
Separating fear from risk…

Is there a temptation to make business continuity decisions based on the fear of a threat, rather than the real risk involved? David Honour comments.

When it comes to evaluating threats to businesses, four things need to be considered:

* The risk itself; what causes the risk, where does it emanate from?

* The likelihood, or probability, that the risk will occur;

* The potential hazard, or impact, engendered if the risk does occur. Hazard is not a term bandied around very often in business continuity circles; it is basically the potential of a risk-event to cause harm or damage.

* The length of time a risk event may affect the business for.

Various formulas are available for making simple assessments to help decide which risks need to be mitigated and which can be accepted. For example, according to the Business Continuity Institute’s Best Practice Guide the formula:

Risk = Threat impact x Probability

can be used, sometimes followed by:

Priority = Risk x Ability to control that risk.

However, when it comes to assessing the real threat that a risk poses, risk assessment is normally intrinsically subjective, with business continuity managers and business impact analysis interviewees using their judgement to give weightings to different probabilities and impacts.

This subjectivity is a weak link in the whole process. Judgements can be well informed, using, for example, past occurrences of risk events to predict the likelihood of future events and the possible extent of the impact. However, there is one factor which can cloud the judgement of the most seasoned professional; the fear factor.

Fear can, and does, skew probability decisions, especially by people who are not normally involved in the business continuity management process and who may not be used to the cool, analytical and dispassionate thinking that is required. It is of course important to include key executives, board members and other non-business continuity members of staff in the business impact analysis process; but rely on their risk assessments with caution:

* Understand how they came to a likelihood and impact judgement;

* Try to determine their general attitude to risk taking and how this may have clouded their judgement;

* Understand how aware they may be of ‘high profile’ risks and how this may have affected their assessment.

For an example, let’s take two current high profile threats: Terrorism and a ‘Flu Pandemic. Both have been in and out of the mainstream news media over the last year and both have seen strong calls from high profile business leaders for organisations to make business continuity plans which cover the threats. Awareness and fear of both these threats is likely to be a strong influence on most members of staff in any organisation and if asked the simple question ‘should both these threats be given a high priority in our business continuity plan?’ the vast majority of respondents are likely to say ‘yes’, based on what they fear, fuelled by what they have been told by outside experts and opinion formers.

However, when we examine the actual threats, it soon becomes obvious that in reality, for many businesses, one is a much greater risk than the other.

Working through the four evaluation measures which were highlighted at the start of this article will help give a clearer picture:

1) The risk itself; what causes the risk, where does it emanate from?
In terms of terrorism the main risk comes from the organisation’s vulnerability as a direct target or by being caught up indirectly in an attack. These risks are reasonably quantifiable, depending mainly on organisational activities and location. A business located in the centre of London or New York, for example, is much more likely to be impacted by an al Qaeda attack than one located in rural Cumbria or Alaska.

In terms of a ‘flu pandemic, the risk comes from the impact the disease would have on people – on their ability to do their jobs and to provide services to your organisation. The risks are predictable, but not easy to quantify since the severity of the next pandemic is an unknown. A ‘flu pandemic could affect any business anywhere in the world. There are no geographical barriers to its spread.

2) The likelihood, or probability, that the risk will occur
The vast majority of businesses are unlikely to be impacted by a terrorist incident. Period. However, if a ‘flu pandemic occurs the vast majority of businesses are very likely to be affected. Even if they are lucky and are not directly impacted by staff illness, they are very likely to be affected by supply chain issues, transportation issues, product shortages, etc.

3) The potential hazard, or impact, engendered if the risk does occur
Put bluntly, for a multi-site organisation a terrorist incident may result in the loss of a building or facility and potentially some deaths and injuries amongst staff in that location. However horrendous the incident may be, for most medium and large businesses a terrorist attack is not going to have a business-threatening impact. An influenza pandemic is a different scenario completely. It may result in many buildings around the world being inaccessible for long periods of time due to quarantine regulations; it may result in large numbers of staff being unable to work for long periods of time; in a worst case scenario it may cause the deaths of many employees. An influenza pandemic could severely affect the profitability and, therefore, the survival of even the largest organisations.

4) The length of time a risk event may affect the business for
In most terrorism scenarios (CBRN attacks would be an exception) the actual risk event is short lived; with many impacted businesses returning to business as usual within a few days of an incident. A ‘flu pandemic is likely to have a wide-spread impact for many months.

When all the above is taken into consideration, it seems clear that, although the fear of both threats may be very high, for many businesses, the fear of an influenza pandemic is much more justifiable in business continuity terms than the fear of terrorism. The reality of organisational-life is that business continuity operates to a limited budget; if it comes to a decision between investing in pandemic preparations or anti-terrorism measures, the former may be the best choice for the vast majority of businesses.

In conclusion
Business continuity managers should be aware of the impacts of fear on their decision making and the way it is likely to have influenced the decisions of others. Where possible fear should be factored out; and cold, clinical decisions should be taken about the REAL threats faced by the business.

The fear of threats is a risk in its own right. If its influence on decision-making is not recognised, fear can cause companies to rush into hasty, expensive and later regrettable decisions.


Author
David Honour is editor of Continuity Central.

