Evolution or Revolution: Business Continuity Management for Extreme Weather Risks

Vito Mangialardi CBCP, AFBCI, PMP

This article joins the ongoing discussion about climate change, extreme weather, and its impacts. It explores thoughts and ideas on how business continuity planning can lead your organization to operational resiliency. It is focused on Business continuity and Risk practitioners who have dedicated their lives to create and protect value in an organization by managing risks, making decisions in support of introducing mitigation strategies, setting, and achieving objectives with operational (or organization) resiliency in mind. Secondly it is focused on uniting business continuity practices to tackle the impact of severe weather caused by climate change along with the efforts of many nations at the 26th UN Climate Change Conference of the Parties (COP26) in Glasgow this past November 2021.

Putting aside the Covid-19 Pandemic and all it has taught us, Climate change is back top of mind for decision-makers around the world to proactively mitigate the impacts of Climate Change, while adapting to the now visible consequences, is no easy task. Organizations need to pay more attention based on lessons learned from the Top 10 Canadian 2021 memorable weather events below to create new; or modify existing countermeasures contained in traditional (legacy) business continuity or incident response plans.

Top 10 Canadian 2021 memorable weather events: (extract from Emily Chung · CBC News · Posted: Dec 16, 2021)

Record heat under the dome: On June 28, 2021, Lytton, B.C had a record-high temperature of 45 C for the third time in a week, hitting 49.6 C.
B.C.'s flood of floods: In mid-November, an "atmospheric river" dumped more than 200 millimeters of rain on parts of British Columbia within 48 hours, putting entire communities underwater and forcing more than 17,000 people to evacuate their homes.
Canada dry from coast to coast: Environment Canada says southern regions from B.C. to the eastern Prairies and Northwestern Ontario faced one of their driest summers in 75 years, with many places getting less than half the normal rainfall during the past growing season.
Wildfire season — early, active, unrelenting. This summer was Ontario's worst wildfire season on record, which included the province's largest-ever fire, which burned out of control near Kenora for nearly five months.
Canada rides out 4 heat waves: Besides the June heat dome in B.C., there were four other major heat waves across the country between the May long weekend and mid-August. Environment Canada reported. B.C., Alberta and Saskatchewan each experienced their warmest summers in at least 60 years.
Year of the EF-2 tornado: Ontario and Mascouche, Que. Tornadoes with wind speeds between 180 km/h and 220 km/h — strong enough to rip roofs off houses and uproot 50 per cent of the trees in their path — receive a rating of two on the Enhanced Fujita scale.
Dreaded Arctic blast freezes Canada in February: A polar vortex is being felt across the Prairies, two months later than usual but the frigid temperatures were in between –40 C and –50 C in some provinces. Ontario is expected to be in a deep freeze later this week. 1:47 There was a notable extreme freeze in the second week of February. It broke more than 225 new daily records for low minimum temperatures, including –51.9 C in Wekweeti, N.W.T., the coldest temperature in Canada in four years.
Another hailer-flooder in Calgary: A Calgary hailstorm made it onto the Top 10 for the second year in a row. While this year's event didn't compare to the one that caused at least $1.2 billion in damage in 2020, the 50 millimeters of rain caused flash flooding in many areas.
Hurricane Larry belonged to Newfoundland: Hurricane Larry entered Canadian waters on Sept. 10 as a Category 2 hurricane, with sustained winds of 155 km/h. A day later, it made landfall as a Category 1 storm west of Newfoundland's Avalon Peninsula, ripping the roof off a school and knocking out power to 60,000 customers. The storm surge it brought amid high tides damaged roads, parks, and coastal communities. The insurance sector estimates property losses of more than $25 million, Environment Canada reports.
January Prairie Clipper: The first notable weather event of 2021 rounds out the Top 10: intense winds that raced across the western Prairies in the second week of January. Winds were recorded blowing at 161 km/h at Moose Jaw Airport in Saskatchewan. Winds of 137 km/h in Barnwell, Alta., and 143 km/h at Bratt's Lake, Sask., were also among those that broke 13 January records.

