How might the future be different?  The value of Horizon Scanning.

Posted on February 22, 2015 by Editor

Horizon scanning is an essential capability in any progressive resilience programme.  It helps to answer the question whether the resources employed in support of the resilience programme have been allocated in a way proportionate to the current and potential threats that the company is and will be facing.   By the time questions regarding specific threats are raised in the board room, it is important that resilience programme leaders can demonstrate a level of preparedness.  This was evident at the time of the H1N1 epidemic, where many resilience programmes were indeed “mostly there” by the time a specific threat reached the agenda of the senior management team, thereby underscoring the value of the resilience approach to risk management. Of course, horizon scanning has a broader business intelligence application that can cover industry, market, competitor and customer development in its support of corporate strategy development but this post will focus on its application to resiliency.

Most resilience practitioners agree that the outputs of horizon scanning are helpful to inform a resilience programme.  According to the Business Continuity Institute’s (BCI) Horizon Scan 2013[1], 77% of organisations in which BCI members are employed, perform longer term trend analysis whether centralised within a function such as strategy and risk or decentralised according to departmental needs.  29% are actively involved in the analysis while some 48% use the inputs for their analysis.  However, 21% of Business Continuity (BC) professionals do not have access to this information even though they know it exists.  The most common application of the information is its use in informing exercise scenarios and future capability development.

However, there is a bigger win on offer here with horizon scanning in that it provides resilience programme with the opportunity to help protect the long term strategy and provide assurance that plans and capabilities are in place to effectively respond to a diverse and changing threat environment.  If you want to present resilience capability strategically then understand future trends and how the business might look in 5 to 10 years’ time and use scenarios to help executives think through issues.  With companies embracing the opportunities of globally extended supply chains, for example, the opportunity arises to present resilience as a key business capability.

One of the often cited challenges is to move from an ad hoc approach to a systematic methodology where resilience capability is developed; likewise there is a need to settle on some key concepts and methods that are effective.  This post, expanded upon in much greater detail in an article written by the author in Operational Resilience in Financial Institutions, sets out a definition of horizon scanning, asks which horizon and whose horizon is to be considered, and offers a taxonomy for the analytical model along with advice on sources of information and practical considerations in developing a horizon scanning capability.

The value of horizon scanning

In a hyper-connected world, the real challenge for risk management is ‘time’.  Risks propagate quickly and unexpectedly, so the need for an early warning system to gain time is acute; horizon scanning can support the development of this anticipatory capability.

We can already see that horizon scanning is going to be of value to any organisation that has any of the following characteristics:

  • Operating from international locations and conducting business around the world
  • Leveraging globally extended supply chains including in emerging markets
  • Operating in a highly regulated sector
  • Operating in an environment which demands high ethical standards
  • Reliant on the Internet and advancing technologies
  • Facing the need to meet highly demanding and constantly changing customer needs
  • Operating in an industry which is changing dramatically and likely to look very different from what it is today in 10 or 15 years’ time
  • Making investments now that will last for 10, 15, 20 or more years

Taking a quick step back, it’s worth reminding ourselves that horizon scanning is a methodology that more broadly supports the business intelligence function and is applied to understand industry, market and the competitive environment.  It is defined as “the systematic examination of potential threats, opportunities and likely future developments, including but not restricted to those at the margins of current thinking and planning.  Horizon Scanning may explore novel and unexpected issues as well as persistent problems and threats.”[2]

As the definition suggests horizon scanning is not just about finding new trends.  Known issues require the application of horizon scanning techniques, specifically around signals that may lead to an impending event or a changing environment – for example, the annual reports of listed companies will list a number of known risk factors, here are three taken form one report[3], by way of example:

  • Our international presence exposes us to risks associated with varied and changing political, cultural, legal and economic conditions worldwide
  • Our international operations expose us to risks associated with fluctuations in foreign exchange rates that could adversely affect our business
  • Political and economic conditions in the Middle East and other countries may adversely affect our business.

Horizon scanning is particularly important for organisations with extended global supply chains, as the firm may not be fully familiar with the exposures that their direct and indirect suppliers face nor the underlying dependencies of the supply chain both in terms of infrastructure, resources, economic and commercial relationships, and the regulatory environment.

