When are you prepared for a risk?

Author: Manu Steens

In this post I write my own opinion, not that of any organization.

ISO 31000 largely prescribes, in outline, what a risk management system can look like. It requires you to carry out a risk assessment and to come up with measures, which you must then implement. However, it does not prescribe how to assess a measure (see my earlier blog https://emannuel.eu/en/hoe-een-maatregel-van-business-continuity-management-en-risico-management-beoordelen/).

Nor does it describe how to know whether you are prepared for a risk. That is what I want to talk about now, because once a measure has been assessed positively, the actual work only begins.

A first step you need to take is to actually carry out a risk assessment. There is no way around that. But defining a measure is only the beginning of the actual operational preparation for the risk. There are a few things you need to do or check, besides implementing it.

  • Do you have a budget?

Provide a budget that is large enough. There are several types of budget that you can provide.

The first is the budget you need for the implementation of the chosen measure.

A second is the budget you may need for external insurance.

A third is the budget you may need to get through the dark times, a kind of bridging budget.

A possible fourth is a budget in the form of a captive. This is only relevant for very large risks or for large risk portfolios.

These budgets must be represented in the balance sheet, with no budget earmarked for two purposes at once.

  • Do you have people?

In many crises there is a shortage of hands in the operational activities. It is best to think in advance about which people and which types of profiles you will need. Discuss this in advance with HR, to see if they can include the activities required of them in their part of the business continuity plan (BCP). Do they know people with the appropriate profiles? Do they have the necessary contacts to get them quickly? HR also needs to lend a hand.

  • Do you have material resources?

People often cannot do anything if they do not have the necessary equipment. Do you have the necessary back-up equipment for this? Do you have the necessary goods and information to continue the work or services? Are there goods or equipment that are duplicated as back-up for multiple purposes, under multiple measures? Can the organization afford this?

  • Do you have the necessary information (distributed)?

This can be the call tree within your organization, the log-in data of the notification system, etc. Are your own employees aware of the measure where useful and necessary? Is the environment (internal and external) aware of the possible risk, if this is relevant to them? And the other stakeholders?

  • Do you have an owner of the risk?

Who is responsible for addressing the risk when it materializes? Is that the process owner? Someone else? Is the handling of the crisis delegated to another person? You previously discussed the measure with him/her in an operational assessment (cf. the URL above). Who does what, and who reports to the Crisis Management Team (CMT)?

  • Do you have a sponsor of the risk?

Typically, this is a high-ranking manager who approves the budgets for the measure. In addition, you previously discussed the measure with him/her in a strategic assessment (cf. the URL above).

Finally, if a measure was not possible, do you have a plan of action? Have you talked to risk managers from other organizations who may face similar risks and who have plans? Can you exchange experiences? Can you reach agreements with competitors on the joint deployment of people when a risk occurs?

Checking off this list does not prevent your measure from failing. But it can at least convince the interested parties that the organization has already taken the necessary steps to avert, prevent or mitigate the risk if it occurs.

How to assess a measure of Business Continuity Management and Risk Management?

Author: Manu Steens

Within Risk Management and Business Continuity Management, risks and uncertainties are assessed (each management discipline in its own way) in order to have more certainty, in a VUCA world, about the success or survival of one's own organization.

The more or less succinct view of the way of working is that measures are linked to threats via an assessment. (I am deliberately limiting risks to threats here, so as not to lose focus in the story, although what follows may be partly true of, or analogous for, opportunities.)

These measures cost money and effort and must therefore be justifiable. So far I have found only two answers, in the literature and at conferences:

  • Look at the costs versus the benefits: if the prevention or mitigation costs more than the damage when the risk manifests itself, it is not worth the effort.
  • Look at the estimate of the residual risk: if that has not decreased enough in your opinion, it is not a good measure. The difference between the original risk and the risk after the measure must therefore be sufficiently large.

