Bad weather or even natural calamities do not affect every city in the world, nor every resident of the affected area. Accidents, an inevitable part of some environments, do not affect all your people or totally devalue all your assets. Terrorists do not consider everyone a viable target, nor are their actions likely to impact everyone over the course of their lives. The fact remains that only a small percentage of events or incidents resulting in loss of value or productivity will affect your business, and conversely only a smaller part of your overall assets is likely to succumb to these events, possibly even repeatedly. If this is the reality, why are there so many singular strategies for organizations, one-size-fits-all policies and uniformity in the approach, when greater economy could be achieved by focusing on the priority areas? Most of the threats (80%) will likely place at risk only a smaller percentage (20%) of your assets. Do you know which ones?
Too much time and deliberation is spent perfecting the process of identifying and qualifying the threat. While it remains a valid and useful phase, the process becomes inexplicably weaker or less popular once value and measurable impact are introduced. This is possibly due in part to the skill and experience of those conducting the analysis or assessment, who typically originate from a weak financial background. Even for those with few resources, little training or even little time, a qualifying exercise to determine the impact of service failure, disruption or other stressors will provide you with a workable project plan for applying solutions, countermeasures or treatment options. This should have financial implications, tangible and intangible. The higher the number, the greater the priority and the easier it is to present to business leaders or collaborators. The easier you make the measurement or driver, in a format most commonly used, the greater adherence and buy-in you will get. Abstract terms, ratings, scientific pontification or just made-up data will only erode the objective, and almost all will lose interest. No single person ever saved an entire organization; it takes systems and teamwork that follow a plan.
Many conventions are derived from habit or transferred from what others believe to be comparable models. Take fire sprinklers and suppression systems, for example. They are a worthwhile investment and certainly mandated in some jurisdictions to prevent loss of life, undue stress on public services or even making local authorities look bad. Whatever the driver, they are commonplace. However, not every square meter of a building is at risk of having a fire originate in that locale. Much of the planning and installation works on the assumption that it could start anywhere and spread anywhere, so let's just cover the entire structure. It is not necessarily an efficient or effective process, but it is widespread practice nonetheless. Transferring this methodology to any or all other parts of the business would have questionable benefits or financial sense. These kinds of general applications of similar strategies discredit the validity of risk management and force undue cost onto organizations that, quite reasonably at times, will forgo the entire solution because the bulk of the concept is unnecessary, leaving the critical minority (20%) unprotected.
Vision and direction begin with policy. However, this policy is a guiding principle with brevity and clarity, not a standalone document. It should include the priority of care or concern, such as people, brand, buildings, etc. Priority of response, along with the objective of the efforts, should be made clear to all. Any and all measures, outlined in subsequent procedural documents and training, should be measurable (financially, operationally and even in brand integrity) and constantly reviewed. While policy is unlikely to change for longer periods of time, the process and even certain objectives may, as the business changes in both culture and nature. The most effective policies are a single paragraph that encompasses all the aforementioned elements and does not dictate tactics for execution but ensures everyone at least moves forward in the same direction.
Data is a great tool for creating foundation analysis, but it should originate from both objective and subjective sources. Single-minded collection, measurement and review lead to much bigger falls. No company knows everything about itself or everything else around it, no matter what some may think. Comparative information, data, review and even assessments ensure greater transparency in the final outcome. Care needs to be applied to ensure it is not a popularity contest or management by consensus; a final impartial decision maker is still required. Companies of all sizes can apply this approach cost-effectively and expediently while enjoying maximum return on investment, not just plain old return on investment (ROI).
The clock is ticking, the world moves on and the business you had an hour ago is not the one you operate now. The process needs to be renewable, adaptive but above all constantly applied by monitoring and surveillance. Monitoring is required of the business, its actions, its impact, resources, threats, disruption impact potential and relevance to the overall business concerns. Many events that arrive on the doorsteps of your business first visited your neighbor or the business down the street. Just because you weren’t watching will not get you a leave pass on the impact your lack of preparation may bring to your organization. Larger companies have internal resources for this purpose, but the smartest have both internal and external for the reasons of effectiveness previously mentioned. Smaller companies, increasingly thanks to technology and a global market, can enjoy all the benefits of outsourced support that the larger companies do without the cost of ownership or inefficiency but with all the benefits.
Only a fraction of your workforce is at risk; a percentage of your travelers too. Not all your fixed assets are of equal value, nor will they be exposed to the same single loss expectancy (SLE) or annual loss expectancy (ALE). Only some markets need heightened levels of support and protection, just as only some markets are the most valuable to your overall financial health. Not every email or piece of information your company possesses shares the same value. A single piece of code could be worth thousands, but a warehouse of files could be nothing more than an administrative cost and operational burden. The problem with all this is that most companies simply don’t know which end is which. The one-size-fits-all approach is cheap, easily understood and has been around for years. Secretly, the more profitable, efficient and even safer companies have dispensed with the rule of thumb and focus 80% of their resourcing on the most valuable 20% of assets. Do you know your most valuable assets, and are they better preserved than the lesser-value assets? Or are you just applying the same approach for everyone, everything, every process or bit because that is the way it has always been done?