Author

Saul Midler

This topic does challenge and, in some cases, frustrate practitioners because different people view the concept of Risk Management (RM) and its relationship to Business Continuity Management (BCM) differently.

In simple terms; RM is focussed on prevention, while BCM is focussed on a cure.

For example, Risk Management would view the lack of fire extinguishers in a paper factory as high risk and recommend fire extinguishers be installed to reduce the risk of losing everything in a fire. BCM would not be so concerned about the inadequacy of fire extinguishers, but rather, how to deal with the loss of the machinery that produces the paper (and the loss of other resources) regardless of the event that caused the loss.

Risk, by definition, is the chance of something happening that will have an impact upon objectives. It is measured in terms of consequences and likelihood. (Australian Standards AS4360)

The concept of consequence is reasonably straight forward and relates to the resulting outcome (one or many) of an event expressed qualitatively or quantitatively, being a loss (eg $500,000 per day), injury (eg 12 people in Hospital and three people are dead), disadvantage (eg loss 12.5% market share) or gain.

The concept of likelihood is not as straightforward and requires you to be part believer and part sceptic. You need to believe that some event will happen and you need to be sceptical enough to challenge the reality of that belief. This really requires an emotional response via the concept of chance or probability. Some readers will no doubt like to challenge this point by suggesting that it is possible, with great certainty, to use history to accurately predict the future. This is done through statistics.

It is true that in certain circumstances statistics do provide valuable insight. For example, if over the past three years it is proven that 3.5% of credit card applicants default and, of that, 20% is recovered, then the decision may be taken to tighten the credit decision criteria.

But what about lotto? If the numbers four, eight, 15, 16, 23 and 42 were actually the most drawn numbers in the history of your local Lotto operator, would that provide any comfort in speculating whether those numbers will be drawn in the next game? What if those numbers were actually the least drawn numbers, would that suggest a different position?

The concern is that Risk Managers have become too dependent on statistics (e.g. 1 in 50 chance, 1 in 100 years etc) to predict an outcome and they apply that approach to domains such as Operational Risk Management where, in reality, the statistic has little applicability.

The following example highlights how quantitative statistics doesn’t assist in developing a risk position that has meaning.

Consider fire incident data collected over the last 10 years by the Fire Brigade. This data can be filtered to highlight the number of fires that happened within a 3km radius of your Head Office building. Of those incidents, the data can be further refined to identify those that resulted in a building evacuation of over one week. Would that actually assist in understanding the likelihood of your building having a fire in the next 12 months, 12 weeks or 12 days?

There is another dimension that also receives some attention: Compounding Risks. Again, impact is easy to quantify, however, what is the likelihood that an ex-employee tailgates back into the office and logs into the network and maliciously damages the business? That is;

• 1 in 365 days (i.e. a disgruntled ex-employee attacks once per year) by
• 1 in 10 (i.e. disgruntled ex-employee that wants to cause damage) by
• 1 in 90 days (i.e. longest period that an inactive network account might expire) = 1 chance in 328,500;

So what should be done about this?

Putting the statistical element to one side for the moment, the whole approach to Risk Management, as AS4360 suggests, requires the development of the evaluation to be based on an event. But what event? Which event? Do we need to evaluate the risk against EVERY possible event or scenario? This is where the new school of thought delivers a more cost effective and pragmatic view of the business’s need than the old school.

Scenario Planning does NOT have a role to play in defining MAOs, MTOs, RTOs, MTPDs and business continuity strategy development. Pragmatically, it’s impossible to think of all the plausible scenarios that could be detrimental to the business. Even a workshop with the most knowledgeable managers from across the organisation will still not deliver a complete list of possible causes. As such, there will be some exposure.

As an accredited consulting practitioner, the thought of someone having to develop strategies, procedures and capabilities to mitigate each scenario is horrific. Even if the scenarios were arranged into themed groups (eg, Denial of Access due to; flood, storm, fire, protest etc) the organisation will still be exposed and have a document maintenance challenge on their hands.

On balance, Risk Assessment is important and the concept of ‘likelihood’ has a valid role. If the metric of likelihood is developed with the right balance of belief and scepticism then Risk Assessment becomes a comparative tool to prioritise your response to the exposures – i.e. preventative action. However it is very important to note that the implementation of risk mitigation strategies cannot deliver zero residual risk – even if you spent significant amounts of money (eg generate your own power, water, supplies, subject matter experts, duplicate your capacity in a distant geographic location etc). As a result, we need BCM.

