November 10, 2009
Big Medicine is published by Team EMS Inc.
The views expressed here reflect the views of the authors alone, and do not necessarily reflect the views of any of their organizations. In particular, the views expressed here do not necessarily reflect those of Big Medicine, nor any member of Team EMS Inc.
VIEWS: GEARY SIKICH
Positing* Business Continuity as a Strategic Initiative [Nov 18 06]--For the vast majority of business continuity professionals the process of defining business continuity has largely focused on analysis (Business Impact Assessment), Plan development, Plan Validation (testing) and Plan maintenance. This is a familiar cycle that we all have used for services that our clients have requested. This article is designed to provide some ideas that will provoke an exchange amongst peers, some conceptualizations based on the evolution of enterprise risk management and some thought leadership (this hopefully will be the end result) regarding where we need to focus
Business Continuity Planning: A Strategic Tool
In today’s demanding business environment Senior Management needs tools that will help it with strategic issues that will define and ultimately protect their markets. Business Continuity can be that strategic tool. As a former strategic planner for a corporation told me, “we did not have IT at our strategic planning meeting every year. It was at that meeting that we outlined new strategies and reviewed the effectiveness of existing strategies given the changes that regularly and rapidly occur in markets, competitive products and international competitors.”
In the normal cycle of business continuity plan development we accomplish, through the Business Impact Assessment, an identification of “Mission Critical Assets”. Generally these are in the form of systems and applications that are considered essential. Figure 2, entitled, “Miss-Assessed?” highlights the general BIA areas of assessment. Please note all the areas that are not highlighted! Assets are only useful when intellect is applied. For example, all the information about a company’s financial assets is only useful if one has the intellect to apply that information in such a manner as to benefit the user. It was posited at a recent presentation, “Would you rather have $500 or a 256 meg thumb-drive?” Initial reactive responses were “I’ll take the $500.” With some thought, many answered the question, “Well it depends on what is on the thumb-drive.” My perspective is this; it does not matter what is on the thumb-drive unless you can use it to your
Developing a strategic plan for a company will focus on all the areas in figures 1 and 2, so if business continuity planning is supposed to ensure the resilience of the business, why do we not include in the business impact assessment these other areas to any great degree?
That is “Business Continuity”
Speed, intangibles and connectivity, according to the authors of “Blur” published in March 1998, were going to be the driving force in the economy beyond 2000. Speed is the first critical characteristic. Our highly mobile society operates at greater speed, allowing us to conduct business worldwide. Speed also impacts an organization’s ability to develop, implement and manage strategic initiatives. So if we are basing our business continuity plan on an incomplete or limited analysis of the business, can we expect it to be valid?
Connectivity is the second critical characteristic. Supply chains, outsourcing, etc. are interdependent systems (utilities for example). We in the United States import more of our daily necessities than we produce domestically.
The third critical characteristic is Intangibles. Today’s business environment is the product of thousands of years of forces acting on it. The worldwide economy. In economics, arbitrage is the practice of taking advantage of a state of imbalance between two or more markets: a combination of matching deals are struck that capitalize upon the imbalance, the profit being the difference between the market prices. Why not take advantage of imbalance – a crisis – as an essential element of your business continuity strategy? Companies regularly invest their capital in the markets. Shouldn’t part of the BIA, the plan and the implementation of the plan during a crisis involve strategically directed investing (hedging, derivatives, arbitrage, etc.) as a part of the business continuity toolbox? Strategic investing, Options, Arbitrage, Short-Selling, Derivatives, etc. have long been part of the CFO’s risk management conceptual framework.
Let us look at the business continuity cycle and reflect on how the three legal constructs relate and potentially impact current business continuity practices.
The first is “Constructive Knowledge”, defined in Black’s Law Dictionary thus: If one by the exercise of reasonable care would have known a fact, he is deemed to have constructive knowledge of such fact; e.g. matters of public record.
When we do a BIA have we not created a roadmap of constructive knowledge? We identify “Mission Critical” assets. We diligently produce volumes of planning material to support how we are going to protect these “Mission Critical” assets. Why have we not developed sophisticated strategies for investing during a crisis? Perhaps it is because we have not truly identified “Mission Critical” assets, even though we have constructive knowledge by the exercise of reasonable care (due diligence) in our BIA and planning efforts.
The second is “Constructive Notice”, defined in Black’s as: “Such notice as implied or imputed by law, as in the case of notice of documents which have been recorded with the appropriate registry of deeds or probate. Notice with which a person is charged by reason of the notorious nature of thing to be noticed, as contrasted with the actual notice of such thing.”
We seek to comply with regulatory requirements, ISO standards, best practices, standard of care concepts, etc. as part of the business continuity planning cycle. We have therefore addressed constructive notice in our continuity plans (Sarbanes-Oxley, Basel II, etc.). Are we putting ourselves on notice by not developing strategies that address all of the “Mission Critical” assets instead of only those that are focused on systems and applications recovery?
The third is “Negligence”, defined in Black’s as: “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”
"That it is logically true need not be argued before a mathematician; that it is not trivial is attested by the thousands of important and intelligent men who have never been able to grasp the doctrine for themselves or to believe it after it was explained to them." — Paul Samuelson
Prudence is occasionally an actual test, but it usually refers to a set of criteria used to measure an investment or enterprise against specific standards. The objective is to determine whether the investment or enterprise is worth pursuing or investing in by judging how well it meets the challenge established by the judgment criteria. Prudency testing in business continuity should refer to the ability of the business continuity plan to stand up to public scrutiny before it is allowed to continue beyond a conceptual phase. It should also refer to testing and validating that a company sets for itself before deciding whether to proceed with a particular business activity. Can we actually say that we are not negligent as continuity planners, when we fail to identify strategic options that will ensure the capability of the enterprise to continue as a “going concern”? Or, that we fail to understand the intricacies of business interruption insurance and contingent business interruption riders? Or, that we do not consider strategic scenarios, but rather sell tactical level response as a strategy?
In his book, “The Collapse of Complex Societies”, Joseph A. Tainter states, “Human societies and political organizations, like all living systems, are maintained by a continuous flow of energy.” He further states, “More complex societies are more costly to maintain than simpler ones, requiring greater support levels per capita.” If the business continuity plan purports to provide resilience, continuity of operations, “all hazards”, etc., then we need to ensure that all options are available to decision-makers when the plan has to be activated.
Concluding Thoughts – Business Continuity Myth or Magic?
Current research indicates that a small portion (5%) of businesses today have continuity plans, but virtually all realize they are at risk of something bad happening. Do the 95% of businesses that do not have continuity plans know something that the 5% that do have continuity plans do not know? Or are they relying on other options that they feel will give them greater flexibility, more protection and the assurance of continuing as a going concern?
In today’s demanding business environment Senior Management needs tools that will help it with strategic issues that will define and ultimately protect their markets. Business Continuity is that strategic tool. As a colleague, John Stagl, a former strategic planner for a corporation said, “I can tell you we did not have IT at our strategic planning meeting every year. It was at that meeting that we outlined new strategies and reviewed the effectiveness of existing strategies given the changes that occurred in markets, competitive products and international competitors”. That is “Business Continuity”. The Center for Resilience at The Ohio State University defines a resilient enterprise as:
“A resilient enterprise has the capacity to overcome disruptions and continually transform itself to meet the changing needs and expectations of its customers, shareholders and other stakeholders.”
Center for Resilience, Ohio State University
We as continuity planners have a responsibility to protect the organizations we develop plans for by facilitating continuity planning and preparedness efforts that avail themselves of all creative mechanisms that will ensure “resilience”. Using their status as “leaders,” senior officials, senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis – and that may well include strategies and options that we currently do not include in the business continuity plan, not because they do not exist, but because we have chosen to limit our understanding of what continuity means. Today we cannot merely think about the plannable or plan for the unthinkable; we must learn to think about the unplannable, and we must begin to incorporate risk reduction strategies that include the ability to quickly and efficiently implement, as an example, investment strategies as an integral element of the business continuity practice.
