This week there was a storm in the south of England called Storm St Jude, which killed four people and caused a swathe of damage. There was plenty of warning before the storm, so most people made some preparation.
The day after the storm I heard from one of our clients, who gleefully told us that he was using his business continuity plan. His main office had no power due to the storm. On the first day he sent all staff home, but on the second day he set up an office in the local hotel, as per his plan. He was going to work from there until the power was back on. We were heartened by this story: his plan worked and his company was back up and working. Six months earlier he would not have been working at all, because if the power had gone off he would have had no IT. This is living proof that business continuity does work!
This got me thinking about worst-case scenarios and what the worst-case scenario was for this company. I was reminded of an article by Geary Sikich that I saw on Continuity Central, in which he talked about worst-case scenarios and how they were not really a useful concept.
I had always been taught that when completing a BIA and looking at the impacts on the organisation, you should look at the impact of the worst-case scenario. Some colleagues have said to me that you should look at the worst-case scenario at the “worst time of the year”.
This to me is nonsense. If you ignore likelihood, then the worst-case scenario for all organisations is a meteorite colliding with Earth and the whole of humanity being wiped out in an instant. There is no such thing as a worst-case scenario. If we agree that the worst-case scenario does not really add very much to our risk management and business impact analysis, how should we look at risk?
1. We could look at scenarios but, as we have said in previous bulletins and training sessions, the next incident is always the one we have never thought of. We can never think of all the scenarios, and many scenarios result in the same thing: loss of premises, people, resources or suppliers. So, as many of us do, we should look at risk in terms of loss of assets rather than the scenario that caused the impact.
2. I like looking for single points of failure and I always think they are a very good place to start. If you can identify some single points of failure, which would have a major impact on the organisation if they failed, and you can persuade the organisation to do something about them, then I think you have justified your salary. For a while at least!
3. When you are conducting your business impact analysis, one of the items you have to look at is the impact on the organisation if an activity is lost. When I do this, I say that the activity as a whole does not do anything. Some people struggle with this, as they say that they can’t envisage a scenario that could cause it. I ask them not to worry about how it could happen. Once they accept the concept, this works very well. It makes you consider all activities equally, and you can concentrate on the actual impacts rather than on impacts driven by the scenario you choose.
4. One of the concepts I like, which Ian Charter explained to me, is: ‘what is the level of risk or scenario that your business continuity plans cater for?’ This is a useful concept to have signed off at board level. Suppose you have an office in New York and an office in London. If you eliminate all single points of failure, your planning assumption is that, owing to geographical separation, you are very unlikely to lose both offices at once, so you will design your recovery strategies accordingly. If you have this assumption signed off by your board, then if the worst were to happen, at least you can say that this was outside your planning assumptions!