The benefits of a systematic approach to horizon scanning become evident when sudden events happen.   The reason why some analysts can quickly provide a well-informed perspective on the origins and likely consequences of an unexpected event is that they are analysing the developments in countries or industries all of the time; it is just that not many other people are interested until it becomes a newsworthy or a board agenda item.  For example, it will always be difficult to predict when a dictator may be removed in a coup or popular uprising, but horizon scanning can help you to understand the consequences of a change in power, whether by natural causes or otherwise, and this work can be carried out well in advance of any social unrest or conflict occurring.   It therefore provides the ability to think through issues in a structured way and prepare for events.  The alternative to a systematic approach to horizon scanning is to chase headlines and make the link to your organisation’s interests on the fly.

Horizon scanning therefore helps to reveal exposures and prompts a discussion on consequences and preparedness in the context of an identified and evolving threat horizon.  As importantly, analysis can be used to provide talking points to engage the organisation and demonstrate the relevance and application of resiliency skills.  Some organisations may well use the input from horizon scanning to develop a vulnerability rating which evaluates and reflects both exposure and level of preparedness to meet the identified risks.  BC specifically provides the “mostly there” capability across a broad range of threats, and provides the foundation for the organisation to refine its final preparations as definition around the threat becomes clearer.

Which horizon and whose horizon?

One of the challenges with horizon scanning is choosing the timeline under analysis and relating available information to the desired timeline.  This can often give rise to a hierarchy of horizons with epistemic fractures between them because linkages across horizons are poorly understood.  The goal of horizon scanning is to provide both the broad picture and the long picture, so the timeline chosen and analytical approach needs to support this.

The timeline under consideration with horizon scanning will likely vary by the questions being asked and the nature of the decisions that need to be made.  There is likely to be a correlation between these criteria and industry sector.  While financial institutions may feel that a structure which rolls out from a 12 month view to a 3-5 year view and ultimately a 10 year one is sufficient, organisations in sectors such as energy and transport need to make much longer term investment decisions and will often look at 20 and 30 year horizons[4].

Working across the time horizons will require comfort in dealing with varying levels of uncertainty.  In the very long term, analysis may consider fundamentals and structures[5] such as demographic change, resource availability and quality of infrastructure, while in the medium term it will be easier to discern and document trends and patterns in demand and supply and changing industry structures, while the near term may require the inductive reasoning skills to relate events such as flooding and cyber-attacks and issues such as corporate responsibility to underlying trends.

It is also worth considering how external stakeholders view your and their own horizon, especially where they may be seeking to influence the environment in which your organisation operates. This may be particularly relevant to the treatment of ‘externalities’ regarding social and sustainability issues.

While the discussion on horizon scanning is rightly focused on the external environment, it is worth touching on whether the principles can be extended to analysing the internal environment:  Changes to the internal and external supply chain which are a result of management decisions can create vulnerabilities that once exposed to the macro environment cause problems that did not previously exist.   Given that larger organisations tend to look at opportunities to re-engineer the organisation on a regular basis then it is necessary to ensure that resiliency policy reflects these changes and the risk assessment is updated.  Managers need to be made aware of the short and longer term implications of decisions which affect business resilience.  For example, vulnerabilities could be introduced through new service delivery models offered by outsourcers or changes brought about by divesting unwanted assets.

What do we mean by scanning?

If we revisit the definition of horizon scanning, we can clearly see the output of the process: “…potential threats, opportunities and likely future developments, including but not restricted to those at the margins of current thinking and planning…”[6] but it is the scanning process which is fundamental to achieving these insights.

Scanning needs to be a systematic process to identify relevant sources of information to support analysis and evaluation of the threat landscape.   The process needs to be systematic in two respects – firstly, it needs to be an ongoing process because of the rapidly evolving threat landscape; an annual activity may well be insufficient – and secondly, a systematic approach introduces objectivity, as it will be possible to get beyond the most publicly talked-about threats or those recently experienced, to ensure that potentially lower profile but highly impactful events are identified and treated.

Another fundamental aspect of scanning is the ability to detect ‘signals’[7]. Depending on the time horizon under consideration, and as explained in the previous section, information is sought on changing structures, known issues or emerging trends.  These sources of information can be seen as signals once they have been transformed to insight and contextualised.   Signals can provide directional insight on an emerging trend or issue.  Horizon scanning therefore allows you to spot weak signals before highly impactful events occur.    Using a simple matrix allows you to gain an actionable overview of known-knowns, known-unknowns, and unknown-knowns[8] to quote the risk taxonomy popularised by Donald Rumsfeld, based on the strength of the signal and its business impact.