* 1 put forward as fact or as a basis for argument. 2 put in position; place. — ORIGIN Latin, ‘placed’, from ponere. from the Oxford English Dictionary
Drabek TE, Tamminga HL, Kilijanek TS, Adams CR. Managing multi-organizational emergency responses: emergent search and rescue networks in natural disaster and remote area settings. Natural Hazards Research and Applications Information Center. University of Colorado, Boulder CO, 1981
Meyer, Gerald C., "When it Hits the Fan: Managing the Nine Crises of Business," 1986
Davis, Stanley M., Christopher Meyer, Blur: The Speed of Change in the Connected Economy, 1998
Mitroff, Ian, I., Avoid "E3" Thinking, Management General, 1998
Mitroff, Ian, I., Smart Thinking for Crazy Times: The Art of Solving the Right Problems, 1998
Sikich, Geary W., The Financial Side of Crisis, 5th Annual Seminar on Crisis Management and Risk Communication, American Petroleum Institute, 1994
Sikich, Geary W., Managing Crisis at the Speed of Light, Disaster Recovery Journal Conference, 1999
Sikich, Geary W., Business Continuity & Crisis Management in the Internet/E-Business Era, Teltech, 2000
Sikich, Geary W., What is there to know about a crisis, John Liner Review, Volume 14, No. 4, 2001
Sikich, Geary W., The World We Live in: Are You Prepared for Disaster, Crisis Communication Series, Placeware and ConferZone web-based conference series Part I, January 24, 2002
Sikich, Geary W., September 11 Aftermath: Ten Things Your Organization Can Do Now, John Liner Review, Winter 2002, Volume 15, Number 4
Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002
Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003
Sikich, Geary W., “It Can’t Happen Here: All Hazards Crisis Management Planning,” PennWell Publishing, 1993.
Sikich, Geary W., "The Emergency Management Planning Handbook", McGraw Hill, 1995.
Sikich, Geary W., “A new planning paradigm: Economic Consequences of a Pandemic,” Continuity Central, 2005 (also published in Disaster Resource Guide and Continuity Forum, 2005).
Sikich, Geary W., Stagl, John M., “Are we missing the point of pandemic planning?”; Continuity Central, December 2005.
Sikich, Geary W., “Continuity of Leadership: Repopulating Your Chain of Command”; XBHR Newsletter, December 2005.
Sikich, Geary W., “Supply Chain Continuity”; Supply & Demand Chain Executive, February 2006.
Tainter, Joseph A., “The Collapse of Complex Societies,” Cambridge University Press, 1988; Eleventh reprint 2004.
Integrating Business Continuity Criteria into Your Supply Chain [Jun 4 06]--Introduction. Most organizations have a supply chain that is a mix of competencies, from manufacturing to professional advisory services. Developing business continuity strategies and embedding business continuity processes into an organization’s procurement process can enhance the organization’s ability to actively assess vendor capabilities. By creating a flexible framework for augmenting, retaining, or shedding vendor competencies in order to assure supply chain integrity, the organization can meet customer demand, customer expectations and generate consistent performance.
No one company can deliver end-to-end products and/or services in today’s complex business environment. Your company, like other companies, is most likely dependent on vendors of various types (manufacturing, professional services, software, transportation, etc.) to meet customer expectations. Four basic assumptions form the underlying premise for this article:
Complexity: Companies today are complex and their procurement processes are complex management systems operating within multiple networks
Touchpoints: All of a company’s touchpoints (downstream & upstream) within its networks must be considered to effectively evaluate risks, threats, hazards and vulnerabilities to determine the effects and consequences of degradation on the entire system
Responsiveness: Actions at any given level within the network may be inadequate unless the entire network responds in kind
Resource Constraints: Most levels and groups within the company and the supply networks supporting the company lack the resources and specialized skills to know what to do to maximize operational resilience within the network
The integration of vendor business continuity capability as part of the procurement process is becoming an integral part of company strategy. Effective business continuity strategies, like supply chain assurance, need to be designed. Integrating business continuity principles and concepts into a company’s business portfolio planning process and at each stage of the product/service life cycle can provide opportunities to enhance the procurement process, allowing your company to deliver superior products and/or services solutions to its customers.
Structure – a key element
Identifying procurement touchpoints (internally and externally) needs to be one of the first steps in the process. Developing a custom fitted questionnaire for vendors as well as internal stakeholders can provide a basis for moving forward. Applicable policies, procedures, recognized “best practices” and regulatory requirements set the benchmarks from which metrics for assessing vendor business continuity capabilities can be developed. Integration criteria should be contained in the vendor’s contract; spelled out in specific terms.
Touchpoints – Internal and External
Identifying procurement touchpoints should be undertaken to assure that key continuity concerns are adequately addressed. Internal touchpoints may include any part of the organization that has direct and/or indirect interface with the procurement process. This would include customer relationship/service touchpoints, strategic planning, quality assurance, operations, human resources, legal, audit and, in some instances, the officers and board of directors of the enterprise. Identifying external procurement touchpoints may seem simple, but when you begin to identify vendors, you have to realize the components that allow the vendor to get their product or service to you are also touchpoints. Therefore, identifying external procurement touchpoints becomes more complex. In addition, due to the popularity of outsourcing today, we are finding that vendors are also outsourcing. A tiered approach to identifying external procurement touchpoints can facilitate organizing the process.
Vendor Continuity Capability Questionnaire
Developing the vendor continuity capabilities questionnaire needs to be carefully thought through. You are, in essence, creating a legal document that could contain sensitive information and must be protected. You are also creating a potential liability document for yourself.
Let me explain; the legal term, constructive knowledge is defined in Black’s Law Dictionary thus, “If one by the exercise of reasonable care would have known a fact, he is deemed to have constructive knowledge of such fact; e.g. matters of public record.” Constructive notice is defined in Black’s Law Dictionary thus, “Such notice as implied or imputed by law, as in the case of notice of documents which have been recorded with the appropriate registry of deeds or probate. Notice with which a person is charged by reason of the notorious nature of thing to be noticed, as contrasted with the actual notice of such thing.” Negligence is defined in Black’s Law Dictionary thus, “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”
With the type of information that you will collect in order to assess vendor continuity capabilities, your organization could be held liable, under the concepts of negligence (foreseeability), constructive notice, and/or constructive knowledge, for NOT taking action to mitigate potential losses.
The questionnaire that we have most often utilized consists of eight parts as highlighted below.
Part 1: Governance Provisions & Management Commitment
Part 2: Business Continuity Strategies: Developing and Implementing BCP
Part 3: Business Impact Analysis, Risk Evaluation & Control Mechanisms
Part 4: Maintaining Continuity: Training, Awareness, Exercising & BCP Updates
Part 5: Incident Response Operations
Part 6: Crisis Communications
Part 7: Coordination (External Entities)
Part 8: Vendor Certification
The length of vendor questionnaires will vary with the industry group represented and the depth of initial analysis that the procurement group chooses to perform. Generally, the questionnaires that have been developed for clients have contained approximately fifty questions. The questions are designed to require the vendor to provide quantifiable answers. Should the procurement group assessing the adequacy of the answers determine that there is a need for further analysis, a formal audit team is assembled to determine how to resolve the concern over vendor continuity capability.
Vendor Continuity Capability Assessment
During the course of assessment data will be collected, analyzed and developed into assessment findings and recommendations regarding vendor continuity capabilities. The data should be organized by Essential Element of Analysis (EEA) criteria that the organization establishes and uses to conduct data collection, analysis and evaluation. Examples of typical EEA are summarized below.
