Saturday 5 May 2012

Business Continuity and Operational Risk

After the Argentine government's recent decision to nationalize YPF, followed by the Bolivian government doing the same with REE's subsidiary, a debate has started in various business continuity forums about whether or not this scenario should be included in the scope of Business Continuity plans. Should a Business Continuity manager really contemplate the possibility of an expropriation? And, by extension, should bankruptcy scenarios or extremely adverse economic situations, like those caused by an economic crisis, be included in the scope of the plans? It is not a trivial question, since the scope will determine the economic requirements of the Business Continuity program and the roles that will be responsible for BC in the organization.

An answer to this question can be found in operational risk management and its integration with Business Continuity management. Operational risk management seeks to analyze the factors that can negatively affect the business, characterizing them, as in every risk analysis, by probability and impact.

In some industries, such as finance, operational risk management is common practice. In fact, financial system regulation (Basel II) defines operational risk as:
“The risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events.”

This is quite similar to a risk analysis from a Business Continuity point of view.
Looking deeper into Basel II, it defines seven categories of operational risk:
  • Internal fraud;
  • External fraud;
  • Employment practices and workplace safety;
  • Clients, products and business practice;
  • Damage to physical assets;
  • Business disruption and systems failures;
  • Execution, delivery and process management.

Although some of these categories seem quite close to Business Continuity categories and scenarios, not all of them may be included in our business continuity plan. For example, damage to physical assets can be covered by our BC plan, including an IT service recovery plan and all the recovery procedures. However, internal and external fraud seem to be far from Business Continuity.

As Richard Wartered, from Marsh Risk Consulting, explained in the BCI workshop Risk, Resilience & Continuity, the BC management process and operational risk management must begin at the same time and independently, joining their results when defining risk mitigation strategies.

It is necessary to take into account that the objective of BC is to recover the service or the delivery of products after a disaster or disruptive event occurs, whereas risk management has to focus on preventive actions, before the disaster occurs.

In order to define the BC scope, the best practice is to follow BS25999, and hopefully ISO 22301 soon, which define five components that have to be included in the plans:
  • people (7.3)
  • premises (7.4)
  • technology (7.5)
  • information (7.6)
  • supplies (7.7)

As I defined in my previous post (Components supporting business), depending on the characteristics of the business, each component will have a specific weight in the delivery of services or products.

    2 comments:

    1. Thank you for sharing this post. I found it very helpful and informative. Both organization and planning are vital aspects of running a successful business. Recently, my business had been lacking both. I then looked into business continuity management software and implemented it. Since then, productivity has been at an all time high.
    2. Great article!!!!! This is very important information for us. I like all content and information. I have read it. You know more about this please visit again.