We know climate is changing causing extreme weather, like we have never seen before. There is increasing awareness of the need to adapt both to climate change itself and the impact of the extreme weather events – floods, hurricanes, forest fires, etc. – that are becoming increasingly frequent. In addition to thinking globally about the impact climate change, organizations must look locally at the impact it can have on their own operations.

The United Nations Educational, Scientific and Cultural Organization Education UNESCO said that:

‘Climate Change education and awareness is an essential element of the global response to climate change. It helps people understand and address the impact of global warming, increases “climate literacy” among young people, encourages changes in their attitudes and behavior, and helps them adapt to climate change related trends. Education and awareness-raising enable informed decision-making, play an essential role in increasing adaptation and mitigation capacities of communities, and empower women and men to adopt sustainable lifestyles.’

Integrating BCM, ERM, and climate change sustainability practices (CCSP) you can build an essential platform to prioritize sustainability risks and mitigation responses for both short and long-term contingencies.

Adaptation, adaptive capacity and vulnerability is an ongoing conversation about climate resilience is incomplete without also incorporating the concepts of adaptations, vulnerability, and climate change. If the definition of resiliency is the ability to recover from a negative event, in this case climate change, then talking about preparations beforehand and strategies for recovery (aka adaptations), as well as populations that are more less capable of developing and implementing a resiliency strategy (aka vulnerable populations) are essential.

‘Batten down the hatches’ is a nautical term that gives an order to secure a ship's hatch-tarpaulins, when rough weather is expected. This closes the doors to the outside, as a protection against bad weather. One can do the same for a business in advance of extreme weather such as hurricanes. Business Continuity Planning is proactive and can prepare an organization with timely response to incidents and threats of concern.

BCM follows standards that are fundamental in their delivery framework. One such standard, ISO22301, BCM includes identifying potential threats and analyzing impacts to the organization, planning for, and taking steps to build operational resilience and capacity to deal with unforeseen incidents that can affect an organization’s ability to deliver its products and services to all users. Business continuity is deemed a risk control, as response plans implemented are meant to mitigate disruptions to people, process, and technology. The plan–do–check–act cycle is a four–step model for ensuring that the lessons learned from a previous event become embedded in standard operating procedures, moving forward. Business continuity planning has no end, as process is repeated and again, for continuous improvement.

Institutionalizing BCM Governance Policy and Program Management promotes the development of appropriate response plans that are comprehensive, focused, and operable. Leveraging an ‘all-hazard, risk-based planning approach’ will address threats that pose the greatest risk to the business, regardless of cause. It focusses on the outcomes of events rather than the events themselves. This cycle involves compiling documentation, measuring, and exercising effectiveness, conducting maintenance, and continually improving of work.

The all-hazards approach is defined as documenting and implementing tasks and actions necessary to prepare for, respond to, and recover from impacts of such of all types of risks. For example, loss of the workplace can be caused by any climatic parameter – including flood, hurricane, blizzard, or any other weather event. BCM planning does not mitigate the risk or event rather ‘the consequence’ of it. It is critical to know your business and identify time sensitive work functions that must be recovered within 24 hours of a knockout as well as those that are integral to safety and security, operational integrity (what your customers have paid for and expect to receive) and the customer experience. Extreme weather events are often protracted and geographically widespread, and they may obviate many fundamental assumptions contained in traditional business continuity plans- including:

the reliability of public utilities and related transportation infrastructures -
the capacity, availability and resilience capabilities of internal and external supply chains that supports the organisation's mission-critical business processes
the flexibility and practicality of workload shifting to geographically disparate human resource staffing pools

Adaptive assessments of past events can show where capital should be invested to correct reoccurring impacts to business. For example, if a building was flooded, you could make a recommendation to mitigate the problem with structural repair or to eliminate the risk by moving to a different location.

General BCM Program Climate Change / Extreme Weather planning behaviors:

1. Core Planning Domains (address):

Operational Resilience (staff and process)
Information Resilience (technology)
Supply Chain Resilience (vendor capability)

2. Role Organizational Senior Leadership (and central to ensuring preparedness and capability)

Employee Behavior and Planning Excellence = Process Continuity and Reliability
Promotes overall client satisfaction during normal and abnormal operating conditions

3. BCM Program Structure and Methodology

All hazards approach
Considers impacts of extreme weather caused by climate change
Aligning with ISO22301: and best planning practices

4. Three (3) Lines of Defense model to build Business Continuity and resiliency capability

Business Continuity Management function in governance Role (with qualified and certified staff)
Organizational Front-Line participation with planning, and
Partnered with Internal Audit, Enterprise Risk Management (ERM for validation) and your Sustainability, Planning and Development office (or consultant).