Organization: As defined herein refers to the current procurement process, vendor roles/responsibilities and deliverables during the procurement process life-cycle and current criteria for the organization’s business continuity programs and plans.
Vulnerability Identification and Control: As defined herein refers to establishing minimum acceptable criteria for vendor vulnerability identification and control methodologies as these methodologies relate to vendor business continuity programs and plans and the ability of the vendor to integrate its methodologies on a sustainable basis with the client’s business continuity management strategy.
Continuity Strategy and Approach: As defined herein refers to the metrics developed and used to verify vendor integration of business continuity management program and plans with the client’s business continuity management strategy.
Documentation: As defined herein refers to the documentation of vendor business continuity management program and plan capabilities.
Resource Management and Development: As defined herein refers to the metrics for vendor validation of staffing (Business Continuity staffing) and associated vendor integration of continuity planning, resource development and awareness of continuity.
Continuity Maintenance: As defined herein refers to the procedures used to assure resilience of the vendor continuity process.
The overall objective of integrating business continuity criteria is to facilitate the ongoing development and implementation of enhancements to the procurement process including program management (normal operations and incident management operations), stakeholder communication and knowledge transfer associated with vendor business continuity management programs for vendors operating within your company’s procurement system.
In developing the overall design objectives careful consideration should be given to ease of use by procurement staff, other personnel and external parties (as appropriate). Three elements associated with enterprise assurance apply:
Strategic Element consisting of support for compliance efforts, communications to stakeholders (vendors, customers, internal groups, etc.) and strategic active analysis processes.
Grand Tactical Element consisting of support for implementation efforts, sustaining business operations, communicating upwards (internal focus), and grand tactical active analysis processes.
Tactical Element consisting of direct specific implementation steps, communication upwards (internal focus), external communications (vendor interface), mitigation of noncompliance/nonconformance and tactical active analysis processes (scorecards, vendor continuity questionnaire, etc.).
As with any process, negotiating continuity commitments may need to be addressed on a case-by-case basis. Once the evaluation process has been completed, it must be managed, enforced and monitored to assure continuity of operations compliance.
Procurement Planning Considerations
Procurement planning considerations will generally consist of the normal day to day functioning of the procurement process. Supply Chain Business Continuity integration elements should consist of a tiered evaluation structure focused on four aspects as presented in Figure 1, Supply Chain Business Continuity Elements. These elements consist of:
Comprehending and describing supply chain continuity requirements
Conducting business continuity capability assessments
Evaluating business continuity capabilities
Identifying actions to be taken
Each phase of the procurement process can be designated an Essential Element of Analysis (EEA), as defined previously. We recommend that each EEA incorporate in the scorecard process a tiered analysis structure consisting of Measures of Effectiveness (MOE) and Measures of Performance (MOP) to provide metrics for facilitating the scoring of vendor and potential vendor business continuity capabilities. A Measure of Effectiveness (MOE) is a metric that forms subgroups of information relating to specific areas encompassed by an Essential Element of Analysis. A Measure of Performance (MOP) is a data structure. Measures of Performance answer a specific question. Measures of Performance are grouped to form Measures of Effectiveness. Measures of Performance are measurable and observable, that is, they provide a quantitative basis for evaluation of a specific area. For example, a Measure of Performance might be, “What is the current credit rating for the Vendor under consideration?" Illustrative examples of the EEA – MOE – MOP structure are provided and discussed later in this report. Figure 2, Vendor Business Continuity Metrics, provides an illustrative example of these structural components.
Your company faces a variety of risks that have a potential impact on its supply chain assurance. These can be articulated as either internal or external as depicted in Figure 3, Internal and External Vulnerability Drivers.
These drivers and the ability to manage them (put into place contingency measures) often are interconnected. Understanding this potential interconnectedness is a key factor in assessing vendor business continuity capabilities. Internal and External vulnerability drivers can materialize in a variety of ways. Making vertical, horizontal and diagonal connections between drivers can provide a conceptual understanding and potentially reduce unexpected outcomes as you identify how risk is uniquely embedded in your company’s supply chain.
Risk can be context sensitive, as risk elements interact in different ways depending on the situation. Understanding the potential interaction of risk factors facilitates the ability to measure business continuity capabilities and plan for offsets that can be implemented should a disruptive event occur.
Figure 4, entitled, “Sample Roadmap for assessing vendor capabilities” is an illustrative example of a roadmap for the process of assessing vendor capabilities. The assessment process has been designed to provide a phased approach with progressively more detail accumulated at each phase of the procurement process. This assessment process can be easily embedded into your company’s procurement scorecard system, enabling you to incorporate vendor business continuity evaluation as an integral component of the procurement process.
As depicted in Figure 5, “Typical Procurement Process” the integration of recommended business continuity metrics in the procurement process should be related to the key elements of the procurement process. Incorporating the recommended business continuity capability assessment at each phase of the procurement process can help identify vulnerabilities, develop consequence management strategies, plans and implement mitigation strategies.
Upon conclusion of assessment at each phase of the procurement process you can evaluate vendor business continuity capabilities, allowing a “go/no go” decision based on measurable criteria. Prior to proceeding to the next stage in the procurement process the vendor will have been vetted, and the next stage evaluation can allow you to continue to refine the vetting requirements and gather more detail on vendor continuity capabilities. Having an in-depth understanding of vendor capabilities at each phase of the procurement process can allow critical decision-making at earlier stages of procurement and can thus enhance communications between you and your vendors regarding business continuity issues.
Embedding into the procurement process specific business continuity objectives, guidelines and assessment metrics can enhance decision-making, communications (vertical/horizontal) and resource management. In addition to the Vendor Continuity Questionnaire, you can develop worksheets that can be incorporated into each phase of the procurement process to further facilitate the assessment of vendor business continuity capabilities. The benefit of having vendor continuity capabilities catalogued and indexed is threefold. First, the company can begin to assess and quantify the risk impact of an event. Second, a determination of how long the risk exposure will last before the event is mitigated and/or the exposure is rectified. Third, a determination of potential recovery costs in terms of emergency actions can be estimated.
Early assessment and quantification of vendor, supplier, etc. business continuity capabilities is essential. In addition to the Vendor Continuity Questionnaire we have developed a set of nine Risk Analysis Worksheets. These worksheets are structured to build on the evaluation criteria in the form of Essential Elements of Analysis, Measures of Effectiveness and Measures of Performance. They are listed below.
Worksheet 1: Describe the Supplier
Worksheet 2: Determine Demand Risk
Worksheet 3: Determine Supply Risk
Worksheet 4: Determine Process Risk
Worksheet 5: Determine Control Risk
Worksheet 6: Determine Environmental Risk
Worksheet 7: Evaluate Implications
Worksheet 8: Identify Actions
Worksheet 9: LMSCARVER™ Supply Chain Risk Analysis
We recommend that your company and its vendors negotiate periodic assessments of sub-tier vendors (vendor’s suppliers) to further assure business continuity capabilities. This can be accomplished through contractual requirements executed at the initial stages of vendor engagement. Your company can utilize the Vendor Continuity Questionnaire and Risk Analysis Worksheets to facilitate consistency of the vendor’s depth analysis. Figures 6, 7 and 8 provide illustrative examples of depth analysis determination criteria.
Procurement Incident Management Considerations
The second part of the procurement process relating to vendor continuity should address incident management considerations. A vendor can complete the vetting process (Vendor Continuity Questionnaire, Risk Analysis Worksheets, Scorecard, etc.) and still experience a disruption that could affect your company’s ability to meet customer requirements (i.e., Philips, Ericsson, Nokia). Having an incident management system as a component of the procurement process can allow your company to respond, recover and restore supply chain operations with less potential for massive disruption. Incident management can range from assessing and classifying a vendor incident to implementing response actions, such as sending your personnel to vendor facilities to assist in incident mitigation processes.
