We've been talking about risk for a month now, and I'd like to talk now about a different kind of risk management: business continuity. Business continuity is the ability of a business to get back to work after something has interrupted it: hurricane, fire, flood, pandemic, or whatever. In fact that's almost exactly the formal definition. ISO 22301:2019, Business continuity management systems — Requirements, defines business continuity as the "capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption."
As an example, think back to March 2020. The world was beginning to react to COVID-19, and there was a lot of excitement as organizations frantically tried to improvise what to do. But I worked for Bosch at that point, and some years earlier Bosch had required every plant and every office to define (and regularly review) a Business Continuity Plan for how we would respond to various kinds of disruption. One of the entries on the form was "global pandemic." I remember the meetings where we reviewed this plan, and back in the 2010's nobody rated that as a likely risk. But we worked out a plan for it, just to be complete. Then when March 2020 came and other companies were caught flat-footed, our General Manager pulled our plan off the shelf and it already spelled out exactly what to do.
How do you plan for business continuity?
I want to proceed in three steps. In this post I'll review the basics of risk handling, keeping in mind some of the salient points we've discussed in recent weeks.* In my next post I'll talk about why your business continuity planning has to be driven from the very top. And then in a third post I'll describe how to embed it into the organization as a living practice instead of a show for the auditors.
When I describe basic risk handling, I usually start with a concrete example that everyone can imagine. Think of the Safety Committee in a grocery store. They think of all the ways somebody could get hurt, and then define measures to keep it from happening. If someone breaks a jar of spaghetti sauce in Aisle 3, put up a “Wet Floor” marker and mop it up. Don’t put heavy things on high shelves. And so on.
Sometimes they identify a risk that’s not very likely: What if a customer brings his dog and the dog bites somebody? Yes, you want to know what risks you face; but you can’t prevent everything. So you rank your list in order of importance. Plan for the ones that really matter, and let the rest go. In general your ranking should consider at least two things:
- How likely is the risk?
- And how bad will the impact be if it happens?
In the simplest case (there are ways to make this a lot more complex!) you ask each question about each risk and answer with Low, Medium, or High. Then you use these two scores to assign a priority to each risk as follows:
Priority = Likelihood x Impact
| High | Medium | Low |
High | High | High | Medium |
Medium | High | Medium | Low |
Low | Medium | Low | Low |
On this scale, for example, “getting bitten by a customer’s dog” probably ranks Low for likelihood but High for impact, giving a composite priority of Medium.
(You can see that this rating method is similar but not identical to the one we saw for evaluating risk in audits: there we said priority = {number of nonconformities} x {severity}. The overall approach is very flexible.)
Then address all the important ones: this means at the very least all the ones where priority = High, but consider the others too to see if there is something you can do where the balance between effort and outcome is reasonable.
"Addressing" a risk means:
- If possible, prevent it.
- If you can’t prevent it, take steps now to mitigate the impact when it happens.
- Also, consider how you will respond when it does happen: those are your contingency actions.
- To make sure this gets done, assign the risk to an Owner, and assign a deadline by when the actions have to be in place. Then be sure to follow up that they really are.
- And remember that root cause analysis of a risk can help you find the most effective approach.
What about the risks you choose not to address? They stay on the list anyway. And your priority ratings aren’t static. From time to time—at least once a year, if not more often—review your list to see if things have changed.
- As you take mitigation steps, for example, the impact of some risks will drop and so their priorities will change.
- The priority of others might rise, depending on changes in the outside world. Think how low most companies rated the likelihood of "global pandemic" in 2019.
- Check whether your contingency plans are still correct and current. Is that still the best way to handle this risk, if it comes about?
- Are the responsibilities all assigned to the right people? Are your supplies all in stock and up to date?
- Assign actions as needed, and follow up to ensure the actions are closed on time.
In other words, your risk handling becomes a living system.
So even if a risk falls below your threshold and you don't address it right now, keep it on the list. Then the next time you review the list—next quarter, next year, or whenever—you can think about it again. And as long as it stays on the list, you won’t forget.
__________
* What follows in the rest of this post borrows heavily from a post I wrote more than a year and a half ago about basic risk management. But I have updated my remarks by taking into consideration the last month's sequence of articles. You will find links throughout.
Excellent post. Bow Tie is a good technique to do risk management along with ISO 31000 and ISO 22301. Thanks
ReplyDelete