However, that will not take you very far if, as a process manager, you want to substantiate an argument towards a risk manager or business continuity manager, who in turn has to discuss it with the board of directors, the Chief Resilience Officer (CRO) or the C-suite.

What is more, a process manager usually wants hands-on arguments, while a board member or CxO wants more strategic arguments. And then the principle comes into play: give each what they are owed. Operational and strategic criteria are therefore needed with which to assess each measure.

Without wishing to be exhaustive in the criteria, nor in the points of attention that may go with them, I would like to outline one possibility here by proposing such criteria. Note that each criterion can be reviewed, elaborated and supplemented by the organizations that want to use it. The examples of implementation are purely illustrative and certainly not exhaustive.

As a risk manager or as a business continuity manager, review the measure operationally with the process manager on the following criteria (where applicable):

  • Reliability (for example: if a part is out, is there a backup of processes and people, a redundant structure of the organization, infrastructure, …)
  • Maintainability (e.g. the building, its equipment, its processes, education and training, …)
  • Availability (e.g. emergency number, network, realizations, independence, visibility, …)
  • Feasibility (for example: can it be organized? What legal structure is needed, what finances, what manpower, …)

As a risk manager or as a business continuity manager, look at the measure strategically with the higher manager (CRO, …) against the following criteria (where applicable):

  • Proportionality (especially: is a cost-benefit evaluation possible, not only in terms of return on investment (ROI) but above all in terms of value on investment (VOI)? If ‘more need can be met with the required money in another way than this’, the measure is disproportionate; what kind of evaluation models are needed for that?)
  • Prudence (for example: what is a life worth? There is no rule of maximum caution here, I think; rather the question is whether you can be more careful within budgets.)
  • Effectiveness (among other things: are the benefits large in the cost-benefit analysis? Does the information flow between the right players? Is there an eye for quality in mapping the risks? Is the organization supportive of the operational and strategic requirements? Are targets met in time (before predictable crises occur) so that exercises can be run to build preparedness for future crises?)
  • Efficiency (among other things: is the cost small in the cost-benefit analysis? Is the information flow smooth? Is there a will to collaborate within the networks, and does this go with a subsidiary decision-making authority (which is a quality requirement)? Can the organization be reorganized flexibly, and is there smooth collaboration with government? Are milestones for the plans met in a timely manner?)

Using such a well-thought-out argumentation framework to substantiate the correctness of a measure can help prevent misunderstandings or arbitrariness when formulating the measures to be implemented.

If it has then been established, in a subsidiary way, at both the operational level and the strategic level that the measure makes sense, it may be safer for all parties to implement the measure, as a justification for a possible audit afterwards if things still go wrong later.

However, although the concepts of operational and strategic crisis management exist, it is not clear to me whether this way of working can be applied in crisis management. It may be possible in the case of project operation in the aftercare phase. But that in itself may be an idea for others to check.

What is the BC Manager profile?

Author: Manu Steens

Inspired by the pdf of I. Helsloot, “Veiligheid als (bij)product”, available at https://www.ifv.nl/kennisplein/Documents/2012-helsoot-veiligheid-als-bijproduct.pdf

I divide this question into the following questions:

Why should BC Managers have a good interaction with, and knowledge of, crisis? What responsibility do they have in a crisis? And so, what position should they have?

There are all kinds of principles that apply in safety, and that make safety what it is.

One such principle is that “the BC Managers (basically) serve their boss”.

In more detail, this could mean the following:

They must be employed by their boss (for his strategic goals), because otherwise there is a threat to the organization that the advice of BCM becomes one-sided: it would benefit ‘its own’ subject (partial interest, preferences), without meaningful management. Meaningful management is very often about the money available to realize the strategic goals. This means that an external or poorly placed BC Manager cannot make a balanced assessment of interests, which can lead to inefficient and ineffective operation.

The advice in such a situation would be one-sided and dogmatic (“Just do it!”), and there would be no integral advice.