Contingency alternatives can range from having backup response plans to alternative sources of supply. Once the connected risk themes are identified and evaluated, actions to address consistent themes throughout the procurement process can be taken. Identification of consistent risk themes across a number of risk dimensions can help to determine where your company should place significant effort to mitigate the risk exposure.
Disruptive events (figure 9) as they occur need to be classified by their level of severity in order to determine the potential impact they may have. A classification system can provide a consistent framework for evaluation; enhance the communication process allowing ease of communication between internal and external groups and facilitate response, management, recovery and restoration efforts.
In addition to the event classification system, an event assessment form can be incorporated; it would be used in conjunction with the Event Classification System for determining the event classification level and for facilitating discussion within your company and with the affected vendor(s). As depicted in figure 10, the degree of degradation of service minus the level of preparedness equals the time for recovery. The less prepared an organization is for service disruption, the longer it takes the organization to recover its operations and restore service levels. Having a classification system can enhance the ability to identify potentially disruptive situations early and determine how to respond effectively to minimize the level of service impacts.
The procurement process represents the first line of direct contact with vendors, suppliers, etc. Detection by procurement personnel at any stage of the procurement cycle of potential disruption and classification of severity can allow your company to implement its BCP plan and coordinate with the affected vendor to assure continuity of operations and to mitigate the disruptive event.
Early detection, classification and response can lead to less of a drop in service, a potential reduction in the chaos associated with a disruptive event, and shorter recovery and restoration timeframes. Figure 11 depicts the typical functions performed at various levels within an organization as it moves from response to restoration. This figure also depicts the focus for an organization at the tactical, grand tactical and strategic levels. At the tactical level the focus is generally, and should be, on event response and mitigation, while the need at the tactical level is for support from the next level (grand tactical). At the grand tactical level the focus should be on support for the tactical response.
Additionally, at the grand tactical level the focus should be on the prevention of cascade and containment of cascade effects on the organization. At the strategic level the focus should be on management oversight, coordination and facilitation of restoration of services. It is important to note that a key element in this vertical and horizontal process of detection, classification, response, management, recovery and restoration is seamless communications. Seamless communication is based on the adoption of common terminology and on the functions represented at each level, as shown in figure 11.
Phased Development and Integration
With any large scale project, such as the integration of vendor business continuity criteria into the procurement process, attempting to implement on a grand scale can lead to chaotic results. A phased approach to implementation and integration would generally consist of five phases:
Phase 1: Assessment & Vendor Continuity Questionnaire – deliverable: letter report with executive summary that will include discussion and recommendations based on the results of the review of Essential Elements of Analysis (Report).
Phase 2: Procurement Integration (vertical/horizontal) – deliverables: Procurement Management System Vendor Business Continuity Management Program and Plan Integration Criteria Guide (Tools) and Procurement Management System Vendor Business Continuity Management Program and Plan Integration Criteria Guide training program materials (Knowledge Transfer).
Phase 3: Monitoring & Enforcement – deliverable: Procurement Management System Vendor Business Continuity Management Program and Continuity Plan Integration Criteria Guide maintenance criteria (Sustainability).
Phase 4: Sustainability – deliverable: periodic metrics, event response reports.
Phase 5: Maturity Model Evaluation – deliverable: metrics for maintaining the process, change management procedures.
Assuring supplier continuity capabilities is of paramount concern today. Realizing that most business processes today extend beyond the boundaries of a single entity, awareness of critical supply chain interdependencies has risen sharply. Simply having profiles of potential high risk suppliers, while extremely important, is by itself not enough. Developing capabilities to assess and monitor vendors facilitates the active analysis process, providing predictive metrics to supplement the initial assessment process performed during the early stages of the procurement process. Active Analysis is a process that utilizes predictive metrics to identify potential problems before they occur.
Today business leaders have the responsibility to protect their organizations by facilitating continuity planning and preparedness efforts. Using their status as “leaders,” senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis.
Many people feel that the world has changed as a result of the events that took place on September 11, 2001; that we need to rethink our concepts of continuity and crisis management. Today we cannot merely think about the plannable or plan for the unthinkable, but we must learn to think about the unplannable.
Market research indicates that only a small portion (5%) of businesses today have a viable plan, but virtually 100% now realize they are at risk. Seizing the initiative and getting involved in all the phases of crisis management can mitigate or prevent major losses. Just being able to identify the legal pitfalls for the organization of conducting a crisis management audit can have positive results.
References and Endnotes:
“Key developments in the Firestone tire case.” (www.accidentreconstruction.com.).
Levene, Lord, "Changing Risk Environment for Global Business.” Union League Club of Chicago, April 8, 2003.
Meyers, Gerald C., When it Hits the Fan: Managing the Nine Crises of Business. (1986).
Mitroff, Ian, I., Avoid "E3" Thinking, Management General. (1998).
Mitroff, Ian, I., Smart Thinking for Crazy Times: The Art of Solving the Right Problems. (1998).
Palmer, Pamela, “When Is It Safe To Shred Unwanted Documents After Sarbanes-Oxley?” Wall Street Lawyer, Vol. 6, No. 8, Pgs. 15-19.
Perera, Valerie C. and Sikich, Geary W., “Controlling Crisis Will Determine Corporate Survival.” The Corporate Lawyer, Illinois State Bar Association, November, 2002.
Sikich, Geary W., “Managing Crisis at the Speed of Light.” Disaster Recovery Journal Conference (1999).
Sikich, Geary W., “Business Continuity & Crisis Management in the Internet/E-Business Era.” Teltech (2000).
Sikich, Geary W., “What is there to know about a crisis.” John Liner Review, Volume 14, No. 4 (2001)
Sikich, Geary W., “The World We Live in: Are You Prepared for Disaster?” Crisis Communication Series, Placeware and ConferZone web-based conference series – Part I, January 24, 2002.
Sikich, Geary W., “September 11 Aftermath: Ten Things Your Organization Can Do Now.” John Liner Review, Winter 2002, Volume 15, Number 4.
Sikich, Geary W., “Graceful Degradation and Agile Restoration Synopsis.” Disaster Resource Guide (2002).
Sikich, Geary W., “Aftermath September 11th, Can Your Organization Afford to Wait.” New York State Bar Association, Federal and Commercial Litigation, Spring Conference, May 2002.
Sikich, Geary W., "September 11th, Can Your Organization Afford to Wait?" GlobalContinuity.com, May 2002.
Sikich, Geary W., Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty. PennWell Publishing, (2003).
Understanding Supply Chain Risk; prepared by LCP Consulting in conjunction with the Centre for Logistics and Supply Chain Management, Cranfield School of Management, Cranfield University, United Kingdom, 2003.
Legislation, Regulations and their impact on BCP: “How to think globally while acting locally” [May 22 06]--Copyright© Geary W. Sikich 2006. World rights reserved. Published with permission of the author.
“Let us begin by setting aside the facts, for they do not affect the matter at hand” (Rousseau)
At its beginning, we have no doubt about the sources of authority. Will today’s all-encompassing anthill of international legislation and regulation give meaning, structure and order to businesses? Will business continuity as a profession evolve to take aim at the wide array of legislation and regulation that has combined to make such authority function? Or will we, like Voltaire’s six kings, claim attention through the assertion of our powerlessness?
Sarbanes-Oxley will probably be one of the most far-reaching pieces of legislation that has yet been enacted. The essence of Sarbanes is quite simple: compliance with all Federal regulatory matters. But how do you know what compliance is or what it ought to be? What about such international precedents as Basel or the ISO standards? The gap between “is” and “ought” is not accidental but systematic. It’s a gap that may leave us permanently torn.
