Risk Tip # 14 – Disruption Related Risks
Many of your organisations, no doubt, have a Business Continuity Plan and, if it is like so many that I have experienced, the plan will detail:
- Where the alternate site is if we are unable to access our offices (in the case of fire or flood or other reason)?
- What do we do if the IT system goes down?
- What do we do if we don’t have enough people?
The only problem with developing Business Continuity Plans such as this is that you may very well be ignoring the continuity of your most critical functions – you may not be managing your disruption related risks.
The purpose of Business Continuity Management
Business continuity can be defined as:
The discipline of developing and maintaining advance plans of action to enable an organisation to respond to an ‘event’ [risk event or disaster] in such a manner that its critical business functions continue with minimal or no disruption and that the impact upon staff, customers, products and services is also minimised.
The key term here is: critical business function. What this means is that business continuity management is focussed on the maintenance of critical functions.
Current issues with Business Continuity Management
In my view, there are three key issues with business continuity as it is undertaken currently:
- Business continuity tends to be focussed more on the method of the disruption, rather than the disruption itself;
- Business continuity tends to be focussed on disruption to the resources required for the continuity of the function and not the disruption of the function; and
- Business continuity is seen as separate to risk management.
These issues are discussed further below.
Focus on the method of disruption
When reviewing Business Continuity Plans that have been developed by or for organisations, there seems to be more of a fixation with the cause of the disruption, rather than the fact that the disruption can be caused by many things. Recognising that fact is referred to as an all hazards approach, i.e. we are not focussed on just one way that the disruption can occur.
I worked with one Council who had developed a Business Continuity Plan for a fire in their main building that meant there was a requirement for an alternate facility. The Community Centre was chosen, and the IT was enhanced, and other facilities were added. The only problem with this – both the Council office and the Community Centre were situated in a flood plain – so if the reason they could not get into the main Council building was because of a flood, the alternate facility could not be accessed either.
At this point, it is worth highlighting by way of example, that the Tsunami was not the risk at the Fukushima Nuclear Plant, the risk was: Disruption to reactor cooling operations for a period in excess of …. The key to capturing the risk in this manner is that a Tsunami is just one possible cause for the disruption, but there are certainly others.
We will further discuss how the risks are captured in a later section.
Focus on the disruption to the resources
One of the questions I ask the participants on my business continuity course is whether doctors and nurses are a critical business function for a hospital. The answer I get is always yes. The reality is that they are not. Doctors and nurses are critical resource requirements for the critical business functions.
Essentially, an organisation is a system of systems as shown in the diagram below:
These are the critical resource requirements. When there is a disruption to one or more of the sub-systems shaded in blue in the diagram below, it can disrupt the function.
This is an important distinction as it completely changes the focus of the program away from the critical resources to the critical function.
In the case of a hospital, I believe the following are the critical business functions:
- Check-in/check-out services
- Patient care operations
- Emergency department
- Surgical operations
- Catering operations
- Waste removal operations
- Pharmaceutical operations
- Cleaning operations
For a Council, some of the critical business functions are as follows:
- Rubbish collection and disposal
- Sewage treatment operations
- Water distribution operations
- In home meal delivery operations
The next section highlights why it is so important to identify the functions.
Business continuity separate to risk management
The importance of defining the critical business functions rather than the resources stems from the third of the issues that I have encountered – the separation of risk management from the business continuity function. Business continuity is not a separate function to risk management – it is an output of the risk management function.
A Business Continuity Plan, put simply, is a corrective control for a disruption related risk. But here is why it is so critical to capture them as risks: each risk will also have preventative and detective controls.
To that end, the following would be the disruption related risks to the Council:
- Disruption to rubbish collection and disposal operations for a period in excess of …..
- Disruption to sewage treatment operations for a period in excess of …..
- Disruption to water distribution operations for a period in excess of …..
- Disruption to in home meal delivery operations for a period in excess of …..
If we take just one example, it can be seen that there are causes to the risks that can be controlled through preventative and detective controls.
As we can see from the register above, there would need to be four continuity response plans developed for the disruption to rubbish collection and disposal if Council was to ensure all potential causes for the risk are addressed:
- Plan #1: Situation where vehicles and personnel may not be available;
- Plan #2: Situation where vehicles are not available but personnel to operate them are available;
- Plan #3: Situation where vehicles are available but personnel to operate them are not; and
- Plan #4: Situation where existing disposal facility is not available.
There will, of course, be overlap between these responses, so the complexity will not be as great as it initially appears.
These plans need to be developed in advance – not at the time of the disruption.
It is important that disruption related risks are not managed any differently to any other risk within the organisation. What is important to note is that, for these risks, it is possible to reduce both the causes (through preventative and detective controls) and the consequence (through business continuity planning). To that end, the key to managing disruption related risks is as follows:
- Capture the risks as disruption related risks in the organisation’s enterprise risk register;
- Identify causes and controls in the same manner that we do for any other risk;
- Develop a continuity plan for the restoration of the function; and
- Test the plan regularly.
To put it in terms that those who have read my previous blogs would be familiar with: stop doing business continuity and manage disruption related risks.