READER COMMENTS:

One of the biggest problems with ‘risk’ is the possibility of developing ‘tunnel vision’ in respect of the subject.

You are quite right about the basic formulae for calculating quantitative risk, but I suggest that a key aspect for all contingency planning is to actually identify the ‘risk’ that we are looking at. I would suggest that we should not just be focusing on the causative elements of an incident and should perhaps be looking at the impacts.

I evidence my theory with the two following examples.

Premises denial is exactly that, regardless of the cause

I submit that the restoration response will be altered by the original cause - fire vs. flood vs. bomb vs. earthquake, etc, but the main tenet of the problem is that your building is unusable, the time factor and effort to fix it are the subsequent matters to be considered, admittedly mainly dictated by the cause.

However, predicting the cause is almost impossible, unless you have the skills of Nostradamus (in which case you should have won the National Lottery on numerous occasions and have nothing more to do with working for a living!)

Loss of staff is a similar matter:

Mass resignation, industrial action, collapse of the public transport infrastructure and pandemics all require different restorative responses, but I submit that the initial impacts are all similar - not enough staff to perform the required work functions.

I realise that some may disagree with my ‘simplistic’ approach, but I also believe that risk is a complex enough matter, without possibly making the subject even more opaque, than it may already be.

Kevin Brear

In reading the article ‘Separating fear from risk’, I wonder whether the title should be changed to ‘Separating probability from risk’?

Looking at risk from a logical point of view, anything can happen at any time to anyone. There will always be fear because fear is normal and fear is good - it is part of being human. Probability is a different story. Probability is the term that can hurt a business in being prepared. Why? Because businesses do not plan based on logic or based on worst case which allows for response adjustments to any type of incident, they base the plan on risk associated to the probability that something will happen, not on fear. This planning direction seems to create poor decisions, lack of funding, and more embarrassment than is necessary - case in point, hurricanes Katrina and Rita. Fear arises when there is little or no understanding of the threat that can impact the business. Fear can be reduced with continued education, training and communication, but logical planning is not formulated on fear but rather on the acknowledgement that threats will occur, impacts could be devastating, and loss of income, jobs, and market share are real.

My experience in performing risk analysis, assessments, and business impact analysis, is that probability is the issue that comes up and is talked about more than anything. Why? I have found that businesses tend to dwell too much on whether some threat is going to happen versus developing a plan of action to deal with any threat that occurs. I have not found fear to be an issue as much as spending money on something that may or may not occur - i.e. the probability of the threat. Why can't a business take the information from a BIA or assessment to logically create a plan that prioritizes critical business functions, classifies information / data, creates workarounds to be used as needed, and develops a cross training program to deal with a lack of staffing that occurs from an impacting incident?   Some say that is what BCP is all about. I think that is not the case when reading articles about the impact disasters have on populations; people saying that planning could have been better; BCP should think about the worst case scenario; risk assessment is the foundation of BIAs, etc. I just think that when we start talking about risk and fear, we should really think about eliminating probability from any equation. The way business is conducted more globally today versus a few years ago, any threat or incident that occurs anywhere will impact everyone in some manner at some time. The question should be how prepared are we to deal with a threat when it occurs?

Steve Schulze, CBCP

The greatest impact that serious and unwanted incidents, potential or otherwise produce, is the cost of taking decisions without sufficient information upon which they may be based.  That which produces fear or panic to varying degrees carries the understandable temptation to make a decision when the better option is to wait until the picture becomes clearer.  Unlike the theatre of armed combat when, "He who hesitates is lost", most situations demand cool thought in order that the most effective decisions may be taken.

What is compelling about fear and panic fuelled issues, is that if they are over discussed and over debated; they mutate and exaggerated assumptions become the norm and lies become the truth.  Post 7/7, stories abounded about the fatal shooting in Canary Wharf on that fateful day; but of course there wasn’t one.  Edgware station was declared a site of terrorist attack and broadcast as such by the media; albeit later retracted.  So to either overly embellish upon what is already known or, in the absence of fact, to add speculation in order that the story carries more weight, has the unerring result of tempting you to take any of the many wrong turnings available.

7/7 is a good example, particularly in the case of one of our worthy clients where, on the day itself, what was genuinely known, i.e. the facts, were used to douse the flames of the story.  Our contact at this client is the head of business continuity, an ex-military man, for the purposes of this we will call him John.  As soon as events began to unfold, John's telephone started ringing and did not stop; so he turned it off because it simply became a distraction.  By holding regular update meetings, he was able to provide information that he knew to be true and he was able to calm matters and assume control where such would have otherwise been lacking. The euphoria produced by fear, panic and sheer amazement was met by the cold announcement of the facts and what they meant to this particular organisation.  It had the effect of sobering those intoxicated by televised and excitable events.   Timely decisions were taken and communicated and from a very early stage, those that had a need to know, did so, and were better able to make telling decisions in their own domain.

When fear or panic drives response, control is a likely casualty and you can guarantee that costs to fix will soar.  And insurers may pay out for claims against cover, but they will not pay out for bad management decisions.

Allen Johnson

Date: 17th Feb 2006 • Region: UK/US/World • Type: Article • Topic: BC general
UPDATED WITH READER COMMENTS 23RD FEB




Copyright 2008 Portal Publishing Ltd