However, if a real threat is unknown, we will not necessarily carry out any measures to protect ourselves against that threat. Consequently, that is why we have the continuity facet to our program, to provide us recoverability against all possible threats. The continuity agenda exists to safeguard us should our protection measures fail us or we incur the wrath of a threat we did not consider.
The second role that probability plays in our BCP is in the development of viable business continuity or recovery strategies. We need to develop business continuity or recovery strategies that provide us a high-probability of being successfully carried out in case of a disruption of operations or a disastrous event.
This includes such considerations as having adequate availability of sufficiently skilled and trained personnel, access to critical information and resources, and timely access to an alternate location.
For example, we would not place critical recovery resources in an off-site storage location that is subject to a high risk or threat, or that is highly likely to suffer disastrous consequences from the same event that disrupts our critical operating site. This could occur if we were to locate our off-site storage facility in a known floodplain, if both sites were in the same utility power grid, or both sites were in alignment with the path that tornadoes are known to frequent in the area, etc. Performing risk assessments using the principles of probability provide us a basis for making more viable strategy selections.
However, the knowledge of all possible threats is unknown, and probabilities are only a compilation of past experiences with qualifying assumptions. They do not necessarily represent the possibility or consequences of events in the future.
Consequence
Consequence is the fundamental basis of our BCP. To establish the requirements for our program we do a business impact analysis (BIA). The BIA is the gathering and evaluation of information about the organizational consequences of interrupting our day-to-day business functions and processes. This evaluation provides us a sense of the relative criticality and importance of all our functions, processes and resources as they relate to the functioning of the whole organization.
Additionally, it provides a clear business rationale and cost justification for the development and selection of cost-effective business continuity and recovery strategies. This is because learning the financial impact of disrupting functions and processes is an important part of the BIA
Project.
Consequence is also the fundamental basis for how we tend to manage our day-to-day lives and make life-important decisions. For example, why is it that we do not usually purchase any measurable life insurance coverage until after we enter into the commitment of marriage? Then we continue to increase that coverage as our family continues to grow. Is it because we are concerned with the probability of our mortality, which is one or 100 percent? Or, is it because of the consequence that our absence would have on our family unit? Additionally, why do we couple a financial plan and a will along with our insurance program to address a specific approach for carrying out the disposition of our estate? Sounds like a family continuity program to me! How is that different from a business continuity program? Why should we look at business continuity any differently? Is one more important than the other?
We can continue to site examples of our consequence-based world and behavior. For example, we often relate crime and punishment consequentially (e.g., If you can’t do the time, don’t do the crime, etc.). We bet on long shots at the track, on the lottery, and other gaming events. Surely, this is not because of the probability of losing. Is it not the consequences of winning?
What is the real question?
Why do we selectively decide to play the probability card when it comes to supporting business continuity? Is it to diffuse the spending of monies on something that does not appear to support getting product and services out the door?
Experience shows us that development of a sound business continuity program provides us with better business processes for day-to-day operations and greater resiliency from the consequences of day-to-day interruptions. So that can’t be the issue.
Does our management team truly believe they are invincible? Do we not believe in ensuring our own mission, vision, and values statements that proclaim that we will always be the best provider to our customers, employees, and stakeholders? What do you think?
Disruptions do occur and they continue to emanate from the most obscure and unknown events and threats. In a perfect world we would know all the threats that face us and could predict the probability of their occurrence to manage our daily lives. But we do not live in such a place. Our world will always be vulnerable, either directly or indirectly from the misfortune of others, to the consequences of disruptions that we can only partially predict or control.
So, what is the real question? Do we believe it is prudent to manage your organization in such a manner so as to ensure continuity and perpetuity, or are we only there for the short-term without regard for the welfare of our customers, employees, and stakeholders?
If we take the latter view, it will be a short-term relationship for both our organization and us! Most importantly, business continuity is not the responsibility of one individual or even a team.
Every employee, manager, and officer of the organization must be held accountable to ensure success. Like safety and security, it does not work unless everyone believes it is important and consequential. But once we all believe, the resulting consequences are preferable for everyone. This we know with a probability of one!
Barney Pelant, MBA, MBCP is founder and managing director of Barney F. Pelant & Associates, a practice dedicated to business continuity planning and development for mid-sized and Fortune 500 companies. For more information call (630) 894-6989 or e-mail Barney at Bpelant@cs.com.
