Business continuity and cascading risks

Over the last two weeks, I've been talking about how to set up your business continuity planning. But there's an important step I haven't discussed yet.

Two weeks ago, I described a basic risk-handling protocol. Then last week, I described how you turn regular risk-handling into business continuity planning. But of course it’s complicated. Some risks can wipe you out; others are nuisance level; many are somewhere in between. Some risks require specialized expertise to address them, but their consequences are grave enough that you can’t just delegate them to the specialists and then forget about them. How do you focus?

The answer is that you have to distribute risk-handling throughout your organization so that risks are addressed by the right people, but in a way that always traces back to top management (who have, after all, final responsibility for the organization as a whole). 

Last week, I said that each member of the Executive Team has to go back to his (or her) people to work out the details of that area’s approach. That step is the key to setting up a system of cascading risk management.

After all, even though business continuity affects everyone, there will always be some actions or some risks that are specific to a particular department or to a particular kind of disaster.

• In case of fire or flood, your operations functions have to think about shutting down their work in a controlled way and getting to safety. Your warehouse function (if you have one) has to think about how to protect your inventory. But your office functions may be able to resume work remotely (once they have all gotten to safety), provided they still have access to your network.
• In case of a pandemic, there should be no significant risk of physical destruction, but you may have more concerns around isolation or availability of personnel.

So yes, you have to start at the top. And the risks you track at the top level are the ones that can wipe you out. But then the members of your Executive Team go back to (let’s say) the middle managers who work for them, to do two things:

• Figure out in detail how to implement the overall strategic approach. (All these steps should be traceable back up through the elements of the high-level strategy.)
• Do an independent risk analysis at that level to see if there is anything special to their areas that was missed at the higher level. Use the same method I described two weeks ago—the very same method that the Executive Team already used.

And then the middle managers do the exact same thing again, engaging with their employees at the working level, to achieve the exact same two goals. 

Naturally if (during one of these lower-level reviews) anyone discovers a risk that affects a wider group (or even the whole organization) but was accidentally missed, escalate it on up the management chain to where it belongs and then ask everyone to update their work to account for it.

In the end, every unit in your organization—every division, every department, every plant, every team—ends up doing some level of business continuity analysis, and tracking the measures that apply at their level. And every year, the whole organization repeats the analysis: to identify what’s changed and to check if all the defined measures are still correct and current.