How to assess a measure of Business Continuity Management and Risk Management?

Author: Manu Steens

In this contribution, I write my own opinion, not that of any organization.

Context

Within Risk Management and Business Continuity Management, each discipline assesses risks and uncertainties in its own way, in order to gain more certainty in a VUCA world about the success or survival of one's own organization.

The short version of the way of working is that measures are linked to threats via an assessment. (I am deliberately limiting risks to threats here so as not to lose the focus of the story, although what follows may be partly true of, or analogous for, opportunities.)

These measures cost money and effort and must therefore be accountable. Until now I have found only two answers in the literature and at conferences:

  • Look at the costs versus benefits: if the prevention or mitigation costs more than the damage when the risk manifests itself, it is not worth the effort.
  • Look at the estimate of the residual risk: if, in your opinion, it has not decreased enough, it is not a good measure. The difference between the original risk and the risk after the measure must therefore be sufficiently large.

However, that won’t take you very far if, as a process manager, you want to substantiate an argument against a risk manager or business continuity manager, who in turn has to discuss it with the board of directors, the Chief Resilience Officer (CRO) or the C-suite.

What’s more, a process manager usually wants hands-on arguments, while a board member or CxO wants more strategic arguments. And then the principle of giving each what is owed to them comes into play: operational and strategic criteria are therefore needed with which to assess each measure.

Without wishing to be exhaustive in the criteria, nor in the points for attention that may go with them, I would like to outline one possibility here by proposing such criteria. Note that each criterion can be reviewed, elaborated and supplemented by the organizations that want to use it. The examples of implementation are purely illustrative and certainly not exhaustive.

Operational review

As a risk manager or as a business continuity manager, review the measure operationally with the process manager on the following criteria (where applicable):

  • Reliability (for example, if a component fails, is there a backup of processes, people, a redundant organizational structure, infrastructure, …)
  • Maintainability (e.g. the building, its equipment, its processes, education and training, …)
  • Availability (e.g. emergency number, network, realizations, independence, visibility, …)
  • Feasibility (for example, can it be organized? What legal structure is needed, what finances and manpower are required, …)

Strategic review

As a risk manager or as a business continuity manager, review the measure strategically with the higher manager (CRO, …) on the following criteria (where applicable):

  • Proportionality (especially: is a cost-benefit evaluation possible, not only in terms of return on investment (ROI) but above all in terms of value on investment (VOI)? If ‘more need could be met with the required money in another way than this’, the measure is disproportional; what kind of evaluation models are needed for that?)
  • Prudence (for example, what is a life worth? I think there is no rule of maximum caution here; rather, the question is whether you can be more careful within the available budgets.)
  • Effectiveness (among other things: are the benefits large in the cost-benefit analysis? Does the information flow between the right players? Is there an eye for quality when mapping the risks? Does the organization support the operational and strategic requirements? Does it meet its targets in time, for predictable crises, so that exercises can be held to build preparedness for future crises?)
  • Efficiency (among other things: is the cost small in the cost-benefit analysis? Does the information flow smoothly? Is there a will to collaborate within the networks, and is this done with subsidiary decision-making authority (which is a quality requirement)? Can the organization be reorganized flexibly, and is there smooth collaboration with government? Are the milestones of the plans met in a timely manner?)

Final thoughts

Using such a well-thought-out framework of argumentation to substantiate the correctness of a measure can help prevent misunderstandings or arbitrariness when formulating the measures to be implemented.

If it has then been established, in a subsidiary way, at both the operational and the strategic level that the measure makes sense, implementing it may be safer for all parties, and the assessment serves as justification in a possible audit afterwards if things still go wrong later.

However, although the concepts of operational and strategic crisis management exist, it is not clear to me whether this way of working can be applied within crisis management. It may be possible for project operations in the aftercare phase. But that in itself may be an idea for others to check.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.
