DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Is it the probability or the consequence of an outcome that drives our actions? Often, when trying to introduce awareness of the need for a business continuity program we are confronted with such responses as:

- What is the probability of that ever happening?
- We have never had a disastrous event in our history! What makes you think we will have a disaster in the future? And so forth …

Have you ever stopped to think about the legitimacy of these questions? Are they merely a test of our resolve and understanding of human logic, or are they something more? Let’s look at each of these views and their relationship to business continuity.

Probability

The probability of an outcome is a very important principle in our business continuity program (BCP). Our BCP comprises two agendas – protection and continuity. Protection consists of putting into place viable measures to defend us against known threats that exist in our environment. To do this we evaluate the probability of specific events occurring that could disrupt or destroy our operating environment. If the probability is high, and the effect (consequence) is high, we look at cost-effective measures to shield us against incurring the possible effect. Of course, the cost of our mitigation measures cannot be greater than the estimated cost of the possible effect. The cost of providing 100 percent protection against all possible threats is usually prohibitively expensive. Additionally, the resulting measures would probably encumber our ability to carry out day-to-day operations in an efficient and cost-effective manner.

 

 However, if a real threat is unknown, we will not necessarily carry out any measures to protect ourselves against that threat. Consequently, that is why we have the continuity facet to our program, to provide us recoverability against all possible threats. The continuity agenda exists to safeguard us should our protection measures fail us or we incur the wrath of a threat we did not consider.

The second role that probability plays in our BCP is in the development of viable business continuity or recovery strategies. We need to develop business continuity or recovery strategies that provide us a high-probability of being successfully carried out in case of a disruption of operations or a disastrous event.

This includes such considerations as having adequate availability of sufficiently skilled and trained personnel, access to critical information and resources, and timely access to an alternate location.

For example, we would not place critical recovery resources in an off-site storage location that is subject to a high risk or threat, or that is highly likely to suffer disastrous consequences from the same event that disrupts our critical operating site. This could occur if we were to locate our off-site storage facility in a known floodplain, if both sites were in the same utility power grid, or both sites were in alignment with the path that tornadoes are known to frequent in the area, etc. Performing risk assessments using the principles of probability provide us a basis for making more viable strategy selections.

However, the knowledge of all possible threats is unknown, and probabilities are only a compilation of past experiences with qualifying assumptions. They do not necessarily represent the possibility or consequences of events in the future.

Consequence

Consequence is the fundamental basis of our BCP. To establish the requirements for our program we do a business impact analysis (BIA). The BIA is the gathering and evaluation of information about the organizational consequences of interrupting our day-to-day business functions and processes. This evaluation provides us a sense of the relative criticality and importance of all our functions, processes and resources as they relate to the functioning of the whole organization.

Additionally, it provides a clear business rationale and cost justification for the development and selection of cost-effective business continuity and recovery strategies. This is because learning the financial impact of disrupting functions and processes is an important part of the BIA

Project.

Consequence is also the fundamental basis for how we tend to manage our day-to-day lives and make life-important decisions. For example, why is it that we do not usually purchase any measurable life insurance coverage until after we enter into the commitment of marriage? Then we continue to increase that coverage as our family continues to grow. Is it because we are concerned with the probability of our mortality, which is one or 100 percent? Or, is it because of the consequence that our absence would have on our family unit? Additionally, why do we couple a financial plan and a will along with our insurance program to address a specific approach for carrying out the disposition of our estate? Sounds like a family continuity program to me! How is that different from a business continuity program? Why should we look at business continuity any differently? Is one more important than the other?

We can continue to site examples of our consequence-based world and behavior. For example, we often relate crime and punishment consequentially (e.g., If you can’t do the time, don’t do the crime, etc.). We bet on long shots at the track, on the lottery, and other gaming events. Surely, this is not because of the probability of losing. Is it not the consequences of winning?

What is the real question?

Why do we selectively decide to play the probability card when it comes to supporting business continuity? Is it to diffuse the spending of monies on something that does not appear to support getting product and services out the door?

Experience shows us that development of a sound business continuity program provides us with better business processes for day-to-day operations and greater resiliency from the consequences of day-to-day interruptions. So that can’t be the issue.

Does our management team truly believe they are invincible? Do we not believe in ensuring our own mission, vision, and values statements that proclaim that we will always be the best provider to our customers, employees, and stakeholders? What do you think?

Disruptions do occur and they continue to emanate from the most obscure and unknown events and threats. In a perfect world we would know all the threats that face us and could predict the probability of their occurrence to manage our daily lives. But we do not live in such a place. Our world will always be vulnerable, either directly or indirectly from the misfortune of others, to the consequences of disruptions that we can only partially predict or control.

So, what is the real question? Do we believe it is prudent to manage your organization in such a manner so as to ensure continuity and perpetuity, or are we only there for the short-term without regard for the welfare of our customers, employees, and stakeholders?

If we take the latter view, it will be a short-term relationship for both our organization and us! Most importantly, business continuity is not the responsibility of one individual or even a team.

Every employee, manager, and officer of the organization must be held accountable to ensure success. Like safety and security, it does not work unless everyone believes it is important and consequential. But once we all believe, the resulting consequences are preferable for everyone. This we know with a probability of one!


Barney Pelant, MBA, MBCP is founder and managing director of Barney F. Pelant & Associates, a practice dedicated to business continuity planning and development for mid-sized and Fortune 500 companies. For more information call (630) 894-6989 or e-mail Barney at This email address is being protected from spambots. You need JavaScript enabled to view it..