Erm, does this make sense?
A previous tip (‘It’s likely that something unlikely will happen’) discussed a key limitation of the commonly-used ‘likelihood x impact’ approach to risk management when assessing and managing business continuity risks.
Continuing the theme, there’s another issue to watch out for when trying to link business continuity risk assessment to the enterprise risk management (ERM) programme, particularly for larger organisations.
The issue is with using the ERM’s financial impacts in the ‘likelihood x impact’ calculation. At first sight, it would seem to make sense to utilise a consistent approach and common metrics. The problem is where the high, medium and low levels of financial impact are set. For an organisation of any size, a high financial impact might be deemed to be tens, or hundreds, of thousands of pounds/dollars/euros/etc (delete as applicable, or insert your own currency here, adding a zero or three if necessary). In large, multinational organisations, it’s not unusual for it to be measured in millions.
So, for many of the business continuity risks that we might identify, there’s a fair chance that the financial impact doesn’t make it past the medium, or even low, level. Coupled with a ‘guestimated’ low likelihood (and, if we’re honest, assessing likelihood is often very much based on guesswork!), the issue discussed in the previous tip is further exacerbated and the rating seldom even sneaks out of the green zone into amber, let alone red, thus no mitigating action is considered necessary.
In reality, even in organisations for whom a high financial impact is measured in millions in the ERM system, a loss in the thousands might raise an eyebrow, a loss in the tens of thousands would possibly raise both eyebrows and one in the hundreds of thousands may well result in raised voices and someone senior wanting something done about it!
By all means link business continuity processes to other corporate methodologies where it makes sense to do so. Just ensure it does actually make sense, by properly considering the implications first.
Andy Osborne’s latest book ‘Business Continuity Management Simplified’, published by Bookboon, is now available at https://bookboon.com/en/business-continuity-management-simplified-ebook