In this week’s bulletin, Charlie discusses how organisations can better prepare themselves by categorising potential risks to their operations, and looks at the importance of being prepared for all types of risk.
Business continuity has always had an uneasy relationship with risk. Yes, we recognise that risk is important and should guide what we prioritise for recovery, in much the same way that the BIA (business impact analysis) guides what we need to recover, but we have an issue with likelihood. Many of the risks we mitigate have low likelihoods, but we choose to mitigate them anyway. It is very difficult to be precise about the likelihood of our headquarters building burning down. An actuary may be able to tell you the likelihood of a building burning down in London, but business continuity practitioners do not have the data to accurately determine the likelihood of their particular headquarters building burning down. You often see practitioners arguing about risk on LinkedIn.
The other issue I have with risk is finding a framework for identifying all the different risks which should be considered when conducting a BIA and risk assessment for an organisation. PESTLE analysis seems to be the main framework in use, but to me its categories are too wide. I was preparing for my podcast Two Men and a Business Continuity Plan with James McAlister on Wednesday, and we were talking about risk and sketched out a framework which I felt just worked for me. This week’s episode can be viewed here. I am sharing the framework with you today and would be interested to hear whether it works for any of you. I am also playing with the five horsemen idea to see if it works as a name as well!
Risk for the business continuity practitioner could be broken down into five areas, plus Black Swans, which by definition cannot be identified in advance:
- The Herald – It will happen risks. Over my time as a business continuity practitioner, I have helped organisations prepare for known events. These are events which you know are going to take place and which could affect an organisation, but whose impact is unknown. In my time I have prepared organisations for: strikes (including transport ones), bridge closures, Brexit, the Commonwealth Games, the Olympics, COP 26, protests, and severe weather. The organisation felt these events might have an impact on their operations and wanted to prepare for the worst case. So with these types of risk, you know the event is going to happen, you just don’t know what the impact will be: will it cause riots in the streets, attacks on those going to work, and the burning of buildings, or will the event proceed peacefully?
- The Reaper – Traditional risks. These are the risks you typically see in risk registers as environmental, safety or hazard risks, and which feature in risk lists published by governments, NGOs and insurers. They include cyber threats, another pandemic, local natural disasters such as hurricanes, earthquakes and flooding, as well as man-made risks like failures of the power or water supply.
- The Insider – Industry risks. These are the risks inherent in the industry your organisation operates in, and they are generally well known. If you are an airline, you have the risks of a plane crashing, failure of your IT systems, air traffic control issues, and issues at the airports your aircraft operate from. Most industries have a set of risks associated with them, since most incidents have already happened to the industry several times, with varying impact.
- The Wrecker – Asset risks. These are beloved of business continuity practitioners and are often captured as part of the BIA. They look at the assets which underpin your most time-critical activities, and we develop recovery strategies and solutions to recover those assets if they are lost. This is where the issue of likelihood comes in. If an asset is vital to my delivery of goods and services, then I should think about how I will mitigate the risk of losing it. The likelihood of losing the asset is immaterial; we work on the principle “if it has a significant impact, we should mitigate it”.
- The Grey Rider – Grey Rhinos. A Grey Rhino is a highly probable, high-impact threat that is often ignored or downplayed until it’s too late. The risk is entirely obvious, but because the solution is difficult, we don’t do anything about it. For society as a whole, climate change is a classic example. Most people would agree that it will have a huge impact on our environment, but governments can’t agree on what to do about it. While we dither over solutions, the impact grows and gets worse. You may have old, tired machines manufacturing a key product, but your management cannot decide how best to replace them or where to find the money, while all the time they are getting older and breaking down more often. We don’t know when the catastrophic failure will come, but we know it will.
- The Phantom – Black Swans. These are risks which could have a huge impact on our organisations but which we can’t predict; only after they happen do we say that we should have recognised the risk in advance. 9/11, the global financial crisis of 2008 and the Fukushima nuclear disaster are all examples of incidents which had major impacts, yet most people didn’t foresee them as risks. On the whole, we cannot predict Black Swans, but we can ensure we have robust business continuity plans which we can use to deal with them if they occur and impact our organisation.
I think the more ways we look at and categorise risks, the better, as we are then able to identify risks which we may have missed. I very rarely see Grey Rhino risks in risk registers, because people often don’t want to acknowledge them. I think that by arranging our risks around these 5 + 1 categories (counting Black Swans as the category you can’t identify in advance), we might identify risks more effectively and increase the likelihood that they are captured. I think this will also help with horizon-scanning. ‘It will happen risks’ should be identified by horizon-scanning, as these types of events are often agreed years in advance, so you have time to plan for them. For others, such as the Southport riots, we get no notice, but we can quickly identify the risk to our locations and staff and take appropriate action. The better we identify and manage our risks, the more likely we are to mitigate them and prevent an incident before it occurs.