Understanding actual risks to your organization is a good place to start with any competent business continuity and resilience plan.
There is not a single risk profile. Depending on the type of business, facility location, public perceptions, etc., the same event may be more or less likely to occur or may have a different impact. This may be an obvious statement, but how many of us in the risk or business continuity area evaluate the actual risks to our organization rather than looking at risk in the same old way or with the same bias? The following are items or areas to consider. While not necessarily complete, this list may prompt thoughts specific to your organization.
When I work with clients, I find that they almost always use natural events for disaster scenarios. Interestingly, those are typically the areas for which preparations are more mature and mitigations are in place – at least from a technology or facilities perspective. Data centers are hardened and relocation and evacuation plans are in place. However, the impact to people has often not been evaluated. Will employees’ homes be impacted? What if employees are unavailable? Is remote access sufficient? Remote access may be available, but that may not be the issue. I know of a company that was dealing with flooding in the area. The data center and business location were not impacted, but a significant number of peoples’ homes were flooded – those people were either not available to work or had to drop off unexpectedly during calls because their sump pumps could not keep up with the flow of water into their homes.
What is the nature of your organization’s staffing? Are there multiple areas with only one person responsible for tasks? As an example: an organization has dual coverage for a certain function. This is a specialized function that would require resources from other locations to assist if needed. Each person takes their 6 – 8 weeks of vacation annually, often in a single vacation. So, for up to 16 weeks a year, there is only 1 person available to perform the functions, often for weeks at a time.
What is the nature of your organization’s staffing? Are there multiple areas with only one person responsible for tasks? As an example: an organization has dual coverage for a certain function. This is a specialized function that would require resources from other locations to assist if needed. Each person takes their 6 – 8 weeks of vacation annually, often in a single vacation. So, for up to 16 weeks a year, there is only 1 person available to perform the functions, often for weeks at a time.
It is not enough to simply know what your unmitigated risks are, or to know when your risk mitigation is not sufficient. A risk that most companies acknowledge, but for which they may or may not be prepared, is the potential for security breaches. Unfortunately, what we hear is true: it is not if, but when a breach will occur. Organizations must have a well thought out, tested, and comprehensive plan. You must recognize the risk of a data breach to your organization. Identify any proprietary, personal, or sensitive data. What would the impact be if any or all of these data stores were compromised?
Has your organization grown, decreased or changed its product or service suite? How have acquisitions impacted your risk profile?
How much of a risk is there? Is the show of security enough – think of a security sign outside a house, but no actual security system? Criminals may not take the chance. What are the security issues? Should you place more emphasis on keeping your employees safe or on the risk of theft (internal or external)? Is your organization in a location that could have collateral damage due to protests (even though your business is exceedingly innocuous)? Has the neighborhood changed over the years? Is there a need for different security from years past?
We often hear “insurance will cover any losses.” There are typically specific notification and documentation requirements, along with preventative measures that are part of the insurance policy. Have those clauses been reviewed? Are you in compliance, or are you prepared to comply during an event? Are the notification and documentation requirements included in the appropriate crisis and recovery plans? As part of the risk review and mitigation process, you should review and update your insurance needs as well.
Risk management and mitigation are an important part of our role in continuity planning, but we must improve our understanding of actual risks, especially those that will have the largest impact and those with the highest probability of occurring. It is critical to put the appropriate mitigation strategies in place. Possibly the most important aspect of Risk Management is bringing the risk and impacts to light; ignore them at your own peril.