Best practice #2 - Scenario planning is a vital part of the risk mitigation process

The BCI Horizon Scan is a great place to start when you need to think about scenario planning. The 2016 Report, for example, tells you that the use of the internet for malicious attacks is the number one trend, closely followed by the loss of key employees. This is a finding replicated in the Cyber Resilience Report 2016 sponsored by Crises Control. The Horizon Scan also tells us that new regulation and increased regulatory scrutiny are in the list of the top five trends and uncertainties reported by BC managers. This gives you an important clue as to why scenario planning and testing are now a must for any organisation serious about its BC planning.

In the first of this series of blogs on best practice on BC planning, I looked at identifying and mitigating the risks to your corporate environment. This involves a solid corporate risk assessment process that identifies the top half-dozen or more risks to the business, scored against their impact on operations and their likelihood of happening.

Once the top risks are identified, the next step is to consider and plot mitigating actions that will reduce either the likelihood of the risk manifesting, or the operational impact if it does happen. This is all well and good, but it still leaves you with two situations in which, no matter what plans you lay, a significant business disruption event may occur.

The first situation involves events that can be more or less predicted, but cannot be avoided or stopped. Severe weather might be just such an event. You know that bad weather will occur, and you can probably even predict the season when it will take place. But you just can’t stop it happening and you can only exercise limited influence over the impact when it does occur, given that you do not control the transport infrastructure.

The second situation involves what might be called a “black swan” event. This is a disruption event that you cannot predict because it is outside the realm of your knowledge and experience. A freak weather event, a plane crash or a terrorist attack could all be examples of a black swan event.

What you need to do next is to start scenario planning for your identified risk events, so that you can develop your response and recovery plans should they materialise. And, just as importantly, you can test these response plans with exercises to identify any flaws and adjust them accordingly. By definition, of course, you cannot scenario plan for a specific black swan event. You can, however, plan and test your response to a generic unpredictable event that results in a given set of outcomes, such as loss of power, loss of access to your network and loss of access to your office for a set period of time.

Here at Crises Control we not only encourage you to develop incident-specific response plans for all of your identified risks, but we also help you to test these plans virtually with minimum cost and effort. You can use our platform to create a virtual/desktop exercise, and then run a test incident involving multiple locations and teams at the same time, which will automatically generate a management report recording all of their response times. You can even schedule a test to start at some future point in time, say every Friday for a fire alarm test, or every six months for a full-scale incident desktop exercise.

Our objective is not only to help get you up and running with your business continuity planning, but also to help you test your plans with regular desktop scenarios to see what you can learn before an incident is upon you.

Rickie Sehgal

This blog is the second in a series looking at different aspects of best practice in BC planning.

