Are we often tempted to focus on the latest trendy threat simply because it has a high media profile? Mel Gosling thinks so.
Two separate items that appeared in Continuity Central’s May 2008 Business Continuity Roundup reminded me of the tendency of elderly and experienced generals to use the weapons and tactics that were successful in the last war to fight the next one. The classic example of this was in France after the First World War where huge resources were put into building the Maginot Line in the expectation that static defensive warfare would continue to dominate the battlefield. When war came in 1939, Germany had developed new tactics and weapons that enabled it to successfully take the offensive and defeat France in a matter of days with a blitzkrieg using tanks and air power.
The first item which caught my attention was by Dr David Hillson, in which he explained, “Risk management is all about the future. Of course we are also interested in the past, to learn from what has happened before, to avoid making the same mistakes again, and to capture opportunities that we previously missed. But the main focus of risk management is looking to the future, to see what might be coming, and to get as ready as possible.”
The second item was a summary of some of the findings from Chubb’s 2008 Multinational Risk Survey (which was conducted jointly in February and March 2008), which stated, “Senior-level executives and risk managers agreed that the top three threats to their business operations or business conducted outside the United States and Canada are currency risk (23 percent), supply-chain failure (16 percent) and credit risk (13 percent). In the 2007 Chubb Multinational Risk Survey, the top three threats were terrorism, natural catastrophes and political instability.”
So, why did the combination of these two items remind me of the tendency of elderly and experienced generals to use the weapons and tactics that were successful in the last war to fight the next one? Quite simply, there seems to be a high degree of correlation between major international events in the year before the survey was undertaken, and the top three threats identified by senior-level executives and risk managers.
Look at the top three for 2008, and compare these to what happened in the previous year:
• Currency risk – by February 2008, following months of decline, the US dollar had fallen to a record low against the euro as traders bet that further interest rate cuts would be needed to stem a US recession.
• Supply-chain failure – following the third major recall of Chinese-made products in a month by Mattel, the world's biggest toy maker, and after a succession of recalls of Chinese exports ranging from tyres to toothpaste, China’s health minister Chen Zhu insisted Beijing was "highly sensitive" to concerns over product safety.
• Credit risk – the latter half of 2007 and the first few months of 2008 saw the global credit crisis intensifying with many highly leveraged investment vehicles and banks admitting that they were suffering huge losses and facing severe liquidity problems.
Now take a look at the top three for 2007, when the survey would have taken place early that year, and compare these to what had happened in the previous 18 months:
• Terrorism – on 7 July 2005 four suicide bombers struck in central London, killing 52 people and injuring more than 770, and exactly two weeks later there were four more attempted bombings.
• Natural catastrophe – the New Orleans flood of 29 August 2005 was very much in the news with reconstruction efforts well underway, the plight of many displaced people still living in temporary trailer parks was in the news, and reports by numerous agencies were being published.
• Political instability – on Tuesday 19 September 2006 the Royal Thai Army staged a coup d'état against the elected government of caretaker Prime Minister Thaksin Shinawatra, and on 28 July 2006 Somalia's transitional government was close to collapse after 19 members resigned and its Islamist opponents took over the presidential palace in the capital, Mogadishu, reinforcing their control over more than half of the country.
Now, I may be a cynic, but it appears to me that senior-level executives and risk managers have taken Dr David Hillson ideas of learning from what has happened before too literally, seeing current and relatively recent incidents as the greatest threats for the coming year. In reality, the reverse can often be true.
So, in 2007, senior-level executives and risk managers concerned themselves with terrorism, natural catastrophes and political instability, whereas the threats that actually materialised were currency risk, supply-chain failure, and credit risk. What do I predict for the rest of 2008 and early 2009? I am afraid that my record on predictions is as poor as elderly and experienced generals, but I certainly won’t be putting my money on currency risk, supply-chain failure, and credit risk.
