By Jeremiah Ndhlovu
“To hope for the best and prepare for the worst, is a trite but a good maxim.” (Supposedly John Jay – 1813)
The Coronavirus (Covid-19) has affected organisations to unheard-of levels in recent times. The disruption, owing to Covid-19, could not have been imagined a couple of months ago. Severe earthquakes, civil unrest, floods, etc. can also have significant impacts on organisations.
As such, everyone is asking: Why did the risk management systems fail to ease the impact of such a disruption? The Covid-19 crisis is a typical example of a black swan. Simply defined, a black swan is an unpredictable or unforeseen event, typically one with extreme consequences.
It is critical to discuss the black swan phenomenon when stakeholders can easily relate to the tangible impact of the Covid-19 pandemic. Black swans occupy a special place in risk management frameworks and they require specialised processes, not ordinary everyday risk management processes, to tackle them.
Normally, risk practitioners prioritise easing of risks in organisations based on the assigned inherent risk ratings. The inherent risk ratings mainly consider the likelihood of an event occurring and its impact if it materialises. This means that events with a significant impact and that occur frequently are rated as high risk and generally get more attention.
History is, however, full of “once in a lifetime” events with significant impact, but rare occurrence. Such disruptive events have a high probability of ending many organisations’ existence. As articulated by Winston Scott, Director of Florida Space Port: “At the onset of an emergency, everyone’s IQ goes immediately to zero”. It is human nature that we fail to come up with reasonable decisions to optimise a situation when we are in a disaster. It is, therefore, important to plan for credible, but rare disruptive events to ensure organisations survive an occurrence of such events.
The corporate risk management department’s mandate is incomplete when a practical plan for black swans is missing within the organisation. The framework for developing a functional business recovery and continuity framework mainly includes the following processes:
- The risk management department identifies credible, but rare events which may impact the organisation during its existence. Some of these credible events may include a pandemic outbreak, destruction of premises and work spaces, civil and political unrest, severe workplace and road accidents, natural disasters (for example, floods), information technology black-out, etc.
- The risk management department works with all functions across the organisation to identify critical business processes or outcomes. Critical business processes or outcomes are those that will boost an organisation’s chances for survival from disruptive events, from a financial, operational and compliance point of view.
- The risk management department conducts detailed business impact analyses (BIAs) of the potential disruptive events on critical business processes. Functional units’ input is critical in building resilient and responsive plans.
- The risk management department and the functional units strategise to respond to identified impact for each credible event. Examples of such strategies are:
  - Human resources – first aid training, succession planning, policy restricting critical resources travelling in the same vehicle.
  - Premises – setting up alternative or disaster recovery sites (critical for information technology resources).
- The risk management department documents disaster recovery plans (BCPs) to inform all functional units of the predefined and methodical steps that the organisation should undertake in case of a disruptive event.
- The risk management department works with senior management to plan and test whether the BCPs are effectively responsive to the potential disruptive events. The tests can be conducted through interviews with stakeholders, to ascertain whether they are aware of their responsibilities in cases of emergency, or through drills (mock disasters). Testing is critical as organisations risk maintaining defective BCPs, which will not optimise the organisation’s recovery and continuity prospects.
The BCPs should be detailed enough to incorporate expected recovery times and the organisation’s capacity to rework and recover any critical outcomes destroyed by the disaster.
Business recovery and continuity are components which require pervasive application in an organisation and the risk management department ought to have the knowledge and capacity to oversee their establishment.
About the Author
Jeremiah Ndhlovu is a Certified Expert in Risk Management (CERM). He has acquired extensive risk management insights in the mining sector through outsource projects, including enterprise risk management, combined assurance, process and controls standardisation, internal auditing and external auditing.