This week Charlie applies the PESTLE framework to business continuity, in response to finding other risk management frameworks too restricting.
Over the last few weeks I have been thinking a lot about risk management frameworks for business continuity. The more I look at business continuity, the more I feel that basing the risk and threat assessment on PPRS (people, premises, resources and suppliers) or even on the new Good Practice Guideline’s list of buildings and work environment, IT, equipment, product/consumables and suppliers, is too narrow and does not give a holistic view of the risks business continuity planning should be addressing.
This was brought home to me a few years ago when I was doing some work in the Philippines. We were scheduled to conduct some incident management training as part of a business continuity roll-out at a plant, but when we turned up we found them in the middle of a major environmental incident. A fuel tank had overturned and the fuel oil had spilled into the local creek. This event emphasised that I, as part of the analysis phase, had not identified this as a possible incident, as an environmental incident didn’t fit neatly within the PPRS framework. Yes, they did have a plan with an incident management team which could have managed the incident, but I felt in our planning we concentrated too much on incidents unlikely to happen, such as mass loss of staff and ignored more likely incidents, such as an oil spill.
What I have been considering for a while, is a framework for looking at risks beyond PPRS, which are perhaps more likely to occur. Once they have been identified we can look at whether we need to develop a bespoke business continuity solution (strategy) and write this up into a contingency plan. As part of the process, we might mitigate the risk, to lessen the impact if it occurred or the likelihood of it happening. I have trawled through the internet, but found nothing which is fit for purpose. I have tried using an enterprise risk framework of hazard risk, financial risk, operational risk and strategic risk, but this seems too wide and goes into areas such as financial risk or business strategies, which I believe are beyond the remit of the business continuity manager.
What I have come up with so far is using PESTLE as a framework, which involves putting a number of risks under each criterion and using this as a prompt to help those conducting the risk assessment to look at the widest variety of risk possible.
This is what I have so far:
a. Sustained or severe criticism in the media (or on social media)
b. Criticism of the organisation by politician or celebrity
c. Rumours or malicious falsehoods
a. Hostile takeover
b. Run on the shares
c. Incident affecting the banking system
d. Cyber incident affecting operations or delivery of services
e. Suppliers using underage workers or modern slavery
a. Protest against the organisation
b. Protest targeting senior managers, suppliers or shareholders
c. Scandal or corporate wrong doing (by employees or senior managers)
d. Strike by employees
e. Others striking, effecting delivery of service
f. Civil unrest or rioting
g. Death or multiple injuries at one of our sites to staff, contractors or members of the public
h. Kidnap or blackmail
a. Product recall or allegations of product causing harm
b. Data breach
c. Lock out of data
d. Explosion, accident or incident at site
a. A sudden legal process, such as a dawn raid or emergency court application
b. Regulator enforcement and close down of operations
c. Legal case causing reputational damage
d. Cover up
e. Accusations of bribes
f. Health and safety breaches
a. Spillage or discharge off-site impacting on local community or members of the public
b. Business process being found to be causing major environmental damage
c. Environmental bad practice by supplier of failure to dispose of correctly hazardous materials
I am still not sure about my list. It goes beyond the list in the Good Practice Guidelines, but I am still not convinced it captures all the different types of risks that should be considered. This list is very generic and doesn’t take into account the risks specific to the industry. We also need to consider black swans that have occurred elsewhere, but the organisation undertaking the risk assessment may have never heard of them.
If anyone has a better list or methodology I would be very interested in hearing from you and seeing if you have cracked this particular hard nut!