Evolution or Revolution: Business Continuity Management for Extreme Weather Risks

Vito Mangialardi CBCP, AFBCI, PMP

This article joins the ongoing discussion about climate change, extreme weather, and its impacts. It explores thoughts and ideas on how business continuity planning can lead your organization to operational resiliency. It is focused first on business continuity and risk practitioners who have dedicated their lives to creating and protecting value in an organization by managing risks, making decisions in support of introducing mitigation strategies, and setting and achieving objectives with operational (or organizational) resiliency in mind. Secondly, it is focused on uniting business continuity practices to tackle the impact of severe weather caused by climate change, along with the efforts of many nations at the 26th UN Climate Change Conference of the Parties (COP26) in Glasgow this past November 2021.

Putting aside the Covid-19 pandemic and all it has taught us, climate change is back top of mind for decision-makers around the world. Proactively mitigating the impacts of climate change, while adapting to the now visible consequences, is no easy task. Organizations need to pay more attention, based on lessons learned from the Top 10 Canadian 2021 memorable weather events below, to create new, or modify existing, countermeasures contained in traditional (legacy) business continuity or incident response plans.

Top 10 Canadian 2021 memorable weather events: (extract from Emily Chung · CBC News · Posted: Dec 16, 2021)
The United Nations Educational, Scientific and Cultural Organization (UNESCO) said that: ‘Climate Change education and awareness is an essential element of the global response to climate change. It helps people understand and address the impact of global warming, increases “climate literacy” among young people, encourages changes in their attitudes and behavior, and helps them adapt to climate change related trends. Education and awareness-raising enable informed decision-making, play an essential role in increasing adaptation and mitigation capacities of communities, and empower women and men to adopt sustainable lifestyles.’

By integrating BCM, ERM, and climate change sustainability practices (CCSP), you can build an essential platform to prioritize sustainability risks and mitigation responses for both short and long-term contingencies.

Adaptation, adaptive capacity and vulnerability

An ongoing conversation about climate resilience is incomplete without also incorporating the concepts of adaptations, vulnerability, and climate change. If the definition of resiliency is the ability to recover from a negative event, in this case climate change, then talking about preparations beforehand and strategies for recovery (aka adaptations), as well as populations that are more or less capable of developing and implementing a resiliency strategy (aka vulnerable populations), is essential.

‘Batten down the hatches’ is a nautical term that gives an order to secure a ship's hatch-tarpaulins when rough weather is expected. This closes the doors to the outside, as a protection against bad weather. One can do the same for a business in advance of extreme weather such as hurricanes.

Business Continuity Planning is proactive and can prepare an organization with timely response to incidents and threats of concern. BCM follows standards that are fundamental in their delivery framework.
Under one such standard, ISO 22301, BCM includes identifying potential threats and analyzing impacts to the organization, planning for, and taking steps to build, operational resilience and the capacity to deal with unforeseen incidents that can affect an organization’s ability to deliver its products and services to all users. Business continuity is deemed a risk control, as the response plans implemented are meant to mitigate disruptions to people, process, and technology.

The plan-do-check-act cycle is a four-step model for ensuring that the lessons learned from a previous event become embedded in standard operating procedures moving forward. Business continuity planning has no end, as the process is repeated again and again for continuous improvement. This cycle involves compiling documentation, measuring and exercising effectiveness, conducting maintenance, and continually improving the work.

Institutionalizing BCM Governance Policy and Program Management promotes the development of appropriate response plans that are comprehensive, focused, and operable. Leveraging an ‘all-hazard, risk-based planning approach’ will address threats that pose the greatest risk to the business, regardless of cause. It focusses on the outcomes of events rather than the events themselves.