If you want to build an anticipatory capability then the skills at identifying signals and making sense of them is clearly a valuable one. Resiliency professionals will need to be proficient at gathering information and detecting relevant signals from what may be a mass of unstructured data.  Once information has been sourced analysis is required to get to an understanding of the potential development of an issue or trend.  This will require creative thinking about how a trend could evolve.

 A taxonomy for horizon scanning

The next step in developing a horizon scanning capability is to agree on the principle risk factors that you wish to include in the scanning process along with a taxonomy that works across the organisation.

In the financial services sector, institutions have a wide range of risks to consider from business and strategy risks to liquidity, capital and market, as well as operational.  BCM programmes may well start from operational risks but the skills involved in contingency planning and crisis response can be extended into other risk domains as part of the development of the programme.

A number of taxonomies are available to frame the analytical model.  One of the considerations in choosing the taxonomy is that it should help to explore the linkages between risk factors and potential cascade effects.  Another consideration is that as we are about communicating internally, it is advisable to use a popular taxonomy rather than create a new one. This also helps others to contribute to your own work.

Here is a brief description of the commonly used terms under the STEEP taxonomy with some examples of application in financial services:

Sociological (S):  Changes in social attitudes, consumer expectations and broader demographic development is an essential component of horizon scanning.   Corporate Responsibility (CR) is a good example of a risk factor that has become more important over time; evolving out of changing social attitudes.

Technological (T):  This risk factor does not require much introduction for financial services professionals, given that risks around technology are the traditional point of departure for many BCM programmes.  While technical outages do not bring big banks down, they do lead to regulatory fines, customer dissatisfaction and re-enforce any extant negative perceptions.

Economic (E):  Economic risk factors cover economic growth and decline, interest rates, exchange rates and inflation rates, wage rates, minimum wage, working hours, unemployment, credit availability and cost of living.  Clearly a critical area for financial institutions but not a familiar area for many BCM programmes.

Environmental (E):  Environmental risk factors are core territory for BCM programmes covering the consequences of adverse weather events, influenza pandemics, earthquakes and volcanic eruptions.  Horizon scanning in this context will look at changing patterns in any of these factors – both in terms of location, source, frequency and impact.

Political (P):  In a heavily regulated sector such as financial services, political and regulatory factors are going to weigh heavily. Political factors, usually influenced by social and economic imperatives, are the precursor to the legislative agenda and changes in the regulatory environment are often quoted[9] as one of the most significant risks that institutions face

It is worth reminding ourselves that the widespread adoption of BC in the financial services sector was triggered by a regulatory imperative, and BC’s continued adoption and growth will be dependent on its ability to respond to changing regulatory priorities.

At this point it is worth considering three points of caution before offering a model to apply the STEEP taxonomy:

  • It is important to emphasise that the impact of these STEEP factors can be highly contextual – an institution which has already suffered reputational damage is less likely to be able to withstand further incidents without creating a sense of crisis and challenge to the management team.
  • The fact that action or inactions, which now attract significant media and stakeholder attention did not do so in the past is testament to the need to monitor the changing environment and context.
  • One of the challenges of any simplified taxonomy such as STEEP is that it is difficult to represent systemic risks and cascading risks – in today’s highly efficient supply chains, risk propagation is much faster than in the past, taking advantage of the efficient systems that have been created, and the time to respond is the one resource that is getting ever scarcer in this environment[10].

Trends, issues and events can be considered across three time horizons – long, medium and near term – and categorised according to the nature of the risk – sociological, technological, economic, environmental or political.   Each segment can be taken in turn and signal strength assessed around identified emerging trends, issues or events.  It is important that the analysis considers the full value chain in this macro environmental context.

Sources of information for horizon scanning

So with a taxonomy in place that works for your organisation and relevant planning horizons, where should you look for information?

The good news is that there are a lot of freely available sources of information to provide insight into these environmental risk factors, albeit you might have to pull reports together and glean insights from reading specialist magazines, newspapers and websites.  The challenge is that many of these sources do not present the information through a commercial lens and often it requires a lot of time to read through the reports to find the relevant information – some of these reports can be very long term and beyond the time planning horizons of most commercial organisations, and they are often academic in presentation.  Climate change is often cited as one of those environmental risks, where it is difficult to action a response unless its consequences can be broken down across time horizons.

