The six horsemen of business continuity risk
Writing for BC Training Ltd, Charlie Maclean-Bristol discusses how organisations can better prepare themselves by categorising the potential risks to their operations, and why they need to be prepared for all types of risk.

Business continuity has always had an uneasy relationship with risk. Yes, we recognise that risk is important and needs to guide what we prioritise to recover. In a similar way, the Business Impact Assessment (BIA) guides what we need to recover.
However, we have an issue with likelihood. Many of the risks we mitigate have low likelihoods, but we choose to mitigate them anyway. It is difficult to be precise about, for example, the likelihood of our headquarters building burning down. An actuary may be able to tell you the likelihood of a building burning down in London, UK, but business continuity practitioners do not have the data to accurately determine the likelihood of their particular headquarters building burning down. You often see practitioners arguing about risk on LinkedIn.
The other issue I have with risk is trying to have a framework for identifying all the different risks that should be looked at when conducting a BIA and risk assessment for an organisation. PESTLE analysis seems the main framework to use, but to me, the categories are too wide. PESTLE is an acronym for Political, Economic, Social, Technological, Legal, and Environmental factors.
I was recently preparing for my podcast Two Men and a Business Continuity Plan with James McAlister, and we were talking about risk. We sketched out a framework which I felt just worked for me (the episode can be viewed here).
I am sharing the framework with you and would be interested to see if it worked for any of you. I am also playing with the five horsemen idea and seeing if this works as a name as well!
Risk for the business continuity practitioner could be broken down into five areas:
It-will-happen risks: Over my time as a business continuity practitioner, I have helped organisations prepare for known events. These are events which you know are going to take place and which could affect an organisation, but whose effect is unknown. In my time, I have prepared organisations for: strikes (including transport strikes), bridge closures, Brexit, the Commonwealth Games, the Olympics, COP26, protests, and severe weather. Those organisations felt these events might affect their operations and wanted to prepare for the worst case. So with these types of risks, you know the event is going to happen; you just don’t know what the effect will be: will it cause riots in the streets, attacks on those going to work, and burning of buildings, or will the event proceed peacefully?
Traditional risks: These are the risks you typically see in risk registers, such as environmental risks, safety risks, or hazard risks, and which may feature in risk lists published by governments, NGOs, and insurance organisations. These could include cyber threats; another pandemic; local natural disasters such as hurricanes, earthquakes, and flooding; as well as man-made risks like power or water supply failures.
Industry risks: These are the risks inherent in the industry your organisation operates in, and they are generally well known. If you are an airline, you face the risks of a plane crashing, failure of your IT systems, air traffic issues, and issues at the airports from which your aircraft operate. Most industries have a set of risks associated with them, as most kinds of incident have usually happened to the industry several times before, with varying effects.
Asset risks: These are beloved of business continuity practitioners and are often captured as part of the BIA. They look at the assets which underpin your most time-critical activities, and we develop recovery strategies and solutions to recover them if they are lost. This is where the issue of likelihood comes in. If an asset is vital to my delivery of goods and services, then I should think about how I will mitigate the risk of losing it. The likelihood of losing the asset is immaterial, working on the principle ‘if it has a significant impact, we should mitigate it’.
Grey Rhinos: A Grey Rhino is a highly probable, high-impact threat that is often ignored or downplayed until it’s too late. The risk is entirely obvious, but because the solution is difficult, we don’t do anything. For society as a whole, climate change is a classic example. Most people would agree that it will have a huge effect on our environment, but governments can’t agree on what to do about it. While we dither about solutions, the effect increases and gets worse. You may have old, tired machines manufacturing a key product, but your management cannot decide how best to replace them or where to find the money, while all the time the machines are getting older and breaking down more often. The catastrophic failure will come sooner or later, and we know it will happen.
Black Swans: These are risks which could have a huge effect on our organisations, but we can’t predict them, and only after they happen do we say that we should have recognised the risk in advance. 9/11, the global financial crisis in 2008, and the Fukushima nuclear disaster are all examples of incidents that had major effects, yet most people didn’t foresee them as risks. On the whole, we cannot predict Black Swans, but we can ensure we have robust business continuity plans that we can use to deal with them if they occur and affect our organisation.
I think the more ways we look at and categorise risks, the better, as we are then able to identify risks that we may have missed. I very rarely see Grey Rhino risks in risk registers because people often don’t want to acknowledge them. Rearranging our risks around these 5 + 1 categories (counting Black Swans as a category you can’t identify in advance) may help us identify risks better and increase the likelihood that they are captured.
This will also help with horizon scanning. ‘It-will-happen risks’ should be identified by horizon scanning, as these types of events are often agreed years in advance, so you have time to plan for them. Others, such as the Southport riots, we don’t notice in advance, but once they start we can quickly identify the risk to our locations and staff and take appropriate action.
The better we identify and manage our risks, the more likely we will mitigate them and prevent an incident before it occurs.
Charlie Maclean-Bristol is the author of the groundbreaking book Business Continuity Exercises: Quick Exercises to Validate Your Plan.
This article was originally published by BC Training Ltd and is reproduced with permission of BC Training Ltd and Rothstein Publishing.