Bad weather or even natural calamities do not affect every city in the world nor

every resident of the affected area. Accidents, an inevitable part of some envi
ronments, do not affect all your people or totally devalue all your assets. Terr
orist do not consider everyone a viable target nor are their actions likely to i
mpact everyone over the course of their lives. The facts remain that only a smal
l percentage of events or incidents resulting in loss of value or productivity w
ill affect your business but conversely a smaller part of your overall assets ar
e likely to succumb to these events; possibly even repeatedly. If this is the re
ality, why are there so many singular strategies for organizations, one-size-fit
s-all policy, uniformity in the approach when greater economy could be achieved
by focusing on the priority areas? Most of the threats (80%) will only likely pl
ace at risk a smaller percentage (20%) of your assets. Do you know which ones?
Too much time and deliberation is spent perfecting the process of identifying an
d qualifying the threat. While it remains a valid and useful phase the process b
ecomes unexplainably weaker or less popular once value and measurable impact are
introduced. This is in part possibly due to the skill and experience of those c
onducting the analysis/assessment who typical originate from a weak financial ba
ckground. Even for those with little resources, training or even time, a qualify
ing exercise to determine what the impact of service failure, disruption or othe
r stressors will provide you with a workable project plan for applying solutions
, counter measures or treatment options. This should have financial implications
, tangible and intangible. The higher the number, the greater the priority and e
asier to be presented to business leaders or collaborators. The easier you make
the measurement or driver, in a format most commonly used, the greater adherence
and buy-in you will get. Abstract terms, ratings, scientific pontification or j
ust made up data will only erode the objective and almost all will loose interes
t. No single person ever saved an entire organization, it takes systems and team
work that follows a plan.
Many conventions are derived from habit or transferred from what others believe
to be comparable models. Take fire sprinklers and suppression systems for exampl
e. A worthwhile investment and certainly mandated in some jurisdictions to preve
nt loss of life, undue stress on public services or even making local authoritie
s look bad. Whatever the driver they are common place. However, not every square
meter of a building is at risk of having a fire originate in that locale. Much
of the planning and installation works on the assumption it could start anywhere
, spread anywhere so lets just cover the entire structure. Not necessarily an ef
ficient or effective process but wide spread practice none-the-less. Transferrin
g this methodology to all/any other part of the business would have questionable
benefits or make financial sense. These kind of general applications of similar
strategies discredit the validity of risk management and force undue cost onto
organizations that quite reasonably at times will forego the entire solution bec
ause the bulk of the concept is unnecessary, leaving the critical minority (20%)
unprotected.
Vision and direction begins with policy. However, this policy is a guiding princ
iple with brevity and clarity not a standalone document. It should include the p
riority of care or concern such as people, brand, buildings, etc. Priority of re
sponse along with the objective of the efforts should be made clear to all. Any
and all measures, outlined in subsequent procedural documents and training, shou
ld be measurable (financially, operationally and even brand integrity) and const
antly reviewed. While policy is unlikely to change for longer periods of time, t
he process and even certain objectives may as the business changes in both cultu
re and nature. The most effective policies are a single paragraph that encompass
es all the aforementioned elements and does not dictate tactics for execution bu
t ensures everyone at least moves forward in the same direction.
Data is a great tool for creating foundation analysis but it should originate fr
om both objective and subjective sources. Single minded collection, measurement
and review lead to much bigger falls. No company knows everything about itself o
r everything else around it, no matter what some may think. Comparative informat
ion, data, review and even assessments ensure greater transparency in the final
outcome. Care needs to be applied to ensure it is not a popularity contest or ma
nagement by consensus, a final impartial decision maker is still required. Compa
nies of all sizes can apply this approach cost effectively and expediently while
enjoying maximum return on investment not just plain old return on investment (
ROI).
The clock is ticking, the world moves on and the business you had an hour ago is
not the one you operate now. The process needs to be renewable, adaptive but ab
ove all constantly applied by monitoring and surveillance. Monitoring is require
d of the business, its actions, its impact, resources, threats, disruption impac
t potential and relevance to the overall business concerns. Many events that arr
ive on the doorsteps of your business first visited your neighbor or the busines
s down the street. Just because you werenâ t watching will not get you a leave pass o
n the impact your lack of preparation may bring to your organization. Larger com
panies have internal resources for this purpose, but the smartest have both inte
rnal and external for the reasons of effectiveness previously mentioned. Smaller
companies, increasingly thanks to technology and a global market, can enjoy all
the benefits of outsourced support that the larger companies do without the cos
t of ownership or inefficiency but with all the benefits.
Only a fraction of your workforce are at risk; a percentage of your travelers to
o. Not all your fixed assets are of equal value nor will they be exposed to the
same single loss expectancy (SLE) or annual loss expectancy (ALE). Only some mar
kets need heightened levels of support and protection as much as only some marke
ts are the most valuable to your overall financial health. Every single email pi
ece of information your company possesses shares the same value. A single piece
of code could be worth thousands but a warehouse of files could be nothing more
than an administrative cost and operational burden. The problem with this all is
that most companies simply donâ t know which end is which. The one-size-fits-all app
roach is cheap, easily understood and been around for years. Secretly the more p
rofitable, efficient and even safer companies have dispensed with the rule-of-th
umb and focus their 80% resourcing on the most valuable 20% assets. Do you know
your most valuable assets and are they better preserved than the lesser value as
sets? Or are you just applying the same approach for everyone, thing, process or
bit because that is the way it has always been done?