By Saul Midler
This topic challenges and, in some cases, frustrates security practitioners because different people view the concept of risk management and its relationship to business continuity management differently.
In simple terms, risk management is focussed on prevention, while business continuity management is focussed on cure. For example, risk management would view the lack of fire extinguishers in a paper factory as a high risk and recommend fire extinguishers be installed to reduce that risk. Business continuity management would not be concerned about the inadequacy of fire extinguishers but rather how to deal with the loss of the paper or the building, for example, regardless of the event that caused the loss.
Risk, by definition, is the chance of something happening that will have an impact upon objectives. It is measured in terms of consequences and likelihood. (1)
The concept of consequence is reasonably straightforward and relates to the resulting outcome (one or many) of an event, expressed qualitatively or quantitatively, as a loss (for example, $500,000 per day), injury (for example, 12 people in hospital and 3 dead), disadvantage (for example, a 12.5% loss of market share) or gain. (2)
The concept of likelihood is less straightforward and requires you to be part believer and part sceptic. You need to believe that some event WILL happen, and you need to be sceptical enough to challenge the reality of that belief. This is ultimately a judgement call, expressed through the concept of chance or probability. Some readers will no doubt challenge this point by suggesting that it is possible, with great certainty, to use history to predict the future accurately. This is done through statistics.
It is true that in certain circumstances statistics do provide valuable insight. For example, if over the past three years 3.5 percent of credit card applicants have defaulted and 20 percent of the defaulted amount has eventually been recovered, then the decision may be taken to tighten the credit decision criteria.
Consider lotto: If the numbers 4, 8, 15, 16, 23 and 42 were actually the most drawn numbers in the history of your local Lotto operator, would that provide any comfort in speculating whether those numbers will be drawn in the next game? What if those numbers were actually the least drawn numbers, would that suggest a different position?
The concern is that risk managers have become too dependent on statistics to predict an outcome, and they apply that approach to domains such as operational risk management where it has little applicability. The following example highlights how quantitative statistics do not assist in developing a risk position that has meaning.
Consider fire incident data collected over the last ten years by the Fire Brigade. This data can be filtered to highlight the number of fires that happened within a 3km radius of a specific office building. Of those incidents, the data can be further refined to identify those fires that resulted in a building evacuation of over one week. Would that actually assist in understanding the likelihood of that building having a fire in the next 12 months?
Putting the statistical element to one side for the moment, the whole approach to risk management, as the Australian Standard AS4360 suggests, requires the evaluation to be based on an event. But what event? That is the multi-million dollar question (presumably your company is worth more than $64,000!), and it is where the new school of thought delivers a more cost-effective and pragmatic view of the business's needs than the old school.
Scenario planning does NOT have a role to play in business continuity plan development. Fundamentally, it is impossible to think up all the plausible scenarios that could be detrimental to the business. Even a workshop with the most knowledgeable managers from across the organization will still result in some exposure. Furthermore, the thought of someone having to develop procedures and capabilities to mitigate each scenario is horrific. Even if the scenarios were arranged into themed groups (for example, denial of access due to: flood, storm, fire, protest and so on) the organization will still be exposed.
On balance, risk assessment is important and the concept of likelihood has a valid role. If the metric of likelihood is developed with the right balance of belief and scepticism, then risk assessment becomes a comparative tool to prioritise your response to the exposures – that is, preventative action. However, it is very important to note that the implementation of risk mitigation cannot deliver zero residual risk – unless, of course, significant amounts of money are spent (for example, generating your own power, water and supplies, duplicating your capacity in a distant geographic location, and so on). As a result, we need business continuity management.
The term business continuity management consists of three concepts. The continuity reference means that an organization can continue to deliver products or services regardless of any operational disruption. While risk management is a discipline that reduces the likelihood of incurring such a disruption, the fact remains that the possibility exists that the disruption will be realised. When the disruption does strike, the realisation will be made that something has been lost or is unavailable. In other words, a business function stops if one or more of its critical resources become unavailable. This could be: people, software, a server, e-mail, the G drive, the WAN link between your site and the data centre, a colour printer, the building, cheques, etc. The speed of business recovery is directly tied to the speed of resource replacement (note: a work-around is typically a temporary resource replacement).
A new school of thought is becoming more prevalent. Resource dependency analysis (RDA) identifies the restoration profile for critical resources. Consider a call centre that normally operates eight pods of four workstations (that is, 32 call takers). Should the call centre become non-operational due to some incident, then the call taking function may be relocated to an alternate location. The RDA would identify that an acceptable ramp-up of call taking capacity might be the establishment of 1 pod at T+4 hours, 3 pods at T+3 days, 2 pods at T+5 days, etc. This allows the business function to increase its operational capacity over time without jeopardising the business.
More recently, new school organizations have extended the RDA method to undertake DRA (that is, destination resource analysis). Here, an organization identifies the destination location for a business function and then documents the capacity or availability of the required resources at that destination. For example, the destination location for the call centre described above already has 24 workstations in clusters of four (although not in a pod configuration). There is also a meeting room that could comfortably take another 12 workstations, although those workstations would need to be sourced. The DRA would document 24 workstations and identify a shortfall of 12, requiring a procedure to source them. As an aside, when searching the market for a business continuity management software package, RDA and DRA functionality should be high on the needs list, since this functionality is of significant benefit to the development stage of the business continuity life cycle.
The benefit of the RDA/DRA approach is that the cause of the disruption (that is, one that might be developed as a planning scenario) is irrelevant. A procedure will exist to restore the business function by way of restoring the required resources.
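The following is an added illustration of the RDA/DRA arithmetic described above; it is not code from the article or from any product. It takes the article's ramp-up profile (1 pod at T+4h, 3 at T+3d, 2 at T+5d) and destination inventory (24 workstations in place, room for 12 more) and turns them into a cumulative requirement per milestone, the workstations still to be sourced at each milestone, and the latest time the sourcing procedure must start. The final milestone (2 pods at T+10d, completing the normal 8 pods), the milestone labels and the 48-hour supplier lead time are assumptions, since the article's profile ends with "etc." and gives no lead time.

```python
from dataclasses import dataclass

WORKSTATIONS_PER_POD = 4


@dataclass(frozen=True)
class Milestone:
    label: str   # offset from the disruption as written in the plan, e.g. "T+4h"
    hours: int   # the same offset in hours, used for ordering and lead-time arithmetic
    pods: int    # pods that come on line AT this milestone (an increment, not a total)


# Ramp-up profile quoted in the article, completed to the call centre's normal
# 8 pods with an ASSUMED final step at T+10d (the article's profile ends "etc.").
RDA_PROFILE = (
    Milestone("T+4h", 4, 1),
    Milestone("T+3d", 72, 3),
    Milestone("T+5d", 120, 2),
    Milestone("T+10d", 240, 2),   # assumption, not from the article
)

# Destination inventory quoted in the article: 24 workstations already on site,
# plus a meeting room with space for 12 more that would have to be sourced.
DRA_DESTINATION = {"in_place": 24, "expansion_slots": 12}


def cumulative_demand(profile=RDA_PROFILE):
    """Turn the incremental ramp-up into a cumulative requirement per milestone.
    Returns a list of (label, hours, total_pods, total_workstations) in time order."""
    total_pods = 0
    rows = []
    for m in sorted(profile, key=lambda m: m.hours):
        total_pods += m.pods
        rows.append((m.label, m.hours, total_pods, total_pods * WORKSTATIONS_PER_POD))
    return rows


def dra_gap(profile=RDA_PROFILE, destination=DRA_DESTINATION):
    """Compare each cumulative requirement with what the destination already holds.
    'to_source' is the number of workstations the sourcing procedure must deliver by
    that milestone; 'fits' is False when the destination cannot hold the requirement
    even after the expansion space is filled, i.e. the site itself is inadequate."""
    in_place = destination["in_place"]
    ceiling = in_place + destination["expansion_slots"]
    report = []
    for label, hours, pods, required in cumulative_demand(profile):
        report.append({
            "milestone": label,
            "hours": hours,
            "pods": pods,
            "required": required,
            "available": min(required, in_place),
            "to_source": max(0, required - in_place),
            "fits": required <= ceiling,
        })
    return report


def sourcing_deadline_hours(profile=RDA_PROFILE, destination=DRA_DESTINATION, lead_hours=48):
    """Latest time (hours after the disruption) by which the sourcing procedure must
    start so that extra workstations arrive before the first milestone that needs them.
    lead_hours is an ASSUMED supplier lead time. Returns None if nothing ever needs
    sourcing; a negative value means the order would have to be placed before the
    disruption, so the kit must be pre-positioned or the profile relaxed."""
    for row in dra_gap(profile, destination):
        if row["to_source"] > 0:
            return row["hours"] - lead_hours
    return None


if __name__ == "__main__":
    for row in dra_gap():
        print(f"{row['milestone']:>6}: {row['pods']} pods, need {row['required']:2d}, "
              f"on site {row['available']:2d}, to source {row['to_source']:2d}, "
              f"fits={row['fits']}")
    print("start sourcing no later than T+%sh" % sourcing_deadline_hours())
```

Run against the article's numbers, the destination covers the first three milestones from what is already on site, and the sourcing procedure only has to deliver by the (assumed) T+10d step; with a 48-hour lead time that puts the latest order point at T+192h. Note that the demand-driven shortfall for the full 32 seats is 8, whereas the article's figure of 12 is the whole meeting room; which number the DRA records depends on whether the target is the normal 8 pods or the maximum the destination can hold. Changing `lead_hours` to something longer than the first sourcing milestone makes the deadline negative, which is the signal that the plan cannot be met by sourcing after the event.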
From a methodology perspective, consider business continuity management as the link between corporate (that is, holistic) risk management and operational risk management.
Corporate risk management is most suitably positioned to deliver a comparative assessment of the risks to the organization across a wide variety of disciplines, for example financial control, image and reputation, regulatory compliance, legal, OH&S, etc., including business operations (that is, how exposed the organization is given the appropriateness and substance of its business continuity capability).
Should it be identified that the organization is exposed, then the business continuity management program would address this exposure by:
1. Defining/confirming business functions in time sensitivity order (via business impact analysis (BIA)) to identify mission critical activities.
2. Defining/confirming the critical resources required to enable those mission critical activities to produce their outputs.
3. Undertaking an operational risk assessment to identify the relative exposures underpinning the organization's dependency on the critical resources. The danger of undertaking an operational risk assessment before the BIA/RDA activity is that a business case may be built to remediate the biggest operational risk without realising that the impact or consequence is low. This is essentially defining a solution before identifying a problem.
Think about 9/11, where 320 companies FAILED to return to business, 2,800 workers DIED and 135,000 workers lost their jobs. By contrast, a number of organizations did recover and continued operations. These include:
• Cantor Fitzgerald who lost 658 staff and resumed operations two days later;
• Marsh & McLennan with 3,200 staff over 8 floors;
• Morgan Stanley with 3,500 staff over 17 floors;
• NY Port Authority with 2,000 staff over 23 floors.
New school thinking saved these organizations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and, of course, staff.
Saul Midler, MBCI, is the managing partner of Linus Information Security Solutions Pty Ltd www.linus.com.au
1 Standards Australia, AS4360 Risk Management.
2 Standards Australia, AS4360 Risk Management.
Comments
It was very interesting to read the article above. I was particularly interested, since I have been working with corporate and information security since September 1st, 1984, both as a consultant and as an information security manager of quite large organisations. I have also been, for about four years, an employee of a corporate risk management organisation.
The article, however, left me with many more questions than answers. I am pretty sure that not all of this is explained by my mother tongue being other than English. Therefore, I will present at least some of them in my comment:
1) What is your definition of scenario? For me, it is an imaginary happening of something that is useful in future planning. In this case, the scenario might be a risky future event. However, the scenario does not need to be specific, as I understood Mr. Midler's scenario to be, or not something that restricts the freedom of thought, when analysing and planning the continuity of the business. Instead of applying the scenario as a detailed story, and solving only part of those details, one could as well apply it the other way round: once a disruption has occurred, how do we recover back to normal in the best way?
2) Where are those old and new schools needed, or existing? Is it due to hierarchical organisations, where the silos between corporate risk management, business continuity management and operational risk management are so isolated that it is impossible to even see the interoperability needs, not to speak of the transparency? As a solution, I would rather have expected the process approach (e.g. a business continuity management process), and not a definition of the dos and don'ts of different functions. Who is doing what is an issue, but how we co-operate in the organisation, once something unwanted has happened, with those remaining resources is much more important.
As a summary: please do not categorise isms, schools, etc. rather keep the freedom of thought. In commedia dell'arte, scenario is defining the beginning and the end of the commedia - between those points the actors are improvising. If we manage to apply our scenario to create what to do instead of everything taking an end, I would not mind applying it, no matter what school it is inherited from.
Ilkka Roman, Consultant, Expericon Oy, Finland
I felt this was an excellent article in the clarity and relevance of content to BCMs. It is probable that this spoke to me so directly because the narrative closely reflects the thinking and set-up that we have in our organisation. Good to see it so well presented.
Alison Wagstaff, Manager, Business Continuity, UK Continuity Team, KPMG LLP
Challenging article, which re-ignites the old debate about the relative roles of risk management and business continuity management. I would be interested to hear the views of the Institute of Risk Management and the Association of Insurance and Risk Managers on the statement that: 'risk management is focussed on prevention'. In my personal view and experience (and I would guess that of the IRM and Airmic also), risk management is about much more than this, and covers the full spectrum of identification, evaluation, control / mitigation / prevention, financing, transfer, administration and so on.
Chris Rigby Smith, Partner, JLT Risk Solutions Limited
Date: 8th Dec 2006 • Region: Australia/World • Type: Article • Topic: BC general
UPDATED 14TH DECEMBER