The latest business continuity news from around the world

The consequences of a North Korea vs United States crisis from a business continuity and risk management perspective

North Korea is yet again in the headlines, with another test demonstrating the capabilities of their intercontinental ballistic missiles. In this article, Geary W. Sikich explores the situation and asks what, if anything, business continuity planners can prepare for.

Is the current situation with the Democratic People’s Republic of Korea on your radar screen as a business continuity planning consideration?  Is this situation a realistic risk that your planning should begin to address with a thorough analysis of the potential consequences of an escalation?  What about the situation in Syria?  Ukraine?  Iran?  India/Pakistan?  Or are these risks too far away and remote to begin to understand?

From a business impact perspective, an escalation of the situation on the Korean peninsula should be getting the attention of business continuity planners.  Granted, it is not yet a Hurricane Harvey or Irma situation from the standpoint of being able to assess effects and focus on response.  But what about the implications of potential supply chain disruption, sanctions, cascade effects, collateral damage?  Many of these can be identified, categorized, assessed.  Alternative courses, ‘quick-start’ contingency plans can be developed, ‘war gamed’; becoming part of an ‘active analysis’ process rather than the ‘static’ analysis that reflect most BIA and risk management practices today.  Developing a ‘strategic warning’ process based on intent, that can be supported by a ‘tactical warning’ system that focuses on the ‘when, where, how, who’, can allow for less surprise and more resilience.

Sanctions do not work

A sanction is a penalty levied on another country, or on individual citizens of another country.  It is an instrument of foreign policy and economic pressure that can be described as a sort of carrot-and-stick approach to dealing with international trade and politics.

Let’s face it, sanctions do not work.  Iraq, Iran, Syria, Russia, Democratic People's Republic of Korea (aka North Korea), Cuba, Côte d'Ivoire, Union of Myanmar (aka Burma), the list goes on.  Sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.

Sanctions have, generally speaking, limited impact.  Clever people and governments figure work-arounds (hence the black market exists).  It may take time but there are ways to get around sanctions.  We even see that the recent sanctions being drafted have been ‘watered down’ and so, will be less effective.

From a business continuity planning perspective, have you analyzed how your organization can be impacted by sanctions?  Your organization may not be subject to the sanction; but what if your organization derives some of its raw materials, finished goods, etc. from a country that has been sanctioned?  Will some aspect of your supply chain be impacted?  Have you thought of what alternatives are available? 

The promise of massive retaliation: a war of words

The headline read: ‘North Korea vows retaliation against the United States’ (CBS News Monday 07 August 2017).  The text said, ‘North Korea is vowing thousands-fold revenge against the United States after the United Nations passed tough sanctions on the regime’.

Defense Secretary Jim Mattis on Sunday, 3 September 2017, shot back at North Korea’s latest nuclear provocation with a blunt threat, saying the US will answer any North Korean threat with a ‘‘massive military response — a response both effective and overwhelming.’’  While he said America does not seek the ‘total annihilation’ of the North, he added somberly, ‘‘We have many options to do so.’’

As the war of words continues, have you considered the ‘what ifs…?’ that indicate an action instead of words is going to occur?  On 28th November North Korea test fired a missile that landed in the sea relatively close to Japan. What if that missile had, instead of crashing into the sea, malfunctioned and landed on Japan?  Would there be more than government protests?  Would escalation be rapid and unrestrained?

The United States and its allies, Japan and the Republic of Korea (aka South Korea) are target rich.  North Korea’s target mix is less attractive from an economic standpoint.  Eliminating the threat posed by North Korea’s missiles and military carries the consequences of cascade into a larger conflagration. 

A North Korean strike against targets in the US and/or allied nations would have significant and long lasting societal and economic consequences; and one should assume that North Korea would not launch just a single missile, but rather, launch as many as they can toward multiple targets.  While the US claims success in anti-missile capabilities; the question remains, ‘what if one of the missiles gets through?’  Additionally, the radiation fallout from the destroyed missile(s) needs to be considered.

As Simon Baptist, The Economist, (Intelligence Unit) writes, “For North Korea, the fundamental calculus is unchanged.  Regime survival is paramount, and a nuclear deterrent is its most powerful guarantee.”

