YourFlyingFish – our nimble Business Continuity Planning app

Risk is a concept that helps give meaning to uncertainty

– especially uncertainties around vulnerability to extreme events.


Our soon-to-be-available app uses an approach that recognises we all have different contexts.

– we might share some of the same exposures to extreme events

– we might share some of the same things we care about

Yet there is a need to consider how your hazards interface with your vulnerabilities.

– your hazards of significance

– your asset vulnerabilities

– your thresholds for acceptable risk

… and based on these considerations, tailor your action plans to meet your needs.

Your risk lens will bring nimbleness and rigor to your tailored approach.

The default context of the app is set for “business” – where the focus is on the “care-abouts”supporting prioritised activities (the set of necessary activities required to deliver a product or service).

Where risk is viewed as a function of the interface between significant hazards relevant to the business context and the vulnerability of critical resources/assets.

“Before Impact” risk “scores” are calculated by multiplying hazard significance with vulnerability of the “care-about”.
”After impact” risk “scores” are calculated by multiplying hazard significance with impact on the “care-about”.

The default setting for the threshold between low and medium is 25
The default setting for the threshold between medium and high is 60
“Acceptable” risk and “thresholds of tolerance” are a function of context
– a function of your values and culture. Therefore, adjust your settings accordingly.
Risk as a ƒunction of Hazard and Vulnerability is a nuanced heuristic
which stimulates thinking and decision making

How does the app work?

1. Identify hazards relevant to your context and attribute a score to their significance.

Select hazards relevant to your context – and / or add your own.

Examples below are from the “Standard on Continuity, Emergency, and Crisis Management”, NFPA 1600


  1. Earthquake

2. Landslide, mudslide, subsidence

3. Tsunami

4. Volcano


5. Drought

6. Extreme temperatures (hot, cold)

7. Famine

8. Flood, flash flood, seiche, tidal surge

9. Geomagnetic storm

10. Lightning

11. Snow, ice, hail, sleet, avalanche

12. Wild land fire / Bushfire

13. Windstorm, tropical cyclone, hurricane, tornado, waterspout, dust storm, sandstorm


14. Food-borne illnesses

15. Infectious/communicable/pandemic diseases

Accidental human-caused:

16. Building / structure collapse

17. Entrapment

18. Explosion / fire

19. Fuel/resource shortage

20. Hazardous material spill or release

21. Equipment failure

22. Nuclear reactor incident

23. Radiological incident

24. Transportation incident

25. Unavailability of essential employee(s)

26. Water control structure failure (e.g. Dam or Levee)

27. Misinformation

Intentional human-caused:

28. Incendiary fire

29. Bomb threat

30. Demonstrations/civil disturbance/riot/insurrection

31. Discrimination/harassment

32. Disinformation (rumours, false allegations, or accusations)

33. Kidnapping/hostage/extortion

34. Geopolitical risks including acts of war, change in government, and political instability

35. Missing person

36. Cyber security incidents

37. Product defect or contamination

38. Robbery / theft / fraud

39. Strike or labor dispute

40. Suspicious package

41. Terrorism

42. Vandalism / sabotage

43. Workplace / school / university violence

44. Supply chain constraint or failure


45. Hardware, software, and network connectivity interruption, disruption, or failure

46. Utility interruption, disruption, or failure


47. Foreign currency exchange rate change

48. Economic recession

49. Boycott

50. Theft / fraud / malfeasance / impropriety / scandal involving currency, monetary instruments, goods, and intellectual property


51. Loss of senior executive

52. Failed acquisition/strategic initiative

53. Humanitarian issues

Attribute a level of significance to each of the hazards relevant to you
(on a scale of 1, LOWEST to 10, HIGHEST)
This slider type will also be used to attribute levels of vulnerability and levels of impact

When attributing a level of significance to the “Hazard” consideration should include:

  1. past recurrence intervals (how many events in the last “x” years)

2. future likelihood of occurrence (is frequency increasing)

3. speed of onset (how quickly might it be upon us)

4. magnitude (how big will it be)

5. duration (how long will it stay)

6. timing (is it more significant at different times)

7. intensity (how much energy is released)

8. likely or potential area of coverage (extent of spatial impact)

9. perception (level of fear or dread invoked)

10. protection (level of existing mitigating factors)

2. Identify the things you care about (“care-abouts”) and score their vulnerability against significant hazards (when disasters occur, the impact slider can be used).

Identify and describe things you “care-about”
(Resources/Assets which your prioritised activities rely on are set as the default)


For each of the identified processes or prioritised activities required for your entity to achieve its objectives, identify the “care-abouts” that support the processes or critical activities by focusing on the following:

(1) Personnel

(2) Equipment

(3) Infrastructure (including premises)

(4) Technology (including plant and equipment)

(5) Information (digital and analogue)

(6) Supply chain (supplies and suppliers)

(7) Reputation

How vulnerable is this resource in the current circumstances? 

Vulnerability is a function of many things.

It is about the characteristics and features of the resource, and the dependencies and interdependencies associated with it, which make it more resilient, or more adaptable, or more fragile.

Vulnerability may be summarized as “a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular event.” [SOURCE: Glossary of Environment Statistics, Studies in Methods, Series F, No. 67, The Organisation for Economic Co-operation and Development]

For people, this may be about factors such as their health and their behaviour. ​

For premises, it may be about such things as the integrity of the structure and location (exposure to hazards). ​

For processes, it may be about factors such as their fitness for purposes and backup. ​

For providers, from utilities (“lifelines” – such as energy, water, waste, communications) to supplies related more directly to your products and services, it may be about factors such as the provider’s size, capability, resilience, and replaceability. ​

For profile, it may be about the nature and perception of the prioritised activity, associated stakeholders, and how well relationships associated with the activity are managed.

Note: Vulnerability encompasses a variety of concepts and elements including sensitivity or susceptibility to harm and lack of capacity to cope and adapt. [SOURCE: ISO 14090:2019 Adaptation to climate change] Adaptive capacity is the “ability of systems, institutions, humans, and other organisms to adjust to potential damage, to take advantage of opportunities, or to respond to consequences”.

In a nutshell, it is about the resource’s “propensity or predisposition to be adversely affected”. [SOURCE: ISO 14091 Adaptation to climate change – Guidelines on vulnerability, impacts and risk assessment]

Evaluating vulnerabilities should give consideration to:
(1) Dependencies
(2) Single-source and sole-source suppliers
(3) Single points of failure
(4) Potential qualitative and quantitative impacts from a disruption to the resources in NFPA 1600/1660 (people, property, operational capabilities including technology, the environment, and the entity itself)

Linkage between data fields – each significant hazard and associated “Care-Abouts”
Template to add “care-abouts” for your context

Communication and collaboration are fundamental to successful management. Especially the management of risk. Therefore reports generated are based on being able to select from combinations of any – or all – of the data fields outlined above, and can be generated as PDF documents – to be shared and communicated as required.