Looking for a new job means watching the boards for business continuity and risk management opportunities.

I see what I consider too many jobs that are function specific rather than operational.

What do I mean?

I see requirements for telecom continuity - which usually translates into an alternate phone system or an e-mail option. There are the ubiquitous IT functions - today it's mostly "cloud" computing or off-site storage.

All of these functions are important, but taken individually they are not "business continuity" and certainly not "enterprise risk management."

At best, some are mitigation measures and others are disaster recovery.

The least effective "business continuity" effort starts off by identifying key business processes and then looking for obvious direct-impact threats to process continuation. "Direct threats" are, to borrow part of a phrase from Police Capt. Louie Renault (Claude Rains) in Casa Blanca, "the usual suspects": IT, facilities, vendors.

At least this level of "business continuity" starts with the business function.

Unfortunately, it ignores many more threats than it considers, and therein lies the problem.

Bound to repeat the past

Jorge Agustín Nicolás Ruiz de Santayana y Borrás gave us Santayana's Law of Repetitive Consequences that states "Those who cannot remember the past are condemned to repeat it."

A business-function-only continuity plan ignores a lot of history because it simply is too narrow in focus.

Perhaps enterprise risk management practitioners need a background in "The History of the World." That background amongst others (e.g., journalism to learn the art of asking questions and listening to the answers and also the art of writing to different audiences so that all can comprehend the message; law enforcement for personal safety).

Look at some of the threats practitioners ignored: planes crashing into buildings; it happens all the time and sometimes - such as on a foggy day in 1945 - big planes crashing into tall buildings, in this instance, the Empire State Building; the financial disaster from which we may (or may not) now be extracting ourselves is cyclical, it visits every 20 years or so; terrorism, hardly a new or novel idea dates back at least to the time of the Caesars.

King Solomon is alleged to have written that there is nothing new under the sun. There may be a new "twist" on something, but the fundamentals have been around for as long as mankind.

The question I am putting before you now is simple: "Could (pick an event) been predicted and could something have been done to avoid or mitigate the event?"

My answer is an unequivocal YES; events can be predicted and most can be avoided or mitigated.

Don't ignore; absorb

The bottom lines for this short piece are two:

One: Absorb all the information available for each functional tool to avoid or mitigate a threat. Don't expect to be a Subject matter Expert (SME) on all things; the days of the renaissance man are past; even Thom. Jefferson for all his interests was not the complete authority; he died nearly penniless. Develop a cadre of true SMEs, both within the organization and without.

Two: Expand your view beyond the immediate concern; be inquisitive and look at the "what might be"; play the "what if" game with all the people involved - and that should be "all the people," from newest intern to board room. There will be time to prioritize the risks, but if they are overlooked, if they are never considered, they can't be prioritized.

We remain in tight budget times and the temptation is to narrowly focus on the low-hanging fruit, e.g., IT, facilities, vendors.

Unfortunately, it was focusing on the low-hanging fruit that played a large part in the mess we now find ourselves.

Two suggestions for today's practitioner:

One: Read. Read history, even fictionalized history. Read spy novels. Read the newspaper. (Ever try to clip something from the 7 o'clock tv news?) Become a regular at the local lending library.

Two: Think globally. Look beyond the walls. What are the neighbors doing; what's going on in the community? What happens if . . . ?

Unless you are a Hoover, don't try and identify all threats in a vacuum. Ask others; the SMEs, including the ones on the public payroll (e.g., police, fire, planners, transportation department) and less-then obvious vendor (e.g., finance, insurance).



 

---

John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at http://JohnGlennMBCI.com/ may be sent to Planner @ JohnGlennMBCI. com.