In their recent book, ‘Warnings’, Richard A. Clarke and R.P. Eddy analyzed the effect of a limited nuclear exchange between India and Pakistan.  Their conclusion, ‘Nuclear Winter’.  In their chapter, entitled, ‘The Weatherman: Nuclear Ice Age’, they cite a study done that looked at a limited nuclear exchange between India and Pakistan using only 50 nuclear bombs of the Hiroshima size (small by today’s standards).  The study model suggests that the flammable cities would create 5 million tons of soot and smoke that would quickly find its way into the upper atmosphere, creating global effects, all from the effects of using fewer than 1/10 of 1 percent of the world’s nuclear weapons.

Uncertainty: exploring risk

Risk is all about uncertainty.  There is uncertainty associated with identification, recognition, mitigation, establishing and maintaining risk parity, etc.  There is a negative and a positive side of risk; or to be clearer, there are negatives and positives that represent multi-dimensional aspects of risk.  Where does potential, unrecognized value reside?  Where are the negative pitfalls that lurk in the false positives created by risk compliance?  Viewing risk through a multi-dimensional lens can facilitate the identification and management of risk.  Think of risk in terms of a kaleidoscope; when viewed, a simple twist can change the entire picture, perspectives and analyses.

Fundamental uncertainties derive from our fragmentary understanding of risk and complex system dynamics, and abundant stochastic variation in risk parameters.  Uncertainty is not just a single dimension, but also surrounds the potential impacts of forces such as globalization and decentralization, effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.

At a recent conference on disaster management that I participated in the following equation was offered by one of the speakers:

Threat x Vulnerability x Impact = Risk

I would argue that this equation provides the illusion of risk, not the reality of risk.  For example, you conduct a risk assessment and determine that there is a threat (i.e., possibility of terrorist attack using a scale of 1 – 10 with 1 being not likely and 10 being extremely likely).  Now you have to determine how vulnerable you are to this threat (i.e., say on a scale of 1 – 10 with 1 being not vulnerable and 10 being extremely vulnerable).  Next, you determine the impact, again using the scale of 1 – 10 with 1 being no effect and 10 being extreme effect.  You calculate according to the above equation and come up with a number.  Now you begin to seek to determine the probability.  You establish the probability using a scale of say on a scale of 1 – 10 with 1 being not probable and 10 being extremely probable.  The result is a risk ranking.  However, this process does not take into account observer bias or uncertainty.  Uncertainty actually would carry more weight that observer bias simply because of all the unknowns that uncertainty presents.  So, one may wish to re-write the equation as follows:

Threat x Vulnerability x Impact = Risk (current state – non-static)
Uncertainty

Since the risk that we have identified is not static, uncertainty becomes more of a factor over time than probability, threat, vulnerability and impact.  Over time the risk will change, especially due to the fact of uncertainty, non-static nature, potential unintended consequences, etc.  Therefore the scale for uncertainty could be a positive or a negative number that extends to infinity.  Risk assessment based on probability of occurrence is, in itself, a risky decision.

“The Pentagon says it is confident its missile defense system - 42 interceptors based in Alaska and California - can shoot down a North Korean ICBM, although the test record shows only a 55 percent success rate.”

The need for risk parity

Risk parity is a balancing of resources to a risk.  You identify a risk and then balance the resources you allocate to buffer against the risk being realized (that is occurring).  This is done for all risks that you identify and is a constant process of allocation of resources to buffer the risk based on the expectation of risk occurring and the velocity, impact and ability to sustain resilience against the risk realization.

Risk parity is not static as risk is not static.  When I say risk is not static, I mean that when you identify a risk and take action to mitigate that risk, the risk changes with regard to your action.  The risk may increase or decrease, but it changes due to the action taken.  You essentially create a new form of risk that you have to assess with regard to your action to mitigate the original risk.  This can become quite complex as others also will be altering the state of the risk by taking actions to buffer the risk.  The network that your organization operates in reacts to actions taken to address risk (i.e., ‘value chain’ - customers, suppliers, etc.) all are reacting and this results in a non-static risk.

I think that ‘relevance’ is a very significant word relative to KRIs.  You can have an extensive list but if they are not relevant to the organization and its operations they do little to enhance the risk management efforts.  That said, we have to assess non-linearity and opacity with regard to the potential obfuscation of relevance.