Legislation, Regulations and their impact on the BCP profession
The myriad of compliance initiatives that organizations have to contend with today can leave one dazed and confused. Starting in the late 1960s with environmental, health and safety regulations having requirements for emergency preparedness, and continuing through today, the ever expanding requirements for greater preparedness seem without end. Today regulations such as NYSE rule 446 require firms to develop, maintain, review and update business continuity and contingency plans that establish procedures to be followed in the event of an emergency or significant business disruption.
The pursuit of understanding the legislative and regulatory morass often seems to lead us to the judgment that the regulators of the world exist to drive us mad. The search for compliance with new regulations often reveals the vices of the old, should we analyze them in sufficient detail. Let us look at the “morass” of legislative and regulatory initiatives from a few different perspectives. Table 1, “Regulations with BCP Implications,” depicts the legislative and regulatory impact on business continuity as a profession. I have attempted to simplify the tables by using three vertical levels (strategic, grand tactical and tactical) representing compliance in theory, and six horizontal levels representing compliance in practice as related to continuity requirements. Before we get into a discussion of the first table, some definitions of the terms used in this article are necessary.
Business Continuity, "All initiatives taken to assure the survival, growth and resilience of the enterprise."
Strategic Level, “Mission, vision, values; the direction the enterprise takes in order to achieve business continuity.”
Grand Tactical Level, “All initiatives taken to fulfill the strategy of the enterprise by a major element of the enterprise (i.e., business unit, operating division, etc.)”
Tactical Level, “The primary point of implementation of compliance initiatives.”
Table 1, “Regulations with BCP Implications”
• Public Perception
• Sudden Market Shift
• Product Failure
• Top Management Succession
• Cash Crisis
• Industrial Relations
• Hostile Takeover
• Adverse International Events
• Regulation - Deregulation
Note that the final form of crisis that Meyers lists is “Regulation – Deregulation”; I think that this is critical for understanding the strategic, grand tactical and tactical axis. A new study by PricewaterhouseCoopers and the Economist Intelligence Unit has revealed that too many financial institutions continue to fall short of first-class compliance and leave themselves extremely vulnerable to reputational damage with their customers, the regulators and other stakeholders. As part of the study, entitled 'Compliance: a gap at the heart of risk management', 160 executives responded to an in-depth global survey on the subject of compliance. Alarmingly, less than a fifth of survey participants considered awareness of compliance-related risks to be high across all parts of the business and fewer than a quarter were very confident with regulatory requirements and internal codes and policies.
As part of the study PricewaterhouseCoopers identified three key attributes that mark out an institution in the vanguard on compliance risk management:
Table 2, “Compliance Matrix,” depicts three levels on a vertical axis and six applications on a horizontal axis. At the Strategic level, business continuity planning needs to be viewed as an integral element of the overall strategy of the enterprise. For example, the popular “Balanced Scorecard” and strategy mapping are ideal vehicles to begin to assess strategic implications for the enterprise when evaluating legislative and regulatory compliance initiatives. At the Strategic Level we should accomplish the following:
· OBJECTIVES: What is the goal of your compliance program? How can a continuity program benefit your organization and its key stakeholders?
· FOCUS: Which regulations specifically will your continuity program focus on? What capabilities are required to assure compliance? How will they be coordinated across the enterprise?
· VALUE: What metrics will you employ to measure the results and demonstrate the value of the
The Grand Tactical level should be involved in the information gathering portion of compliance and the implementation of “checks and balances” to assure that compliance is being adhered to. The Grand Tactical level provides an excellent opportunity to interview and receive input from others that you may not often interact with. This will give you exposure with those executives while allowing these executives to participate in the development of the continuity program and “buy in” to the ultimate outputs of the Strategic level initiatives because they have a vested interest in seeing it
With the above definitions as a starting point, let us venture to the first table. Table 1 depicts three levels on a vertical axis and six applications on a horizontal axis. At the Strategic level, business continuity planning needs to be viewed as an integral element of the overall strategy of the enterprise. For example, the popular “Balanced Scorecard” and strategy mapping technique are ideal vehicles to begin to assess strategic implications for the enterprise when evaluating legislative and regulatory compliance initiatives.
Table 2, “Compliance Matrix”
What does all this mean for the business continuity profession? The proliferation of regulations at the Federal, State and local level should mean that the business continuity profession will have to expand. These regulations should mean that business continuity professionals will have a greater influence on the organizations that they are employed by or that they provide consultation to. They also mean that business continuity professionals will have to become more educated in their chosen profession. They mean that business continuity, as it is variously defined, will have to rethink its basis and redefine itself.
For business leaders, they mean that an “integrated” approach to business continuity, one that makes business continuity planning an integral part of the business process, should be a priority. Today business leaders cannot afford to let regulatory compliance go unanswered. Sarbanes-Oxley and other legislation have elevated compliance initiatives to the senior management and board of director levels.
U.S. regulations and legislation, such as the Patriot Act, Vital Interdiction of Criminal Terrorist Organizations Act, HIPAA and privacy regulations, will have far-reaching impacts on everyone. Add to the mix international regulations and legislation and you have a volatile combination. Business leaders should ask, “In a world of earthquakes, can we count on contingency to work in our favor?” Business continuity professionals need to ask, “Can I afford not to know what compliance means?”
When developing a strategic continuity plan to address legislative and regulatory initiatives for your enterprise, make sure you consider the following areas.
A new planning paradigm: Economic Consequences of a Pandemic [Feb 19 06]--Copyright© Geary W. Sikich 2005. World rights reserved. Published with permission of the author.
At present the transmission of H5N1 has been limited to animal/human transmission. This has limited the number of people who have become infected by the virus. Mortimer B. Zuckerman writes in the New York Daily News on 20 June, 2005, in his article entitled, “A Nightmare Scenario – H5N1 Pandemic” the following excerpt:
Should we sound the alarm for a worldwide epidemic that might not occur? There is no choice with the avian flu emerging from Asia. Should it adapt to be able to be transmitted from human to human, international health experts warn, bird flu could spark a global pandemic, infecting as much as a quarter of the world's population and killing as many as 180 million to 360 million people - at least seven times the number of AIDS deaths, all within a matter of weeks.
There are three elements to a pandemic. First, a virus emerges from the pool of animal life that has never infected human beings, meaning no person has antibodies to fight it. Second, the virus has to make us seriously ill. Third, the virus must be capable of moving swiftly from human to human through coughing, sneezing or just a handshake.
The outbreak in Asia is not expected to diminish significantly in the short term. It is likely that H5N1 infection among birds has become endemic to the region and that human infections will continue to occur. So far, no sustained human-to-human transmission of the H5N1 virus has been identified, and no evidence for genetic re-assortment between human and avian influenza virus genes has been found.
It should be noted that the types of antiviral drugs that may be effective against H5N1 (bird flu) may have been diminished since April as the result of giving Tamiflu, one of the antiviral drugs, to infected birds in Asia. This should be of concern, as Tamiflu is being stockpiled by many countries as their first line of defense against H5N1.
If H5N1 has a mortality rate even half of its current rate, estimates of the deaths worldwide will range from 40,000,000 to 100,000,000. Even more important, experts are predicting that the morbidity rate will be around 33% of the population. In the United States, current medical facilities would be overwhelmed having to support over 80 million sick individuals.