There are also paid-for services and the advantage here is that the publishing organisation is standing behind the analysis.  Increasingly new services are available that present horizon scanning information in an intuitive and visual manner through online software tools to support planning and bring together diverse sources of information and deliver insight in form that allows a simple calibration of risk appetite and filtering to the information of most relevance.

Regular use of the indicators will help professionals communicate and justify risk-informed decisions and support effective value chain management.

As an example, in one update[11] D&B downgraded Bangladesh by one quartile to DB5d, “due to the deteriorating security situation in the country and increasing frequency of highly disruptive strikes. Minimum-wage negotiations have been one of the triggers of the strikes and riots, but Bangladesh is also holding general elections in January 2014, and we have seen an outbreak of violent protests and demonstrations in the run-up to the polls”.

Are there limits to horizon scanning?

Pressures may force time and resources on to the current state of affairs, especially if a resiliency programme is driven by compliance requirements in isolation from the needs of the business, while some issues may not be seen as resilience matters.   Initially, it may only be feasible to focus on specific threats given limited resources and commitment but it is important to have a roadmap so you can build out from the initial quick wins.  It is also important to consider the opportunities that may be revealed through horizon scanning in a resilience context, for example, the increasing use of social media should be seen as providing new communication channels and a source of information during incidents, while cloud services can provide greater system resilience.

Conclusion

In conclusion, horizon scanning is an essential component of a resiliency programme.   The need for a systematic approach to horizon scanning has become more evident in recent years as supply chains become globalised and organisations are exposed to not only unfamiliar risks, but risks which propagate much faster and in unexpected combinations through highly optimised systems thereby reducing the time available to develop an effective response.  I would strongly recommended that horizon scanning be active and on-going in order to get behind the headline risks, while recognising that pragmatism may dictate the need to start with a limited area of analysis such as operational risks and build out from that point to a broader range of risks and thereby contribute not only to improved resilience, but also increased business performance.

Useful sources of horizon scanning information

[1] BCI Horizon Scan Survey 2013, Lee Glendon, The Business Continuity Institute http://www.thebci.org/index.php/download-the-2013-horizon-scan-report (registration required)

[2] Consultative Committee of Sector Councils for Research and cited by DEFRA and by British Chief Scientific Adviser’s Committee.

[3] Amdocs Ltd, Form 20-F (2011 Annual Report, Risk Factors)

[4] Stefan Gustafsson, BCM Executive Forum Report 2011, The Business Continuity Institute

[5] Early Warning: using competitive intelligence to anticipate market shifts, control risk and create powerful strategies.  Dr Ben Gilad, 2004, Published by Amacom (Shell case study)

[6] Refer to footnote #4

[7] Reference to signals in the context of EWS http://en.wikipedia.org/wiki/Strategic_early_warning_system

[8] Donald Rumsfeld, http://en.wikipedia.org/wiki/There_are_known_knowns

[9] Ernst & Young survey http://www.ey.com/UK/en/Industries/Financial-Services/Banking—Capital-Markets/Structural-change-in-European-banking-survey-2013—Key-findings

[10] Dr Helen Peck, Cranfield University, BCM Executive Forum Report 2011

[11] International Risk & Payment Review (IRPR) 2013, Dun & Bradstreet http://www.dnbcountryrisk.com/

[12] BCM Executive Forum Report 2013, Lee Glendon, The Business Continuity Institute

A fuller article on the subject of horizon scanning and how it informs Business Continuity Policy can be found in Operational Resilience in Financial Institutions, A Practitioners’ Guide to Business Continuity, published by Risk Books 2014.

Posted in Resilience Trends, Risk Analysis, Threats | Tagged , , | Leave a comment

The case for strategic resilience

Posted on December 20, 2014 by Editor

While resilience has rightly jumped up management agendas in operational risk domains such as IT and supply chain, thereby building upon the foundations laid by business continuity and disaster recovery practices, there is still a sense that resilience needs to break out from the operational level, if it is to truly deliver on its promise.