Conclusion

Traditional approaches to business continuity, disaster recovery, crisis management, emergency response and concepts such as incident command, National Incident Management System, etc. are faced with ‘new ground’ so to speak, as traditional approaches may not be as effective in dealing with the risk realities faced today.   The nature of risk is: ‘uncertainty’, hence the projection of risk in terms of probability of occurrence can only provide limited value for a brief period.  Threat dynamics are changing resulting in more uncertainty not less; this requires a planning approach that integrates, tactical, operational and strategic planning, combining continuity, emergency, crisis, disaster and contingency planning into an integrated process.

We live in a world full of consequences.  Our decisions need to be made with the most information available with the recognition that all decisions carry with them flaws due to our inability know everything; uncertainty.  Our focus should be on how our flawed decisions establish a context for flawed risk, threat, hazard, vulnerability (RTHV) assessments, leading to flawed plans, resulting in flawed abilities to execute effectively.  If we change our thought processes from chasing symptoms and ignoring consequences to recognizing the limitations of decision making under uncertainty we may find that the decisions we are making have more upside than downside.

About the author

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

Geary is well-versed in contingency planning, risk management, human resource development, ‘war gaming’, as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary has developed more than 4,000 plans and conducted over 4,500 simulations from tabletops to full scale integrated exercises.

Geary began his career as an officer in the US Army after completing his BS in Criminology.

As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.

Contact G.Sikich@att.net or gsikich@logicalmanagement.com

References

  • Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.
  • Jones, Milo and Silberzahn, Philippe, Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001, Stanford Security Studies (August 21, 2013) ISBN-10: 0804785805, ISBN-13: 978-0804785808
  • Heisenberg, Werner; “Uncertainty Principle” 1927 (Wikipedia)
  • Kami, Michael J., “Trigger Points: how to make decisions three times faster,” 1988, McGraw-Hill, ISBN 0-07-033219-3
  • Kelly, Kevin, author of "The Inevitable," on the next 30 digital years at the Long Now Foundation. http://f4a.tv/2aF8g6T https://youtu.be/tvR5zZQgtGo
  • Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002
  • Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003
  • Sikich, Geary W., "Risk and Compliance: Are you driving the car while looking in the rearview mirror?” 2013
  • Sikich, Geary W., "“Transparent Vulnerabilities” How we overlook the obvious, because it is too clear that it is there” 2008
  • Sikich, Geary W., "Risk and the Limitations of Knowledge” 2014
  • Sikich, Geary W., “Complexity: The Wager – Analysis or Intuition?” 2015
  • Sikich, Geary W., Remme, Joop “Unintended Consequences of Risk Reporting” 2016, Continuity Central
  • Taleb, Nicholas Nassim, “The Black Swan: The Impact of the Highly Improbable,” 2007, Random House – ISBN 978-1-4000-6351-2, 2nd Edition 2010, Random House – ISBN 978-0-8129-7381-5
  • www.rims.org/resources/ERM/Pages/WhatisERM.aspx
  • www.theiia.org/guidance/standards-and-guidance/ippf/position-papers/
  • https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx
  • http://www.investopedia.com/articles/economics/10/economic-sanctions.asp
  • North Korea vows retaliation against the United States CBS News Monday 07 August 2017
  • https://www.bostonglobe.com/2017/09/03/see-trump-says-about-whether-would-attack-north-korea/o3RjjTUTUsNxbhabjsovuJ/story.html (By Eric Talmadge and Catherine Lucey Associated Press September 03, 2017)
  • Simon Baptist, The Economist, Intelligence Unit; 7 September 2017, “Testing Boundaries”
  • Richard A. Clarke and R.P. Eddy, “Warnings Finding Cassandras to Stop Catastrophes” Publisher: Ecco; 1st edition (May 23, 2017), ISBN-10: 0062488023, ISBN-13: 978-0062488022
  • Defending the U.S. from North Korea's nuclear threat; Produced by Mary Walsh. Tadd J. Lascari, associate producer. © 2017 CBS Interactive Inc. All Rights Reserved.  David Martin is CBS News' National Security Correspondent.


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

   

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.