It seems that every week, there’s a story in the news about a catastrophic disaster happening somewhere in the world. The last five to ten years have seen what appears to be unprecedented numbers of global natural disasters, leaving some to wonder if the whole 2012 end of days conspiracy theorists are perhaps onto something. While it might seem like the world is ending, overacting to these events or trying to plan for every worst case scenario is not productive and could DAMAGE your business continuity program. This article will discuss why focusing on these types of outlier events do not generate value or management interest, as well as discuss ways you CAN tweak your risk assessment and planning to ultimately gain more value without trying to tackle impossible planning standards.
Mass Hysteria is No One’s Friend
First off, no one likes a “chicken little” business continuity planner, running around screaming “the sky is falling” every time an event happens somewhere around the world or a small business interruption has potential to escalate. As an example, while global earthquake activity has seen an increase in the last five years (with 42 5.0 or higher earthquakes so far in 2012) that does not mean odds are necessarily higher in your neighborhood, even if you work in a high-risk area. Catastrophic events elsewhere in the world are vital reminders that events do happen and you must be prepared, but reading into one event as “prophetic” that the same event could strike your organization won’t win you any believers.
In addition, proactively executing strategies that prepare for OTHER’S risks or experienced disasters won’t actually protect you if you don’t take the time to truly understand the risks facing your organization and the potential impacts should the risks occur. Whether selling management on additional internal preparedness or executing internal strategies to strengthen planning, it’s important to learn from other’s experiences, but don’t place your bet on the exact same scenario affecting your organization.
Why Planning for Black Swan Events Doesn’t Work
It’s also important to realize that while it’s important to be cognizant of the threats your organization faces, it’s not possible to plan for black swan events, even though one may eventually strike your organization. By its very definition, a black swan event cannot be predicted. As such, the event is unprecedented. Author Nassim Nicholas Taleb defines three characteristics of a black swan event:
- The event must be unprecedented or have no empirical evidence or history to justify its possibility.
- The event must result in an extreme impact.
- After the fact, people will analyze the factors leading up to the event to define it as explainable and predictable, believing those responsible for planning just missed the signs.
Before September 11, 2001, no one would have imagined terrorists could simultaneously hijack four jetliners and fly them into NYC and WDC, attacking some of our most visible landmarks. After the fact, people asked how such events could have happened and looked to direct blame. However, very few people, if anyone, could have known the chain of nation-wide vulnerabilities that existed to make such a plot possible. In addition, no one predicted that an Icelandic volcano eruption could shut down travel across continents for multiple weeks, or that a tsunami would result in a nuclear plant meltdown with global repercussions.
Although no one could have predicted these types of events before they occurred without being laughed out of the board room, there were companies directly affected by these events that not only survived the experiences, but did so without significant business interruption. These organizations did not have foresight to anticipate such events; however, they had previously implemented flexible strategies applicable in almost any type of scenario to manage their responses to such events. It’s this level of loss-based assessment and planning that enables organizations to both sell management on risks and assure adequate planning, no matter the situation.
Loss-Based Assessment and Planning
While it may feel comforting to have response scenarios defined for those events that most threaten your organization, focusing on loss-based assessment and planning provides a resiliency and flexibility that threat-based planning cannot. Loss-based assessment works by helping you:
- Understand your organization’s dependencies on the availability of certain critical resources;
- Analyze impacts should each critical resource become unavailable; and
- Identify individual, potentially unique threats that could result in loss of each critical resource.
It’s also important to perform traditional threat-based assessments to enable organization-wide resiliency and strengthening measures against likely impactful threats, but loss-based assessment helps prepare for threats that can’t necessarily be predicted in advance – making you more resilient in any type of event, whether just unexpected or a true black swan event.
Loss-based strategy development and planning again looks at the resources upon which the organization is dependent, enabling organizations to develop both workarounds following loss and strategies to reacquire resources within defined recovery objectives. When developing your response to a disruptive event, it doesn’t matter if it’s a fire or hurricane interrupting your business. Being able to adequately respond depends on having the right response structure in place and having performed the appropriate loss and recovery planning to enable resumption of critical activities within defined timeframes.
How to Connect with and Present to Executive Management
Executive management is ultimately responsible for adequately preparing the organization for a potential business interruption, and most management teams are interested in understanding their organization’s key risks and real response capabilities. That said, approaching them with an attitude that “it’s only a matter of time before our sky falls” or with presentations that highlight black swan events around the globe will only serve to alienate you from them. Management wants to understand the true risks and impacts faced by their organization so they can execute a balanced approach that addresses likely risks with reasonable strategies, as well as puts the appropriate response structure and situational awareness in place to enable effective and timely response.
When presenting a loss-based risk assessment to management, start by outlining critical products and services that stakeholders rely upon the organization to produce, as this presents the organization in the same view they often see it. Once they’re on board with what you’re trying to protect, present the functions and resources that enable execution and delivery of these products and services, and then present the anticipated impacts should these resources become unavailable. Finally, present identified threats that could result in resource loss and potential strategies that could mitigate the risk (whether likelihood, impact, or both) or enable recovery following loss. This approach enables management to clearly understand the connection between the critical products and services they know to the strategies you would like to implement to protect the organization’s ability to continue or resume services.
For additional information on how to connect and present to executive management, check out:
- Connecting with Management and Staying Relevant
- Selling the Business Continuity Case to Executive Management
- Quality Metrics – Business Continuity Program Performance versus Recoverability
Overall, no matter what risk assessment approach you use, it’s important to stay realistic when performing risk assessments, developing response strategies, and presenting to management, as this approach helps keep you centered on priorities and strengthens your business case and response capability. Loss-based risk assessment and planning helps you justify investments to management while still enabling a capability that should enable effective response to any event, even the unpredictable black swans.
Avalution Consulting: Business Continuity Consulting