Operational risk management and business continuity

Get free weekly news by e-mailBy Leslie T Whittet FBCI MACS MRMIA.

The requirement by national regulators, based upon guidelines from the Bank for International Settlements (Basel II), for financial institutions to manage operational risk in addition to credit and market risk, has raised a number of issues and much debate. Precisely what is operational risk? How is it delineated from credit and market risk? How can it be quantified? How can one separate the sources of operational risk when some, such as employee-related examples, may be a common cause?

Basel II defines operational risk as, “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It further breaks loss events into seven general categories:
• Internal fraud;
• External fraud;
• Employment practices and workplace safety;
• Clients, products and business practice;
• Damage to physical assets;
• Business disruption and systems failures;
• Execution, delivery and process management.

It is easy to see that there may be considerable overlap between these in terms of the source of a particular loss. It is also apparent that some are closely related to the discipline of business continuity management whereas others must be treated via standard risk management and/or good corporate governance practices. Damage to physical assets is a typical BCM issue leading to the preparation of a business continuity plan, possibly underpinned by a number of subsidiary plans such as an information and communications technology disaster recovery plan. Conversely fraud issues will usually be addressed through conventional risk management practices supported and strengthened by strong company policies and procedures.

The difficult operational risk question – what risks are to be addressed - will be confirmed in the business impact analysis (BIA) phase of the business continuity management program if it has not already been separately considered. Indeed it is better to resolve it through the BIA process as this rigorous process may offer unexpected solutions. The BIA is the foundation of effective business continuity planning and it is the appropriate stage in which to examine all supporting processes and activities.

The process of developing the plans (see below) – especially the BIA – will identify options to minimise likelihood of interruption to critical activities. It is essential to recognise the criticality of the pre-incident activities which should also be revealed through the BIA. These may include, for example:
• Good health and hygiene practices as a preventative for pandemics and epidemics (in fact, for a healthy workplace at any time!);
• Comprehensive succession planning;
• Comprehensive knowledge management practices including the provision of clear and concise standard operating procedures (SOPs) – these may be critical in business recovery if inexperienced personnel are required to perform unfamiliar tasks;
• Job rotation practices;
• Rotation of key processes and/or activities through alternate sites.

It is useful to bear in mind, however, that business continuity plans primarily deal with the post-incident timeframe. It is the retained risks flowing from the BIA for which effective continuity and recovery plans must be developed. Attention must also be given to the impact upon the risk profile if/when certain continuity measures are implemented. For example the loss of a primary data centre, with attendant fail over to a standby centre, has a dramatic impact on the risk profile as the organisation now has multiple single points of failure. This is not to suggest that we establish a standby to a standby to a standby... but rather to stress that consideration must always be given to alternative solutions – e.g. manual methods – at least for short-term response.

For those operational risk areas that are to be treated through the business continuity management program standard practices should be applied:
• Establish business continuity policy and scope;
• Establish resourcing and funding;
• Define the organisation’s key products and services;
• Determine the maximum tolerable period of disruption (MTPD) for each;
• Conduct a business impact analysis to establish and prioritise the critical activities and their MTPDs – this stage includes using standard risk management practices (e.g. AS/NZ 4360 – 2004) to assess risks and establish treatment options;
• Present retained risks and management strategies to the executive for determination;
• Develop continuity and recovery plans - BCP(s) - to address the retained risks in accordance with the agreed strategies including, inter alia:
o Scope;
o Team briefs;
o Team action plans;
o Key stakeholder contact lists;
o Resources;
o Supporting plan references.
• Exercise business continuity plans;
• Undertake training and cultural awareness;
• Maintain business continuity plans within business continuity management program reviews.

Note that this is merely a brief summary of key aspects and the reader is directed to international best practice materials for further information (1). Perhaps the key requirement in an on-going sense is to ensure that the entire business continuity management program is formally established and managed, including periodic – at least annual – reviews. There is a real danger that the focus is trained squarely on exercising and updating business continuity plans without ensuring that they remain aligned with the changing requirements and practices of the organisation. This can only be addressed through regularly reviewing the entire program in accordance with the process used to initially develop the business continuity plans.

I would suggest that most reviews go no further than the business continuity plans and possibly exercise outcomes yet the organisation may have changed to such an extent that the BIA, today, would yield quite different results to when it was first undertaken. As a consequence the strategy forming the basis for the business continuity plans may also require significant review. Some of the plans will have been updated to accommodate a new process here and there, or some new ICT capability, but no systematic approach has been undertaken to ensure that the wheel remains round rather than having an irregular shape with random air bubbles, patches and punctures! There is a very real danger that the business continuity plans themselves will, over time, become quite dysfunctional and unsuited to the current needs of the organisation if due attention is not given to the entire business continuity management program.

Much of what contributes to effective business recovery is really in the preparatory planning and this aspect gets primary focus during the BIA and strategy development phases. Unless there is organisational commitment and a process to revisit these business continuity management foundation steps it is likely that we will experience a widening gap between our business resilience capability and what is potentially achievable. In other words we are diminishing the real value add that effective business continuity management brings to an organisation.

(1)Business Continuity Institute Good Practice Guidelines, 2007
British Standards Institute BS 25999-1 Business Continuity Management - Code of Practice, 2006
British Standards Institute BS 25999-2 Business Continuity Management - Specification, 2007

Leslie T Whittet FBCI MACS MRMIA
Managing Consultant
Leslie Whittet & Associates Pty Ltd
P O Box 136

Date: 19th August 2008• Region: Australia/World •Type: Article •Topic: Operational risk
Rate this article or make a comment - click here

Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help