Strategic resilience is therefore about taking the step to build a sustainable organisation working from the strategic level rather than attempting to “break out” from the operational level, an approach which doesn’t have a great history of success.  According to management guru Michael Porter, strategy is about building a unique company over time.  This uniqueness is typically reflected in the brand and reputation of the company.  Developing the right approach to understand the attributes of this uniqueness is critical; even more important is the ability to interpret these attributes for operational planning and the setting of risk appetite.

The second dimension of strategic resilience is sustainability: as a term it is no longer restricted to purely environmental considerations, it can be applied equally to the way the company does business and how it treats its customers.  Consideration of sustainability brings forward the requirement to take a longer term view of the organisation and build a capability for horizon scanning.  Horizon scanning will be covered in a future posting but the scope of this activity will be framed by the sector and the structural risks to which it is exposed (i.e. STEEP framework)

So strategic resilience equips an organisation with a consistent and coherent framework rooted in the strategy of the business.  It ensures that the understanding of the business is held at the right level within the organisation and downstream operational methods and practices can draw upon this insight in day-to-day decision making.

Posted in Uncategorized | Leave a comment

Ten reasons why we should care about country risk

Posted on November 2, 2014 by Editor

A proactive approach to identifying, analysing and evaluating country risks is an essential element of horizon scanning and the wider resilience model; so for me there is something deeply unsatisfying about relying on an Internet search engine at a time of crisis to “come up to speed” on the country risk and figure out whether and to what extent the incident is likely to affect the organisation.

For some industries such as mining, energy and finance (investment) a methodical approach to horizon scanning is pretty much common practice given the economic and political trends to which long term projects in high risk countries are exposed.  Companies operating in such countries have adapted to the high levels of uncertainty with increased controls on both sides of the “bow-tie” (see earlier posting).

However, globalisation of markets and supply chains means that companies operating in other sectors are now also affected by country risks, so it is becoming mandatory to develop the processes and capability to account for and monitor country risks.  Two specific trends spring to mind: the first is to be found in manufacturing where new exposures are originating as a result of sourcing from or manufacturing in South East Asia; and the second is the off-shoring of IT services to countries such as India.

At this point it is worth noting that we are not just looking at so called “downside” risk.  Off-shoring is a good example of the need for country risk insight both on the upside, e.g. skilled labour force at lower cost than onshore, as well as the downside, e.g.  a new concentration risk where services may not be quickly repatriated once the retained organisation has been transformed, as well as a new location risk, as was seen with the clustering of the hard disk industry in Thailand at the time of the floods.

So if we look into country risks in more detail, what would be the 10 questions that would help you understand the exogenous factors (catalysts or “cause of causes” if using bow-tie analysis) that may be acting upon your organisation and its supply chain?

  1. What are the short term and longer term economic prospects for the country? This can shape demand and investment potential; economic slow-downs can lead to mothballing and restricted capacity, which can even accentuate problems at the point of transition into upturn.  Likewise the financial stability of suppliers in such markets requires vigilance in line with changes in the economy.
  2. What are the political risks of the country; considering both the short and longer term in planning?   One of the interesting aspects of the Arab Spring and the removal of a number of dictators was how some organisations were not prepared for the enforced succession, while others had already acknowledged that there would be a natural end to these regimes and had already run scenarios around how the political environment may change with new leadership.
  3. What are the environmental risks of doing business with companies in this country?  Research here will consider natural disaster trends to the level of detail necessary to understand location risk. It is also worth checking whether public investment is following natural disasters to assess whether the likelihood or impact of future events is being mitigated.  One example has been the delay to investment in flood protection by the government in Thailand following the floods in 2011 – it should not be assumed that action has been taken.
  4. What is the capacity and resilience of critical infrastructure? This one is somewhat self-explanatory:  understanding transport capacity, bottlenecks and alternative routes will help you understand the fragility of the system and allow contingency plans to be put in place; likewise energy infrastructure and the reliability of grids and the need for back-up generators etc.  It’s interesting to note that it is not just emerging markets that now have challenges with the resilience of energy grids.
  5. What is the potential for social unrest?  This risk has taken a much higher profile in recent years as it can affect countries at all stages of economic development.  Its manifestation may range from protests and direct action such as the Occupy Movement to cyber attacks, boycotts, riots and extended shut-downs of government, commercial centres and transport hubs.
  6. What does the natural resource dependency look like? For manufacturing companies, it is worth considering where critical materials originate and whether there are resource constraints at lower tiers in the supply chain.  In my experience some companies actually take an interest in tier five and six suppliers located in Liberia or Kazakhstan that provide iron ore to steel manufacturers in Europe.  Some companies have re-engineered consumer products to take account of supply market conditions for rare earth metals.
  7. How attractive is the labour market? An understanding of the size, cost, age and education of the labour market is an established parameter for many businesses today. It is not just about wage arbitrage, of course.  For IT services delivered from offshore locations it is as much about availability, skills and attitude.
  8. What do we know about the business environment? The most popular risk I have seen in this area is corruption perception, often used as a filter to direct anti-bribery and corruption efforts.  A policy of “when in Rome…” is no longer acceptable in the eyes of law makers in the US and UK, in particular.  On the positive side, there are indicators of how easy it can be to set up a business in countries, which is equally important as countries position themselves to play a part in global supply chains.
  9. How adequate are health and social care systems? This is worth considering in the context of pandemic preparations. The 2009 swine flu epidemic originated in Mexico and one of the reasons attributed to its rapid expansion was the poor quality of public health care infrastructure in Mexico.  If you are reliant on supply chain partners in countries with weak public health infrastructure, then additional controls should be considered.
  10. Do we have a good understanding of the regulatory and legal environment?  Regulatory change is usually a downstream consequence of political action, so understanding the public policy environment is essential in getting ahead of the regulatory environment.

I haven’t called out sustainability as a specific risk question because in my mind a number of the questions above help to build the sustainability lens for the organisation, one which is no longer restricted to environmental concerns.

One challenge that many organisations will face in trying to get to grips with country risk is building the processes and capability to integrate country insight into decision making. In the absence of recruiting a team of economists and other risk specialists, a good starting point would be to consider the use of country risk indicators from specialist providers.

Country risk indicators can serve two purposes:

  1. They can help you understand the relative risk of operating within countries as a first level pass.  If you use a single composite country score, then that’s as far as it will go, but if you look at indicators for the risks that most concern you e.g. environmental or social unrest, then you will learn more.
  2. Changes in these risk scores provide a “Key Risk Indicator” in the same way that a heat sensor is a good indicator of an impending fire.  Changes in either direction reflect a change in uncertainty, and therefore should trigger changes in the control environment.

They do, however, come with some health warnings:  these indicators can be lagging indicators in spite of the best efforts of the analysts developing them.  However, they can alert organisations to an environment in which events or incidents are more likely occur. Another challenge in using these scores lies in their interpretation.  They are typically developed by economists rather than operational managers and it can be hard to translate the underlying qualitative assessment into practical action without additional work (e.g. bow-tie analysis).  And as with all third party scores, they are an opinion ultimately, and should be an input to the decision that the business or risk owner makes  – and not a substitute.

Posted in Resilience Trends, Risk Analysis, Threats | Tagged , | Leave a comment

From top hat to hard hat: the enduring attraction of bow-tie analysis

Posted on October 19, 2014 by Editor

Having been exposed to some complex and rather user-unfriendly risk assessment techniques, it was a joy to behold the simplicity yet comprehensive nature of the bow-tie risk analysis technique.  The technique has been around for some time with origins attributed to the oil and gas sector ,and I have listed some useful online resources for further consideration at the end of this post.

Why is it still attractive?  My sense is that risk management has created its own opacity through its language and complex models which can all have a detrimental impact on two key stakeholders in any organisation – the very top and the operational level.  On the working assumption that risk management is looking to encourage risk conversations and thinking, then its tools need to lend themselves to participative discussion at different levels across the organisation, something which bow-tie analysis has proven through its continued use.

Bow-tie assessment takes its name from the shape of the model that is produced through the analysis.  At the centre of the bow tie is the risk event or “loss of control” incident.   Analogies are often used to bring this alive by comparing it with a “tiger in the cage” with the loss of control being the tiger escaping from the cage.  Clearly, wildlife parks have to manage this hazard in order to run a successful business.  Another analogy used is that of driving a car and “losing control over the car”.

Bow Tie Analysis Chart

Bow Tie Analysis – high level architecture

To the left of the risk event, the analysis considers the potential causes; in the car analogy this could be caused by excessive alcohol or a slippery road.  In my view it is worth making a distinction between the cause and the catalyst.  I’ve run a lot of business continuity surveys in the past and often causes and catalysts are listed together (my own fault!), so I think there is greater clarity to be won in making the distinction.  One often quoted example of this is the end of the Roman Empire:  was it the Visigoths who caused the end of the Roman Empire?  Historians will often talk about Rome being divided as the cause of its demise and the Visigoths as catalyst.  The same can be said of the end of the feudal system in Prussia, it was not the Napoleonic wars that caused the beginning of the end of that system, it was that the economic rationale behind the feudal system had outlived its usefulness.  So “causes” are likely to be internal vulnerabilities rather than purely external factors.

The right-hand side of the bow-tie considers the consequences of the risk event occurring. In the high-level model, that I have put forward there are two levels to the consequences – the immediate operational consequences and, if uncontained, the wider business consequences or impact.   These impacts could be categorised using an existing ERM taxonomy prevalent in the organisation in order to ready the output of the analysis for risk reporting and governance.

Clearly, after a brainstorm of catalysts, causes and impacts, the next phase is going to consider what measures are in place to reduce the likelihood of such causes creating the risk event, and should these controls fail, what contingencies (or mitigating controls) are in place to reduce the impact.  A worst case scenario can therefore be assessed and the business case for introducing risk management is clear from the start.  This process will generate a great conversation around what is in place (i.e. gap analysis), and what testing or exercises should be introduced to assess capability.  Another potential benefit is an understanding of how risks can interact and cascade across the organisation.   I also think that this model lends itself well to taking the outputs of horizon scanning and gaming changes in a highly visual way.

Finally, some useful links to find out more about bow-tie analysis:

http://www.youtube.com/watch?v=P7Z6L7fjsi0

http://www.r4risk.com.au/Bow-tie-Analysis.php

http://www.erm.com/en/News-Events/Platform/Ten-rules-for-smart-bowtie-analysis/

http://www.bowtiepro.com/bowtie_history.asp

Posted in Risk Analysis | Tagged , | Leave a comment

Pandemic risk – underrated?

Posted on March 2, 2014 by Editor

Some risks seem to grab the headlines more than others; this doesn’t mean these other ones have gone away, of course.  I’ve just read through Aon’s research into what they term ‘underrated threats’.  While Aon make a distinction between insurable and uninsurable risks, this clearly doesn’t mean that these risks are not being managed (or underrated) just because someone hasn’t bought a policy.  After all, risk transfer is just one of four options in popular risk management methods, and insurance is only one tool in the risk transfer tool-kit at that.  Nonetheless, Aon pick up on cyber crime, terrorism, unethical behaviour, talent attraction/retention, pension scheme funding, risk interdependency, and pandemic/health risks as those warranting higher levels of executive attention.

Pandemic risk caught my attention as I’ve spent the past week in Vietnam and the threat of “bird flu” featured prominently in two editions of Viet Nam News, which may have been coincidence but taken at face value the authorities are flagging this as a serious, high likelihood event with high levels of infection among tested poultry detected already this year.  The concern focuses on H5N1 and H7N9 strains of avian influenza.

Aon’s perspective is that any breakout would quickly spread due to dramatic increases in international travel and that consequent travel restrictions would also create supply chain discontinuities, especially if supply is concentrated in affected regions of countries with limited options to set up new sources of supply due to travel restrictions.  Aon also imply that the source of the next pandemic may well be from the Asian region which is becoming ever more influential in global supply chains, hence the impact could well be greater than that seen in past outbreaks such as with SARS.

Pandemic risk hasn’t gone away and experience from “swine flu” back in 2009 shows that it can arise and spread quickly.  Research by the Business Continuity Institute back in 2013 showed that many risk specialists were concerned about the lack of effectiveness of future antibiotics in their horizon scanning; so the environment that we are likely to face when the next pandemic alert is announced will be materially different from the last time. Planning and preparedness starts now.

Posted in Threats | Tagged , , , , | Leave a comment

Top Ten Resilience Trends for 2014

Posted on January 2, 2014 by Editor

It’s that time of year again when the urge to predict the future is only mildly tempered by the knowledge that much of what is predicted is based on things which are either already happening or are complete wild cards where their non-occurrence can be rationalised away at the end of the year!  Nonetheless, the field of resilience thinking is fertile ground for development in 2014, and so here are my thoughts on some of the issues, topics and emerging trends that are likely to be discussed in 2014, and ones I hope to talk about in more detail as the year progresses.

1. Value chain thinking connects resilience to the business. “Value chain” is a term which can evoke mixed feelings among the receiving party but in 2014 the reluctance to use such a buzzword-laden term will recede because it is actually a great way of providing a compelling narrative to the resilience practice.  Value chain thinking connects the organisation with its supply chain partners and most importantly the customer.  It helps to solve the perennial challenge of measuring the value contribution of resilience-building activities because the key performance indicators are already there – rather than talk about performance dips, delays and increased cost of working, value can be expressed in terms of how a company’s cash-to-cash cycle is improved or impacted, for example.

2. Progress is made on making the link between corporate resilience and sustainability.  While some may consider that sustainability and corporate responsibility are part of value chain thinking, I think it’s useful to keep them separate for the sake of clarity.  For me, sustainability and Corporate Responsibility relate to “externalities”, factors which historically businesses did not have to consider in the costs of doing business.  These external costs to a firm are typically born by society in the form of pollution, health and welfare costs etc.   While progress will prove to be uneven, firms will look at how they can support the communities, especially where domestic business environment lacks political will or economic capacity because it helps to secure their value chain.

3. Assurance models get reformed.  Certificates and periodic audits don’t cut the mustard in the environment of extended supply chains as we have seen in 2013 in many countries including Bangladesh.    As someone wise once said to me: “Assurance reporting will tell you how complete your plans and approaches are relative to the specification, but they will not help assess the value of the activity”.

4. Big data meets risk management.  Traditional approaches to risk assessment are living on borrowed time.  While (unstructured) Big Data can help in crisis management and identifying signals of impending risk events, finding ways to share existing structured data among the resilience community would also help.  Just consider how many companies maintain incident management databases and supplier performance information.  Consider also how much insight is trapped inside a .pdf document in your organisation!

5. Business Continuity Management (BCM) looks beyond traditional risk events.  I’m looking forward to seeing some case studies that don’t end with a building evacuation or DR site activation. Too much of BCM is based around non-business events.  No one wants the epithet “the department of unlikely events”.

6. But tension with Crisis Management (CM) increases…while BCMers debate how to elevate the discipline, those of a crisis management persuasion will feel that they need their own home to reflect the much broader range of risk events that they need to tackle and strategic level of their discipline.   Unfortunately, Crisis Management has its own challenges in positioning crisis communication and crisis management; accommodating the perspectives of PR-people and ex-military types within the same church will be a challenge in its own right.

7. A clearer view on “resilience as opportunity” will develop.  There is still much work to be done to position the value of resilience practice.  The opportunity side of being resilient is not limited to being able to deliver when others affected by the same incident cannot.  It is much more about applying the thinking to other business problems such as unexpected peaks in demand and new ways of working.

8. Insolvency practice becomes an entry point for BCM to manage financial vulnerability.  This one might seem a little obscure but insolvency procedures are not just about liquidation and winding up businesses.  They are first and foremost about trying to recover a stressed business because that is the best way of getting a return for creditors.  The banking sector has already recognised this with living wills developed under Bank Recovery and Resolution Plans.  BCMers have played their part in developing these plans but this path has a lot of potential – the process requires a great understanding of the business and it’s incredibly time-sensitive.  But equally, BCMers can learn from other disciplines such as insolvency practitioners (accountants and lawyers typically) to develop their own.

9. Risk-Adjusted Decision Making enters the Management Lexicon (hopefully, in a much jauntier form).  Here’s an area which is far easier to talk about than actually do.  Qualitatively, it makes full sense but when it comes to quantitative models it becomes very difficult.  However, smart people are working on concepts such as “Total Cost of Ownership+Risk” and so watch this space as people put a figure on the value of risk mitigation beyond the heuristics often seen.

10. Talking comes back into fashion.  By “talking” I mean that people are recognised as the foundation of a resilient organisation, rather than systems and technology.  Smart organisations will seek to redesign their business such that people feel connected to the organisation, its mission and values.  They will be even be encouraged to develop bonds with co-workers and leaders. IT and the need for compliance have in many ways become barriers to effective resilience.  I think there’s a lot of opportunity in this area of “resilient by design”.

Go back

Your message has been sent

 

Posted in Resilience Trends | Tagged , , , , , , | Leave a comment