Business risk is something that all organizations face and comes in many types. It is important to identify, rank, rate and quantify risk so that adequate mitigation plans are in place to deal with it. In my practice and experience the identification, assessment, and prioritization of risks is followed by implemented ‘controls’ to minimize, monitor, and control the probability and/or impact of the risk (or to maximize the realization of opportunities). Risk actions as we have become to know include:

•            Acceptance (we can accept and live with it).
•            Elimination (if we do this it won’t happen).
•            Mitigation (if we do this it won’t be so bad); and
•            Transfer (shifted to another 3rd party, typically an insurer or new owner).

Risk controls are actions to proactively reduce or eliminate risks identified. The greater the risk control capability (n+1) – the greater the cost. BCM itself is deemed a risk control which can manage the risk by building response plans or physical diversity or redundancy with facilities, operations, and the workplace

An enterprise risk management program plays a vital role in the surveillance, monitoring and management of risks and opportunities. For example, ISO 31000 offers a defined evaluation process that can help guide organizations through the identification of threats and planning for risk treatment.

The Canadian Climate Change Risk Assessment Guide (A Strategic Overview of Climate Risks and Their Impact on Organizations (Interim Version June 2014) is a ‘Guide written to assist organizations, particularly small and medium sized ones, understand the risks and opportunities of climate impacts and how to manage them. The guide can be found at:

https://www.iclr.org/wp-content/uploads/PDFS/CC_Risk_Assessment_Guide_Interim2_Jun_8_14_.pdf

Engineers Canada has developed more technical approaches to Risk management and climate change impacts. It is known as The Public, Infrastructure, Engineering, Vulnerability and Committee (PIEVC) has created a protocol to assess the vulnerability of infrastructure to extreme weather events and future changes in climate. This enables better planning and design and climate resilient infrastructure. For information reference PIEVC at https://pievc.ca/protocol/

Climate change and extreme weather represent a known risk. Companies that experienced business interruptions as a result of extreme weather experienced a loss of both revenue and customer confidence. While the numbers can be quantified -- insured damage for extreme weather events across Canada in 2018 reached $1.9 billion’[1], the larger threat is that many unprepared businesses run the compounded risk of never really recovering.

A structured approach to Business Continuity Management should focus on operational process, functions and supporting technology. It must also identify strategies to help the business survive a disaster and deliver mission-critical services. Scenarios to considering planning for include the following:

Your office building or manufacturing facility is unavailable, damaged or destroyed

Operational staff and management are unavailable for extended periods of time
Power and other utilities become unavailable or intermittent; or
The supply chain is interrupted.

Planning for a weather risk event impacting your business is simply a good business practice and should be extended to consider including integrated sector-wide table-top exercises on specific extreme weather-related threat scenarios. Stakeholders can include:

representatives of key Canadian private sector industries (deemed to be "critical infrastructure" by Public Safety Canada)
provincial and municipal offices of emergency management
Public Safety Canada and related federal government agencies

It is not always about plans and processes it must include organizational culture within the company. Agility as a forethought and is crucial as the best prepared plan may have its challenges when activated under duress conditions. Are you prepared for the next significant event impacting your business? Operational resiliency is key to the impacts of severe weather caused by climate change as a destination, and Business Continuity Management can take you there

Where to start – take a Risk Based Approach, know what you have and prioritize by risk.
Learn from lessons learned as you cannot predict a disaster, but you can plan for one.