But the World Health Organization issues these warnings all the time
A recent Reuters story entitled “Bird flu 'resistant to main drug'” reveals that H5N1 is showing resistance to Tamiflu. An article carried by The Lancet entitled “H5N1 influenza pandemic: contingency plans” (The Lancet 2005; 366:533-534 DOI: 10.1016/S0140-6736(05)67080-8), written by Drs. Kenneth WT Tsang, University Department of Medicine, University of Hong Kong, Queen Mary Hospital, Pokfulam, Hong Kong SAR, China, Philip Eng, Department of Respiratory and Critical Care Medicine, Singapore General Hospital, Republic of Singapore, CK Liam, Department of Medicine, University of Malaya Medical Centre, Kuala Lumpur, Malaysia, Young-soo Shim and Wah K Lam, Department of Internal Medicine, Seoul National University College of Medicine, Korea, is highlighted below:
The current epidemic of the highly pathogenic H5N1 strain of avian influenza, with a mortality of 58%, appears relentless in Asia, particularly in Vietnam and Thailand.1 Although inefficient, there is some evidence of human-to-human transmission for the H5N1 virus.2 A possible catastrophic pandemic could, therefore, emerge should re-assortment of viral antigens occur resulting in a highly infectious strain of H5N1. Influenza pandemics in 1917–18, 1957–58, and 1968–69 have already caused approximately 15, 4, and 0·75 million deaths worldwide, respectively.
Governments and health agencies should also consider planning for clinical trials, for instance a combination of both neuraminidase inhibitors, with or without other potential novel drugs, such as short interfering RNAs and interferon.3 These trials, if initiated at the early stages of a pandemic, could provide useful information for further patient and outbreak management in later stages. The geographic location of vaccine manufacturers in developed countries would also delay poorer Asian nations from obtaining the updated influenza vaccine. Perhaps vaccine and neuraminidase inhibitor manufacturing activities should also begin in Asia to deal with such deficiencies. The ethics of maintaining drug patents in a potential worldwide catastrophe is questionable. Epidemiological modelling suggests that influenza is more infectious than severe acute respiratory syndrome, and that severe acute respiratory syndrome infection control measures might not be adequate for a pandemic of influenza.17 There will, therefore, be an overwhelming strain on health-care workers and hospitals in an H5N1 pandemic, and staff could be rapidly demoralised and degenerate into deserters, if colleagues develop hospital-acquired H5N1 infection, especially if not given adequate intensive-care unit treatment.18 Protection of core personnel should also be planned to underpin recovery in the aftermath, when many key players in health care and governmental institutions would have perished.
A plan developed by the Bush administration to deal with any possible outbreak of pandemic flu shows that the United States is woefully unprepared for what could become the worst disaster in the nation's history. A draft of the final plan, which has been years in the making and is expected to be released later this month, says a large outbreak that began in Asia would be likely, because of modern travel patterns, to reach the United States within "a few months or even weeks."
Pandemic – Business Continuity Planners what are you doing?
Helen Branswell of the Canadian Press wrote on August 17, 2005 in her article entitled, “Flu pandemic could trigger second Great Depression, brokerage warns clients”:
A major Canadian brokerage firm has added its voice to those warning of the potential global impact of an influenza pandemic, suggesting it could trigger a crisis similar to that of the Great Depression.
"We won't have 30-per-cent unemployment because frankly, many people will die. And there will be excess demand for labour and yet, at the same time, it will absolutely crunch the economy
A leading voice for pandemic preparedness said the report is evidence the financial and business sectors - which have been slow to twig to the implications of a flu pandemic - are finally realizing why public health and infectious disease experts have been sounding the alarm.
"All the other catastrophes we've had in the world in recent years at the very most put screen doors on our borders. This would seal shut a six-inch steel door," Osterholm said.
Cooper, a highly influential figure in the Canadian financial sector, wrote the report with Donald Coxe, a global portfolio strategist for BMO Financial Group.
They warn investors the economic fallout out of a pandemic would inflict pain across sectors and around the globe.
Airlines would be grounded, transport of goods would cease, the tourism and hospitality sectors would evaporate and the impact on exports would be devastating, Cooper wrote.
"This would trigger foreclosures and bankruptcies, credit restrictions and financial panic," she warned, suggesting investors reduce debt and risk in their portfolios to be on the safe side.
Absence of purchases due to illness and psychological reactions to a pandemic will present a new form of business impact that is currently not assessed as part of the traditional business impact assessment; and as such, it is not addressed in any business continuity, disaster, crisis management or recovery plans. Another area that has not been addressed in impact assessment or plans is the loss or restriction of a company’s revenue. Traditional plans start with an assumption that the marketplace is still viable; a potentially false assumption. Traditional plans are designed to get an organization back into their market as quickly as possible – RTO, RPO and MTO come to mind (RTO = Recovery Time Objective, RPO = Recovery Point Objective, MTO = Maximum Tolerable Outage).
In the case of a pandemic markets may no longer be viable. If your market is materially impaired, a consequence is that the revenue that is derived from that market may be restricted and/or completely gone.
In another article, published on October 7, 2005 (NewsTarget.com) entitled, "Economic Shock Waves From Avian Influenza Spreading Faster than the Disease" the following is pointed out:
The Avian influenza crisis in Asia has already caused more than $10 billion dollars in damage in the economies of the most-seriously affected countries, but this is just the tip of the iceberg compared with the possible global economic consequences of a human influenza pandemic according to a study, Thinking Ahead: The Business Significance of an Avian Influenza Pandemic, released today by Bio Economic Research Associates (bio-era™).
"According to the quantitative measures we developed for assigning relative economic risk exposure to infectious disease outbreaks for countries in Asia, Hong Kong and Singapore are especially vulnerable to the initial economic shock waves that would ensue from a pandemic," said James Newcomb, Managing Director and principal author of the bio-era report. "However, the secondary impacts on other countries, especially China, could have far-reaching impacts for economies around the world, including the US," he added.
Other key findings in the report include:
• Avian influenza is the latest in a series of major livestock disease outbreaks that have caused more than $60 billion in economic damages worldwide over the past 15 years.
• Concerns about a possible influenza pandemic are already providing stimulus for increased spending and accelerated research and development efforts in some parts of the economy, ranging from custom microarray chips for rapid diagnostic testing to antiviral drugs.
• Governments around the world have recently made commitments totaling an estimated $1.4 billion to stockpile oseltamivir (Tamiflu)—an antiviral drug produced by pharmaceutical giant Roche.
• Manufacturers of flu vaccines are gearing up for what may be an unprecedented global demand for a vaccine effective against H5N1 variants, but it is not known whether the vaccines being developed now would be effective against the influenza strains that might emerge.
• New "DNA vaccines" offer an alternative to conventional production technologies and could speed the vaccine industry’s ability to respond, but these technologies are not yet approved by FDA.
"We’ve been looking at how things might unfold under six very different but highly plausible scenarios for the evolution of the outbreak," said Stephen Aldrich, President of bio-era. "In the process, we’ve made assessments of potential outbreak risk by country, the relative economic exposure by country — and how selected industries and companies are likely to be affected."
We have not experienced this type of business problem in our lifetimes. The last generation to have to address such a widespread issue was that of our grandparents and parents during the Great Depression.
During the Great Depression the revenue component of the free enterprise system was significantly impaired. Just as important, today on a worldwide basis we do not have any leadership in business or government who has lived through the 1918 Spanish Flu Pandemic or the Great Depression and so that experience base is lost to us. Our best option, therefore, is to start to think about the possible problems we may have to confront and take steps to avoid or deal with them in our businesses. If we wait until the pandemic starts, it will be too late.
Even if a pandemic were mild, it is estimated that about a third of the world's population would fall sick over a period of months and millions would die. If the strain is virulent, the death toll could mount to several million, over a relatively short period. If we look at previous pandemics (Spanish Flu 1918 – 1919, Asian Flu 1957 – 1958, Hong Kong Flu 1968 – 1969) they generally run their course in 18 to 24 months. As an
The Health and Human Services Department plan outlines a worst-case scenario where more than 1.9 million Americans would die and 8.5 million would be hospitalized with costs exceeding $450 billion.
Current Forecasts – Business Continuity Planners where can you add value?
