BCI Comment: A Three Line Defence?

Posted On 12 Aug 2013

In the latest column for Risk UK, Lee Glendon of the BCI considered the fact that planning for risk-based issues works well, if the risk conforms to the plan! He stated, ‘At its very core, risk management involves being prepared for, and having the ability to react to, events that could jeopardise the operations of a business or organisation. The relevant and processes are all well and good when events occur as expected, but what happens when they don’t?

‘Contingency planning is very much in fashion, whether it is the Bank of England making plans for the Eurozone crisis, smartphone manufacturers being prepared to respond to a competitor’s new product, or auto manufacturers dealing with a product recall. But is it the right approach for every type of risk?

‘We feel that “Contingency planning” needs to be seen as one element of a three line defence against uncertainty and risk, complemented by “Continuity capability” and “Crisis response” - for convenience we have termed this approach the 3Cs of Business Continuity.

‘Contingency plans are generally seen as specific plans to expected or possible events. This is both their strength and their weakness. It’s their strength when the event unfolds as per the plan, because the organisation can respond well and be seen to respond well. However, it’s their weakness when the events do not occur as planned, and can result in the exasperated cry of “who would have thought that could happen?”

‘The blame for these failures of prediction is often laid at the door of risk analysis, modelling and mapping techniques. But perhaps it is a case of expecting too much from them - at least from the 2×2 or 5×5 Cartesian maps. Risk analysis needs to acknowledge its limitations and encourage conversations when maths and matrixes reach their limits.

‘One fruitful area for conversation is around consequences and vulnerabilities, as these can be understood and debated. In “Black Swan”, Taleb articulated the same thinking with the example of an earthquake affecting San Francisco.

‘This is what we call the continuity capability discussion, and it is focused on generalised or abstract loss scenarios - loss of access to wholesale credit markets, loss of availability of key people, as well as loss of IT capabilities and key supply chains.

‘Pandemic planning is a good example of the interaction between contingency plans and continuity capability, with the “absence of people” being a common area of planning for Business Continuity professionals. This is supplemented by a pandemic contingency plan, which will include specific elements such as work place hygiene, social distancing, etc.

‘So now we come to the third component of the 3Cs, “Crisis response”.

‘Contingency plans are a pre-defined scenario response, and continuity capability is based on a set of pre-defined parameters around recovery time objectives and maximum tolerable periods of disruption. So what happens when the unknown unknown, or Black Swan event, happens?

‘These events by definition are more consequential in their effects than reasonable planning could have anticipated, and may involve issues which threaten the very existence of the organisation.

‘This is the time for top management to demonstrate leadership, and it’s a time when effective stakeholder communication is at a premium - when the left hand needs to know what the right hand is doing.

‘This brings us to the role of the Business Continuity professional. The 3Cs help to clarify the skill set that the ambitious practitioner can bring to an organisation: the Business Continuity professional understands when contingency plans will work, how a continuity capability provides a robust foundation, and how to ensure that action plans are indeed actionable. This is a valuable skill set for any organisation developing a risk response for the risks it can see … and the ones it can’t.’

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.