Systematic Disaster Planning Part 1: Charting the Course of Disaster
- Published on Tuesday, 30 October 2007 10:45
Effective disaster planning is systematic. Good plans are purposeful, methodical and, above all, built on a firm foundation. The best framework for plan foundation-building is a careful and complete risk analysis. Risk analysis attempts to identify the conditions that can lead to disastrous outcomes, and their relative likelihoods. By reasoning through the possibilities, the disaster planner gets a better idea of what's important. He or she also gains a valuable understanding of the mechanism of disaster, resulting in more useful plans. This is in contrast to the 'be ready for anything' philosophy espoused by some planners. A scattershot approach can result in a serious lack of focus that may actually hinder an organization's ability to effectively respond to disaster. In practice, most planners do prioritize planning on the basis of at least some rough estimate of the likelihood and costs associated with possible disasters. I might, quite rationally, choose to dispense with earthquake planning in a siesmically inactive area of New England. To a planner in Southern California, on the other hand, earthquakes are a major concern.
With its roots in the analysis of safety critical systems, like nuclear power plants, the scenario- based approach is an amalgam of formal methods. These include ideas from systems engineering and the theory of probability. To be truly useful, however, risk analysis must be easy to apply in practice. The perfect blend of rigor and simplicity is provided by a scenario-based risk analysis. A scenario-based analysis helps us develop a detailed analysis of disaster potential by providing a logical structure for the analysis. We make the logical structure of a scenario-based approach easy to develop, use and understand by integrating an intuitive graphical structure, in the form of flow charts.
This guide to systematic disaster planning is divided into two parts. In part 1, we describe a simple method for the formal analysis of disaster potential based on flow charts. Once completed, this analysis can serve as a rational basis for plan development and testing. This process is described in part 2 of the series. Taken together, these parts describe a ready-to-use methodology for effective disaster planning.
The Nature of Disaster
Disasters don't just happen. They develop through a dynamic chain of events. This chain always starts from some initiating event. The initiating events of most concern to modern disaster planners are things like fires, earthquakes, windstorms and chemical spills. Properly mitigated, outcomes stemming from these initiating events can turn out to be relatively minor. For example, when sprinklers act to quell a fire at its incipient stages. Other times, initiating events follow to serious, adverse outcomes ... in a word, disaster.
What governs the path from initiator to outcome is the idea of randomness, or chance. We don't, and can't, know for sure what will happen next in the chain of events. We only have some idea of each events relative likelihood, or probability. The concept of randomness that governs the process can be illustrated using simple gambling devices like cards, dice or coin tosses. We flip a penny into the air (introducing 'randomness') and then guess 'heads' or 'tails'. The nature of the process is well known. What we can't know for sure is whether the coin will land heads or tails. We know from the physical properties of the coin, as well as past experience, that a fair coin will land heads one out of two times in repeated tosses. The probability of heads is therefore 1/2 or .5. This number serves as a guide to action (e.g., when placing bets in a gambling situation) as well as an indicator of how 'expected' the event is to occur on the next try.
The chain of random events that make up the path to possible disaster can be conveniently visualized using flow charts. Most of us are familiar with flow charts. They provide a schematic representation of a sequence of events, and their outcomes. By allowing us to visualize the flow of events, flow charts give us a better understanding of the underlying processes and how they all fit together to make up the systematic whole. They also provide a structure for the systematic calculation of event probabilities. To properly respond to disaster, we need to identify possible disasters, and assess their likelihood and consequences. Flow charts help us do just that.
Creating Disaster Flow Charts
Getting a flow chart for potential disaster on paper is simple: As a general rule, if you can think of a scenario, you can flow chart it. Disaster flow chart creation starts with the 'brainstorming' of possible scenarios arising from some initiating event. The results can be captured, initially, in the form of a narrative, or story. The various scenarios developed by this 'thinking out loud' method are then plotted in flow chart form. Flow charting has the advantage of helping us to better visualize processes which may be obscured by words alone. They also provide us with a structure on which to base probability calculations, For planning purposes, scenario outcomes can be prioritized according to their probability/ consequence characteristics.
The figure on the following page shows a simple flow chart of the disaster potential of a firm engaged in the transport of hazardous chemicals. The initiating event here is a truck accident. To begin, we need to get an estimate of the likelihood of a truck being in some kind of accident during the course of a year. Company statistics show that this occurs roughly once every 5 years resulting in a probability estimate of 1/5 or .2. Now we just follow the logical progression from initiator to next steps. When a tanker truck is in an accident it can either spill its cargo, or not. Note that, in reality, the event 'cargo spill' can range continuously from 0 to the total load of the truck. Usually, one or a few options can capture the essence of events. We might, if we wanted to be a little more precise, expand the spill event to include minor, moderate and major spills, for example. Doing so, however, complicates the analysis. How complex we make a tree is a judgment made by the analyst, with the purpose of the exercise in mind. In many cases, even a very simple analysis can provide great insight into the process.
Using company records, as well as industry experience, we find that the probability of a spill given that a truck accident has occurred, is around 1/10, or .1. This means that, on average, we can expect one out of every ten truck accidents to result in some kind of spill. One branch of this event 'tree' now becomes terminal: The truck has an accident, there is no spill, and property damage to the truck amounts to approximately $45,000. This branch represents a final outcome or end-state. To determine the probability of any outcome we simple multiply the probabilities of events along the way. For example, the scenario in which a truck accident occurs, the truck is damaged and no spill of cargo occurs has a probability of .2 (truck accident) times .9 (no spill), or .18.
