By Robert Sibik | 2019-03-21T10:18:29+00:00 | October 3rd, 2018

Tying it Together: How ‘The Bowtie Method’ Enables an Operational Approach to Risk Management

Combining two seemingly unrelated entities to make a better, more useful creation is a keystone of innovation. Think of products like the clock radio and the wheeled suitcase, and you can see how effective it can be to combine two outwardly disparate things.

This viewpoint is especially useful in the business realm, particularly when it comes to protecting a business from risk. Many companies treat risk management and business continuity as different entities under the same workflows, and that is a mistake; to be optimally effective, the two must be combined and aligned.

Mistaken Approaches

Business continuity traditionally starts with a business impact assessment, but many companies don’t go beyond that. They don’t make a tactical plan or any strategic decisions on how to reduce impact once they have identified what could go wrong.

Organizations must move beyond simplistic goals of creating a business continuity plan using legacy tools. These approaches incorrectly move the focus to, “do we have our plans done?” or create a checklist mentality of, “did we pass the audit?” 

In addition to legacy approaches, benchmarking must be avoided. It can provide misleading conclusions about acceptable risk and appropriate investment, and create a false sense of having a competitive advantage over others in the industry. Even companies in the same industry should have their own ideas about what constitutes risk.

Take the retail industry. Two organizations may sell the same basic product – clothing – but one sells luxury brands and the other sells value brands. The value store’s business processes and strategies will focus on discounts as well as efficiencies in logistics. The luxury store will focus on personalized service and in-store amenities for shoppers. These two stores exist in the same industry and sell the same thing, but they have vastly different types of merchandise, prices and clientele, which means their shareholder value and business risks will look very different from each other.

Businesses need to understand levels of acceptable risk in their individual organization and map those risks to their business processes, measuring them based on how much the business is impacted if a process is disrupted. By determining what risks are acceptable, leadership can make rational decisions at the executive level on the extent to which they invest in resilience – based not on theory, but on reality.

Creating an Integrated Approach with the Bowtie Model

Using the bowtie model, organizations can appropriately marry business continuity and risk management practices.

This approach uses one half of the bow to represent the likelihood of risk events and the other half to represent mitigation measures. The middle – the knot – represents a disaster event, such as IT services going down, a warehouse fire, or a supplier going out of business.

To use this model, first, determine every possible disruption to your organization through painstaking analysis of your processes. Then determine the likelihood of each disruption (the left part of the bow), as well as mitigating measures one can take to reduce the impact of the disruption should it occur (the right part of the bow).

Consider, for example, the disruptive event of a building fire – the “knot” in this case.

How likely is it? Was the building built in the 1800s and made of flammable materials like wood, or is it newer steel construction? Is there a restaurant in the same building that would create a higher risk of fire? These answers comprise the first half of the bowtie.

On the other half of the bowtie, you’ll find the measures that could reduce the impact of a building fire, such as ensuring water sources and fire extinguishers throughout the building, testing sprinkler systems, having an alternate workspace to move to, and so on.

The mitigating measures are especially key here, as they aren’t always captured in traditional risk assessments. Understanding mitigation measures, along with the likelihood of risk events, can change perspectives on how much risk an organization can take. Mitigation methods such as being ready to move to an alternate workspace are more realistic than trying to prevent events entirely; at some point, you can accept the risk because you know how to address the impact.

A Winning Combination

Bringing together business continuity with risk management and performing holistic dependency mapping allows an organization to treat both as a single operational process. This brings data together to create actionable info to empower decisive actions and positive results.

Using the bowtie method to create a holistic view, companies get the best of both worlds and ensure they understand the possibilities of various disruptions, are taking steps to mitigate the possibilities of disasters, and have prepared their responses to disasters should they strike. This approach to risk management will help keep a business up and running and ensure greater value for shareholders – this year and in years to come.

About the Author

Robert Sibik is senior vice president at Fusion Risk Management. Sibik can be reached at [email protected].

 
