In 1998, while promoting the Australian approach to emergency risk management, I used the above quote from Mazzini. It was an opportunity to reset our approach – to move from a focus on hazards to a focus on vulnerability. Similarly, today I share an exciting step we took on 1 June, as our AgileBCP software development project transitioned from testing and soft launched to potential consulting partners.
The “sure we could, but why would we want to” test is a classic. It is answered in the table above and in the five key things this Software as a Service helps you do:
1. Plan for risks that affect your business
2. Identify the business activities that are essential for continued operation during a disruption
3. Assess the vulnerability of those essential activities
4. Develop continuity and resilience plans tailored to your business, giving you a plan before any disruption event
5. Develop response and recovery plans tailored to your business, giving you a plan in the event the worst occurs
All entities (organizations) have purposes or aims, and objectives which are achieved by providing products and services.
These products and services are made possible by the critical activities which produce them – and significantly, for business continuity, the resources which underpin those activities.
Meanings are important. Using agreed meanings provides clarity and consistency.
Most “keywords” used in our approach are from ISO 22301 Security and Resilience – Business Continuity Management Systems – Requirements.
Organization – “Person or group of people that has its own functions with responsibilities, authorities, and relationships to achieve its objectives”
Objective – “Result to be achieved”
Statements of objectives – i.e. “where you are headed and how you will know when you have arrived” – should be in performance terms so that you can plan how best to get there, and how to measure progress toward it.
Product / Service
“Output or outcome provided by an organization”
Activity – “Set of one or more tasks with a defined output”
Process – “Set of interrelated or interacting activities which transforms inputs into outputs”
Prioritized activity – “Activity to which urgency is given in order to avoid unacceptable impacts to the business”
Resources – “All assets (including plant and equipment), people, skills, technology, premises, and supplies and information (whether electronic or not) that an organization must have available to use, when needed, in order to operate and meet its objective”
Definitions in philosophy are often offered in terms of necessary and sufficient conditions.
A necessary condition is something that must hold in order for something to be the case. E.g. it is a necessary condition of being a human that you are a mammal, but this is not sufficient.
A sufficient condition is something that assures that something is the case. E.g. it is a sufficient condition for being a mammal that you are a human, yet it is not necessary.
It is usual for definitions to be stated in terms of individually necessary and jointly sufficient conditions. E.g. a necessary condition for being a sister is that you are female. However, this alone is not sufficient for sisterhood; it is also necessary that you be a sibling. As such there are two individually necessary conditions for being a sister and these are jointly sufficient. Therefore, we can define a sister as a female sibling.
From change management workplace reviews and reimagining future organizational structures, to business continuity and crisis management, this thinking (focusing on necessity and sufficiency) is applied to consider the sets of resources needed for effective activities, supporting products and services which achieve objectives.
Risk – “Effect of uncertainty on objectives”
“Risk” is a concept used in a range of ways by different people and different cultures to make sense of, give meaning to, and help understand “uncertainty”. Recognizing this, the notes below are attached to the definition of Risk in the Standard (ISO 22301 Security and Resilience – Business Continuity Management Systems – Requirements).
Note 1 An effect is a deviation from the expected – positive or negative.
Note 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these.
Note 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73) of occurrence.
Event – “Occurrence or change of a particular set of circumstances”
Note 1 An event can be one or more occurrences – and can have several causes.
Note 2 An event can consist of something not happening.
Note 3 An event can sometimes be referred to as an “incident” or “accident”.
Note 4 An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.
Consequence – “Outcome of an event affecting objectives”
Note 1 An event can lead to a range of consequences.
Note 2 A consequence can be certain or uncertain and can have positive or negative effects on objectives.
Note 3 Consequences can be expressed qualitatively or quantitatively.
Note 4 Initial consequences can escalate through knock-on effects.
Note 5 This (“Risk”) constitutes one of the common terms and core definitions of the high-level structure for ISO management system standards. The definition has been modified to add “on objectives” to be consistent with ISO 31000.
Risk criteria – “Terms of reference against which the significance of a risk is evaluated” [SOURCE: ISO Guide 73 Risk Management – Vocabulary]
Note 1 Risk criteria are based on organizational objectives, and context.
Note 2 Risk criteria can be derived from standards, laws, policies and other requirements.