We often use the phrase “value added” when we promote business continuity planning. We say that we “add value” to an organization by preparing it to respond and recover from incidents. At this time I think that we can earn our keep, so to speak, by providing that “value added” service that we speak of. Current forecasts predict that the H5N1 pandemic will spread around the world in a historically short period of time. One expert stated that if this pandemic is identified on the west coast of the United States it will spread across the country in a week. When SARS spread from China just a couple of years ago, it was in 5 countries in 3 days and in 24 countries in 3 months. Time to react will be virtually non-existent. And if we are to earn our merit as business continuity planners, we need to react now! The companies that survive this extraordinary disaster when it occurs will have heeded the words of Sun Tzu centuries ago, “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” Planning today will prove to be the only viable strategy to ensure a company’s “victory”.
What if the pandemic does not materialize? Do we have the proverbial “egg on our face”? In the event that this pandemic does not materialize, your planning will not be lost. Most of it will be transferable. There will be future pandemics (they occur approximately every 30 – 40 years), and there is the ever-present threat of terrorist attacks using chemical/biological/nerve agents. Business survivability in the face of disasters is imperative to the economic strength of the world community.
We as continuity planners have an obligation to be forward thinking and to see what others choose not to recognize until it is upon them.
Steps to take…Now
The ability to effectively respond to and manage the consequences of an event in a timely manner is essential to ensure an organization's survivability in today’s fast paced business environment. With the emergence of new threats, such as cyber-terrorism and bio-terrorism; and the increasing exposure of companies to traditional threats such as, fraud, systems failure, fire, explosions, spills, natural disasters, etc. an “integrated” approach to Business Continuity Planning is essential. The “integrated” approach, as presented in this article, is based on the concept of graceful degradation and agile restoration. “Graceful degradation” refers to the ability of an organization to identify the event, classify it into a level of severity, determine its consequences, establish minimal stable functionality, devolve to the most robust less functional configuration available and to begin to direct initial efforts for rapid restoration of services in a timely fashion.
Several steps can be taken to prepare your organization. First, put in place an effective surveillance program; meaning, expand your business impact assessment activities. In my article, “‘Futureproofing’ - the Process of Active Analysis,” written in 2003, I recommended that we rethink the business impact assessment process:
Traditional analysis such as that performed at the initiation of the business continuity plan development is recognized as necessary to develop a baseline of information. However, it should also be recognized as having certain limitations:
• Pre-Event - Best guess as to what could occur
• Static - Best guess based on available facts and models
Traditional analysis creates undecidability due to the inability to predict all behavior in a dynamic environment. Therefore one should adopt an Active Analysis methodology, such as that developed by Logical Management Systems, Corp. (LMS). LMS' methodology is based on the U.S. Military's "Joint Special Operations Targeting and Mission Planning Procedures" (JP 3-05.5, 10 August 1993). It is detailed herein.
The advantages that can be realized by adopting this methodology and maintaining an active analysis process are:
• Uses Static Analysis as a basis
• Touchpoint complexity factors
• Dynamic - based on creating a mosaic
• Time Factors (Time Critical, Time Sensitive and Time Dependent) act as drivers
Termed "Futureproofing" by LMS, the active analysis process is designed to create a mosaic that enhances decision making by identifying behavior patterns in a dynamic environment.
Active analysis can be subdivided into three categories of possible threats/occurrences that could befall an organization. Dr. Ian Mitroff refers to the three categories as Natural Accidents, Normal Accidents and Abnormal Accidents. I have renamed them to differentiate the three aspects of each: the threat, the actual occurrence and the consequence of the occurrence.
• Natural Threats/Occurrences/Consequences consisting of such things as drought, floods, tornadoes, earthquakes, fires and other naturally occurring phenomena.
• Normal Threats/Occurrences/Consequences consisting of such things as Economic Disasters, such as:
    • Stock Market Downturns
    • Rating Agency Downgrade, etc.
  Personnel Disasters, such as:
    • Workplace Violence
    • Employee Fraud, etc.
  Physical Disasters, such as:
    • Health & Safety
• Abnormal Threats/Occurrences/Consequences consisting of Criminal Disasters, such as:
    • Kidnapping & Hostages, etc.
  Information Disasters, such as:
    • Theft of Proprietary Information
    • Hacking, Data Tampering
    • Cyber Attacks, etc.
  Reputation Disasters, such as:
    • Internet Reputation, etc.
Please note Abnormal Threats/Occurrences/Consequences are becoming more of the norm than abnormal as we see the normalization of threats such as hacking and data tampering.
Five key assumptions were used as a basis for the developmental framework of the "Futureproofing" methodology. These are:
• Assumption #1: The modern business organization represents a complex system operating within multiple networks
• Assumption #2: There are many layers of complexity within an organization and its "Value Chain"
• Assumption #3: Due to complexity, active analysis of the potential consequences of disruptive events is critical
• Assumption #4: Actions in response to disruptive events need to be coordinated
• Assumption #5: Resources and skill sets are key issues
Based on the above assumptions and the results of the baseline analysis (static analysis), one realizes that the timely identification, classification, communication and response, management and recovery from a disruptive event are critical. As depicted in the graphic on the next page, over time uncertainty will decrease, as will available options for response and recovery.
This is contrasted with increasing numbers of issues and higher and higher costs associated with response and recovery efforts. As such, an organization should seek to continually analyze situations so as to develop a clear picture of the current state of the business system network. Referred to as "Data Fusion - Constructing a Mosaic" by LMS, this is a process of getting enough bits and pieces of information in place in order to transform seeming chaos into recognizable patterns upon which decisions can be made.
Second, recognize that you cannot depend on public authorities (read this as government at all levels) to be there for your organization. They will have too many issues to deal with and they will also be impacted by the pandemic – remember that 30% of the population could be affected; that means that civil authorities are just as
If you do the first step, putting in place an effective surveillance system, you will develop "detectors and indicators of change" metrics that can be employed to facilitate the constant analysis of the state of the business system and its complex "value chain" network. The "detectors and indicators of change" provide the early warning basis for event classification at the lowest (least severe) levels.
Third, train, drill, exercise. All the planning in the world is never going to be effective unless it can be implemented. One key to implementation is having a trained organization. That means that we have to train not only the primary position holders in our organization, but we have to train the secondary and even a third level within the organization.
If Only We Had Known…A New Paradigm for Planning Strategists
In my latest book, “Integrated Business Continuity Planning: Maintaining Resilience in Uncertain Times” I asked:
"Is Business Continuity integrated into your business operations as a way of doing business; or is Business Continuity an adjunct to the business that you are involved in?"
As you ponder this question, you need to reconsider the value proposition offered by having an integrated approach to business continuity.
I offer the following definitions for the purpose of this article and as a basis for developing an “integrated” approach to continuity:
Crisis: "A disruptive event that is amplified, elevated and magnified."
Business Continuity: "All initiatives taken to assure the survival, growth and resilience of the enterprise."
Executives have an obligation to their stakeholders to assure that everything that can reasonably be done to protect the business and ensure its competitiveness in the marketplace is done. Unless executives rethink the relationship between how they do business (strategy, competitive intelligence, etc.) and the way they currently address business continuity (managing disruptive events, security, etc.), the imbalance between "security" and competitiveness will not be resolved. Therefore, businesses must rethink their recovery strategies to be able to deal with and survive pandemics. This is a whole new paradigm for planning strategists.
The table below is a look into the proverbial “crystal ball” at what could be some of the possible outcomes when the pandemic strikes.
Conclusion: Seize the Initiative - It Makes Sense
A Chinese proverb states that "Opportunity is always present in the midst of crisis." Every crisis carries two elements, danger and opportunity. No matter the difficulty of the circumstances, no matter how dangerous the situation… at the heart of each crisis lies a tremendous opportunity. Great blessings lie ahead for the one who knows the secret of finding the opportunity within each crisis.
Today business leaders have the responsibility to protect their organizations by facilitating continuity planning and preparedness efforts. Using their status as “leaders,” senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis.
