Following on from our earlier blog about the role of risk management and using operational risk software in business resilience and business survival, here Tony and John give a high profile example from their book Mastering Risk Management, and go on to outline how to prepare for responding to a critical event…
It is often said that a business survival plan is like a fire extinguisher – it sits inert, possibly for years, but must be there and working when needed. As a plan must work under all circumstances, not just ideal ones which by definition will not exist at the time, it needs to be tested as fully as possible – to the limit in critical areas.
That is why Nissan were able to keep their global operations running when on 11 March 2011 a 9.0 magnitude earthquake hit Japan and three nuclear reactors at Fukushima Dai-Ichi experienced Level 7 meltdowns. The disaster was three calamities in one – an earthquake, a tsunami and a nuclear emergency.
Most companies could not cope with that, but Nissan was a company reborn from crisis, when it was almost bankrupt in 1999. Renault bought 37% of Nissan’s outstanding stocks and revitalised the management team. As a result:
■ They put in place an effective contingency plan and a Global Disaster Headquarters, including earthquake simulation training, being a priority on human life.
■ Decentralised supply chain structure, but imposed strong central control and coordination when crises occurred. That ‘crisis mentality’ helped them during the 2007/2008 global banking crisis, the Fukushima Dai-Ichi and the Thai floods in 2011.
■ The Global Disaster Headquarters allowed management to make empowered decisions without lengthy analysis from central authority. That was seen on 11 March 2011, when they launched their Control Headquarters just 17 minutes after the earthquake occurred.
How you respond to an incident is critical
When a threat turns into an incident, it will generate a response. The incident will come down to be variations on: loss of premises, staff, equipment, systems, a production line, key suppliers or outsourced activity. The business survival plan formulates those responses. The importance of each response is a mix of the results of the business impact assessment and the sum of the likelihood of the threats associated with it.
It is probably helpful to consider the options under headings, such as these:
■ business activity and process levels
■ infrastructure – power
■ infrastructure – data and systems
■ infrastructure – utilities.
As the answers come, you should also review your current appetites. Finally, having answered the questions, you need to integrate them to give a holistic view.
Business activity and processes levels
What levels of business activity are acceptable, for what periods of time? Use a series of levels starting with ‘business as usual’, through one or more ‘emergency levels’ down to ‘no business’. What’s the response capacity? How much of it can be used or is available? Are there activities which can be mothballed? Similarly, what is the capacity of processes in an incident? What levels of processes are acceptable, for what periods of time?
Business survival critically involves human issues (including families of staff). In considering your strategy, always remember that human safety is paramount, both physically and psychologically. The Covid-19 pandemic has meant that leaders have been showing compassion to their teams. But it doesn’t need a pandemic to show that. Think of the emotional implications. Will there be sufficient staffing in the event of a pandemic, when significant numbers may be quarantined? Will there be sufficient staff in the event of no transport or very limited communications, such as mobile phones? Does everybody know and understand their role in the event of an incident? Are sufficient staff trained to carry out critical functions, including the deputies? In particular, are new hires trained during their induction? Are people trained sufficiently if they find themselves in a new location?
What alternative locations are there? These could range from a mirrored site for immediate use with minimum downtime to working from home. For most, it will probably involve relocating to a different site, often a syndicated site. If you have chosen syndicated back-up facilities, will they be available for all the people who might need them in the event of a ‘wide-area’ event? How many times has each seat been contracted out in the event of an emergency? How does the provider assess priorities? Is there an exclusion zone in the contract that means that you are the only user of the syndicated facilities within, say, 400 metres? For each kind of alternative site, the important thing is for it to be outside the risk zone of the primary site, and with separate sources of critical supplies of telecommunications, power and water. However, if it is too far outside the risk zone, significant travel by large numbers of staff may be required. The expense of this travel (and possibly accommodation) can lead to potentially fatal delay in invoking the plan. If the usual, main location is unavailable, as with the pandemic, is it secure? We need to protect assets.
Another lesson from major, wide-area incidents, such as 9/11, is that mobile phone networks cannot handle the concentrated traffic. That means considering the whole range of alternatives: digital and analogue land line telephones, mobile phones (with a reserve of spare batteries), satellite phones, websites, Zoom, Meets etc. In so many ways Covid-19 is easier. A cyberattack or a terrorist attack is more difficult. How will the crisis management team keep themselves up to date? How will you communicate with staff away from the main site – whether at the alternative site or at home? You need both a system and a culture to make sure messages can be sent from both top down and bottom up. Who communicates in a timely way with key stakeholders such as the workforce (most critically), suppliers, customers, service providers, financiers, the media or, if appropriate, regulators? They all need a continually updated conversation.
Infrastructure – power
Will there be sufficient backup power? You might appear to have sufficient backup electrical power. However, the utility company might be using steam power for the firm’s air conditioning system, which may fail as a result of the general lack of electrical power.
Infrastructure – data and systems
How will we ensure systems and up-to-date data will be in place and available for use? What backup data centres exist? Which systems have fallbacks in remote sites? Which systems have backups offsite? Outdated or weak infrastructure, or increasing system capacity, will fail when you need them most. Firms relying on old or siloed systems will result in limited capabilities in an incident. A priority is to maintain the integrity of critical data in the event of a cyber event, including legal and regulatory requirements relating to data protection and confidentiality. The incident can be simply a programming error. Even a tech-savvy firm such as Facebook in March 2019 had an outage which resulted from a ‘server configuration change’ and was out for their millions of customers for over 24 hours.
Infrastructure – utilities
In the event of an incident will we be able to rely on utilities such as power, transport and telecommunications? Are there alternatives? If we depend on them, have we tested the availability of supporting infrastructure?
The results of the exercise should enable you to identify a preferred recovery strategy for each response trigger and assess the effectiveness both of the strategies and of the controls you have in place for mitigating an incident. The strategic decisions will drive your responses, your investments and your risk appetite. The target is to restore the business in the shortest period possible – as was ably demonstrated by Nissan in the example above.
* Peter L. Bernstein, Against the Gods (New York: John Wiley & Sons), 1998.
Taken from Mastering Risk Management by Tony Blunden and John Thirlwell and published with kind permission from Pearson Education Published. Readers of this blog are entitled to a 25% discount on Mastering Risk Management through the following URL: https://www.pearson.com/en-gb/
In our next blog, Tony and John talk about the importance of external risks and horizon scanning.
RiskLogix Solutions Limited
RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.
167 City Road
+44 207 377 2250