The term Business Continuity Management consists of three concepts:

1. Business driven
2. Continuity capability
3. Management process

The continuity reference means that an organisation can continue to deliver critical product or services, regardless of any operational disruption. Two key sub-points here is to recognise that:

1. Not all product or services need to be restored (ie continue) – just the critical ones. If you have the time, manpower and money, then no objections from me; expand the scope.
2. You can’t build BC capability to respond to just the things you believe might happen. This is about being protected from any operational disruption.

While Risk Management is a discipline that reduces the likelihood of incurring such a disruption, the fact remains that the possibility exists that the disruption will be realised. When the disruption does strike, the realisation will be made that something has been lost or unavailable. In other words, a Business Function stops if one or more of its critical resources become unavailable. This could be people, software server, e-mail, G Drive, WAN link, colour printer, building, drilling bit, lathe, conveyer belt, diesel fuel, heat shrink machine, -80oC refrigerator, helicopter etc. The speed of business recovery is directly tied to the speed of resource replacement (note: a workaround is typically a temporary resource replacement).

New School of thought is gaining greater acceptance in the BC community. Resource Dependency Analysis (RDA) identifies what that restoration profile is for critical resources. Consider a call centre that normally operates eight pods of four workstations (i.e. 32 call takers). Should the call centre become non-operational due to some devastation then the call taking function may be relocated to an alternate location. The RDA would identify that an acceptable ramp-up of call taking capacity might be the establishment of one pod at T+4 hours, three Pods at T+3 days, two Pods at T+5 days etc. This will allow the Business Function to increase its operational capacity over time without jeopardising the business.

More recently, New School organisations have extended the RDA method to undertake DRA (i.e. Destination Resource Analysis). Here, an organisation identifies the destination location for a Business Function and then documents the capacity or availability of the required resources that are at that destination. For example, the destination location for the call centre described above already has 24 workstations in clusters of four (although not in a pod config). There is also a meeting room that could comfortably take another 12 workstations although those workstations would need to be sourced. The DRA would document 24 workstations and identify a shortfall of 12 requiring a procedure to source, install, configure and test them. As an aside, when searching the market for a BCM software package, the RDA and DRA type functionality should be high on the needs list since this functionality is of significant benefit to the strategy development stage of the BC cycle.

The benefit of the RDA/DRA approach is that the cause of the disruption is irrelevant. A procedure will exist to restore the business function by way of restoring the required resources.

From a methodology perspective, consider BCM as the link between Enterprise (i.e. Holistic) Risk Management and Operational Risk Management.

Corporate RM is most suitably positioned to deliver a comparative assessment of the risks on the organisation across a wide variety of disciplines or Risk Categories e.g. Financial Control, Reputation, Regulatory Compliance, Legal, Health & Safety, Regulatory etc including Business Operations (i.e. how exposed is the organisation by the level of appropriateness or substantive nature of its BC capability).

The Risk Assessment process requires the establishment of various risk tables or matrices. The scale and definition of Consequence, Likelihood and the intersecting Risk Rating for each matrix would be defined commensurately with the nature of the Risk Category and its applicability to the organisation.

With specific reference to the Risk category of Business Operation, should it be identified that the organisation is exposed then the BCM program would address this exposure by:

• Defining/confirming
• Business Functions
• Time Sensitivity order(via Business Impact Analysis) to identify Mission Critical Activities.
• Defining/confirming critical Resources required to enable those Mission Critical Activities to produce their outputs
• Undertake an Operational Risk Assessment to identify the relative exposures underpinning the organisations dependency on critical Resources.

The danger of undertaking an Operational Risk Assessment before the BIA / RDA activity is that a business case may be built to remediate the biggest operational risk without realising that it doesn’t relate to the most time-sensitive business function.

Think about 9/11 where some 320 companies that failed to return to business, 2800 workers died and 135,000 workers lost their jobs. In contrast to this, many organisations did recover and continued operations. These include:

• Cantor Fitzgerald lost 658 staff and resumed operations two days later
• Morgan Stanley with 3,500 staff over 17 floors
• NY Port Authority with 2,000 staff over 23 floors

Without knowing it, New School thinking saved these organisations. No one could possibly have thought of the scenario that two aeroplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The organisations that did survive did so because they adopted a Resource Loss philosophy that included office facilities, equipment, technology systems and of course staff.

“Sorry – We didn’t think of that occurring!!” Is not something you can say to your stakeholders.