
Recovery professionals agree that the first step in establishing effective disaster plans is a systematic risk assessment. The occurrence of disruptions of the type the disaster planner deals with, and their effects, can rarely be determined in advance. They are governed by the element of chance. The best we can do is determine the exposure's long-run relative frequency of occurrence, or what we refer to as its probability. A risk assessment consists of the identification of the organization's exposures to disruption, and the subsequent determination of each exposure's probability/consequence characteristics.

While each exposure to potential disruption of operations is unique, we can summarize their properties using the probability/consequence data obtained through a formal risk assessment. We cannot predict the occurrence of the next disaster with this data, but we can use it to make reasoned decisions about dealing with disaster. Among these is the ability to effectively prioritize disaster recovery plans. The ability to deploy effective disaster recovery plans remains one of the most important factors in the survival of the organization in the face of risk.

As the world gets more and more complex, we need to use more sophisticated methods to deal with the risk. A formal risk assessment is one of these. However, formal methods are only valuable to the extent that they are used by real-world planners. We need to introduce methods that are not only powerful in scope, but also easy to implement. We review several such methods here, and discuss their application to the prioritization of disaster recovery plans. Our goal is the development of practical methods for improving disaster response.

Knowing Your Exposures

We obtain probability/consequence information on exposures to disruption in a variety of ways. Often, expert judgement can be used. Experts in a particular area often gain a feel for the effects of disruption and their relative likelihoods through experience. A variety of more rigorous risk assessment methods exist as well. Many organizations gather statistics on disasters and their causes, and make this data available to the public through a variety of means. When statistics are scarce, we can turn to the logical analysis of hazard models to determine probabilities. Among these are the use of so-called event trees and other scenario-based methods that attempt to logically outline the flow of potential disasters.

The results of the risk assessment can be conveniently displayed using risk maps. Risk maps are two-dimensional charts that show the exposure's annual probability of occurrence on one axis, and the consequences, usually in terms of monetary loss, on the other. The accompanying figure shows a simple risk map. The points on the chart represent the probability/consequence characteristics of each individual exposure to disruption. Point A, for example, might represent the probability/consequence characteristics of a hurricane in our region. Its consequences are severe, and its probability is in the moderate to high range. While point F represents an exposure of similar severity to point A, its likelihood is much lower. This point might represent the earthquake exposure of a business located in an area that is, seismically, relatively inactive. As opposed to points A and F, point D is at the lower end of the severity scale. It does, however, have a relatively high probability. It is typical of minor, yet bothersome, disruptions such as the collision of a delivery truck. Each event can be, in this way, categorized according to its properties.

Risk maps have a variety of uses in the management of risk. They can help us assess risk financing options, as well as judge the effectiveness of loss prevention efforts. While risk management options such as financing and loss prevention can help reduce risk, they cannot eliminate it. As a result, we need to be able to plan for disaster. Unlike financing and loss prevention efforts, disaster recovery helps us minimize the effects of untoward events after they occur. We will show here how the risk maps resulting from a comprehensive risk assessment can be used to prioritize disaster recovery planning efforts.

A Focus on Risk

To plan effectively, we need to know what to plan for. The way we respond to an earthquake is different from the way we respond to a crippling strike by our work force. While both may spell disaster to our organization if not effectively handled, the success of our response depends on our ability to tailor it for maximum effect. Every organization is faced with a myriad of exposures to disruption. The question naturally arises, 'What exposures should we tend to first?' Therein lies the challenge of prioritizing our recovery planning efforts.

The risk maps that result from a comprehensive risk assessment present a simple and effective method of prioritizing risks based on their probability/consequence components. Using risk maps we can proceed with the prioritization effort by getting a relative feel for 'how bad' each exposure is. First, we identify that corner of the risk map that represents the worst case scenario of risk: a high likelihood of absolutely terrible consequences (say, loss of the business). We label this intersection our risk focus. Our worst case established, we assess the significance of each exposure by its distance from the risk focus point. Those exposures that map closest to the risk focus are obvious candidates for primary attention.

We have added to our simple risk map figure the risk focus point and arrows that show the distance of our various exposures from the focus. By inspection, the closest exposure to the risk focus is A. It is this exposure that we put at the top of our planning priority list. Next comes exposure B, then C, and so on. In this way, we pay attention to the 'riskiest' exposures first. Note that the risk focus is simply a method for ordering risks, not measuring them. The length of the line connecting exposure point to risk focus is used for establishing the relativities of risk only.

Further enhancements to the system can be easily incorporated. For example, more and more risk assessment and mapping efforts are proceeding with the help of the computer. The idea behind the risk focus, the distance between the focus and our exposures, requires only a little bit of high school math to implement in a computerized environment. The Pythagorean Theorem provides us with a simple formula for measuring the distance between two points on a risk map. The formula can be easily programmed in, let's say, a computer spreadsheet. We can then use risk map data directly to calculate distances, and hence rank our exposures automatically. This allows the prioritization of complex risk maps, where the purely visual approach may become difficult. With the aid of the computer, a large number of exposures can be quickly classified.
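The distance calculation described above can be sketched in a few lines of Python. This is an added example, not code from the article: the coordinates of exposures A through F and the worst-case loss are constructed sample values, and scaling both axes to the range 0 to 1 before measuring distance is an assumption made here so that monetary amounts do not swamp the probabilities.

```python
import math
from typing import NamedTuple


class Exposure(NamedTuple):
    name: str
    annual_probability: float  # long-run relative frequency per year, 0..1
    consequence: float         # monetary loss if the event occurs


def rank_by_risk_focus(exposures, worst_case_loss):
    """Return [(name, distance)] ordered closest-to-focus first.

    Assumption (not from the article): each axis is scaled to 0..1 so that
    dollars do not swamp probabilities; the risk focus is then the corner
    (probability 1.0, loss equal to worst_case_loss).
    """
    if worst_case_loss <= 0:
        raise ValueError("worst_case_loss must be positive")
    ranked = []
    for e in exposures:
        if not 0.0 <= e.annual_probability <= 1.0:
            raise ValueError(f"{e.name}: probability must lie in 0..1")
        if e.consequence < 0:
            raise ValueError(f"{e.name}: consequence must not be negative")
        # A loss larger than the worst case is still "loss of the business".
        scaled_loss = min(e.consequence / worst_case_loss, 1.0)
        # Pythagorean distance from the exposure to the focus corner (1, 1).
        distance = math.hypot(1.0 - e.annual_probability, 1.0 - scaled_loss)
        ranked.append((distance, e.name))
    ranked.sort()  # ties fall back to name order
    return [(name, round(distance, 3)) for distance, name in ranked]


# Constructed sample data; the article's figure gives no numeric coordinates.
WORST_CASE_LOSS = 10_000_000  # hypothetical value of "loss of the business"
SAMPLE_EXPOSURES = [
    Exposure("F", 0.02, 9_000_000),  # severe but unlikely (e.g. earthquake)
    Exposure("D", 0.80, 1_000_000),  # minor but frequent (e.g. truck collision)
    Exposure("A", 0.60, 9_000_000),  # severe and fairly likely (e.g. hurricane)
    Exposure("C", 0.40, 5_000_000),
    Exposure("E", 0.30, 3_500_000),
    Exposure("B", 0.50, 7_000_000),
]

if __name__ == "__main__":
    for rank, (name, dist) in enumerate(
            rank_by_risk_focus(SAMPLE_EXPOSURES, WORST_CASE_LOSS), start=1):
        print(f"{rank}. exposure {name}: distance {dist}")
```

As the article notes, the distances serve only to order the exposures; they are not a measure of risk in themselves.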

The Master Plan

The idea of a risk focus, and the proximity of exposures to it, gives us a clear visual representation of importance in terms of risk. It helps us integrate two important phases of risk management: Risk assessment and the prioritization of recovery efforts. While the idea that we need to assess the risks facing us seems intuitively clear to most planners, the method of linking risk to planning action may not be. Using the risk maps combined with the idea of a risk focus lets us neatly and simply assess the priority of planning efforts in response to risk. The link between a reasoned risk analysis and recovery planning is essential if we are to develop a rational plan of action.

After we prioritize our exposures, we can tailor our plans to the risk at hand. This concentrates scarce planning resources in the areas where they will be most effective. Obviously, we can't plan for everything. A focus on risk at least assures us that we will be planning for the most important things. This is in contrast to the 'be ready for anything' approach. Those planners that attempt to plan for everything usually end up planning for nothing. A scattershot approach subjects the planner to an infinite, and hence unknowable, number of potential disruptions.

The ability to demonstrate the prioritization process is also a valuable tool for making our efforts clear to management. The first step in 'selling' a business continuity plan to management is making people aware of the risks that face the organization. That is what risk assessment is all about. Equally important is the ability to present a cogent plan of action. This is where the prioritization process comes in. We need to show how our proposed activities 'fit' the risk assessment.

Once we determine our priority exposures, we can use a wide variety of available planning resources that specifically address these exposures. This not only allows us to concentrate our efforts, it also lets us focus on the methods most useful for dealing with a particular exposure. Some exposures, of course, share a commonality of response. For example, destruction of property due to a variety of natural perils can result in similar responses. We can combine these with the prioritization in mind.

Overall, prioritization based on the risk focus provides us with a guide to better disaster recovery planning. It provides a rigorous link between risk assessment and action that is easily understandable. This promotes greater acceptance of the planning effort among stakeholders, including senior management and those affected by the plan. When the people who are expected to implement the plans have faith in them, they will work better when the time comes to use them. Good disaster recovery plans, in turn, assure the survival of our organization.

Mark Jablonowski, ARM, CPCU, is Risk Manager for Hamilton Sundstrand, a manufacturer of aerospace and industrial products with over $3 billion of sales worldwide. Hamilton Sundstrand is headquartered in Windsor Locks, Connecticut. Mr. Jablonowski has over 20 years of experience in risk management, risk assessment and contingency planning.