Mel Gosling is a Member of the Business Continuity Institute, and is the Managing Director and principal business continuity consultant of Merrycon Ltd. He can be contacted by email at firstname.lastname@example.org
I found Mel's article very interesting as it bears out my own experiences with the business continuity industry. We all find the concept of new problems a little daunting and would much prefer to face problems that we've already developed our response to. We derive comfort from our knowledge that ‘we've got through this before’. Perhaps we do not feel comfortable not knowing what to do, perhaps it is the fear of failure, but I think we all attempt to leverage previous experiences to a new situation, often with poor results.
For a time, collectively we appear to have been lurching from one major incident to another - anybody who has been in the industry for any period of time will remember writing plans for specific threats. I recall writing plans for white powder incidents following the spate of deliveries in 2001 and thinking "Any terrorist worth their salt will be changing the nature of their approach every year or so, as we'll probably be looking at their old methods". September 11th was such a global shock as all of our experiences with terrorists did not prepare us for the changed approach.
Another driver for our responsive thinking is the media. Last year, their focus was on avian influenza, the inference to the public being that it could trigger a global influenza pandemic. Probably all of us in the industry were asked at some point if we had written a plan to cover the impacts of a pandemic (I know I'd be much richer now if I had a pound for every time I was!). Come Christmas and happily the world was not in the throes of the predicted pandemic, but the media had found a new story by then - the country was in the grips of the winter vomiting bug, or norovirus. This highly contagious virus causes acute gastroenteritis, though is rarely fatal. Outbreaks are known to occur every year and yet again, how many of us were asked to put emergency arrangements in place? Hands up if you were asked to respond to the potential outbreak of norovirus in your organisation (but please, just make sure you've washed them thoroughly first).
So what are the solutions? Horizon scanning can be useful, but there is always the danger, as Mel points out, of focusing on one scenario which simply doesn't occur. In addition, there is a danger of ranking risks to deflect the focus from the impact upon our operations. Yes, the top three risks identified in the Chubb survey may be very real to some organisations but ask yourself first how likely they are and what the impact would be in your organisation before putting strategies into place. In his book, ‘The Black Swan: The Impact of the Highly Improbable’, Nassim Nicholas Taleb suggests that we may be better embracing uncertainty - relish the challenge that each incident presents us with and assimilate the learning. In addition, sharing this learning throughout the organisation can help to reduce the exposure of the risk event occurring again and shortening the response time if it does.
Secondly, rather than focus on specific scenarios, plans should focus on outcomes. Yes, you may have a flu pandemic plan in place, but what if a lottery syndicate wins the jackpot? The outcome is largely the same - you don't have people. The duration may differ, but the strategies that you might adopt will be the same: recruit new staff; bring in temps; ask staff to do overtime; bring in cross-trained staff; ask old staff to return to that function. BS 25999-1 gives us six impact categories: people, premises, technology, data, supplies and stakeholders. Any incident can impact on one or more of these categories, but by establishing strategies that can be used in any circumstance, you will be able to ‘cherry-pick’ your organisation's response.
Finally, in her paper last year published in The Business Continuity Journal, Lorna Anderson proposed seven essential non-technical competences for crisis management team members and of all the listed competences, creativity stood out for me. No incident will ever unravel as you have predicted it to do so or even as it has before. The engineers at NASA had never considered how to make a carbon dioxide scrubber from a command module fit a landing module, but not only were they able to create a solution during the Apollo 13 mission, they were also able to successfully communicate the instructions to a frazzled crew, still some distance from safety. Whilst NASA engineers are used to displaying creativity as part of their day-to-day activities, there is no reason why our managers could not develop the same competences, given the freedom to do so. This may not only help with incident management, but may even contribute to competitive advantage over time. However, it is important to recognise that our crisis managers may need some experience to draw upon and any crisis team should have a few ‘old hands’ who have seen the organisations response.
To take Mel's military simile further - recognise in your organisation that there are old soldiers, there are bold soldiers, but there are very few old, bold soldiers...
Richard Jones, MBCI
Skandia UK Business Continuity Manager
Make a comment
•Date: 16th May 2008• Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here
UPDATED 22ND MAY