The all-hazards approach is defined as documenting and implementing the tasks and actions necessary to prepare for, respond to, and recover from the impacts of all types of risks. For example, loss of the workplace can be caused by any climatic parameter, including flood, hurricane, blizzard, or any other weather event. BCM planning does not mitigate the risk or event but rather ‘the consequence’ of it. It is critical to know your business and identify time-sensitive work functions that must be recovered within 24 hours of a knockout, as well as those that are integral to safety and security, operational integrity (what your customers have paid for and expect to receive) and the customer experience.
Extreme weather events are often protracted and geographically widespread, and they may obviate many fundamental assumptions contained in traditional business continuity plans, including:
Adaptive assessments of past events can show where capital should be invested to correct recurring impacts to the business. For example, if a building was flooded, you could make a recommendation to mitigate the problem with structural repair or to eliminate the risk by moving to a different location.

General BCM Program Climate Change / Extreme Weather planning behaviors:

1. Core Planning Domains (address):
Business risk is something that all organizations face, and it comes in many types. It is important to identify, rank, rate and quantify risk so that adequate mitigation plans are in place to deal with it. In my practice and experience, the identification, assessment, and prioritization of risks is followed by implemented ‘controls’ to minimize, monitor, and control the probability and/or impact of the risk (or to maximize the realization of opportunities). Risk actions, as we have come to know them, include:

• Acceptance (we can accept and live with it).
• Elimination (if we do this it won’t happen).
• Mitigation (if we do this it won’t be so bad); and
• Transfer (shifted to another 3rd party, typically an insurer or new owner).

Risk controls are actions to proactively reduce or eliminate the risks identified. The greater the risk control capability (n+1), the greater the cost. BCM itself is deemed a risk control, which can manage the risk by building response plans or physical diversity or redundancy with facilities, operations, and the workplace.

An enterprise risk management program plays a vital role in the surveillance, monitoring and management of risks and opportunities. For example, ISO 31000 offers a defined evaluation process that can help guide organizations through the identification of threats and planning for risk treatment.

The Canadian Climate Change Risk Assessment Guide: A Strategic Overview of Climate Risks and Their Impact on Organizations (Interim Version, June 2014) is a ‘Guide written to assist organizations, particularly small and medium sized ones, understand the risks and opportunities of climate impacts and how to manage them.’ The guide can be found at: https://www.iclr.org/wp-content/uploads/PDFS/CC_Risk_Assessment_Guide_Interim2_Jun_8_14_.pdf

Engineers Canada has developed more technical approaches to risk management and climate change impacts.
Its Public Infrastructure Engineering Vulnerability Committee (PIEVC) has created a protocol to assess the vulnerability of infrastructure to extreme weather events and future changes in climate. This enables better planning and design and climate-resilient infrastructure. For information, reference PIEVC at https://pievc.ca/protocol/

Climate change and extreme weather represent a known risk. Companies that experienced business interruptions as a result of extreme weather experienced a loss of both revenue and customer confidence. While the numbers can be quantified (insured damage for extreme weather events across Canada in 2018 reached $1.9 billion [1]), the larger threat is that many unprepared businesses run the compounded risk of never really recovering.

A structured approach to Business Continuity Management should focus on operational processes, functions and supporting technology. It must also identify strategies to help the business survive a disaster and deliver mission-critical services. Scenarios to consider planning for include the following:
It is not always about plans and processes; it must include organizational culture within the company. Agility as a forethought is crucial, as the best-prepared plan may have its challenges when activated under duress. Are you prepared for the next significant event impacting your business?

As a destination, operational resiliency is key to the impacts of severe weather caused by climate change, and Business Continuity Management can take you there.
Written by: Vito Mangialardi CBCP, AFBCI, PMP
Metrolinx Senior Manager: Enterprise Business Continuity Management
277 Front Street West, Toronto Ontario, M5V-2X4
T: 416.202.7751 | C: 416.561.9379 | Business.Continuity@metrolinx.com

[1] Catastrophe Indices and Quantification Inc. January 16, 2019 (OTTAWA) –

DRIE Toronto Digest - Vol 31 December 2021