How to assess a measure of Business Continuity Management and Risk Management?

Author: Manu Steens

Within Risk Management and Business Continuity Management, each management discipline does it in its own way, risks and uncertainties are assessed in order to have more certainty in a VUCA world on the success or survival of the own organization.

The more or less succinct view on the way of working is that measures are linked to threats via an assessment. (I’m deliberately limiting risks to threats here, so as not to lose focus on the story, while perhaps what follows may be partly true or analogous to opportunities.)

These measures cost money and effort and must therefore be accountable. Until now I got only two answers in literature and at conferences:

  • Look at the costs versus benefits: if the prevention or mitigation costs more than the damage when the risk manifests itself, it is not worth the effort.
  • Look at the estimate of the residual risk, if that has not decreased enough in your opinion, it is not a good measure. The difference between the original risk and the risk after the measure must therefore be sufficiently large.

However, that won’t take you very far if you want to substantiate an argument as a process manager against a risk manager or business continuity manager who in turn has to discuss it with the board of directors or the Chief Resilience Officer (CRO) or in the C-suite.

What’s more, a process manager usually wants hands-on arguments, while a board member or CxO wants more strategic arguments. And then the principle comes into play: to give what is owed to them. Operational and strategic criteria are therefore needed with which to assess each measure.

Without wishing to be exhaustive in the criteria, nor the points for attention that may go with them, I would like to outline a possibility here by proposing such criteria. Note that each criteria can be viewed and further entered and supplemented by those organizations that want to use it. The examples of implementation are purely illustrative and certainly not exhaustive.

As a risk manager or as a business continuity manager, review the measure operationally with the process manager on the following criteria (where applicable):

  • Reliability (For example, if a part is out, there is a backup of processes, people, redundant structure of organization, infrastructure, …)
  • Maintainability (e.g. the building, its equipment, its processes, education and training, …)
  • Availability (e.g. emergency number, network, realizations, independence, visibility…)
  • Feasibility (For example, can it be organized? What legal structure is needed, required finances, required manpower,…)

As a risk manager or as a business continuity manager, look at the measure strategically with the higher manager (CRO, …) on the following criteria (where applicable):

  • Proportionality (Especially: Is a cost benefit evaluation possible, not only with return on investment (ROI) but especially with value on investment (VOI)? ‘More need can be met with the required money in another way than this’, would mean that this is disproportional; what kind of evaluation models are needed for that?)
  • Prudence (For example, what is a life worth? There is no rule of maximum caution here, I think, rather the question whether you can be more careful within budgets?)
  • Effectiveness (Among other things, are the benefits great in the cost-benefit analysis? Is the information flow between the right players? Is there an eye for quality by mapping the risks? Is the organization supportive of the operational and strategic requirements? Does it meet targets in time (for predictable crises to occur) to be able to perform exercises to create preparedness for future crises?)
  • Efficiency (Among other things, is the cost small in the cost-benefit analysis? Is the information flow smooth? Is there a will to collaborate within the networks, and is this with a subsidiary decision-making authority (which is a quality requirement)? Can the organization be reorganized flexibly, and is there a smooth collaboration with government? Are milestones for the plans met in a timely manner?)

Using such a well-thought-out framework of argumentation to substantiate the correctness of a measure, it can help to prevent misunderstandings or arbitrariness when formulating measures to be implemented.

If it has then been established in a subsidiary way at both the operational level and the strategic level that the measure makes sense, it may be safer to implement the measure for all parties, as a justification for a possible audit afterwards if things still go wrong later.

However, although there are the concepts of operational and strategic crisis management, it is not clear to me whether this way of working can be implemented in crisis management. This may be possible in the case of project operation in the aftercare phase. But that in itself may be an idea for others to check.

What is the BC Manager profile?

Author: Manu Steens

Inspired by the pdf of I. Helsloot “Veiligheid als (bij)product” available at https: // www.ifv.nl/kennisplein/Documents/2012-helsoot-veiligheid-als-bijproduct.pdf

I divide this question into the following questions:

” Why should BC Managers have a good interaction with and knowledge of Crisis? What responsibility do they have in crisis? So what position should they have?

​There are all kinds of principles that apply in safety, which make safety what it is.​

One such principle is that “the BC Managers (basically) serve their boss” 

​More detailed this could mean the following:​

that they must be employed by their boss (for his strategic goals) because otherwise there is a threat to the organization that the advice of BCM would be one-sided, it would benefit ‘their own’ subject (partial interest, preferences), without meaningful management. Meaningful management is very often about available money to realize the strategic goals. This means that an external or poorly placed BC Manager cannot make a balanced assessment of interests. This can lead to inefficient and ineffective operation.​

This means that the advice in such a situation would be one-sided, dogmatic (“Just do it!”) and that there is no integral advice.​

​What does that mean?​

In fact, it comes down very much to countering an advice trick of one-sided advisors, who repeat the words (attributed to Trevor A. Kletz) that sound very nicely as a one-liner: 

“If you think safety is expensive, try an accident”.

