This week Charlie talks about writing incident scenarios and how different business continuity plans have come back in style.
What was once fashionable always tends to come back into fashion at some point. Flared trousers seem to come and go quite regularly. Fashion from my youth has come round again, as we are seeing the return of shoulder pads, big hair and the mullet. This is the same in the business continuity industry, with the return of risk scenarios, which have gone full circle over the last 20 years. The use of risk scenarios is being pushed by the PRA and the FCA at present, as part of their operational resilience agenda.
There was a time when, if you looked at a business continuity plan, it consisted of a series of risk scenarios. These could include plans for flooding, fires, tornadoes, disrupted transport links, and even an incident at a nearby nuclear plant. This style of planning was particularly prevalent in the USA, where they have a multitude of different natural hazards, which were addressed in business continuity plans. However, you ended up with a plan consisting of 10-15 scenarios, most of which contained a checklist of actions that were the same for every event. This led to large binder-sized plans, which might have looked the part to an auditor or an organisation that was only concerned with ticking boxes, but were fairly useless in an incident.
The ‘trend’ now is to have plans which cover the loss of an asset. If your building is lost to a fire, flood, or denial of access, the cause of the loss is not as important. Instead, our plan focuses on how you can respond to the loss of use, in terms of the asset. This has led to shorter and more focused plans, as practitioners know that those responding will ignore long, complicated plans when reacting to an incident. Like all good fashion trends, there are always people who cling to past trends, long after they have become unfashionable. Even now, when I am reviewing business continuity plans, I still see plans covering every single scenario they can think of, for example, a flood and a fire. Nevertheless, these types of plans are becoming increasingly rare.
The PRA and the FCA in the UK have revived the idea that organisations should prepare for any incident that could happen, including ‘extreme but plausible’ scenarios. These scenarios can be taken from incidents or near misses, which have happened to other organisations, and “could consider failures within their control (e.g. system failures) as well as those, outside of their control (e.g. disruption to essential infrastructures, such as power, transport or telecommunications)”. Interestingly, the FCA also state in ‘Building operational resilience: Impact tolerances for important business services’, that organisations should not “devote too much time to considering the relevant probability of incidents occurring”. Therefore, there is no need to overthink the likelihood of these scenarios happening. This thinking is aligned with another bulletin I have written, ‘Risky Business: Is Looking at Likelihood a Waste of Time?’.
I do like the idea of looking at different scenarios when considering business continuity plans, as I believe they add value and help focus our response.
It’s part of the business continuity lifecycle to look at the risks to our organisation. Often when I speak to clients about what they think their risks are, terrorism pops up. This identification of terrorism as a risk doesn’t help me plan for it. Do you mean the type of attacks we have seen in London, where a lone wolf or a gang run amok stabbing people? The risk of this type of terrorism to the organisation is low. Even if the attack took place outside their building, the likelihood of more than 1-2 people being affected is low. Or, by a terrorist attack, do you mean the huge truck-borne bombs placed around London, which blew up several offices and caused a massive amount of damage? Both are terrorist attacks, but they have very different impacts and require very different responses.
If we believe that terrorism is a key risk, we could write a response plan for the type of terrorism we are planning for. An example is listed below:
Planning Scenario – Terrorism
Type of attack: Terrorist attack involving one or more terrorists randomly attacking people on the street or at transport hubs. The attack could be by knife, bomb or vehicle. It is unlikely that the attack will be targeted at our staff or organisation.
Likely impacts to prepare for:
- 1-5 employees injured or possibly killed
- Transport lockdown
- A safe shelter in place
- Possible denial of access to the office if it occurs outside
- Transport disruption potentially lasting for several days
Contingencies to be prepared for in response to this scenario:
- Dealing with staff injured, or death in service
- Dealing with relatives and family of those injured and killed
- Accounting for all staff
- Communications on transport disruptions
- Denial of access to office
I like this example because we have clearly stated what we are preparing for, we understand the impacts, and we have developed contingency plans around the potential threat. It’s also important to describe how we see the threat unfolding. For example, if the attack was an IRA-style car bomb, then we know that we don’t have plans in place for this type of incident, and we will have to make up the response as we go along. By recording the scenario we are preparing for, the Board that oversees the business continuity plans can clearly see our capabilities and the type of incident our plan addresses. This provides clarity on the scale of the incident we are preparing for. In our terrorism planning scenario, we have envisaged a maximum of 5 staff injured. There are additional issues we must consider: the person or people injured or killed could be vital employees of the company, and their skills and knowledge may be difficult to replace in the short term, impacting the organisation as a whole.
I think this type of descriptive scenario planning is more useful for those planning the response to an incident than taking risks directly from a risk register. If the risk is ‘flooding’, what does this mean? A small flood or a big flood, and what is the impact of the flood? This raises a lot of questions but doesn’t help the person writing the business continuity plan to describe a response.
I am with the PRA and FCA in pushing organisations to write detailed scenarios as part of their operational resilience agenda, and then to use these scenarios to check whether the organisations’ impact tolerances would be exceeded. So, I challenge you to go out and start describing the scenarios you are planning for and then get them signed off by top management, so that there is clarity in your organisation regarding what type of incident you are prepared to deal with.