Don’t touch the business continuity risk assessments!
FOREWORD
Days off work can be relaxing and fun, but if you are passionate about your job, they also give you a chance to read opinions and debates surrounding hot topics in your industry. Last week, for instance, I came across an interesting piece by Charlie Maclean-Bristol on Continuity Central about the need to look at the likelihood of a given risk as part of routine business continuity risk assessments. Interestingly, his article ‘was inspired by a talk given by Tony Thornton, ARM Manager for ADNOC Refining, which I [Charlie] heard at The BCI UAE Forum in February’.
I’d start by saying that I generally agree with Charlie, who makes valid points that I will not repeat. I should also clarify that, since I did not attend the BCI UAE Forum in February and I am not sufficiently familiar with Tony’s view on business continuity risk assessment, my article is not meant to be a comment or a response to his talk.
My contribution is rather aimed at:
- Addressing what I think are the most common issues around risk assessments in a business continuity management system;
- Reaffirming the principles of international standards and professional best practices, which already guide practitioners in an excellent way when facing these dilemmas.
ISSUE #1 – WHY A RISK ASSESSMENT?
Some still say that we perform business continuity risk assessments ‘only because auditors and/or regulators want them’, but I could not disagree more. A risk assessment is not just a document we have to produce for mere regulatory purposes. It is ‘a structured process that identifies how objectives may be affected, and analyses the risk in terms of consequences and their probabilities before deciding on whether further treatment is required’ [Source: IEC/ISO 31010:2009]. It is also, at the same time, a practical tool to support managers in reaching their business targets and a means to create and spread awareness of the importance of risk management across different departments. In the context of a business continuity management system, then, risk assessments are fundamental to understanding which events might generate a disruption and to estimating their likelihood (or frequency) and impacts.
ISSUE #2 – DOES IT NEED TO BE DOCUMENTED?
Yes, of course. And let’s face it once and for all: this is because we do not trust the ability of all managers to identify, analyze, and treat all their risks without documenting a risk assessment. Would anybody trust a doctor treating someone without any medical record collected through proper examinations? Why should a stakeholder trust a manager’s ‘common sense’, then? We should leave leaps of faith out of any professional consideration. I also think it needs to be documented because managers should have the courage to raise concerns, even when they do not have an immediate solution, and board members must be formally aware of any risk. At the same time, though, it is important to stress that documentation does not necessarily entail tons of paper and that there is in fact no reason for being dramatic about the requirements of international standards. ‘Risks should be expressed in understandable terms, and the units in which the level of risk is expressed should be clear’ [Source: IEC/ISO 31010:2009]. An excellent risk assessment is simple, intuitive, and easy to update.
ISSUE #3 – IS LIKELIHOOD A RELEVANT ELEMENT?
I understand why this point can be controversial: ‘Significant disruptions typically occur infrequently, meaning estimations based on the probability of a threat occurring are based on limited data set and historic information, and the time frame under consideration’ [Source: BCI Good Practice Guidelines]; however, it is worth remembering that a business continuity risk assessment is meant to ‘identify unacceptable levels of risk and single points of failure’ to ‘maximise the benefit of any investment (e.g.: threat mitigating measures), and reduce the frequency or impact of disruptions’ [ibid.]. Resources are always limited, and we cannot mitigate all risks at the same time and with the same level of confidence. Therefore, I believe likelihood is a relevant element. And it does not even mean that we are underestimating low probability disruptions, because we must always plan according to the prioritization of critical processes resulting from the business impact analysis (which does NOT consider the likelihood element).
ISSUE #4 – WHO SHOULD BE IN CHARGE OF THE RISK ASSESSMENT PROCESS?
Many business continuity professionals argue that risk assessments should not be part of their duties. This argument is only partially correct, and it really depends on the size and complexity of the organization they are working for. In large organizations, formal risk management processes (including risk assessment) should usually already be in place and coordinated by dedicated functions. In these cases, or when a risk assessment is mandatory, this document is supposed to be used (and possibly expanded) by the business continuity professional to ensure that the ‘known’ threats provide a basis to identify single points of failure and unacceptable levels of risk related to critical processes. By contrast, smaller businesses should at least try to set up a simple business continuity risk assessment. The selection of risk assessment techniques should also be based on ‘the skills, experience, capacity, and capability of the risk assessment team’ [Source: IEC/ISO 31010:2009]. In any case, and with different degrees of complexity, someone must do something for the sake of the organization. To this end, effective communication and consultation with stakeholders are always helpful, as international standards rightly suggest.