​The trick to countering this nice-sounding but hollow phrase is as follows:​

The situation of the advice is dismissed as to whether you can compare the costs of the measures against one risk with the costs of the misery that arises when that one risk materializes. However, you do not know in advance which risk will ultimately lead to misery, so you would have to prepare your organization for all risks (the costs of which amount to infinite) while only one risk ultimately leads to misery.​ Do you have to choose? No, the measures must be carefully considered and coordinated where possible. Where possible, a measure should cover as many risks as possible.

An example could be “optimum telework” which is useful when a building is unavailable, but which can also help when a pandemic occurs, when a slope shear is imminent at the main building, when heavy storms are imminent, etc.

Even in a crisis, there is too little time to coordinate several possible matters.​

  • That is why the BC Manager must present the proposed measures in an integrated manner. And not just as a sum of advice swept together.​
  • Therefore, BC Managers must be well aware of the other matters and purposes of their own organization.​
  • That is why priorities must also be made in Risk Management and integrated measures must be taken.​
  • That’s why a BIA and an RA are needed before starting a BCP document set . 
  • And finally: that is why the BC Manager must also be well informed about the target group of the BCP: the Crisis teams and the CMT of the
    organization: what the structure is, who is in it, who needs to know what about BCM.​ What BCM can mean for them.

​To be able to do this efficiently and effectively, a BC Manager must also have sufficient capabilities, and be able to talk to the management team at level, so also have insight into their budgets.​

​This reasoning applies not only when preparing for a potential crisis, but also during and after a crisis in its aftermath, when advice to the CMT, sponsor and senior management is needed.​

​For such goals to be realized by the BC Manager, they must have a holistic view of the organization, internally but also externally in its environment.​

​To meet these requirements, a heavy profile is needed.

The answer whether the BC Manager should be included in the C-suite for this reason is still not given. Personally, I’d rather let that question pass by.

Business Continuity Management – Building an effective Incident Management Plan.

Author: Michael Blyth

In this book the author works steadily towards his goal in the first three chapters: demonstrating the importance of Incident Management Plans (IMP), in addition to a BCP.

In addition, in chapter 4 he describes the inevitable: “what if?” Is the key question for some 40 cases, each of which is explained in text form, with chapters 5 and 6 providing the promising basis for the elaboration plans and questionnaires.

Chapter 5 gives the guidelines of the plans, in which there is a principle of a triptych: a first table is filled in to get an idea of ​​which (part of) the organization is involved. An outline of entity, place, time … Then the steps to take are taken: these have been drawn up as a so called “Guideline”, not to follow slavishly, but by interpretation. The third part of the guidelines forms the framework with suitable organizations / key persons that can be contacted.

Chapter 6 provides questionnaires, one per IMP, that can be used to estimate the situation, in addition to the questions of “SAD CHALETS”, the mnemonic used by the English Police to get a view of the situation. In addition, this chapter also contains a template for a risk assessment, which can be used during the crisis, to estimate the evolution of the crisis.

The book also contains a URL with password, where you can find the English text of chapters 5 and 6 in a word document for further development tailored to your own organization.

The book is thus actually a book for doers, with, to a limited extent, an introductory theoretical exposition.

However, in terms of IMP for cybersecurity it has not been worked out enough (which I think could have been a separate piece). Other threats have been worked out. Some threats are becoming more and more relevant for affiliates in the USA and elsewhere with current climate changes. Other are more universal in nature.

Self-assessment BCM – tools

If you want to know how far you stand with the implementation of your BCM operation, you must carry out a (self-) assessment.

There are specialists for hire to do an audit and write an expensive report. But often you do not have the money in times of crisis. Then you have to do it yourself. You need a tool for that. Here you will find a Dutch simple Excel tool (and an English translation) that you can still adapt to your own needs.

 

In Hindsight – A compendium of Business Continuity case studies

Edited by Robert A Clark

In Hindsight reflects on a series of disasters from a BCM perspective. Some organizations have scored good, others did not. Five organizations were not prepared and did not make it. A sixth has made it thanks to an extraordinary portion of luck. Some disasters had extraordinary proportions and global consequences. Others stayed local. The causes vary, from brutal bad luck like acts of God and accompanying volcanic eruptions, to things that could be prevented like the Herald of Free Enterprise, in which somebody is clearly to blame.

Other causes of human nature are lack of insight or poor management, profiteering, stupidity, terror, … All these things have in common that they are in the environment of many organizations.

The consequences can be equally diverse: environmental damage, death, safety and health problems, global economic crisis, legal prosecutions …

This diversity of topics makes the book very suitable as an eye-opener for managers and boards of directors.

The penultimate chapter also emphasizes the importance of small sparks: fraud, cyber attacks, employee dissatisfaction, the media, small and large fires, including those of the neighbors, poor planning of major projects, breaches of information security such as data theft, floods, diseases, etc.

But the final message, perhaps the most important, is in a quote from Vince Lombardi, a former American football player, who said: “It is not whether you get knocked down; it’s wheter you get up “. And that requires preparation.