Focusing now on the other branch emanating from a possible accident, we notice that a cargo spill itself can be followed by various events. A spill can result in loss of cargo only, resulting in substantial clean up costs, a fire or, in the worst case, a fire and explosion. These events are represented by a further branching of our tree. Using expert opinion and perhaps some actual accident data we determine the mutually exclusive probabilities of the events that occur given that an accident has resulted in a cargo spill. The most likely result is a spill with no fire. This happens 90 percent of the time when an accident initiated spill occurs. There is a far lower chance (.099, or roughly one in ten) that the spill catches fire. Should the spill catch fire, the results are serious. Monetary damage to persons and property can run as high as $1,000,000. At this stage of the analysis we are looking at outcomes that could truly be labeled as 'disasters', at least from the perspective of our transporter. In some rare cases (one in a thousand) the cargo can actually explode. The resulting damage of this outcome is $2,500,000. Once again, to determine the probability of these final outcomes we multiply the probabilities along the tree. For the worst case scenario of a truck accident that results in a cargo spill that ultimately catches fire and explodes (causing $2,500,000 in damages) is .2 x .1 x .001 = .00002. This amounts to a probability of two in one hundred thousand. We can look at this number in terms of annual event frequency - we expect two such events every one hundred thousand years of operation - or as the probability of such an event occurring this year among a population of one hundred thousand similar firms (we would expect two of these to suffer a $2,500,000 disaster).
While some of these numbers appear imperceptibly small they become more tangible when we look at them from the perspective of the collective. In a group of one thousand entities, each facing a seemingly small probability of disaster of 1 /10,000, or .0001, we are virtually assured that at least one of these will face some serious event within the next ten years. The question for the planner is: If that firm is yours, will you be ready? This is where a systematic plan for disaster recovery comes in.
As noted above, the do-it-yourself potential of flow charting is high. Initial tries can be carried out with pencil and paper. Added structure, and a neater appearance, can be gained through the use of one of the many computer flow charting programs available. Often, flowcharts can be set up using computer spread-sheet programs. These permit the rapid calculation and recalculation of event probabilities as well. The flow charting of disaster scenarios is very much a learn-by- doing exercise. Computer tools make this learning process all that much easier.
The need to establish probability estimates is perhaps the most daunting task in creating a good flow chart analysis of disaster potential. Statistical data is usually very limited. Expert judgement can often be substituted for data, with good results. When uncertainty enters, it can be communicated using interval estimates. For example, we may estimate the uncertain probability of a truck accident as a range from one in three (1/3, or .33) to one in ten (1/10, .1). The width of this interval can serve as a measure of uncertainty. The analysis can then be run using 'high' and 'low' estimates, along with perhaps a 'best guess' (in our example, 1/5, or .2). When uncertainty exists it is important that it is adequately captured. What we don't know can be as important as what we do know.
It is, of course, axiomatic that we can't capture every possibility in our charts. This is no reason, however, for us to not at least make the attempt. If done properly, we can take comfort in knowing that most, and the most serious, disaster scenarios facing our organization will be properly accounted for. It is only the most pessimistic among us that can genuinely believe that nature somehow conspires to present us only with those disasters that we have failed to account for.
Using the Results
While this example is highly simplified, it does bring out the points of value in a well thought out analysis of possible disaster scenarios. We gain a deeper understanding of how the process proceeds, as well as an estimate of the probabilities of various outcomes along the way. These probabilities allow us to prioritize our recovery and planning efforts. In the happy case where the probability of disaster is virtually nil, or where the consequences of an unexpected event are relatively minor, we might dispense with such preparation altogether. This frees resources for other uses. For more serious situations, the charts themselves serve as a framework for action. We leave a more detailed description of how this may be accomplished for part 2 of Dynamic Disaster Planning: From Ideas to Actions.
The branch points along a scenario 'tree' also provide us with guidance as to where and how the probability of disaster could be mitigated. For example, disaster probability could be greatly reduced in our example by increasing the probability of early notification and successful evacuation. To the extent that all reasonable actions can reduce this probability no further, we can at least go into future and use decisions with an idea of the risk involved. These may, or may not be, acceptable. At any rate, further damage could be mitigated with an effective plan of disaster recovery. Financial damages may be addressed with insurance or the sharing of community resources (e.g., disaster relief).
Scenario-based analysis of exposure to adversity using flow charts can be applied to a variety of perils at the enterprise, societal and even personal levels. While these perils may be very different in each case, there is a commonality in terms of the 'flow' from initiator to outcome that the graphical approach captures so well. This means that the knack for developing flow charts, once gained, can easily be applied to many different exposures. Flow chart analysis is also very modular, in the sense that we can start with simple representations and build from there. This allows for incremental construction of charts as the need for more detail arises. Our truck accident analysis, for example, could be expanded to identify the effectiveness of different types of evacuation and notification processes. Detailed flow chart analysis can also be focused on a particular event along the tree.
Systematic disaster planning starts with an understanding of the causal mechanisms of disaster. An easy and effective way to gain this understanding is through the construction of scenario flow charts. Is it worth the effort? Much disaster planning today is based on a 'seat-of -the-pants' approach. Indeed, informal analysis based on planner's intuition of disaster potentials has generally been rather successful. The problem is that the world isn't getting any less complex - only more. This means we have to keep one step ahead of the potential for disaster in our planning efforts. To do so, we need to introduce more formal methods of analysis - like the scenario-based approach to risk analysis. So the question is really not whether we can afford to introduce a more formal approach to disaster planning, but rather, how can we afford not to?