Written by:
Vito Mangialardi CBCP, AFBCI, PMP
Metrolinx
Senior Manager: Enterprise Business Continuity Management
277 Front Street West, Toronto Ontario, M5V-2X4
T: 416.202.7751 | C: 416.561.9379 | Business.Continuity@metrolinx.com

[1] Catastrophe Indices and Quantification Inc. January 16, 2019 (OTTAWA) –


Evolution or Revolution: Business Continuity Management for Extreme Weather Risks Vito Mangialardi CBCP, AFBCI, PMP This article joins the ongoing discussion about climate change, extreme weather, and its impacts. It explores thoughts and ideas on how business continuity planning can lead your organization to operational resiliency. It is focused on Business continuity and Risk practitioners who have dedicated their lives to create and protect value in an organization by managing risks, making decisions in support of introducing mitigation strategies, setting, and achieving objectives with operational (or organization) resiliency in mind. Secondly it is focused on uniting business continuity practices to tackle the impact of severe weather caused by climate change along with the efforts of many nations at the 26th UN Climate Change Conference of the Parties (COP26) in Glasgow this past November 2021. Putting aside the Covid-19 Pandemic and all it has taught us, Climate change is back top of mind for decision-makers around the world to proactively mitigate the impacts of Climate Change, while adapting to the now visible consequences, is no easy task. Organizations need to pay more attention based on lessons learned from the Top 10 Canadian 2021 memorable weather events below to create new; or modify existing countermeasures contained in traditional (legacy) business continuity or incident response plans. Top 10 Canadian 2021 memorable weather events: (extract from Emily Chung · CBC News · Posted: Dec 16, 2021) Record heat under the dome: On June 28, 2021, Lytton, B.C had a record-high temperature of 45 C for the third time in a week, hitting 49.6 C. B.C.'s flood of floods: In mid-November, an "atmospheric river" dumped more than 200 millimeters of rain on parts of British Columbia within 48 hours, putting entire communities underwater and forcing more than 17,000 people to evacuate their homes. Canada dry from coast to coast: Environment Canada says southern regions from B.C. to the eastern Prairies and Northwestern Ontario faced one of their driest summers in 75 years, with many places getting less than half the normal rainfall during the past growing season. Wildfire season — early, active, unrelenting. This summer was Ontario's worst wildfire season on record, which included the province's largest-ever fire, which burned out of control near Kenora for nearly five months. Canada rides out 4 heat waves: Besides the June heat dome in B.C., there were four other major heat waves across the country between the May long weekend and mid-August. Environment Canada reported. B.C., Alberta and Saskatchewan each experienced their warmest summers in at least 60 years. Year of the EF-2 tornado: Ontario and Mascouche, Que. Tornadoes with wind speeds between 180 km/h and 220 km/h — strong enough to rip roofs off houses and uproot 50 per cent of the trees in their path — receive a rating of two on the Enhanced Fujita scale. Dreaded Arctic blast freezes Canada in February: A polar vortex is being felt across the Prairies, two months later than usual but the frigid temperatures were in between –40 C and –50 C in some provinces. Ontario is expected to be in a deep freeze later this week. 1:47 There was a notable extreme freeze in the second week of February. It broke more than 225 new daily records for low minimum temperatures, including –51.9 C in Wekweeti, N.W.T., the coldest temperature in Canada in four years. Another hailer-flooder in Calgary: A Calgary hailstorm made it onto the Top 10 for the second year in a row. While this year's event didn't compare to the one that caused at least $1.2 billion in damage in 2020, the 50 millimeters of rain caused flash flooding in many areas. Hurricane Larry belonged to Newfoundland: Hurricane Larry entered Canadian waters on Sept. 10 as a Category 2 hurricane, with sustained winds of 155 km/h. A day later, it made landfall as a Category 1 storm west of Newfoundland's Avalon Peninsula, ripping the roof off a school and knocking out power to 60,000 customers. The storm surge it brought amid high tides damaged roads, parks, and coastal communities. The insurance sector estimates property losses of more than $25 million, Environment Canada reports. January Prairie Clipper: The first notable weather event of 2021 rounds out the Top 10: intense winds that raced across the western Prairies in the second week of January. Winds were recorded blowing at 161 km/h at Moose Jaw Airport in Saskatchewan. Winds of 137 km/h in Barnwell, Alta., and 143 km/h at Bratt's Lake, Sask., were also among those that broke 13 January records. We know climate is changing causing extreme weather, like we have never seen before. There is increasing awareness of the need to adapt both to climate change itself and the impact of the extreme weather events – floods, hurricanes, forest fires, etc. – that are becoming increasingly frequent. In addition to thinking globally about the impact climate change, organizations must look locally at the impact it can have on their own operations. The United Nations Educational, Scientific and Cultural Organization Education UNESCO said that: ‘Climate Change education and awareness is an essential element of the global response to climate change. It helps people understand and address the impact of global warming, increases “climate literacy” among young people, encourages changes in their attitudes and behavior, and helps them adapt to climate change related trends. Education and awareness-raising enable informed decision-making, play an essential role in increasing adaptation and mitigation capacities of communities, and empower women and men to adopt sustainable lifestyles.’ Integrating BCM, ERM, and climate change sustainability practices (CCSP) you can build an essential platform to prioritize sustainability risks and mitigation responses for both short and long-term contingencies. Adaptation, adaptive capacity and vulnerability is an ongoing conversation about climate resilience is incomplete without also incorporating the concepts of adaptations, vulnerability, and climate change. If the definition of resiliency is the ability to recover from a negative event, in this case climate change, then talking about preparations beforehand and strategies for recovery (aka adaptations), as well as populations that are more less capable of developing and implementing a resiliency strategy (aka vulnerable populations) are essential. ‘Batten down the hatches’ is a nautical term that gives an order to secure a ship's hatch-tarpaulins, when rough weather is expected. This closes the doors to the outside, as a protection against bad weather. One can do the same for a business in advance of extreme weather such as hurricanes. Business Continuity Planning is proactive and can prepare an organization with timely response to incidents and threats of concern. BCM follows standards that are fundamental in their delivery framework. One such standard, ISO22301, BCM includes identifying potential threats and analyzing impacts to the organization, planning for, and taking steps to build operational resilience and capacity to deal with unforeseen incidents that can affect an organization’s ability to deliver its products and services to all users. Business continuity is deemed a risk control, as response plans implemented are meant to mitigate disruptions to people, process, and technology. The plan–do–check–act cycle is a four–step model for ensuring that the lessons learned from a previous event become embedded in standard operating procedures, moving forward. Business continuity planning has no end, as process is repeated and again, for continuous improvement. Institutionalizing BCM Governance Policy and Program Management promotes the development of appropriate response plans that are comprehensive, focused, and operable. Leveraging an ‘all-hazard, risk-based planning approach’ will address threats that pose the greatest risk to the business, regardless of cause. It focusses on the outcomes of events rather than the events themselves. This cycle involves compiling documentation, measuring, and exercising effectiveness, conducting maintenance, and continually improving of work. The all-hazards approach is defined as documenting and implementing tasks and actions necessary to prepare for, respond to, and recover from impacts of such of all types of risks. For example, loss of the workplace can be caused by any climatic parameter – including flood, hurricane, blizzard, or any other weather event. BCM planning does not mitigate the risk or event rather ‘the consequence’ of it. It is critical to know your business and identify time sensitive work functions that must be recovered within 24 hours of a knockout as well as those that are integral to safety and security, operational integrity (what your customers have paid for and expect to receive) and the customer experience. Extreme weather events are often protracted and geographically widespread, and they may obviate many fundamental assumptions contained in traditional business continuity plans- including: the reliability of public utilities and related transportation infrastructures - the capacity, availability and resilience capabilities of internal and external supply chains that supports the organisation's mission-critical business processes the flexibility and practicality of workload shifting to geographically disparate human resource staffing pools Adaptive assessments of past events can show where capital should be invested to correct reoccurring impacts to business. For example, if a building was flooded, you could make a recommendation to mitigate the problem with structural repair or to eliminate the risk by moving to a different location. General BCM Program Climate Change / Extreme Weather planning behaviors: 1. Core Planning Domains (address): Operational Resilience (staff and process) Information Resilience (technology) Supply Chain Resilience (vendor capability) 2. Role Organizational Senior Leadership (and central to ensuring preparedness and capability) Employee Behavior and Planning Excellence = Process Continuity and Reliability Promotes overall client satisfaction during normal and abnormal operating conditions 3. BCM