Dare to ask that question of your Top Management? Maybe not, but a Risk Manager would try to understand their attitude to risk and their mythical 'Risk Appetite'. As a Business Continuity Manager, why not explore their 'Maximum Attitude to Disruption' (M.A.D.) a phrase I believe I uniquely use and created hoping it becomes more prevalent in a commercially driven BC world.
Risk appetite is a feeling, a sense of danger perhaps. Your risk attitude is what you intend to do about avoiding that danger, your Maximum Attitude to Disruption is a mixture of your Top Management’s risk appetite and risk attitude expressed in a business continuity context.
How much disruption are they willing to tolerate in terms of impacts to the business over time and to what reduced service levels? It’s in part a BIA output, but not simply this alone. How many times do I hear that "quantifying and qualifying” your impacts is too hard to do expressed financially? Conversely how quickly do people manage to count the cost of the disruption after the event, who professes not to be able to do this beforehand?
Can you quantify your fixed cost associated with your business continuity management arrangements? Can you estimate your variable costs associated with an invocation of your response strategy and tactics and resource requirements? Do you know the estimated cost of your impacts over time and what is intolerable to Top Management?
Somewhere in this wealth of (cost) data gleaned in the analysis and design stages of the business continuity lifecycle is your Maximum Attitude to Disruption. An acceptable commercial ratio between the cost of disruption over time and the cost of your response leading to resumption.
Impacts grow exponentially over the time of a disruption if left unchecked. Each response phase carries a cost of achieving your time objectives, each phase will attract negative impacts, without a planned response cost spirals upwards leading to an intolerable level of impacts. For those of you that are now saying, but not all impacts are financial, pause a moment and think of a reputational impact that has no financial impact associated with it.
When undertaking the 'Initial BIA/Strategic BIA', if your report to Top Management included an estimated (expressed financially and based on a seasonal view) set of impacts over time, would this focus their mind on what was their desired set of time objectives and minimum service levels? In doing so, would you then arrive at a draft Maximum Attitude to Disruption?
Armed with this aspirational view from Top Management you can progress through the lifecycle to the end of the design phase at which point you will be capable of answering the questions I asked previously prior to your next sign off gateway.
What are you asking Top Management to sign off? The outputs from your analysis stage and the outputs from the design stage. The cost of achieving their time based objectives to reduce impacts to that which is tolerable over time to achieve the Top Management's Maximum Attitude to Disruption.
David Window is the Managing Consultant of Continuity 22301 Ltd in Cheshire, UK.
- ▼ 2014 (26)
- ► 2013 (59)