What does that mean?

In fact, it comes down very much to countering an advice trick of one-sided advisors, who repeat the words (attributed to Trevor A. Kletz) that sound very nice as a one-liner:

“If you think safety is expensive, try an accident”.

The trick to countering this nice-sounding but hollow phrase is as follows:

The advice reduces the situation to the question of whether you can compare the cost of the measures against one risk with the cost of the misery that arises when that one risk materializes. However, you do not know in advance which risk will ultimately lead to misery, so you would have to prepare your organization for all risks (the cost of which tends to infinity) while only one risk ultimately leads to misery. Do you have to choose? No: the measures must be carefully considered and coordinated where possible. Where possible, a measure should cover as many risks as possible.

An example could be “optimum telework”, which is useful when a building is unavailable, but which can also help when a pandemic occurs, when a slope shear is imminent at the main building, when heavy storms are imminent, etc.

Even in a crisis, there is too little time to coordinate several possible matters.

  • That is why the BC Manager must present the proposed measures in an integrated manner, and not just as a sum of advice swept together.
  • That is why BC Managers must be well aware of the other matters and purposes of their own organization.
  • That is why priorities must also be set in Risk Management and integrated measures must be taken.
  • That is why a BIA and an RA are needed before starting a BCP document set.
  • And finally: that is why the BC Manager must also be well informed about the target group of the BCP, the crisis teams and the CMT of the organization: what the structure is, who is in it, who needs to know what about BCM, and what BCM can mean for them.

To be able to do this efficiently and effectively, a BC Manager must also have sufficient capabilities and be able to talk to the management team at their level, and so also have insight into their budgets.

This reasoning applies not only when preparing for a potential crisis, but also during a crisis and in its aftermath, when advice to the CMT, the sponsor and senior management is needed.

For such goals to be realized by the BC Manager, they must have a holistic view of the organization, internally but also externally in its environment.

To meet these requirements, a heavy profile is needed.

Whether the BC Manager should be included in the C-suite for this reason remains an open question. Personally, I would rather let that question pass by.

Business Continuity Management – Building an effective Incident Management Plan.

Author: Michael Blyth

In this book the author works steadily towards his goal in the first three chapters: demonstrating the importance of Incident Management Plans (IMP) in addition to a BCP.

In chapter 4 he then addresses the inevitable question, “what if?”, for some 40 cases, each of which is explained in text form; chapters 5 and 6 provide the promising basis for the elaborated plans and questionnaires.

Chapter 5 gives the guidelines for the plans, built on the principle of a triptych: a first table is filled in to get an idea of which (part of) the organization is involved, an outline of entity, place, time, … Then follow the steps to be taken: these have been drawn up as a so-called “Guideline”, not to be followed slavishly but to be interpreted. The third part of the guidelines forms the framework of suitable organizations and key persons that can be contacted.

Chapter 6 provides questionnaires, one per IMP, that can be used to assess the situation, in addition to the questions of “SAD CHALETS”, the mnemonic used by the English police to get a view of the situation. This chapter also contains a template for a risk assessment, which can be used during the crisis to estimate its evolution.

The book also contains a URL with password, where you can find the English text of chapters 5 and 6 in a Word document for further development tailored to your own organization.

The book is thus really a book for doers, with, to a limited extent, an introductory theoretical exposition.

However, the IMP for cybersecurity has not been worked out enough (which I think could have been a separate piece). Other threats have been worked out. Some threats are becoming more and more relevant for affiliates in the USA and elsewhere with current climate change; others are more universal in nature.

Self-assessment BCM – tools

If you want to know how far along you are with the implementation of your BCM operation, you must carry out a (self-)assessment.

There are specialists for hire to do an audit and write an expensive report. But often you do not have the money in times of crisis. Then you have to do it yourself, and you need a tool for that. Here you will find a simple Dutch Excel tool (and an English translation) that you can adapt to your own needs.