Market research indicates that only a small portion (5%) of businesses today have a viable plan, but virtually 100% now realize they are at risk. Seizing the initiative and getting involved in all the phases of crisis management can mitigate or prevent major losses. Just being able to identify the legal pitfalls for the organization of conducting a crisis management audit can have positive results.
We cannot merely think about the plannable or plan for the unthinkable, but we must learn to think about the unplannable. Business continuity planning must be overlapping in time, corrective in purpose and complementary in effect.
Drabek TE, Tamminga HL, Kilijanek TS, Adams CR. Managing multi-organizational emergency responses: emergent search and rescue networks in natural disaster and remote area settings. Natural Hazards Research and Applications Information Center. University of Colorado, Boulder CO, 1981
Harris, Gardner, October 8, 2005 – New York Times; Bush Plan Shows U.S. Is Not Ready for Deadly Flu
Meyer, Gerald C., "When it Hits the Fan: Managing the Nine Crises of Business," 1986
Mittelstadt, Michelle, Dallas Morning News, Sunday, September 11, 2005 "Four years after 9-11, Katrina reveals flaws in emergency planning"
Mitroff, Ian, I., Avoid "E3" Thinking, Management General, 1998
Mitroff, Ian, I., Smart Thinking for Crazy Times: The Art of Solving the Right Problems, 1998
Sikich, Geary W., The Financial Side of Crisis, 5th Annual Seminar on Crisis Management and Risk Communication, American Petroleum Institute, 1994
Sikich, Geary W., Managing Crisis at the Speed of Light, Disaster Recovery Journal Conference, 1999
Sikich, Geary W., Business Continuity & Crisis Management in the Internet/E-Business Era, Teltech, 2000
Sikich, Geary W., What is there to know about a crisis, John Liner Review, Volume 14, No. 4, 2001
Sikich, Geary W., The World We Live in: Are You Prepared for Disaster, Crisis Communication Series, Placeware and ConferZone web-based conference series Part I, January 24, 2002
Sikich, Geary W., September 11 Aftermath: Ten Things Your Organization Can Do Now, John Liner Review, Winter 2002, Volume 15, Number 4
Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002
Sikich, Geary W., "Aftermath September 11th, Can Your Organization Afford to Wait", New York State Bar Association, Federal and Commercial Litigation, Spring Conference, May 2002
Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003
"It Can’t Happen Here: All Hazards Crisis Management Planning", Geary W. Sikich, PennWell Publishing 1993.
Sikich, Geary W. and Slavik Nelson S., Industry Expectations Concerning Healthcare Response to OSHA 1910.120 "Hazardous Waste Operations and Emergency Response"; Environmental Health Manager; Spring Issue 1990, VOL. 4, No. 1.
Sikich Geary W., "The Emergency Management Planning Handbook", McGraw Hill, 1995.
Sikich Geary W., Stagl, John M., "The Economic Consequences of a Pandemic", Discover Financial Services Business Continuity Summit, 2005.
Zuckerman, Mortimer B., New York Daily News, 20 June, 2005, "A Nightmare Scenario – H5N1 Pandemic"
Economic Shock Waves From Avian Influenza Spreading Faster than the Disease. Source: http://www.prweb.com/releases/2005/3/prweb220610.htm
The following citations are taken in total from The Lancet, which carried an article entitled "H5N1 influenza pandemic: contingency plans" (The Lancet 2005; 366:533-534 DOI: 10.1016/S0140-6736(05)67080-8):
1. World Health Organization. Cumulative number of confirmed human cases of avian influenza A/(H5N1) since 28 January 2004. May 4, 2005 http://www.who.int/csr/disease/avian_influenza/country/... (accessed May 8, 2005)
2. Ungchusak K, Auewarakul P, Dowell SF, et al. Probable person-to-person transmission of avian influenza A (H5N1). N Engl J Med 2005; 352: 333-340.
3. Zeitlin GA, Maslow MJ. Avian influenza. Curr Infect Dis Rep 2005; 7: 193-199.
4. Kirkbride HA, Watson J. Review of the use of neuraminidase inhibitors for prophylaxis of influenza. Commun Dis Public Health 2003; 6: 123-127.
5. World Health Organization. National influenza pandemic plans. 2005: http://www.who.int/csr/disease/influenza/nationalpandem... (accessed May 8, 2005).
6. GlaxoSmithKline. Relenza datasheet. Issue number 5. June 8, 2000. Evreux, France: Glaxo Wellcome Production, 2000: http://www.msdsgsk.com/uk_presc/11057406.pdf (accessed June 1, 2005).
7. Hoffmann-La Roche. Tamiflu datasheet. Core data sheet version 1.5. May 3, 2004. Basel: F Hoffmann-La Roche, 2001: http://www.medsafe.govt.nz/profs/Datasheet/t/Tamiflucap... (accessed June 3, 2005).
8. The MIST (Management of Influenza in the Southern Hemisphere Trialists) Study Group. Randomised trial of efficacy and safety of inhaled zanamivir in treatment of influenza A and B virus infections. Lancet 1998; 352: 1877-1881.
9. Treanor JJ, Hayden FG, Vrooman PS, et al. Efficacy and safety of the oral neuraminidase inhibitor oseltamivir in treating acute influenza: a randomized controlled trial. JAMA 2000; 283: 1016-1024. US Oral Neuraminidase Study Group.
10. McKimm-Breschkin JL. Management of influenza virus infections with neuraminidase inhibitors: detection, incidence, and implications of drug resistance. Treat Respir Med 2005; 4: 107-116.
11. Kiso M, Mitamura K, Sakai-Tagawa Y, et al. Resistant influenza A viruses in children treated with oseltamivir: descriptive study. Lancet 2004; 364: 759-765.
12. Tran TH, Nguyen TL, Nguyen TD, et al. Avian influenza A (H5N1) in 10 patients in Vietnam. N Engl J Med 2004; 350: 1179-1188.
13. Imuta F, Toyoda M, Toyoda T. New application method of zanamivir with a straw. Pediatr Int 2003; 45: 366-367.
14. Murphy KR, Eivindson A, Pauksens K, et al. Efficacy and safety of inhaled zanamivir for the treatment of influenza in patients with asthma or chronic obstructive pulmonary disease: a double-blind, randomized, placebo-controlled multicentre study. Clin Drug Invest 2000; 20: 337-349.
15. Cass LM, Brown J, Pickford M, et al. Pharmacoscintigraphic evaluation of lung deposition of inhaled zanamivir in healthy volunteers. Clin Pharmacokinet 1999; 36 (suppl 1): 21-31.
16. Hill LS, Slater AL. A comparison of the performance of two modern multidose dry powder asthma inhalers. Respir Med 1998; 92: 105-110.
17. Webby RJ, Webster RG. Are we ready for pandemic influenza? Science 2003; 302: 1519-1522.
18. Tzeng HM. Nurses' professional care obligation and their attitudes towards SARS infection control measures in Taiwan during and after the 2003 epidemic. Nurs Ethics 2004; 11: 277-289.
Geary Sikich, a Principal with Logical Management Systems, is recognized as one of America’s premier thought leaders in corporate crisis management, business continuity, enterprise risk management and strategic resiliency.
He has provided services to Fortune 500 companies including American Express, ExxonMobil, Amoco, Motorola and international institutions such as the World Bank.
He is the author of over 160 published articles and three books on crisis management and business continuity: "It Can't Happen Here: All Hazards Crisis Management Planning" (Tulsa, Oklahoma: PennWell Books, 1993). His second book, "Emergency Management Planning Handbook" (New York: McGraw-Hill, 1995) is available in English and Spanish-language versions. His third book, "Integrated Business Continuity: Maintaining Resilience in Uncertain Times," (PennWell 2003) is available on www.Amazon.com. His latest book, “The Great Wreckoning: Pandemic and the Global Economy” is currently being finalized for publishing.