Old chestnut alert: this blog may ponder whether Business Continuity is a part of Risk Management, or if Risk Management is a part of Business Continuity.
Normally I’d run a mile from that kind of theorising. However, this week it actually mattered, and if you’ve been around in business continuity you’ll recognise the problem.
You’re looking at One Big Asset. The whole organisation depends on it. I’m not talking about a giant warehouse or call centre or computer room. The One Big Asset is something you really can’t have two of. Maximum Allowable Outage quickly loses its meaning.
Impacts Over Time? Even for a lesser disaster, you know they’re ruinous. But in the world of One Big Asset sometimes you don’t have much choice.
So we’re principally talking about a Risk Management problem. It hardly matters how much Appetite For Risk you have: it’s the only item on the menu. The pattern, I slowly realise, tends to be that organisations with One Big Asset usually had a risk management policy, or one or more studies, long before they started talking about business continuity.
Is business continuity now relegated to being just the “contingency plan” at the rump end of a very unpleasant risk?
At these difficult moments I turn to the helpful bowtie diagram.
This is a great way of expanding the risk management problem. There’s lots of stuff on the net about it – I won’t try to re-explain it here. Just Google/Bing it. Brace yourself for some industrial safety tutorials, but the message is sound.
The useful thing is that it breaks out controls into pro-active prevention and post-disaster reactive elements. So your classic Incident Management Plan, Communications Plan and Business Recovery all fit nicely into the post-disaster impact-reducing control. That’s where your Maximum Allowable Outage makes sense for call centre bods, computer recovery and all.
But with really big risks, you find there are multiple pro-active controls, plus threats to controls and so on. The bowtie starts to grow nodes off the pro-active controls and you build the picture where multiple layers of protection apply to prevent the Big Risk.
So here is the other place where Business Continuity has a vital part to play. The processes (controls) that prevent your risk from materialising also need to be continuous.
Because like a plane full of passengers, you only lose it once. You need your reactive capability, but you want to do everything you can to stop it from being needed, and that means never losing your preventative controls.