Breaking Down Silos – Using Common Criteria to Assess and Prioritize Risks

An isolated approach to business continuity (and risk management in general) is holding many organizations back.

Business Continuity is one of many disciplines that helps organizations become more resilient – that is, to increase an organization’s capacity to adapt to evolving circumstances and survive (or even thrive) during periods of disruption or change. Other related disciplines – such as Information Security, IT Disaster Recovery, Emergency Management, Enterprise Risk Management, and Physical Security – ultimately have the same strategic purpose. The goals and objectives of the individual disciplines may be more focused, but if we, as practitioners of these disciplines, force ourselves to look outside the artificial walls we sometimes build around our responsibilities, we should find that we are striving for something bigger than any one of us can deliver alone.

Risky Business (Part 3): A Supply Chain Continuity Case Study

Muda. It’s the Japanese word for waste and the enemy in modern supply chain management and manufacturing. Since the 1980s, lean thinking has revolutionized the way businesses operate by seeking to eliminate muda and free capital held in wasteful assets—that is, assets that do not add value to the overall process (e.g. excess inventory or underutilized equipment). Lean thinking is important and helps businesses improve their processes and their bottom lines. It does, however, raise one key question that risk managers and business continuity professionals must ask: “how lean is too lean?” Wantonly cutting out all perceived muda to save money can actually have the opposite effect down the road. Organizations with global supply chains inherit significant risk because of the potential impact of a supply chain disruption. In some cases, a disruption could threaten an organization’s ability to continue business or require large amounts of capital to recover. Organizations must fully examine their processes and supply chains to identify risk and make informed decisions on how lean is too lean.

This perspective—the third in the Risky Business series—uses a case study of the recent west coast dock worker strike to demonstrate the inherent risk of a supply chain that is too lean because of a virtual monopoly. This article also revisits evaluation and mitigation strategies from the first two Risky Business perspectives that organizations can use to reduce risk to an acceptable level.

Risky Business (Part 2): Too Lean, Too Late

Many organizations today aim to make operations as lean as possible. But, in doing so, are these organizations unknowingly increasing the risk of operational downtime and excess cost? Because streamlining operations eliminates redundant activities or suppliers, one misstep or disruption (internal or external) can result in time-consuming and costly operational delays or, much worse, damage market positioning or even threaten the survival of the organization.

This perspective is part two of a supply chain risk management-focused series called “Risky Business”. In part one, Managing Third-Party and Supplier Risk, we discussed the importance of protecting your organization from risks associated with a dependence on suppliers (and service providers), as well as how to analyze potential impacts and prioritize these risks.

In this perspective we’ll discuss the specific business continuity strategies and risk treatment options available to mitigate the risk associated with supplier dependencies to an acceptable level.

Risky Business (Part 1): Managing Third-Party and Supplier Risk

Business continuity planning is inherently cross-functional: it must address risks to an organization’s product and service offerings, as well as to the resources necessary to meet obligations. As organizations increasingly rely on a global network of suppliers and service providers, business continuity practitioners have the responsibility to understand and analyze these relationships and lead strategy identification efforts to protect their organization when faced with a third-party disruption.

Developing and implementing business continuity strategies and risk treatment options related to third parties can be a difficult endeavor because strategies may seemingly contradict an organization’s strategic efforts to leverage single-source suppliers, make supply chains “lean”, and reduce stored inventory levels. However, business continuity practitioners must provide top management with the information needed to balance strategic initiatives with the need to reduce single points of failure and protect an organization should a resource become unavailable.

This perspective discusses the tools available to identify and document third-party resources and methods by which risks can be presented to top management for review and action.

The Relationship Between the Business Impact Analysis and Risk Assessment

Avalution’s Approach to Establish Business Continuity Requirements

The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants are confused about the definitions of the two processes, how they relate to one another, and what each is expected to produce. This confusion often results in outcomes that fail to drive preparedness.

Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk.

Rethink Your Argument Approach to Resiliency!

Have you ever recommended additional redundancy for a process, department, or facility, only to be told that your organization couldn’t afford it or have the project repeatedly delayed until next year? I have. It’s pretty common in our profession.

Casey Haskins and Peter Sims recently wrote an article that you should consider a must read (and so should your senior leadership team responsible for continuity). It may just provide the viewpoint needed to help your organization be more resilient.

Don’t Reinvent – Be Successful by Leveraging “Non-Business Continuity” Tools and Methodologies

A critical and foundational element of business continuity planning is a clear understanding of the business environment, together with the critical products, services, and processes that contribute to the creation of business value. To recover successfully, an organization must connect its critical products and services to the key elements that produce them. In addition to facilities, equipment, people, technology, and data, these elements include suppliers and the goods they supply, the internal process stream (or streams) that transforms the resources and inputs, and the consumers of the output. Overall, a business continuity professional must have a clear understanding of day-to-day business processes and resources in order to plan successfully for disruptive incidents.

The question then becomes how to develop a repeatable process that provides this clear understanding without making it an end unto itself and creating unsustainable overhead. Even better, how can the business continuity professional leverage tools and methodologies in use by other disciplines to improve performance throughout the organization?

What Makes a Great Recovery Plan?

The goal of any recovery plan, regardless of the size or nature of the organization, is to protect life, minimize damage from an event, and quickly resume the delivery of critical products and services to meet customer requirements. How this is accomplished, however, depends not only on the nature of the organization, but also on its customers, size and resources, and culture. The objective is to build plans that are based on realistic requirements, fit within the organization’s culture, and remain cost effective and appropriate. The remainder of this article discusses these characteristics and how they are incorporated into recovery plans.

Organizational Resilience: What it could, or should, mean in the standards landscape

As Posted in the Digital Edition of Continuity Insights Magazine

Admittedly, I wrote this article to better get my mind around the swirling debate regarding the concept of organizational resilience and what it means – or better yet, what it should mean – to business continuity, risk management and security professionals. I am a member of the US Technical Advisory Group to ISO Technical Committee (TC) 223, which is charged with developing the ISO 22323 standard (Societal Security — Management system for resilience in organizations — requirements and guidance for use).

Business Continuity Tools for Small Businesses – We Can Do Better!

Last month, we published a perspective (Business Continuity for Small Businesses – We Can Do Better!) on how most small and medium-sized organizations escape the complexity of larger organizations and thus have the opportunity to implement streamlined business continuity planning processes, which should include: