
Risk and business continuity:

a cautionary tale of Divergence, Devolution, Divas and Dinosaurs

The origins of business continuity

Disaster Recovery Planning - 1970s

"and I saw in my dream and behold seven ears came up in one stalk, full and good. And behold seven ears withered, thin and blasted with the east wind, sprung up after them" Genesis 41:22

Joseph: Status Authority Resources Capability

DEVOLUTION

The origins of risk management

The Code of Hammurabi

If any one be too lazy to keep his dam in proper condition, and does not so keep it; if then the dam break and all the fields be flooded, then shall he in whose dam the break occurred be sold for money, and the money shall replace the corn which he has caused to be ruined

17th Century - Age of Enlightenment

Maths & Science

18th Century - William Morgan - Mathematical principles of risk management

19th Century - Insurance companies


"Insurance companies writing life business were breeding like flies in the summer sky, and disappearing just as fast".

1844-1853 - 149 were formed - 59 survived

1940s Manhattan Project

Nicholas Metropolis - Monte Carlo analysis

1950s onwards - The rise of the mathematicians


John Nash game theory Harry Markowitz Investment Theory Benoit Mandelbrot fractal geometry

Last 30 years - The dominance of the Quants
Engineers Actuaries Financial analysts

The rise of standardisation


The dumbing down of a discipline

Different philosophies Methodologies Gross simplification Ignorance

The problems and failures of business continuity

All systems have a propensity towards failure

Not if - but when

Examples of BCM failure appear more widespread than tales of its success

Highly process focused
Yet often ignores the wider control environment:
- Preventive controls
- Detective controls
- Corrective controls

Significant focus on the big disaster


A comprehensive management systems approach ..resulting in an emergency, crisis, or disaster. ASIS SPC-1

Significant focus on the big disaster


.approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption BS25999

Significant focus on the big disaster


Ignorant of the creeping failures and The most common causes of potential organisational disruption

[Chart: years 2001 to 2010. Source: ICM 2010]

Narrow understanding of risk


Risk management seeks to manage risk around the key products and services that an organization delivers BS25999 -1

Narrow understanding of risk


Still event focused All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism BS25999 -1

The move towards proscriptive management system standards
ISO 9001: Research- variable results Some improvement in consistency and process efficiency

Compared to no formal QM approach

Does not adequately consider networks of inter-relationships


Such as: - internal informal relationships - external relationships - extended supply chains

Disruptions present complex problems !

However, much of the thinking in BCM is highly bounded, linear and ultimately overly simplistic

An inadequate consideration of the interaction of forces


Environment

Challenge horizon


Disruption Operation

Organisation

[Diagram: Risk 1, Risk 2 and Risk 3, shown overlapping as Risk 1+2 and then Risk 1+2+3]

[Diagram: Safety, Workload and Urgency, shown overlapping as Safety & Workload and then Safety & Workload & Urgency]

The issues with risk management

Heuristics

Peak end rule

Problems of perception
Small sample bias

Probability

Problems with probability

Space shuttle Probability of a vehicle loss

Management: 1:100,000 flights
Engineers: 1:100 flights
Reality: 2:135 flights

Culture and emotion


Emotional beliefs misconception of reality
Lack of emotional resources to deal with adverse situations
Willingness to step up

Emotional versus Analytical

Kahneman 2003

Ignores the influence of luck

Simkin & Roychowdury (2008)

Little basis on scientific theory or evidence
Largely intuitive

Lack of retrospective analysis
We rarely look back and validate

Creating reputational risk & harm

ORGANISATION

RISK/EVENT

STAKEHOLDERS

ENVIRONMENT

PARTNERS COMPETITORS

Funding sources primary CUSTOMERS secondary

STAKEHOLDERS

Alliances

EMPLOYEES REGULATORS SUPPLIERS FUTURE RECRUITS

ENVIRONMENT

Certainty?

Level/duration/ frequency of harm RISK/EVENT Severity Level of association Control? Deviance

Crisis typography


Victim cluster
Natural disaster

Malevolence

Rumour

Coombs & Holladay 2002

Crisis typography


Accidental cluster
Technical breakdown

Crisis typography

Preventable cluster
Human error
Misconduct

Development of a crisis

HISTORY

Reputational capital

ORGANISATION

RESPONSE

ORGANISATION

RISK/EVENT

STAKEHOLDERS

ENVIRONMENT

Multiple factors working in tandem


Certainty Controllable actions Deviant Stakeholder association Media coverage

Development of a crisis

Defensive factors Operational & people

Strategic & policy

Socio-ecopolitical

A failure of response
Understanding & ownership of risk Forget transient nature Slow to act Inadequate/incompetent Underplays significance Discounts new information Eventually overcompensates Dishonesty perceived

Proactive and reactive management

Crisis Management
Operations
Communications

Legal advice

Critical Incident Management

Crisis Control
Facilities

HR advice

Safety & Security

Finance & Logistics

Operations

Response hierarchy
Accuse Deny Excuse Victimised Justify Ingratiate & deflect Correct Apologise

Managing intelligent and controlled change in the face of uncertain futures

BCM Contingency management Risk management Resilience

Risk mgt Resilience Emergency mgt BCM

Into the future

GRC: Governance, Risk & Compliance

Resilience

Event commences

Activity

Time
Stabilisation Preparedness Continuity Recovery

Pre-event

Event commencement

Post-event commencement

Recovery Strategies Continuity Strategies Stabilisation strategies

Preparedness
Evaluation Planning Capability development Vulnerability mgt Exercise & testing Resource allocation

Emergency response Containment Suppression Isolation Quarantine Loss control

Continuity of operations Continuity of strategy Consequence mgt Hibernation Salvage Leakage control

Functional restoration Capability recovery Infrastructure restoration Operational redevelopment Withdrawal / divestment Performance improvement

Time

Activities & Capabilities


Governance Decision making processes Through chain capability Compliance Risk management People capability BCM & Crisis management Emergency management Resource capability Financial management Infrastructure & technology capability

Communication

Relationship management

Resilience

Leadership Strategic surety

Culture Stress coping

Values Acuity

Behaviours

Trust

Creativity Agility

Ambiguity tolerance

Learnability

Interconnections

Characteristics

Context dependent
Attributes Resources Infrastructure Resilience High resilience Resilient Attributes Resources Infrastructure Resilience capability
+

Vulnerable Low resilience

Changing context (conditions, affects & time)

RESILIENCE

& infrastructure capabilities

Process capabilities

Context
RESILIENCE

Context
RESILIENCE

Fitness for purpose

Tenacity

Flexibility

Resources

Capacity

Leadership, people and knowledge capabilities Context

RESILIENCE

Scientific based & analytical

Head

process

Hand

Heart
emotional
