Proactive versus Reactive – Business Continuity’s Role in Treating Risk, Not Just Reacting to It

Avalution Team Avalution Team | Mar 10, 2008

proactive vs reactiveAs our industry evolved, we moved from methodologies based on information technology-focused disaster recovery to more holistic, but still reactive, business continuity.  Now, our industry’s rhetoric, and a growing number of its standards, point to more proactive practices, commonly called business resiliency.  Still, all of the approaches start from the same point; something bad has or will happen. Even business resiliency is primarily concerned with structuring an organization to withstand events, not prevent or avoid them altogether.

In many organizations, operational risk management is viewed as an insurance-related matter, and risk assessments are often driven by insurance concerns.  The assessments are performed by engineers engaged through a company’s insurance brokerage in conjunction with the internal facilities or engineering department.  While these types of assessments serve a useful purpose and are necessary, they generally fail to tie the identified hazards to the impacted business activities and thus actual business risk.

With the movement towards a more unified Enterprise Risk Management viewpoint in many companies, there has been an attempt to more fully understand and integrate operational risk issues.  In other words, why perform separate business continuity and insurance risk assessments?  Effectively evaluating risks within the context of critical business processes provides a clearer picture of the return provided by a wide range of risk mitigation options.

Recognizing the value and efficiency derived from cross-functional risk assessment and risk treatment, the business continuity industry developed numerous methodologies designed to enable and influence this linkage and assist in the development of comprehensive risk treatments, in addition to our traditional focus areas, response and recovery plans. In late 2007, the British Standards Institute (BSI) released a new, industry independent standard addressing the implementation and operation of a Business Continuity Management Systems (BCMS).  This standard, BS25999, includes a focus on risk assessment and risk treatment as an integral part of a comprehensive BCMS. The BS25999 standard mandates in Section 4.1.2 that:

There shall be a defined, documented and appropriate method
for risk assessment that will enable the organization to understand the
threats to and vulnerabilities of its critical activities and supporting
resources, including those provided by suppliers and outsource partners.

and that

The organization shall understand the impact that would arise if
an identified threat became an incident and caused a business
disruption.

While a specific methodology is not mandated by the specification, the intent is clear that risks must be assessed in the context of critical business activities.  A tool such as the Failure Modes and Effects Analysis (FMEA), derived from the Six Sigma process improvement discipline, lends itself well to this BS 25999 objective, particularly when used in a group workshop setting.  Participants are asked to characterize a risk in terms of “inability to produce” or “inability to perform” in order to focus on business processes. Failure modes are specific threats such as the unavailability of raw materials or the inability to generate a purchase order. Specific, potential causes of the failure can be identified, and likelihood of occurrence, severity and detection ratings can be assigned by management. Arguably the most valuable, current controls can then be identified and assessed for efficiency and effectiveness. Additional controls can be identified to further mitigate the identified risks and the ratings can be combined to rank order potential failure modes and provide a guide to the relative value of additional mitigation efforts.  BS25999 also mandates that attention be paid to “risk treatments”.  The standard states that:

For each of its critical activities, the organization shall identify
available risk treatments that:
a) reduce the likelihood of a disruption;
b) shorten the period of disruption; and
c) limit the impact of a disruption on the organization’s
key products and services

and

The organization shall choose and implement appropriate risk
treatments for each critical activity in accordance with its level of risk
acceptance.

While the term “risk treatments” is used broadly by BSI and includes traditional reactive business continuity recovery strategies to limit the duration and impact of a disruption,  it also includes proactive mitigation strategies designed to reduce the likelihood of a disruption.  This concept is strongly encouraged by business continuity program sponsors.

Overall, current business continuity management trends (and executive management guidance) align BCMS more closely with strategic enterprise risk management programs. By leveraging the business process criticality information generated through the traditional business analyses and using the results as a lens to focus risk management activities more closely on critical business processes, organizations are able to allocate limited resources to risk mitigation projects in a much more precise manner.  Scarce resources can be directed where they can have the most impact and return and can be quantified and tracked, directly tying BCMS to strategic corporate goals and metrics.