Monday, December 13, 2010

In any Risk Management venture "Establishing Context" is crucial

There is a tendency for people to want to rush to the exciting stuff. To get their hands dirty with extreme event scenarios and risk assessments. That is a mistake.

It is important to pack your bags for the long trip - to lean your ladder up against the right wall - to start with an awareness of issues which might ambush "the end in mind". These phrases apply to any systematic risk management process - where an initial emphasis should be on scoping context. If not, believe me, it will unravel later.

So with many "burn and learn" examples over many years, may I suggest the following three key considerations:
1.    Develop a project plan to establish the risk management context which includes:
a.    the aims and objectives for the establishment of context;
b.    a matrix of stakeholders against their roles and responsibilities; and
c.    a budgeted and scheduled plan for anticipated research and consultation.

2.    Profile the entity for which “context” is being established (e.g. the structure of the organisation; or the demographics of a community) by mapping key networks including:
a.    relationships between people and organisations to identify and evaluate existing networks; and
b.    other network relationships that do not exist, but which might add value should they be developed and established through negotiation, consultation and marketing strategies to gain trust, cooperation and support.

3.   Apply strategies to seek and obtain stakeholders’ co-operation and ownership of the risk management context including:
a.    establish and coordinate open communication structures among the networks mapped;
b.    consult with stakeholders to map their issues and needs across the following aspects or “spaces” - social, legal, technical, political, environmental, and financial; and
c.    identify criteria and thresholds for “acceptable risk” across the aspects or “spaces” identified with stakeholders; and document the level of agreement and divergence between stakeholders regarding risk criteria to be applied. Two sets of criteria should be addressed: risk assessment criteria (that is, “what do we care about - and how much do we care”) and the agreed risk treatment selection criteria to be applied.

Establishing risk appetite early is fundamental.

Friday, November 26, 2010

Disaster Funds: Lessons & Guidance on the Management & Distribution of Disaster Funds

Please find reproduced below, in full, an email from Dr. John Twigg

Disaster Action - a great organisation - has just released what looks like a really useful new publication:

"Controversy surrounds many disaster funds, even decades after they were launched. Little guidance is available to those who take on the responsibility of managing and distributing funds in accordance with the wishes of the donors. Disaster Funds: Lessons & Guidance on the Management & Distribution of Disaster Funds, published by Disaster Action with support from the DCMS and the British Red Cross, fills that gap. It is an essential resource for emergency planners, fund trustees, administrators and managers."

Tuesday, November 2, 2010

Post disaster shelter and sustainability

Professor David Sanderson, Director, Centre for Development and Emergency Practice (CENDEP) at the School of the Built Environment, Oxford Brookes University, has announced that, as a follow-up to the ELRHA funded shelter conference held at CENDEP in September in association with CARE UK, the final report, presentations and podcasts of some sessions are now available online at http://bit.ly/cSRhQs

The conference examined what role shelter should have in disaster relief and development while critically reflecting on its implementation at local and international levels. It was agreed that, while technological shelter solutions are important, good shelter practice always puts people first. This may mean reassessing practitioners' roles and responsibilities to include ways to work more successfully with affected people in a process, rather than focusing on providing an end product.


Monday, August 16, 2010

Simple things can put you at risk.

It is early days in the investigation of the fire which destroyed the Liverpool Council offices over the weekend but some interesting things are immediately apparent.


"The fire has thrown one of Sydney's biggest and busiest councils into turmoil, losing its website, meeting place and important items including strategic plans, engineering documents and development applications." (Ref Daily Telegraph, 16 Aug 2010)


News Clip Video of the Liverpool Council Fire, 14 Aug 2010.

There is a continuity plan in place - however it seems to have been underpinned by some interesting decisions.

First, backing up customer paperwork. In this case, the loss of development applications from the end of last week. A simple process analysis would place a "scan and file off site" step at the beginning of the process. This reflects respect for what the client is submitting - the backup process is not just about the assessment by the planning department. Or is it? So the question of "how and what" they were thinking arises.

Second, the commentary from the YouTube news video reports the building had no sprinklers. This means either the business continuity plan has not been nested within the organisation's risk management arrangements, or it has been nested and a cost benefit assessment advised not to install sprinkler systems. Which of these is so will be confirmed by the coroner.

Third, a key principle of managing a crisis is "communicate, communicate, communicate". In the modern world, best practice demands a "go to" webpage - even if it only tells customers what is available and what is not available. A default URL to switch to is as important as a backup customer service centre line. Unfortunately this is not being provided (as of 11.00am Monday 16 Aug 2010).

Wednesday, July 14, 2010

Three Standards adopted to meet North America’s private sector “business continuity” requirements.

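For the Private Sector Preparedness (PS-Prep) Program, the U.S. Department of Homeland Security has adopted the:
1. ANSI/ASIS SPC.1-2009 Standard, Organizational Resilience: Security, Preparedness and Continuity Management Systems;
2. BS 25999-2:2007 Business continuity management. Specification; and
3. NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.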

This adoption may be partly political – by placating a range of stakeholders. Nevertheless, there is merit in each Standard – and “cherry picking” the best practices by adopting a “crosswalk” methodology (where you compare like with like and integrate a high leverage position) is worth considering.

All three standards share a “quality process” based approach aligned with the diagram below (from ASIS SPC.1-2009)

The explanatory material in each Standard is particularly useful.
These resources and links to their free versions are below:

1. The ANSI/ASIS SPC.1-2009 Standard, titled “Organizational Resilience: Security, Preparedness and Continuity Management Systems—Requirements with Guidance for Use” (66 pages), provides a holistic approach to cost-effectively improve any organization’s resilience and preparedness performance.

It is available from


2. The British Standards Institution’s BS 25999-2:2007 “Business continuity management. Specification” specifies requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS) within the context of managing an organization’s overall business risks.


Resources are available from

3. The US National Fire Protection Association (NFPA) “NFPA 1600” Standard on Disaster/Emergency Management and Business Continuity Programs (2007) (57 pages) has been widely accepted by North American-based organizations.

NFPA 1600 sets out to ‘provide disaster and emergency management and business continuity programs, the criteria to assess current programs or to develop, implement, and maintain aspects for prevention, mitigation, preparation, response, and recovery from emergencies.’

It is available from
http://www.nfpa.org/assets/files/PDF/CodesStandards/1600-2007.pdf

Friday, June 18, 2010

Criticism of Crisis Management - just shows poor style

In a classic illustration of "how to lose credibility" by both big noting yourself and being rude to someone doing as well as can be reasonably expected under the circumstances, Rudy Giuliani has a breakfast TV shot at President Obama over the oil spill crisis.



Tuesday, June 15, 2010

If you can't measure it - you can't manage it.

This is an old management adage. Indeed, Galileo Galilei (1564 - 1642) is credited with having said "measure what can be measured - and make measurable what cannot be measured".
In business, measure those activities or results that are important to successfully achieving your organisation's goals. Key Performance Indicators, also known as KPI or Key Success Indicators (KSI), help an organisation define and measure progress toward its goals.
Below is a set of Key Performance Indicators for Business Continuity Planning derived from the British Business Continuity Standard - BS 25999. They have been set into our free Excel spreadsheet tool and are offered for you to take a self assessment and reflect on the resilience of your business.









Element 1 Agreed, Owned, Accessible.
Indicator Be agreed by top management and understood by those who will put the plan into effect; Be owned by a named person(s) who is responsible for the plan’s review, update and approval; Be accessible to those with responsibilities defined within them.
Element 2 Up-To-Date.
Indicator Be reviewed at planned intervals, and when significant changes occur to the organization or its activities; Be under version control with formal change notification and distribution records.
Element 3 Aligned with other arrangements.
Indicator Be aligned with other contingency arrangements external to the organization
Element 4 Purpose and Scope.
Indicator Contain defined purpose and scope
Element 5 Roles and Responsibilities
Indicator Contain defined roles and responsibilities for people and teams having authority during and following an incident
Element 6 Invocation and Communication
Indicator Contain a method by which each plan is invoked, meeting locations with alternatives, up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response; Contain guidelines and criteria regarding which individuals have the authority to invoke the plan and under what circumstances; Contain identified lines of communications, roles and responsibilities, key tasks and reference information
Element 7 Prioritized Critical Activities
Indicator Contain prioritized objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity
Element 8 Procedures, Tasks and Resources.
Indicator Contain details of the consequences of a business disruption and the processes and procedures to enable continuity and recovery of critical activities. Contain details of actions and tasks that need to be performed; nominated person(s) to manage the tasks, and details of the resources (and their availability) required at different points in time.
Element 9 Assumptions
Indicator Contain details of the planning assumptions - including out of scope issues.
Element 10 Risk Management
Indicator Contain details to manage the immediate consequences of a business disruption giving due regard to the welfare of individuals; strategic and tactical options; especially considerations regarding prevention of further loss or unavailability of critical activities.
Element 11 Record Keeping
Indicator Contain a method for the recording of vital information about the incident, actions taken and decisions made.  
Element 12 Stakeholder Information
Indicator Contain a reference to the essential contact details for all key stakeholders.
Element 13 Communication Protocols
Indicator Contain details on how and under what circumstances the organization will communicate with staff and their relatives, key stakeholders and emergency contacts.
Element 14 Media Management
Indicator Contain details on the organization’s media response following an incident, including: the incident communications strategy; preferred interface with the media; guideline or template for drafting a statement for the media; and appropriate spokespeople.
Element 15 Stand Down
Indicator Contain a process for standing down once the incident is over.


When you enter your attributed level of capability (or score) against these fifteen criteria, it is displayed on a single graph.







Wednesday, June 9, 2010

Finally - the oil spill is recognised as the ultimate Babushka doll.

After fifty days of failure we see a new pattern of questions emerging. The risk is being correctly recognised as a function of many factors – a complexity of things which are linked, interrelated or nested. And like peeling back onion layers, the exploration of “root cause” needs to be thoughtful and systematic. An important thread to explore is the evolution of how we, as a society, have chosen to meet our basic needs. This mapping process is illustrated in the diagram below.





















(Ref: Figure 6 in "Risk Profiling in Disaster Management Methodology" by John Salter)

A key question is “what is the output from such an enquiry in terms of outcomes?” Outcomes are about social structures, arrangements and agreements. And the outputs from a systematic assessment of the current oil spill fiasco should challenge the very core of our social and economic structures. Issues of wealth, power and status are always difficult to address. In any society no one wants to “give theirs up”. In the end, we will all have to face a collective dilemma – and ultimately one which is a challenge of will. Will we be up to it?


Monday, June 7, 2010

In the risk space, how important is management over marketing? Fundamentally important.

Too often we "rush to products". In a marketing dominated era the pressure is understandable. But it needs to be resisted.
 
When we are serious about our purchases we know we should buy what we need. This calls up quality decision making based on some sensible criteria.
 
In the risk management space it is about continuous improvement - even if, or especially if, your baseline is zero. When starting a fitness program, you start by assessing where you are now. You then set some goals about where you want - or need - to be.
 
In the risk management space, assessment should also be done in a framework which reflects best practices and context. The unfortunate management term used is "Maturity Models" - which include a series of descriptions of business performance for discrete risk management elements. The optimum level of maturity is recognised as being the level that delivers the organisation’s strategic objectives most effectively and efficiently, which does not necessarily mean the “top” level (F: fully applied).


So a prudent first step is to assess the gap between where you are now - and where you should be. However, unlike the fitness assessment, which may well require a medical assessment from a specialist such as a doctor, it is not necessary to have your capability assessment done by a specialist (or consultant). You know your business inside out - all you need is to reflect on it within an appropriate framework.
 
Our free maturity model provides a systematic framework for benchmarking in a business continuity best practice context. It will help you to deliver business benefits in incremental steps - in key areas.
 




Thursday, June 3, 2010

Communication and informed decision making - the foundations of a sound Crisis Management framework.

Many Crisis Management Plans are based on scenarios: fire, flood, pandemic, etc. Scenarios are useful as a tool to exercise arrangements and processes, but too often they are used to develop a plan which is too detailed and hazard driven (rather than business focused).


CEOs and Boards need flexible frameworks which can facilitate good decision making under the impact of any hazard (condition or circumstance with a potential for harm).


Our practical paper outlines an approach to integrating business impact assessment into crisis management in order to strengthen the quality of information based decision making. Regardless of the hazard, the system empowers the decision makers with a profile of what the risk is, what the risk means, who needs to know, and who should do what. Free Crisis Management Paper


It is intended to be read alongside an accompanying Excel spreadsheet. Free Crisis Management Tool



For clients who need more, we have developed Buttress® - EPCB's integrated and comprehensive software - scalable for medium to large enterprises. Buttress® crisis management software will support you to understand your risks, evaluate your exposures, and (a) take action to mitigate your vulnerability before an incident - and (b) manage the consequences after an incident.




Buttress® is tailored by EPCB Franchisees during consultation and facilitation processes to meet clients' needs.



Buttress® is also available "off the shelf" as an Access Database file for clients to purchase and use independently (data collection screen shot above).
Pricing: A once-only payment of US$1000 per business site. Cash-back discounts are available for Medium Enterprises (15% off), Small Enterprises (20% off) and NGOs (25% off). Please contact us to discuss your requirements.