Friday, 2 May 2014

The Business Continuity Risk Myth


Have you ever done something for so long, without anyone ever telling you whether you were doing it wrong, that you have never had to question or change it? I recently experienced this in my world of risk management and business continuity. My mind is still blown, so answers on a postcard please…

Here is an example of a conversation I recently overheard…


BC Manager – “So we need to include the absence of a backup printer as a business continuity risk?”

Risk Manager – “No, that’s what we call an ‘Issue’ in the world of risk management.”

BC Manager – “Okay then, so what about the possibility that the printer might fail? Should that be logged as a business continuity risk?”

Risk Manager – “Nope, that’s an ‘Operational Risk’.”

BC Manager – “Right… so what about there being only one chap on site who knows how to fix this printer?”

Risk Manager – “Still an Issue.”

BC Manager – “Really? Well what about the possibility of losing the one guy in the building who’s trained to fix the printer when it breaks? Surely THAT is a business continuity risk?”

Risk Manager – “Nope – that’s a Key Personnel Risk.”

BC Manager – “Fine, I give up!”

Is anyone else confused? I know I am.

So following this conversation I returned to my online articles and books to review various chapters on BC risk, and I’m still none the wiser. I’ve even questioned some more experienced BC professionals, none of whom could provide me with a definitive answer to my question:

What exactly is Business Continuity Risk, and how does it fit into the wider risk management strategy of an organisation? I’m pretty sure there is an answer out there, but the water is muddy. The cynic inside me suggests that “BC Risk” was one of many attempts to break our trade up into specialisations, but in this case it hasn’t worked.

The most definitive guidance I came across was from a free webinar on Continuity Central by a company called Fusion Risk Management. They suggest that Risk Managers are more interested in property loss, injuries, liability, claims and financial impact, whereas the BC manager is more focused on process disruption and on their operations surviving those impacts. They argue, however, that the process is a joint responsibility (along with estates management). Unfortunately they then seem to go down the same route as everyone else and articulate a classic risk framework approach (policy, assessments, etc.), implying that BC risk is simply an element of this… so I’m still not 100% clear.

Old Habits

In the last few years my approach to risk in business continuity has very much been a case of monkey see, monkey do. My mentors, lecturers and colleagues all seemed to apply the same methodology. As far as my understanding goes, the approach tends to be something like this:

1) Important people decide what’s important – provide a list of services delivered by your organisation, present it to senior management with a suggestion of those which should be considered “critical”, and ask them to approve or amend the list.

2) Business Impact Analysis (BIA) – once the critical services are identified, you work with the managers to complete a template which establishes the most essential activities, the maximum outage time each can tolerate before impact, and the resources required to recover or maintain them during a disruption.

3) Risk and Threat Analysis – I then look at the classic BC risks, namely the loss of people, premises, technology and supply, to understand the threat to the essential activities.

4) Business Continuity Plan – based on the BIA and risk assessment, I then populate a plan.

5) Escalation – I also escalate or log any significant risks identified to the corporate risk register and the management team.

I was taught to do it this way and I’ve never been challenged on this process, so in the absence of specific guidance I have simply assumed that this is the right way. It’s only now that I’m becoming confused!

As I never suffer in silence, I took to asking my friends who work in risk management and have had exposure to the concept of “BC Risk”, and this is what I got:

“Just do it outwith the routine risk management processes because it gets too complicated.”

“Just check the standard and give the auditor what they need.”

“In my experience there is no definitive answer.”

“It’s basically operational risk and we should really be aligning to that, but we don’t.”

Having given it some wider thought, I suggest the following approach:

1) Identify the generic risks that affect the entire organisation to some extent, i.e. loss of building, staff, technology and supply.

2) Produce a risk assessment template to document these risks, including the top-level mitigation strategies that explain how the organisation controls each risk.

3) Provide the populated template to critical departments and ask them to consider more localised risks (e.g. Joe Bloggs is the only one who knows how to use this software) and add these to their template.

4) Advise all business-critical staff to identify only those risks that have not already been logged as part of the routine risk management process (e.g. on existing registers).

5) Complete all of the above outwith the wider risk management process to avoid confusion.

6) Pass to the auditor and smile...

4 comments:

  1. It's a valid question and there is much confusion. BC and risk are two disciplines that complement each other as part of the wider resilience strategy. Risk is speculating what can go wrong and what could be done. BC is based on a logical approach of analysis if done correctly and is the response that will be carried out once the plans are proven through testing. It can all get confusing and each practitioner's approach will differ, but isn't that the same in most industries? Surely that's what makes it interesting?
  2. werner verlinden, 20 July 2014 at 01:38

    There has always been confusion between the risk and BCM disciplines and the terminology/practices used within each. When we developed ISO 22301, our technical committee was, to my knowledge, the first to attempt to create "peace" between the disciplines. When you check out ISO 22301 you will see that BCM clearly says that, with regard to risk management, the preferred way is to apply a risk management system like ISO 31000. This approach has since been followed by ISO 27001, which historically had a chapter on BCM; they now also write that should you consider BCM from an infosec point of view, you should apply a management system like ISO 22301. Hopefully when ISO 31000 is up for review they take on board the same approach ;-)
  3. There is a lot of overlap between business continuity and overall risk management, and it is also not clear to me what exactly defines them. Many professionals take risk management to include business continuity.
  4. This is a very important question. I feel BC and risk management are two completely different terms. Well, I’ll ask my professor Dr. Aloke Ghosh to explain these terms in detail. He would definitely clear my doubts.