Threat and Vulnerability Analysis
Hello and welcome to this session. What I am going to talk is a step in the business continuity program that may not be widely done my organisations. I call it the threat and vulnerability analysis. What I advocate we do as part of our business continuity progress is identify a range of threats to the critical business function that we have identified during our business impact analysis. We take our critical business function and identify the threats to the continued operation of that function and then what we do is identify how vulnerable we are to that particular threat for the business continuity function. The neat thing about this is if we identify the vulnerabilities to those particular threats we can start to reduce the vulnerability to those beforehand.
For example, let’s say we have a building that has all of its IT systems in the basement and it is in a flood plain. The continued operation of the IT is a critical business function so if we look at the threats, floods would be one of those. We would then ask the question of how vulnerable are we to that, the answer is we are extremely vulnerable due to our location as a result of that we can then make an assessment as to whether we reduce the vulnerability to that threat by potentially moving our IT servers to higher ground. In doing that, not only have we reduced the vulnerability but we have also reduced the likelihood that that critical business function is going to be disrupted during a flood event. So if we look at something like the Fukushima explosion at the Fukushima nuclear plant, they actually had 16 backup generators because the loss of power in a nuclear plant is catastrophic. All 16 of those back-up generators were underground. So when the tsunami actually breached the sea wall that they had in place, which could cope with a six meter tsunami, as opposed to a 16 meter tsunami which is what they got, every single one of those back-up generators was inundated with that flooding. As a result there was no power and we saw the consequences of that. It took over two weeks to restore power to the plant and as a result we still have contaminated water flowing into the Pacific Ocean as a rapid rate every day.
What is interesting about that story was that only a few months before that event the CEO of the company that ran it said there was zero percent probability that they would ever see a tsunami event that would breach the six meter level sea wall. It happened.
So I have spoken before about this cultural thing about “this will never happen” versus “what happens if”. The question that they should have been asking is what happens if it does breech the wall. Not saying this will never happen. If you are saying that in your business or in your government department, “this will never happen”, well I am sorry but it probably will. History is littered with those black swans that we have previously talked about that were never supposed to happen but did.
What I am advocating is identify your critical business functions, think about all of the threats to the continued function of that critical business function and then look at the vulnerability to that and if you can reduce the vulnerability ahead of time then the likelihood that you are going to see the consequence of losing that function is greatly reduced. If we take it back to Fukushima, if they had have said, “What happens if it does go above the six meter wall?” then they would know they are going to get inundated. So how can we reduce the vulnerability to that during the design, well rather than having them underground we might have them on higher ground and that way we know that we are not going to get inundated with water. It is a different way of looking at it but it is all about proactively reducing your vulnerability to those particular events or those threats. I hope that has been helpful for you and as always, let’s be careful out there!