation of administration and services [25];
b) Therefore, a formal approach dominates, primarily referring to legal regulations (which are often ineffective in view of the atypical circumstances of many critical events) and there is a lack of sufficient methodological support which will be scientifically stable and open to social activation;
c) The practice is shaped to a dominant degree by the services designated to provide assistance, especially the fire brigade.

The second challenge is the interdependence of critical infrastructure systems of the state, because complicated relationships exist between them which affect the efficiency of operation and in critical situations even the phenomena of the cascade (or domino) effect [3,5,26-28]. The domino effect can be simulated using features of critical infrastructure, i.e. the functional dependence of resources and threats to which elements of this infrastructure are susceptible. The use of knowledge about these dependences allows one to build a system of related elements of critical infrastructure, under which adverse events scenarios can be implemented.

The convergence of the theory of reliability with the science of public crisis management, whereby the theory of reliability [18] is used as a model for an analogy, occurs on four levels:

A. General approach assuming that human creations are imperfect and unreliable, which applies to both technical and social systems
B. Extensive technical systems which are the systems of critical infrastructure of the state, whose efficiency is the subject of considerations of the theory of reliability against the background of system theory
C. Individual critical infrastructure devices of the state whose reliability is a direct subject of consideration of classical reliability theory
D. Methods and techniques developed by the theory of reliability, so far related to the issues of effective operation of technical devices and systems, and representing potential value for ensuring the effective functioning of public crisis management organizational systems.

One of the key functions in management theory is planning and one of the basic types of plans at the operational level, in addition to permanently binding plans and one-off plans, is contingency plans [29]. These should minimize losses associated with the occurrence of a disruptive situation for the organization, protect resources and ensure a return to normal operation as soon as possible. Initially, contingency plans were developed for manufacturing companies, then other business entities and now they also apply to organizations providing key public services. Even more important than contingency plans, however, is the prevention of failure. And here the example of striving for technical reliability is the most valuable. In special cases, instead of focusing on the reliability of technical resources, one can focus on finding ways to compensate for downtime, which are described by method of Total Productive Maintenance (TPM) [30]. TPM is considered the most effective approach to maintaining the reliability of production systems as a development of the preventive maintenance system [19] and involves employees ensuring the technical efficiency of machines, devices and instrumentation. Reading the above paragraphs, a simple idea arises in replacing the words ‘machinery, equipment, instrumentation’ with the terms ‘public services, public organizations, community’. Unexpectedly, such a transformation renders the text valid, but now in the public sphere of human activity.

The manuscript signals the relationship between methodical operational risk management and public crisis management [6] as ensuring the reliability of public service delivery systems with the existing reliability of technical systems. The order of analogies between the theory of reliability and the title concepts of management is that the first is to use the approach of reliability theory in shaping the approach to operational risk and only then can public crisis management use the achievements of both. The issue of technical failures, their causes and effects, is inscribed in the practice of engineering behaviour and extensive experience verifies scientific findings as well as forming professional good practice in the design of devices and systems with assumed reliability, as well as the creation of organizational and operational solutions taking into account the expected failure devices. Analogously advanced theory regarding the efficiency of business and administrative entities was missing for a long time. Their efficiency is violated by the impact of operational (largely organizational) risk factors, i.e. threats to which the organization is vulnerable. The analogy is obvious when the problem becomes the subject of analysis in the engineering approach. The tradition of management sciences connects them with technical sciences and contemporary achievements are solutions under the concept of operational risk management and public crisis management. The primary reason is the resource nature of most of the challenges which both concepts face. The thing is that operational risk, in essence, lies in the possibility of losing resources or their usefulness, a typical example of which is the failure of a device or technical system relevant for the provision of a public service.

The referred research adopted a dual approach to operational risk, indicating that analysing it must distinguish between causes, when the sources of threats and the characteristics of the vulnerability of resource and organizational solutions are important and effects, when the challenge is to deal with the disruption. In particular, the principles of corrective maintenance, developed for technical systems, involving the reconstruction of existing systems in order to reduce their susceptibility to interference, are unusable in risk management. Maintaining the reliability of both technical and social systems clearly requires skilfully-applied human involvement. The process of adapting the achievements of reliability theory to social systems is only just beginning and takes place according to top-down logic. The manuscript presents the first step - adopting the same logic of reasoning. An open challenge is further work on adapting the achievements of reliability theory to maintain social services and manage their continuity of service.

Public crisis management as an interdisciplinary problem is no longer a simple continuation of civil defence [25]. One can see from analysing the structures of EU countries’ expenditure on institutions responsible for internal security (police, army, civil defence), that expenditures devoted to the police are rising to equal expenditures on the army, thus proving the growing importance of internal security. Civil defence is marginalized in most countries [9], but there is a visible trend towards a pragmatic attitude towards the crisis, i.e. involvement and self-organization of any given community. Two perspectives are important:

a) This particular community and its organization,
b) Entities that operate elements of state infrastructure systems located in the area of this community.

This indicates the need for such a view on public crisis management, which includes social and technical sciences. Research has confirmed that it is justified that public crisis management (a set of exceptional tasks carried out in the public sphere by public authorities and units of relevant services) is used on the basis of close analogy with the scientific achievements of the latest operational risk management theory. It should be emphasized that the base of public services implemented as part of social logistics is the critical infrastructure of the state, predominantly composed of complex infrastructure, technical and logistic systems.

