BCM and the Risk Analysis (RA): Is it Dead or Dying?

Don’t forget, you could win a FREE BCM Program Evaluation. 

For details go to www.stone-road.com.  Good Luck!!


I overheard an interesting comment the other day between two senior project management representatives: ‘…just go straight to the impact analysis; we already know what are risks are.’  I’m paraphrasing a bit but what got me was that they were talking about not doing any sort of risk assessment.  As usually, I put everything into a BCM/DR/ERM context and I thought, ‘Is the risk analysis dead or just dying?’

With recent events in the world being and the various disasters that are occurring, I was wondering if anyone performs a Risk Assessment (RA) anymore.  In many cases, BCM/DR/ERM programs are started because a corporation has already had a disaster and they jump straight to developing communication and contingency strategies because they already know they’re vulnerable in areas.  If they already had a disaster, what’s the benefit of performing a time-consuming initiative like a RA only to be told they are vulnerable; they already know that.

Financial Institutions and many other like-minded and focused organizations follow RA processes when determining strategy and tactical activities – though if you read the headlines, some of them don’t perform the RA very well – to make money and increase market share.  That might be the reason why the RA is not followed as rigidly as it once was.  If there is a chance to make more money and increase market share and keep unemployment levels low while increasing the corporations brand awareness, the RA might uncover areas that can hinder the ability to make money and keep the company looking ‘good.’  Rather, corporations would rather accept the risk – or ignore it altogether – and go as far as they can with their strategies until something occurs; then worry about the impacts.

Many corporations that focus on their financial risk exposures, make assumptions of what will happen if their operations stop, basically skipping the RA and wanting to know what the impact will be when something happens.  They make the assumption that a disaster will occur and want to know the impact to the corporation, not paying attention the what the vulnerabilities are but rather what will happen if ‘anything’ occurs.

By ignoring a proper RA, corporations increase their vulnerability to disasters.  The RA is being skipped over for actual deliverables, which may – or may not, depending upon how the program is build – harm the program later on because assumptions of what will hurt them are made into contingencies, while those risks that are particular to the corporation are missed for quick and dirty plan development.  The RA can identify that an organization is vulnerable to a particular instance, which means that a proper contingency can later be developed but if it’s skipped and never identified through the RA, when it occurs –and it will – there won’t be anything in place to properly and effectively deal with the situation.

There is in itself when it’s decided to do nothing.  As an example, natural disasters are on the increase and occurring in all areas of the globe, placing people in situations they wouldn’t normally have experienced.

Here’s just a short list of things that are occurring right now:

  1. Volcanic activity (think how the Iceland eruption crippled European travel);
  2. Heat Waves scorching crops (US, Canada, Horn of Africa)
  3. Flash floods in the UK (July 2012),
  4. Flash floods in Russia (July 2012),
  5. Airplanes into buildings (think 9/11)
  6. Texas and Colorado wildfires in the US (June/July 2012)
  7. Arab Spring (which is still occurring in some areas)

For many, it’s no longer a case of what might affect us or what we might be exposed to, but rather, what do we do when we’re exposed to it?  This is the thinking we want organizations and communities to have.  But in getting people to think this way, the RA is slowly falling out of favour and organizations are heading straight to the BIA or even skipping that and going to contingency development and implementation.

Insurance and regulators also want to see results of BCM / DR / ERM planning and programs.  They want contingency strategies and plans in place that show what an organization will do when a disaster occurs.  This also aids in having an organization skip the RA (and often the BIA) and go straight for the contingency development phase.

In the past, a disaster was considered a mere minor possibility of occurring but now a disaster has become fact.  Just turn on the TV and it details the latest set of disasters around the globe.  What was a risk is no longer a risk; it’s real and occurring, driving people away from performing RA’s and moving immediately towards contingency development.  This is what we want organizations to think after all but we want them to ensure that all the right planning steps are taken to build the BCM/DR/ERM program.

There is a feeling that anything can occur – and is occurring – so it’s OK to skip the RA step because it will only validate what they already believe to be the truth; that there are risks that will impact an organizations people, places and things (IT, operations etc).  So they decide to build on the worst case scenario and then work backwards, addressing smaller risks as program development proceeds.  This is a quick and dirty approach, which if done correctly can still provide the right answers and strategies needed but if done wrong, can hinder an organization later down the road.

Could it be a sense of paranoia that is beginning to prevail?  A sense that disaster is imminent; it’s just unknown when it will occur.  If so, that would be why many are skipping the RA and heading towards the BIA first – or jumping further along the path right to the contingency development stage.

Is it possible for the leading governing bodies within the BCM/DR/ERM industries to rethink the RA and BIA processes and streamline the governance around them to meet the thinking of today’s organizations, rather than trying to change the organizations thinking to meet the needs of the governing bodies?

Personally, I think it might be a combination of both and a dialogue needs to be held, as the RA and BAI are both necessary steps in ensuring a solid foundation for any BCM/DR/ERM program.  Is it possible to combine the two?  I don’t think the RA is dying but its importance might be slipping, especially if the acceptance of the potential for a disaster is being accepted by organizations.  The RA is slipping unnecessarily, as it identifies exposures and vulnerabilities for organization, which ultimately help determine impacts and later, the development of ‘fit for purpose’ contingency strategies.

We’ve got corporations thinking the way we want – or at least Mother Nature has – and it seems we haven’t properly thought out what we’d do if organizations did accept our line of thinking (that a disaster will occur).  Now that they do, they don’t see the need for the RA, they see the need and value in contingency strategies and plans.  The industry needs to think about this and ensure that our processes and way of thinking keeps pace with what is needed.



Win a FREE BCM/DR/ERM program evaluation.   

Go to www.stone-road.com for details.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s