Business continuity 1: Basic risk handling
Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.
It’s a big topic. In a sense it’s a part of risk management in general, though saying that doesn’t narrow it down much. But let me start there.
You probably already have a risk handling system in your organization, so what I say here will all look pretty elementary. Still, I’ll review it briefly.
Think of the Safety Committee in a grocery store. They brainstorm all the ways somebody could get hurt, and then define measures to keep it from happening. If someone breaks a jar of spaghetti sauce in Aisle 3, put up a “Wet Floor” marker and mop it up. Don’t put heavy things on high shelves. And so on.
Sometimes they might think of a risk that’s not very likely: What if a customer brings his dog and the dog bites somebody? Well, OK. It’s true you want to know what risks you face, and (for example) the ISO management system standards all require some level of risk identification. (ISO 9001, ISO 14001, and ISO 45001 all put this requirement in section 6.1.1.) But you can’t prevent everything, so you need to rank your list in order of importance. Then you plan for the ones that really matter, and let the rest go. But what ranking do you choose? Generally there are at least two questions to consider:
- How likely is this risk?
- And how bad will the impact be if it happens?
Anything that scores high on both questions goes to the top of the list. After that, it’s not so obvious. But here’s one simple approach you can take. Please note two things:
- You can use this approach for any kind of risks. Just now I was talking about safety risks. But your marketing team can do the very same thing with competitive risks. Your engineers can use this approach (or a more sophisticated version of it) as an FMEA (Failure Mode and Effects Analysis) to think through product or operational failures. Your shipping department can do this to evaluate different logistical methods. It is a very general and very powerful tool.
- There are a lot of ways to make this approach more sophisticated, depending on the needs of your organization. What I describe here is the simplest possible version.
Step one: Score all of your risks according to how likely they are, using just three values: High, Medium, Low.
Step two: Now score all of your risks according to their impact—how bad things would be if they happened—using the same three values: High, Medium, Low.
Step three: Use these two scores to calculate a priority for each risk, using the following formula:
Priority = Likelihood x Impact
On this scale, for example, “getting bitten by a customer’s dog” would probably rank Low for likelihood but potentially High for impact, for a composite priority of Medium.
Now that you have assigned a priority to every risk on your list, what next? The next step should be to address the important ones.
- What does it mean to “address” a risk?
- If possible, prevent it.
- If you can’t prevent it, take steps now to mitigate the impact when it happens.
- Also, consider how you will respond when it does happen: those are your contingency actions.
- To make sure this gets done, assign the risk to an Owner, and assign a deadline by when the actions have to be in place. Then be sure to follow up that they really are.
- Which ones are “important”? It depends on what you are doing. At the very least, you should address all the risks with priority = High. But you don’t have to stop there. Maybe you want to address the Medium ones as well, or some of them. Maybe there are steps you can take for a few of the Low risks too, though typically you should think about them last. You have to decide what works for you. But addressing all the risks rated High is pretty much a minimum.
What happens to the risks that you choose not to address? If the store’s Safety Committee updates their list of risks to include “getting bitten by a customer’s dog” and then calculates its priority as only Medium, they might not plan any action for it. So why put it on the list?
The point is that the priority ratings aren’t static. From time to time—at least once a year, if not more often—you’ll review your list to see if things have changed.
- As you take mitigation steps, for example, the impact of some risks will drop and so their priorities will change.
- The impact of others might rise, depending on changes in the outside world. Back in 2019, most American companies who did business continuity planning probably rated “global pandemic” at a very low likelihood; by mid-2020, it had become a fact of life.
- While you are at it, check whether your contingency plans are still correct and current. Is that still the best way to handle this risk, if it comes about? Are the responsibilities all assigned to the right people, or do you have some tasks assigned to a guy that retired last month? And check to make sure your supplies are all in stock and up to date.
- Assign actions as needed, and follow up to ensure the actions are closed on time.
So even if a risk falls below your threshold and you decide not to address it right now, keep it on the list. Then the next time you review the list—next quarter, next year, or whenever—you can think about it again. And as long as it stays on the list, you won’t forget.
Michael Mills has spent over 25 years managing quality and documentation systems for large companies and small ones. Now he does internal audits and consults on Quality projects, while regularly posting online. He publishes every week at the Pragmatic Quality Blog (pragmatic-quality.blogspot.com), and writes the Management Light column for the Organizational Excellence Specialists Group on LinkedIn. You can find him on LinkedIn at Michael Mills | LinkedIn.
Oil & Gas Global Network “OGGN”
Texas Quality Assurance and the #QualityMatters podcast