The risk criteria used in the AgileBCP® approach are about the importance of elements at risk (criticality); vulnerability; and impact.
Vulnerability – “Propensity or predisposition to be adversely affected”.
[SOURCE: ISO 14091 Adaptation to climate change – Guidelines on vulnerability, impacts and risk assessment]
Note: Vulnerability encompasses a variety of concepts and elements including sensitivity or susceptibility to harm and lack of capacity to cope and adapt. [SOURCE: ISO 14090:2019] Adaptive capacity is the “ability of systems, institutions, humans, and other organisms to adjust to potential damage, to take advantage of opportunities, or to respond to consequences” [SOURCE: ISO 14090:2019]
Vulnerability may be summarized as “a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular event.” [SOURCE: Glossary of Environment Statistics, Studies in Methods, Series F, No. 67, The Organisation for Economic Co-operation and Development]
Likelihood – “Chance of something happening”
Note 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
Note 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English. [SOURCE: ISO Guide 73]
The effect of an event (on the capability to achieve objectives) which may be a positive or negative deviation from what is expected.
Criteria-based considerations provide a consistent and agreed approach to structured conversations. We apply THREE KEY CRITERIA to CHARACTERIZE RISK to Resources – and therefore, risk to the organization’s capability to achieve its objectives.
AgileBCP® enables you to develop and apply your own thresholds – to reflect the requirements of your context.
Criterion 1 – CRITICALITY OF THE RESOURCE
For how long can this resource be unavailable before there is a critical effect on the continuity and effectiveness of the activity?
(1) more than 1 week.
(2) 5 working days.
(3) 3 to 4 working days.
(4) 1 to 2 working days.
(5) less than 1 day.
If the resource were unavailable, how might that influence the achievement of objectives?
(1) Insignificant: Negligible impact on objectives if resource is inactive.
(2) Minor: Effects on objectives easily remedied if resource is inactive.
(3) Moderate: Some objectives affected if resource is inactive.
(4) Major: Some important objectives cannot be achieved if resource is inactive.
(5) Absolute: All objectives are compromised if resource is inactive.
Criterion 2 – VULNERABILITY OF THE RESOURCE
How vulnerable is this resource in the current circumstances?
Vulnerability is a function of many things. Vulnerability may be summarized as “a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular event.” [SOURCE: Glossary of Environment Statistics, Studies in Methods, Series F, No. 67, The Organisation for Economic Co-operation and Development]
In a nutshell, it is about the resource’s “propensity or predisposition to be adversely affected”. [SOURCE: ISO 14091 Adaptation to climate change – Guidelines on vulnerability, impacts and risk assessment]
Note: Vulnerability encompasses a variety of concepts and elements including sensitivity or susceptibility to harm and lack of capacity to cope and adapt. [SOURCE: ISO 14090:2019 Adaptation to climate change]
Adaptive capacity is the “ability of systems, institutions, humans, and other organisms to adjust to potential damage, to take advantage of opportunities, or to respond to consequences”.
For people, this may be about factors such as their health and their behaviour.
For premises, it may be about such things as the integrity of the structure and location (exposure to hazards).
For providers, from utilities (“lifelines” – such as energy, water, waste, communications) to supplies related more directly to your products and services, it may be about factors such as the provider’s size, capability, resilience, and replaceability.
For processes, it may be about factors such as their fitness for purposes and backup.
For profile, it may be about the nature and perception of the prioritized activity, associated stakeholders, and how well relationships associated with the activity are managed.
Criterion 3 – IMPACT ON THE CAPABILITY OF THE RESOURCE
Consider the impact on this resource’s functionality in the present circumstances.
For how long can the loss of capability (to support the achievement of objectives) be afforded? Guidelines:
(1) more than 1 week
(2) 5 working days
(3) 3 to 4 working days
(4) 1 to 2 working days
(5) less than 1 day
Consider how impact might influence the achievement of objectives. Guidelines:
(1) Insignificant: Negligible impact on objectives
(2) Minor: Effects on objectives easily remedied
(3) Moderate: Some objectives affected
(4) Major: Some important objectives cannot be achieved
(5) Absolute: All objectives are compromised.
AgileBCP® – nimble, informed, decision making is at the heart of the framework.