The developed methodologies are open, which means that they outline the framework and provide guidelines for recommended procedures and assume that a specific user, by adhering to them, will give them a profile consistent with local conditions and will strengthen their impact by implementing processes:
A. Systematic development of methodologies in a version dedicated to its conditions,
B. Management of acquired knowledge about threats and risks,
C. Knowledge management about the social, technical and organizational context of the functioning of critical state systems and social logistics services.

Activation of the community (counties, regions, districts) is the pillar of the attribute of openness. Hence, in terms of methodology:
a) The regional foresight approach was adapted [31],
b) The concept of knowledge management was used [2,32], seeing the power of methodology in collecting and organizing experiences,

It was pointed out how in a socially and professionally heterogeneous and partly nonprofessional society, one can use the principles of building an analytical and design team, using classic techniques of stakeholder analysis, assessment of competences and stimulation of creativity [33].

1. Zawila-Niedzwiecki J (2014) Operational risk as a problematic triad: risk - resource security -business continuity. Krakow: Edu-Libri.
2. Zawila-Niedzwiecki J (2015) Structuring knowledge management (part 1 and 2). Foundations of Management 1: 253-266.
3. Wisniewski M (2020) Methodology of situational management of critical infrastructure security. Foundations of Management 12(1): 43-60.
4. Wisniewski M (2019) Application of matrix equations in the aida method. Foundations of Management 11(1): 267-276.
5. Ouyang M (2014) Review on modelling and simulation of interdependent critical infrastructure systems. Reliability Engineering & System Safety 121: 43-60.
6. Kosieradzka A, Zawila-Niedzwiecki J (2017) Advanced risk assessment methodology in public crisis management. Warsaw: Monographic Series of the Faculty of Management at the Warsaw University of Technology.
7. Skomra W (2017) Risk management as part of crisis management tasks. Foundations of Management 9(1): 245-256.
8. Kunikowski G, Kosieradzka A, Kakol U (2019) Methodology for the preparation of rescue plans - a Polish case study. Disaster Prevention and Management 29(3): 313-321.
9. Kunikowski G, Rostek K (2017) Good practices in civil planning and crisis management in the world and their implementation in Poland. Jagiellonian Journal of Management 3(3): 135-150.
10. OGC (2010) Management of risk: Guidance for practitioners. TCO, London.
11. Knight FH (1954) Risk, uncertainty and profit. Kelley & Millman, New York, USA.
12. The Basel Committee on Banking Supervision (BCBS).
13. Directive 2009/138/EC of the European Parliament and of the council of 25 November 2009 on the taking-up and pursuit of the business of insurance and reinsurance (Solvency II).
14. Directive 2014/65/EU of the European Parliament and of the council of 15 May 2014 on markets in financial instruments and amending directive 2002/92/EC and Directive 2011/61/EU (MiFID).
15. Galati R (2003) Risk management and capital adequacy. McGraw-Hill Education, New York, USA.
16. Cummings S, Bridgman T, Hassard J, Rowlinson M (2017) A new history of management. Cambridge University Press, Cambridge, UK.
17. Birolini A (2017) Reliability engineering. Theory and practice. Springer, Basel,
18. Todinov (M) 2016 Reliability and risk models: Setting reliability requirements. Wiley, New York, USA.
19. Agustiady TK, Cudney EA (2018) Total productive maintenance. Total Quality Management & Business Excellence.
20. Hill T (2005) Operations management. Palgrave Macmillan, New York, USA.
21. Zawila-Niedzwiecki J (2016) Crisis management in social logistics. In: Jaki A, Rojek T (Eds.), Effectiveness and competitiveness of modern business. Concepts - Models – Instruments, Foundation of the Cracow University of Economics, Krakow, Poland, pp. 99-106.
22. Decision 2019/420/EU of the European Parliament and of the council of 13 March 2019 amending decision no 1313/2013/EU on EU civil protection mechanism.
23. Ostrowska T, Krupa T, Wisniewski M (2015) Dynamic hazards in critical infrastructure of the state. Foundations of Management 7: 143-158.
24. Smagowicz J (2020) Public crisis management maturity model. Foundations of Management [in preparation].
25. Alexander D (2002) From civil defence to civil protection - and back again. Disaster Prevention and Management: An International Journal 11(3): 209-213.
26. Alcaraz C, Zeadally S (2015) Critical infrastructure protection: Requirements and challenges for the 21st century. International Journal of Critical Infrastructure Protection 8: 53-66.
27. Chen Y, Milanovic J (2017) Critical appraisal of tools and methodologies for studies of cascading failures in coupled critical infrastructure systems. 7th IEEE International Conference on Smart Technologies, Conference Proceedings, pp. 599-604.
28. Bloomfield R, Popov P, Salako K, Stankovic V, Wright D (2017) Preliminary interdependency analysis: An approach to support critical infrastructure risk assessment. Reliability Engineering & System Safety 167: 198-217.
29. Griffin R (2016) Management. Cengage Learning, Boston, Massachusetts.
30. Shirose K (1992) TPM for supervisors. Productivity Press, Portland, Oregon.
31. Battistella C, Pillon R (2016) Foresight for regional policy: Technological and regional fit. Foresight 18(2): 93-116.
32. Baskerville R, Dulipovici A (2006) The theoretical foundations of knowledge management. Knowledge Management Research and Practice 4(2): 83-105.
33. Carayannis EG (2013) Encyclopedia of creativity, invention, innovation and entrepreneurship. Springer, New York, USA.