Friday, August 3, 2007

A risk management self assessment framework

By John Salter

A stadium fire. A dam failure. A toxic release at a vulnerable congregation hub. Explosions at an iconic site. A sinking ferry. A leak from a factory into adjacent dwellings. Floods and landslides which wash away shanty towns. Fires at the urban-forest interface. Crowd crush incidents. Earthquakes which destroy poorly built homes and disrupt vulnerable lifelines. Why and how do these disasters occur? How can we do better at addressing them?

Disasters do not “just happen”. Many are characterized by symptoms of poor management such as:

a) Relying on routine capabilities to provide a sufficient response in an extraordinary context;

b) Inadequate problem definition;

c) Working in isolation;

d) Relying on approaches from the past;

e) Focusing resources on the hazard event and not the prevention opportunities; and

f) Focusing resources on the hazard event and not the impact implications.

These symptoms indicate failures of the key performance tests for good business continuity and emergency planning. Those tests concern our state of knowledge and its application: what you ought to know (or could reasonably be expected to find out) about risks and their treatment.

This paper puts forward considerations about what characterizes good business continuity and emergency planning and how it might be assessed. What assessment criteria make up a necessary and sufficient set?

We emphasize as a first and underpinning principle the importance of the planning process over the 'plan as a document' approach. The Internet and our electronic society have seen a proliferation of 'business continuity planning templates'. 'Just fill in the blanks and there you go!' This approach is 'nominal plan as procrustean bed'. The word processor and electronic mail have much to answer for in planning, where it is not uncommon to find the same plan, with some global word changes, parading as rigor for different locations, organisations and risks.

Unless a business continuity plan has evolved from a 'needs basis' and is generated through a process involving those who have an interest, it will never quite 'fit'. The off-the-rack document (plan) only shows up as a failure when it comes apart at the seams under the stress of reality (performance). While this is not to suggest documentation is unimportant, it is to suggest its proper place is as a supporting record of arrangements and enabling processes. Of itself it does not constitute sufficient evidence of performance.

This distinction between plans and planning is well reinforced by Enrico Quarantelli, a doyen of disaster preparedness who defines (disaster) planning as “a process ... which involves all of those activities, practices, interactions, relationships, and so forth, which over the short term or long run are intended to improve the response pattern at times of (disaster) impact”. (Quarantelli, 1987:15)

If an initial question is 'should I place significance on a plan?', we suggest the answer is 'yes... but' only if the plan is derived from a dynamic, ongoing, iterative process.

The following paper explores business continuity and disaster planning and then offers a self assessment framework to aid the process.

Download the complete paper (PDF)