Program Structure and Methodology All hazards approach Considers impacts of extreme weather caused by climate change Aligning with ISO22301: and best planning practices 4. Three (3) Lines of Defense model to build Business Continuity and resiliency capability Business Continuity Management function in governance Role (with qualified and certified staff) Organizational Front-Line participation with planning, and Partnered with Internal Audit, Enterprise Risk Management (ERM for validation) and your Sustainability, Planning and Development office (or consultant). Business risk is something that all organizations face and comes in many types. It is important to identify, rank, rate and quantify risk so that adequate mitigation plans are in place to deal with it. In my practice and experience the identification, assessment, and prioritization of risks is followed by implemented ‘controls’ to minimize, monitor, and control the probability and/or impact of the risk (or to maximize the realization of opportunities). Risk actions as we have become to know include: • Acceptance (we can accept and live with it). • Elimination (if we do this it won’t happen). • Mitigation (if we do this it won’t be so bad); and • Transfer (shifted to another 3rd party, typically an insurer or new owner). Risk controls are actions to proactively reduce or eliminate risks identified. The greater the risk control capability (n+1) – the greater the cost. BCM itself is deemed a risk control which can manage the risk by building response plans or physical diversity or redundancy with facilities, operations, and the workplace An enterprise risk management program plays a vital role in the surveillance, monitoring and management of risks and opportunities. For example, ISO 31000 offers a defined evaluation process that can help guide organizations through the identification of threats and planning for risk treatment. The Canadian Climate Change Risk Assessment Guide (A Strategic Overview of Climate Risks and Their Impact on Organizations (Interim Version June 2014) is a ‘Guide written to assist organizations, particularly small and medium sized ones, understand the risks and opportunities of climate impacts and how to manage them. The guide can be found at: https://www.iclr.org/wp-content/uploads/PDFS/CC_Risk_Assessment_Guide_Interim2_Jun_8_14_.pdf Engineers Canada has developed more technical approaches to Risk management and climate change impacts. It is known as The Public, Infrastructure, Engineering, Vulnerability and Committee (PIEVC) has created a protocol to assess the vulnerability of infrastructure to extreme weather events and future changes in climate. This enables better planning and design and climate resilient infrastructure. For information reference PIEVC at https://pievc.ca/protocol/ Climate change and extreme weather represent a known risk. Companies that experienced business interruptions as a result of extreme weather experienced a loss of both revenue and customer confidence. While the numbers can be quantified -- insured damage for extreme weather events across Canada in 2018 reached $1.9 billion’[1], the larger threat is that many unprepared businesses run the compounded risk of never really recovering. A structured approach to Business Continuity Management should focus on operational process, functions and supporting technology. It must also identify strategies to help the business survive a disaster and deliver mission-critical services. Scenarios to considering planning for include the following: Your office building or manufacturing facility is unavailable, damaged or destroyed Operational staff and management are unavailable for extended periods of time Power and other utilities become unavailable or intermittent; or The supply chain is interrupted. Planning for a weather risk event impacting your business is simply a good business practice and should be extended to consider including integrated sector-wide table-top exercises on specific extreme weather-related threat scenarios. Stakeholders can include: representatives of key Canadian private sector industries (deemed to be "critical infrastructure" by Public Safety Canada) provincial and municipal offices of emergency management Public Safety Canada and related federal government agencies It is not always about plans and processes it must include organizational culture within the company. Agility as a forethought and is crucial as the best prepared plan may have its challenges when activated under duress conditions. Are you prepared for the next significant event impacting your business? Operational resiliency is key to the impacts of severe weather caused by climate change as a destination, and Business Continuity Management can take you there Where to start – take a Risk Based Approach, know what you have and prioritize by risk. Learn from lessons learned as you cannot predict a disaster, but you can plan for one. Written by: Vito Mangialardi CBCP, AFBCI, PMP Metrolinx Senior Manager: Enterprise Business Continuity Management 277 Front Street West, Toronto Ontario, M5V-2X4 T: 416.202.7751 \| C: 416.561.9379 \| Business.Continuity@metrolinx.com [1] Catastrophe Indices and Quantification Inc. January 16, 2019 (OTTAWA) –
DRIE Toronto Digest - Vol 31 December 2021