We are living in a troubled world.
Extremist terrorism on the rise and expected to get worse. Weather patterns are changing and getting more extreme. Polar ice is rapidly melting, causing ocean levels to rise. We have a better understanding of seismic risk, and it is not good news.
Business needs to redefine “resilience.” It is a word that is reserved by business leaders only to describe what I call “Right Spectrum Risk” when in fact, it should be used along the entire risk continuum.
Let me explain:
The risk continuum can be divided into three categories, classifiable by order of magnitude. Small risks, consistent risks and predictable risks are all Left Spectrum. More moderate risks that require effective thought and navigation are Middle Spectrum. Major risks, compounding, disastrous and unpredictable risks are in the Right Spectrum.
Left Spectrum risk is so ordinary that businesses generally include it when making decisions. For example, leaders consider Left Spectrum risk when deciding whether to adjust a production schedule to produce more product for one customer over another. These decisions are likely supported by financial calculations, production schedules, inventory levels and other metrics necessary to support a leader’s decision. Left Spectrum risks are tactical and their risk-consequences do not reach very far down the time continuum.
Beyond tactical decisions, business must toil over longer-term decisions and consider operational or “Mid Spectrum” risks. Business leaders ponder such questions as, “Do I need to expand the workforce?” or “Can I afford that new production machinery or a new production plant?” These operational risk decisions weigh opportunity costs versus expenditure of the same money for a needed business capability. These so-called return-on-investment (ROI) decisions are Mid Spectrum risks. If poorly managed, a Mid Spectrum Risk can set you behind the competition, but a single occurrence rarely leads to business failure. They are risks to the long-term performance of the business.
Right Spectrum risks can literally kill your business – overnight. Right Spectrum risks are strategic; therefore, failure to control them can mean the end of your business. Right Spectrum risks are normally natural disasters. They are high consequence, low probability events that business leaders usually shuffle off to the side. They are difficult to characterize or measure and have exponential costs, so they are much harder to prepare for. They can cause business leaders to throw up their hands and leave the fate of their business in the hands of luck.
This is understandable, because psychologically, humans tolerate natural risks. We accept them, shrug our shoulders and roll the dice, hoping that our turn doesn’t come up. But playing at the casino like this is negligent, and responsible business leaders should have a plan to manage their Right Spectrum Risks.
We must redefine resilience to include the full spectrum. To be effective in the future, leaders need a plan to deal with not only their everyday risks, but catastrophic risks as well. Dealing with disaster is possible and, in fact, socially responsible. To be effective, leaders must make resilience planning around Right Spectrum Risks a part of their regular business planning effort.
10 steps leaders should take to indemnify their businesses against strategic failure:
- Understand your strategic dependencies – thus strategic risks.
Strategic dependencies are your company’s reliance on large-scale services or infrastructure. For example, if you are a shipping company, you are dependent upon free waterways, working port facilities, petroleum supplies and other infrastructure. Many of these items are the responsibility of governments, as they have the power through taxation to finance grand-scale and very expensive mitigation strategies. Nevertheless, you should have a reasonable assessment of what natural hazards exist, how likely they are to occur and what effect the disruption of this service will have on your business’ strategic purpose. You will likely not have the financial wherewithal, nor the responsibility to mitigate risks to infrastructure. But you should have a method to successfully deal with the consequences of a risk event.
- Adopt a good Business Continuity planning model such as ISO 22301 (Societal security – Business continuity management systems)
Once you understand your Right Spectrum risks, you should understand exactly how these will affect your business operations. You should characterize your business’ resilience by analyzing and establishing the following:
Strategic Objectives – These are your high-level critical business functions. The value of your company to your customers and your shareholders rides on the fulfillment of these functions. Strategic objectives normally have strategic dependencies; thus, strategic risks associated with them.
Recovery Time Objective (RTO) – This is the amount of time that you will allow to pass before a business operation is restored. A business should attempt to prioritize which sub-processes or systems are most critical to the strategic objective, in order to be able to concentrate recovery resources where they will do the most to reduce the recovery time.
Recovery Point Objective (RPO) – This is the amount of data latency you will allow due to an interruption. Many companies, for example, have enterprise systems with order entry routines that store data locally and update the enterprise system every 4-6 hours. If an interruption occurs, they risk losing 4-6 hours of orders. So their MBCO (see below) will likely need to address how they intend to restore that data up to the point where the function is restored.
Maximum Allowable Outage (MAO) – This is the point of no return. If a business cannot restore operations before this point in time, they will likely lose a key customer, lose capacity or bleed so much cash that they cannot recover.
Minimum Business Continuity Objectives (MBCO) – These are objectives that are nested with the stated strategic objectives of the company and support the RTO and RPOs of the strategic objectives. Each critical business function should establish these objectives and devise realistic alternatives for anticipated interruptions caused by the risk.
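The four objectives above only make sense in relation to each other: an RTO that is not comfortably below the MAO leaves no margin, and an RPO that is shorter than the interval at which data is actually synchronized cannot be met without an MBCO for re-entering lost transactions. The following script is an added example, not part of the original post or of ISO 22301; the function names, the hour values and the sample business functions are constructed for illustration. It checks each critical function for those two inconsistencies and ranks the functions by MAO so that recovery resources go first where the point of no return comes soonest.

```python
from dataclasses import dataclass


@dataclass
class CriticalFunction:
    """One critical business function with its continuity objectives (hours)."""
    name: str
    rto_hours: float            # Recovery Time Objective: time allowed before restoration
    rpo_hours: float            # Recovery Point Objective: data latency allowed
    mao_hours: float            # Maximum Allowable Outage: the point of no return
    sync_interval_hours: float  # how often local data is pushed to the enterprise system


def check_function(f: CriticalFunction) -> list:
    """Return a list of findings; an empty list means the objectives are consistent."""
    findings = []
    # The RTO must sit strictly below the MAO, otherwise the plan has no margin at all.
    if f.rto_hours >= f.mao_hours:
        findings.append(
            f"{f.name}: RTO {f.rto_hours}h is not below MAO {f.mao_hours}h; "
            f"the recovery plan leaves no margin before the point of no return"
        )
    # Data synchronized less often than the RPO allows cannot meet the RPO after an
    # interruption; the MBCO must then cover re-entry of up to one sync interval of data.
    if f.sync_interval_hours > f.rpo_hours:
        findings.append(
            f"{f.name}: data is synced every {f.sync_interval_hours}h but RPO is "
            f"{f.rpo_hours}h; up to {f.sync_interval_hours}h of transactions could be "
            f"lost, so the MBCO must define how they are restored"
        )
    return findings


def assess_all(functions: list) -> dict:
    """Map each function name to its findings (constructed helper, not a standard term)."""
    return {f.name: check_function(f) for f in functions}


def recovery_priority(functions: list) -> list:
    """Order functions for recovery: smallest MAO first, RTO as tie-breaker."""
    ordered = sorted(functions, key=lambda f: (f.mao_hours, f.rto_hours))
    return [f.name for f in ordered]


# Constructed sample data, not taken from any real company.
SAMPLE_FUNCTIONS = [
    CriticalFunction("Order entry", rto_hours=8, rpo_hours=2, mao_hours=24, sync_interval_hours=6),
    CriticalFunction("Shipping dispatch", rto_hours=48, rpo_hours=24, mao_hours=36, sync_interval_hours=1),
    CriticalFunction("Payroll", rto_hours=72, rpo_hours=24, mao_hours=168, sync_interval_hours=24),
]


if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_FUNCTIONS).items():
        status = "consistent" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
    print("Recovery priority:", " > ".join(recovery_priority(SAMPLE_FUNCTIONS)))
```

In the sample, "Order entry" mirrors the 4-6 hour sync case described above: its RPO of 2 hours cannot be met with a 6-hour sync, so the finding points at the MBCO rather than at the RPO figure itself. "Shipping dispatch" has an RTO longer than its MAO, which is the kind of plan that reads well on paper and fails the first test.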
- Create a Business Continuity Policy
Write a policy. Using a business standard such as ISO 22301, establish a business continuity framework within your organization. I like the ISO standard, because many companies already use the ISO 9001/14001 standards for quality and environmental management. 22301 allows you to fall in line with your existing investment and use the same management controls, documentation methods and management review processes to manage your business continuity system.
- Pull BC plans into your management review
Hold sub-process managers accountable by regularly reviewing the status of their BC plans. If you enforce a policy of annual plan testing (see next paragraph), you should review the results of the test with your sub-process manager. You should insist on a corrective action plan (just like in your quality system) and help resource resilience improvements.
- TEST YOUR PLANS!
A plan without a proper test is not a plan! A business unit should attempt to use their planned alternatives before the disaster hits. After the disaster hits is no time to learn that it does not work. Table top exercises, functional exercises and simulations are all excellent means to test functional resilience plans. In one successful case, the Missouri Hospital Association devised a simulations based method to test hospital evacuation plans. The hospital managers loaded plan information into a computer simulation to determine if the plan was adequate to achieve their evacuation objectives.
- Follow Up
If you go through the trouble to test your plans, you should seek ways to improve your alternative’s performance. A corrective action plan that lists your necessary improvements but doesn’t inspire management to act is useless. Pull the corrective action plan into the Management Review Process and ensure your management team is completing these vital corrections.
- Don’t Bite Off More Than You Can Chew!
As my Italian mother was fond of saying, “Rome! It wasn’t ‘a built in a day!” A good business continuity policy is iterative. Start slow, but remain steady. Choose a multi-year strategy that allows your company to develop a culture of continuity by absorbing the new processes into their daily routines. If you try to ram everything in at once, you will overwhelm your management team. Just like at the gym, start with small, low weight repetitions and then gradually increase the weight as your company gets stronger.
- Reward a Culture of Continuity
Chances are your sub-process managers have already thought about the things that can hurt them. However, they may not feel they have the tools to address the problems. Give them a program and a framework to use. Test them with a regular exercise program and reward their behavior with resources to fix some of their nagging problems.
- Model Continuity Behavior at Home and at Work
Continuity is something that is relevant both at home and at work. Creating a great continuity program at work will quickly break down if you do not focus on resilience in the home. Any employee whose family is not taken care of in a disaster will not come to work (at least not right away). You can model this behavior by having a resilience plan at home. Do you have back-up food supplies, water and heat? What about a plan to communicate with your spouse and children should a disaster strike? Does everyone know where to go, or how to contact each other if they get separated? When was the last time you practiced this plan? (A family table top exercise is very effective for this.)
- Do Not Forget About Public Services
Many businesses believe they will be on their own in a disaster. This is not necessarily true. The purpose of emergency response is to preserve life and property. Once life-saving is over, emergency services change focus to economic recovery. A business leader should know their local emergency managers and politicians. When recovery starts, there will be many interests competing for public resources and priorities to restore critical infrastructure. If you have one or more strategic dependencies, your local emergency managers and politicians should be aware of this prior to the event.
It Is Your Responsibility
As a strategic leader, you alone are responsible for the mortality of your company. If you are pushing your Right Spectrum Risks off to one side, you are jeopardizing not only your company, but the people that rely upon it for their living. Great leaders take care of their people. Business continuity is the best way to show your employees that you are, at least, trying to take care of them.
By James Rollins