
BCI Comment: A Three Line Defence?

by Brian Sims

In the latest column for Risk UK, Lee Glendon of the BCI considered the fact that planning for risk-based issues works well if the risk conforms to the plan! He stated, ‘At its very core, risk management involves being prepared for, and having the ability to react to, events that could jeopardise the operations of a business or organisation. The relevant and processes are all well and good when events occur as expected, but what happens when they don’t?

‘Contingency planning is very much in fashion, whether it is the Bank of England making plans for the Eurozone crisis, smartphone manufacturers being prepared to respond to a competitor’s new product, or auto manufacturers dealing with a product recall. But is it the right approach for every type of risk?

‘We feel that “Contingency planning” needs to be seen as one element of a three line defence against uncertainty and risk, complemented by “Continuity capability” and “Crisis response”; for convenience we have termed this approach the 3Cs of Business Continuity.

‘Contingency plans are generally seen as specific plans to expected or possible events. This is both their strength and their weakness. It’s their strength when the event unfolds as per the plan, because the organisation can respond well and be seen to respond well. However, it’s their weakness when the events do not occur as planned, and can result in the exasperated cry of “who would have thought that could happen?”

‘The blame for these failures of prediction is often laid at the door of risk analysis, modelling and mapping techniques. But perhaps it is a case of expecting too much from them, at least from the 2×2 or 5×5 Cartesian maps. Risk analysis needs to acknowledge its limitations and encourage conversations when maths and matrixes reach their limits.

‘One fruitful area for conversation is around consequences and vulnerabilities, as these can be understood and debated. In “Black Swan”, Taleb articulated the same thinking with the example of an earthquake affecting San Francisco.

‘This is what we call the continuity capability discussion, and it is focused on generalised or abstract loss scenarios: loss of access to wholesale credit markets, loss of availability of key people, as well as loss of IT capabilities and key supply chains.

‘Pandemic planning is a good example of the interaction between contingency plans and continuity capability, with the “absence of people” being a common area of planning for Business Continuity professionals. This is supplemented by a pandemic contingency plan, which will include specific elements such as workplace hygiene, social distancing, etc.

‘So now we come to the third component of the 3Cs, “Crisis response”.

‘Contingency plans are a pre-defined scenario response, and continuity capability is based on a set of pre-defined parameters around recovery time objectives and maximum tolerable periods of disruption. So what happens when the unknown unknown, or Black Swan event, happens?

‘These events by definition are more consequential in their effects than reasonable planning could have anticipated, and may involve issues which threaten the very existence of the organisation.

‘This is the time for top management to demonstrate leadership, and it’s a time when effective stakeholder communication is at a premium, when the left hand needs to know what the right hand is doing.

‘This brings us to the role of the Business Continuity professional. The 3Cs help to clarify the skill set that the ambitious practitioner can bring to an organisation: the Business Continuity professional understands when contingency plans will work, how a continuity capability provides a robust foundation, and how to ensure that action plans are indeed actionable. This is a valuable skill set for any organisation developing a risk response for the risks it can see … and the ones it can’t.’
