
The Six Horsemen: A New Way Of Looking At Business Continuity Risk


Charlie Maclean-Bristol discusses how organizations can better prepare themselves by categorizing potential risks to their operations and the importance of being prepared for all types of risk

Business continuity has always had an uneasy relationship with risk. Yes, we recognize that risk is important and needs to guide what we prioritize for recovery, in the same way that the BIA (business impact analysis) guides what we need to recover; however, we have an issue with likelihood. Many of the risks we mitigate have low likelihoods, but we choose to mitigate them anyway. It is also difficult to be precise about likelihood: an actuary may be able to tell you the probability of a building burning down in London, but business continuity practitioners do not have the data to accurately determine the likelihood of their particular headquarters building burning down. You often see practitioners arguing about exactly this on LinkedIn.

The other issue I have with risk is finding a framework for identifying all the different risks that should be considered when conducting a BIA and risk assessment for an organization. PESTLE analysis (Political, Economic, Social, Technological, Legal, and Environmental factors) seems to be the main framework in use, but to me its categories are too broad. I was recently preparing for my podcast, Two Men and a Business Continuity Plan, with James McAlister, and we were talking about risk. We sketched out a framework which just worked for me. This episode can be viewed here. I am sharing the framework with you and would be interested to hear whether it works for any of you. I am also playing with the Six Horsemen idea to see if it works as a name!

Risk for the business continuity practitioner can be broken down into six areas:

  1. It will happen risks. Over my time as a business continuity practitioner, I have helped organizations prepare for known events: events which you know are going to take place and which could affect the organization, but whose impact is unknown. I have prepared organizations for strikes (including transport strikes), bridge closures, Brexit, the Commonwealth Games, the Olympics, COP 26, protests, and severe weather. Those organizations felt these events might have an impact on their operations and wanted to prepare for the worst case. So with this type of risk, you know the event is going to happen; you just don’t know what the impact will be. Will it cause riots in the streets, attacks on those going to work, and the burning of buildings, or will the event proceed peacefully?
  2. Traditional risks. These are the risks you typically see in risk registers as environmental, safety, or hazard risks, and which may feature in the risk lists published by governments, NGOs, and insurers. They include cyber threats, another pandemic, local natural disasters such as hurricanes, earthquakes, and flooding, and man-made risks such as power or water supply failures.
  3. Industry risks. These are the risks inherent in the industry your organization operates in, and they are generally well known. If you are an airline, you face the risks of a plane crashing, failure of your IT systems, air traffic issues, and issues at the airports from which your aircraft operate. Most industries have a set of risks associated with them, because most incidents have already happened to the industry several times, with varying impact.
  4. Asset risks. These are beloved of business continuity practitioners and are often captured as part of the BIA. They look at the assets which underpin your most time-critical activities, and we develop recovery strategies and solutions to recover them if they are lost. This is where the issue of likelihood comes in. If an asset is vital to my delivery of goods and services, then I should think about how I will mitigate its loss. The likelihood of losing the asset is immaterial, working on the principle “if it has a significant impact, we should mitigate it”.
  5. Grey Rhinos. A Grey Rhino is a highly probable, high-impact threat that is often ignored or downplayed until it is too late. The risk is entirely obvious, but because the solution is difficult, we do nothing. For society as a whole, climate change is the classic example: most people would agree that it will have a huge impact on our environment, but governments cannot agree on what to do about it, and while we dither over solutions the impact grows worse. In an organization, you may have old, tired machines manufacturing a key product, but your management cannot decide how best to replace them or where to find the money, while all the time the machines get older and break down more often. We do not know when the catastrophic failure will come, but we know it will.
  6. Black Swans. These are risks which could have a huge impact on our organizations but which we cannot predict; only after they happen do we say that we should have recognized the risk in advance. 9/11, the 2008 global financial crisis, and the Fukushima nuclear disaster are all examples of incidents that had major impacts, yet most people did not foresee them as risks. On the whole, we cannot predict Black Swans, but we can ensure we have robust business continuity plans that we can use to deal with them if they occur and affect our organization.

I think the more ways we look at and categorize risks, the better, as we are then able to identify risks we may have missed. I very rarely see Grey Rhino risks in risk registers, because people often do not want to acknowledge them. Rearranging our risks around these 5 + 1 categories (counting Black Swans as the one category you cannot identify in advance) may help us identify risks better and increase the likelihood that they are captured. It should also help with horizon-scanning. “It will happen” risks should be identified by horizon-scanning, as these events are often agreed years in advance, so you have time to plan for them. Others, such as the Southport riots, we do not see coming, but we can quickly identify the risk to our locations and staff and take appropriate action. The better we identify and manage our risks, the more likely we are to mitigate them and prevent an incident before it occurs.


This article was originally published by BC Training Ltd.

Charlie Maclean-Bristol is the author of the groundbreaking book, Business Continuity Exercises: Quick Exercises to Validate Your Plan


“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly, how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.” – Deborah Higgins, Head of Cabinet Office, Emergency Planning College, United Kingdom