ISSUE #5 – WHO SHOULD BE THE RISK OWNERS?
The risk manager does NOT bear the ultimate responsibility for specific risks in an organization, just like the business continuity manager does NOT bear the ultimate responsibility for the continuity of specific processes. They are basically coordinators of different programmes as well as facilitators who need to empower and support line managers in dealing with their own risks (or their continuity) directly. They act as a second line of defense when risks (or disruptions) materialize. The risk owner is the person who is in the trenches every single day (a product/service, process or activity owner, typically), and is the only one who should be entitled to define probability and impact levels for his/her own risks.
ISSUE #6 – HOW DO WE LIMIT SUBJECTIVITY?
A risk assessment should be as objective as possible. What is tolerable and what is not? What, for instance, do we mean by ‘low’, ‘medium’ and ‘high’? These points should be defined and resolved by the organization’s top management in advance. It is crucial to avoid confusion, misunderstanding and inconsistencies along the process. It is neither a risk manager’s nor a risk owner’s prerogative to override thresholds determined by top management. The former are not necessarily business experts and may not have the right sensitivity regarding the likelihood/frequency of occurrences; they may even overlook certain potential impacts of specific risks. At the same time, the latter could be biased by their own needs or perception, instead of considering the organization as a whole. Risk management (and risk assessments, consequently) will never be an exact science. There will always be a margin of error that lets under-estimated risks materialize. This is one of the reasons why business continuity planning is so important. Nonetheless, I believe this innate flaw of risk assessments is not, on its own, sufficient to state that they are useless and bring no added value to a business continuity management system.
ISSUE #7 – ARE RISK ASSESSMENTS TIME-CONSUMING?
With the caveat that ‘time-consuming’ does not equal ‘worthless’, if these issues are addressed properly and the process is buttressed with proper resources/support, they really are not!
CONCLUSIONS
Risk assessments are still an integral part of a business continuity management system. They are not rocket science and can be done relatively easily, with a reasonable amount of resources. And this is a fact.
My view is that omitting core activities or processes of a management system just because they can present challenges, or you struggle with them, is dangerous and somewhat unethical. Professional bodies and global/local organizations for standardization have developed several guidelines that can help. Of course, these can be discussed, improved or updated; however, they do not have to be over-simplified by dismissing essential elements just because some people or organizations tend to be lazy and mediocre.
Instead of thinking about shortcuts, we should rather discuss how to raise the bar of professionalism and engage people more effectively in a way that makes our risk assessments relevant and immediate. In the end, all we want is to make our organizations aware of their risks, able to prevent them, and ready to react.
Senior Business Continuity Consultant
Great article that resonates with many in the profession. Two points I'd like to elaborate on: 1) 'only because auditors and/or regulators want them'... If this is the only reason then I agree, but auditors and regulators do play an important role. They represent stakeholders, shareholders, Board members and insurance companies that will pay damages if something goes wrong. Insurance companies want to be sure their investment is protected. So although it is not the main reason, they do play an important role that in most cases is not an option, but a requirement. 2) I agree with the 'Low, Medium, High' references. There should be thresholds that decipher the differences that are tied to metrics. Overall great article. Hard to disagree with an industry framework that actually works. Others come up with 'new' ways to approach business continuity, but 'change for change's sake' shouldn't be the only reason for the change.
Head, Corporate Business Continuity Special Projects, Global Programs and Services, Amazon
Bravo! As Albert Einstein said, “Strive not to be a success, but rather be of value”! Many good points made in this article. Thanks!
Changing how resilience, business continuity and organizational preparedness are practiced and perceived
The qualitative approach favored within the business continuity discipline is too subjective and can expose organizations to greater risks by poorly judging impact and likelihood. I recommend reading some of the forward-thinking Risk Management professionals like Alexei Sidorenko, CRMP, Doug Hubbard and Warren Black.
Cybersecurity Manager-Identity Access Management Controls and Business Enablement
Alberto - appreciate the article. I agree, and as such in everything that I do, my approach is with a "passion" and I keep the interests of my stakeholders at heart. It is not what do I need YOU to do, but instead what can WE or I do for you? When they can see what I want to do and am able to do for them, we both reap the rewards.
Director at Logical Resilience Limited
Good article, Alberto, and points well made.