News | September 3, 2010
Scenario planning v resource loss planning
 
You'll never be able to predict all the things that can possibly go wrong, says Saul Midler. Instead, you need to focus on how you get your critical systems back up, whatever the cause of their failure.



Better costing of resource loss needed



This topic does challenge and, in some cases, frustrate practitioners because different people view the concept of risk management (RM) and its relationship to business continuity management (BCM) differently.

In simple terms, RM is focussed on prevention, while BCM is focussed on cure. For example, risk management would view the lack of fire extinguishers in a paper factory as a high risk and recommend they be installed to reduce that risk. BCM would not be concerned about the lack of extinguishers, but about how to deal with the loss of the machinery that produces the paper (and the loss of other resources), regardless of the event that caused the loss.

Risk, by definition, is the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.

The concept of consequence is reasonably straightforward and relates to the resulting outcome (one or many) of an event, expressed qualitatively or quantitatively, being a loss (for example $500,000 per day), injury (such as 12 people in hospital and three people dead), disadvantage (for example loss of 12.5 per cent market share) or gain.

The concept of likelihood is not as straightforward and requires you to be part believer and part sceptic. You need to believe that some event WILL happen and you need to be sceptical enough to challenge the reality of that belief. This really requires an emotional response via the concept of chance or probability.

Some readers will no doubt like to challenge this point by suggesting that it is possible, with great certainty, to use history to accurately predict the future. This is done through statistics.

It is true that, in certain circumstances, statistics do provide valuable insight. For example, if over the past three years it is proven that 3.5 per cent of credit card applicants default and, of that, 20 per cent is recovered, then the decision may be taken to tighten the credit decision criteria.

But what about lotteries? If the numbers 4, 8, 15, 16, 23 and 42 were the most drawn numbers in the history of your local lottery operator, would that provide any comfort in speculating whether those numbers will be drawn in the next game? What if those numbers were the least drawn numbers? Would that suggest a different position?

The concern is that risk managers have become too dependent on statistics to predict an outcome, and they apply that approach to domains such as operational risk management where it has little applicability. The following example highlights how quantitative statistics don't assist in developing a risk position that has meaning.

Consider fire incident data collected over the past 10 years by a fire brigade. This data can be filtered to highlight the number of fires that happened within a 3km radius of a specific office building. Of those incidents, the data can be refined to identify those that resulted in a building evacuation of more than one week. Would that help in understanding the likelihood of that building having a fire in the next 12 months?

There is another dimension that also receives some attention: compounding risks. Again, impact is easy to quantify; however, what is the likelihood that an ex-employee tailgates back into the office AND logs in to the network AND maliciously damages the system? That is:

1 in 365 days (ie one disgruntled employee a year) by

1 in 10 (ie a disgruntled ex-employee that wants to cause damage) by

1 in 90 days (longest period before an inactive account might expire)

= 1 chance in 328,500.

So what should be done about this?

Putting the statistical element to one side for the moment, the whole approach to risk management, as Australian and NZ Standard 4360 suggests, requires the development of the evaluation to be based on an event. But what event? Well that’s the EBITDA-dollar question (presumably your company is worth more than $64,000) and where the new school of thought delivers a more cost-effective and pragmatic view of the business’s need than the old school.

Scenario planning does NOT have a role to play in business continuity strategy development, although it does play a role in exercising your BC capability.

Pragmatically, it’s impossible to think of all the plausible scenarios that could be detrimental to the business. Even a workshop with the most knowledgeable managers will still result in some exposure.

Furthermore, the thought of someone having to develop strategies, procedures and capabilities to mitigate each scenario is horrific. Even if the scenarios were arranged into themed groups (eg, denial of access due to: flood, storm, fire, protest etc) the organisation will still be exposed.

On balance, risk assessment is important and the concept of likelihood has a valid role. If the metric of likelihood is developed with the right balance of belief and scepticism, then risk assessment becomes a comparative tool to prioritise your response to the exposures – ie preventative action.

However it is very important to note that the implementation of risk mitigation strategies cannot deliver zero residual risk – unless, of course, significant amounts of money are spent. For example you generate your own power, water, supplies, subject matter experts, and duplicate your capacity in a distant geographic location. Thus, we need BCM.

The term business continuity management consists of three concepts. The continuity reference means that an organisation can continue to deliver product or services, regardless of any operational disruption.

While risk management is a discipline that reduces the likelihood of incurring such a disruption, the possibility still exists that the disruption will be realised. When the disruption does strike, the realisation will be made that something has been lost or is unavailable. In other words, a business function stops if one or more of its critical resources become unavailable.

These could be people, a software server, e-mail, the G-drive, the WAN link between your site and the data centre, a colour printer, the building, or cheques. The speed of business recovery is directly tied to the speed of resource replacement (note: a workaround is typically a temporary resource replacement).

A new school of thought is gaining greater acceptance in the BC community. Resource dependency analysis (RDA) identifies what that restoration profile is for critical resources.

Consider a call centre that normally operates eight pods of four workstations (ie 32 call-takers). Should the call centre become non-operational due to some devastation, the call-taking function may be relocated. The RDA would identify that an acceptable ramp-up of call-taking capacity might be the establishment of one pod at T+4 hours, three pods at T+3 days, two pods at T+5 days etc. This will allow the business function to increase its operational capacity over time without jeopardising the business.

More recently, organisations implementing the new school of thought have extended the RDA method to undertake DRA (destination resource analysis). Here, an organisation identifies the destination location for a business function and then documents the capacity or availability of the required resources that are at that destination.

For example, the destination location for the call centre described above already has 24 workstations in clusters of four (although not in a pod configuration).

There is also a meeting room that could comfortably take another 12 workstations, although those workstations would need to be sourced. The DRA would document 24 workstations and identify a shortfall of 12 requiring a procedure to source them. As an aside, when searching the market for a BCM software package, the RDA and DRA type functionality should be high on the needs list because this functionality is of significant benefit to the strategy development stage of the BC cycle.

The benefit of the RDA/DRA approach is that the cause of the disruption (ie one that might be developed as a planning scenario) is irrelevant. A procedure will exist to restore the business function by way of restoring the required resources.
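As an added illustration of the RDA/DRA method above (example code written for this article, not a tool from the author or his company), the following models the call centre's restoration profile as a list of ramp-up steps and checks it against the destination site's workstation stock. The ramp-up figures extend the article's 1/3/2-pod profile with an assumed final step to full capacity, and the shortfall figures are therefore constructed rather than the article's own.

```python
"""Resource dependency analysis (RDA) restoration profile checked against a
destination resource analysis (DRA) capacity record.

Added example, not from the article. All figures are constructed.
Note that nothing here refers to the cause of the disruption: the procedure
is driven only by which resources are required, and when.
"""
from dataclasses import dataclass

WORKSTATIONS_PER_POD = 4  # as in the article's call centre


@dataclass(frozen=True)
class RampStep:
    hours_after_disruption: int  # T+ offset of this step, in hours
    pods: int                    # additional pods to be operational by then


# Constructed ramp-up: article's 1 pod at T+4h, 3 at T+3d, 2 at T+5d,
# plus an assumed final 2 pods at T+10d to reach the normal 8 pods (32 seats).
RAMP_UP = [RampStep(4, 1), RampStep(72, 3), RampStep(120, 2), RampStep(240, 2)]


def cumulative_requirement(steps):
    """Return [(hours, workstations required so far)] in time order."""
    total = 0
    profile = []
    for step in sorted(steps, key=lambda s: s.hours_after_disruption):
        total += step.pods * WORKSTATIONS_PER_POD
        profile.append((step.hours_after_disruption, total))
    return profile


def dra_shortfall(steps, available, sourceable):
    """Compare the RDA profile with the destination's DRA record.

    available  - workstations already in place at the destination
    sourceable - extra workstations the destination could house if sourced
    Returns the peak requirement, the shortfall against on-site stock, the
    first T+ time at which on-site stock is exceeded (None if never), and
    whether the sourcing procedure can cover the shortfall.
    """
    profile = cumulative_requirement(steps)
    peak = profile[-1][1] if profile else 0
    shortfall = max(0, peak - available)
    exceeded_at = next((h for h, need in profile if need > available), None)
    return {
        "peak_requirement": peak,
        "shortfall": shortfall,
        "exceeded_at_hours": exceeded_at,
        "covered_by_sourcing": shortfall <= sourceable,
    }
```

Running `dra_shortfall(RAMP_UP, available=24, sourceable=12)` shows that the destination's 24 existing seats carry the function up to T+5 days and that the meeting room can absorb the remaining 8-seat shortfall, which is exactly the kind of sourcing procedure the DRA is meant to trigger in advance.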

From a methodology perspective, consider BCM as the link between corporate (ie holistic) risk management and operational risk management. The following diagram highlights the relationship:

Corporate RM is most suitably positioned to deliver a comparative assessment of the risks on the organisation across a variety of disciplines such as financial control, image and reputation, regulatory compliance, legal, and OH&S, including business operations (ie how exposed the organisation is by the level of appropriateness or substantive nature of its BC capability).

Should it be identified that the organisation is exposed, then the BCM program would address this exposure by:

1. Defining/confirming business functions in time sensitivity order via business impact analysis (BIA) to identify mission-critical activities.

2. Defining/confirming critical resources required to enable those mission-critical activities to produce their outputs.

3. Undertaking an operational risk assessment to identify the relative exposures underpinning the organisation’s dependency on the critical resources.

The danger of undertaking an operational risk assessment before the BIA/RDA activity is that a business case may be built to remediate the biggest operational risk without realising that it doesn’t relate to the most time-sensitive business function.

Think about 9/11, where 320 companies failed to return to business, 2800 workers died and 135,000 workers lost their jobs. But a number of organisations did recover and continued operations. These include:

• Cantor Fitzgerald, who lost 658 staff and resumed operations two days later

• Marsh & McLennan, with 3200 staff over eight floors

• Morgan Stanley, with 3500 staff over 17 floors

• New York Port Authority with 2000 staff over 23 floors

The new school of thinking saved these organisations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct.

The businesses that did survive did so because they adopted a resource-loss philosophy that included office facilities, technology systems and, of course, staff.

Saul Midler MBCI is the Managing Director of Linus Information Security Solutions Pty Ltd



17 July 2008
