Have you ever done something for so long, and no one has ever told you whether you’re doing it wrong, that you’ve never had to question or change it? I recently experienced this in my world of risk management and business continuity. My mind is still blown, so answers on a postcard please…
Here is an example of a conversation I recently overheard…
BC Manager – “So we need to include the absence of a backup printer as a business continuity risk?”
Risk Manager – “No, that’s what we call an ‘Issue’ in the world of risk management”
BC Manager – “Okay then, so what about the possibility that the printer might fail? Should that be logged as a business continuity risk?”
Risk Manager – “Nope, that’s an ‘Operational Risk’”
BC Manager – “Right… so what about there being only one chap on site who knows how to fix this printer?”
Risk Manager – “Still an Issue”
BC Manager – “Really? Well, what about the possibility of losing the one guy in the building who’s trained to fix the printer when it breaks? Surely THAT is a business continuity risk?”
Risk Manager – “Nope – that’s a Key Personnel Risk”
BC Manager – “Fine, I give up!”
Is anyone else confused? I know I am.
So following this conversation I returned to my online articles and books to review various chapters on BC risk, and I’m still none the wiser. I’ve even questioned some more experienced BC professionals, none of whom could provide me with a definitive answer to my question:
What exactly is Business Continuity Risk, and how does it fit into the wider risk management strategy of an organisation? I’m pretty sure there is an answer out there, but the water is muddy. The cynic inside me suggests that “BC Risk” was one of many attempts to break our trade up into specialisations, but in this case it hasn’t worked.
The most definitive guidance I came across was from a free webinar on Continuity Central from a company called Fusion Risk Management. They suggest that risk managers are more interested in property loss, injuries, liability, claims and financial impact, while the BC manager is more focused on process disruption and on their operations surviving impacts. However, they argue that the process is a joint responsibility (along with estates management). Unfortunately they then seem to go down the same route as everyone else and begin to articulate a classic risk framework approach, e.g. policy, assessments etc., and imply that BC risk is an element of this… so I’m still not 100% clear.
In the last few years my approach to risk in business continuity has very much been a case of monkey see, monkey do. My mentors, lecturers and colleagues all seemed to apply the same methodology. As far as my understanding goes, the approach tends to be something like this:
1) Important people decide what’s important – provide a list of services delivered by your organisation, present them to senior management with a suggestion of those which should be considered “critical”, and ask them to approve/amend the list.
2) Business Impact Analysis – once the critical services are identified, you then work with the managers to complete a template which helps to establish the most essential activities, the maximum outage times before impact, and the resources required to recover or maintain them in a disruption.
3) Risk and Threat Analysis – I then look at the classic BC risks, namely the loss of people, premises, technology and supply, to understand the threat against the essential activities.
4) Business Continuity Plan – based on the BIA and risk assessment I would then populate a plan.
5) I’d also escalate/log any significant risks identified on the corporate risk register or with the management team.
I was taught to do it this way and I’ve never been challenged on this process, so in the absence of specific guidance I have simply assumed that this is the right way. It’s only now that I’m becoming confused!
As I never suffer in silence, I took to asking my friends who work in risk management and have had exposure to the concept of “BC Risk”, and this is what I got:
“Just do it outwith the routine risk management processes because it gets too complicated”
“Just check the standard and give the auditor what they need”
“In my experience there is no definitive answer”
“It’s basically operational risk and we should really be aligning to that but we don’t”
Having given it some wider thought, I suggest the following approach:
1) Identify the generic risks that affect the entire organisation to some extent, i.e. loss of building, staff, technology and supply.
2) Produce a risk assessment template to document these risks, inclusive of top-level mitigation strategies explaining how the organisation controls each risk.
3) Provide the populated template to critical departments and request that they consider more localised risks (e.g. Joe Bloggs is the only one who knows how to use this software) and add these to their template.
4) Advise all business-critical staff to only identify risks that have not already been logged as part of the routine risk management process, e.g. on existing registers.
5) Complete all of the above outwith the wider risk management process to avoid confusion.
6) Pass to the auditor and smile...