Kahnemann, Empirical Data on BCP for Small Businesses
ModelRisk
VOSE Software provides a software tool called ‘ModelRisk 4’ which allows analysts to run Monte Carlo simulations within Microsoft Excel. The software is able to display the results in graphical form. The ‘Standard’ version of the product is free and is not time-limited. You can download it and use it for as long as you like. If you need more powerful features, the company sells the ‘Professional’ and ‘Industrial’ versions of the product.
The software is supported by a very comprehensive help file which goes beyond merely explaining how to use the software and also gives a brief explanation of the various data analysis functions and their purpose. For more in-depth analysis, you can turn to David Vose’s book ‘Risk Analysis: A Quantitative Guide’. David runs VOSE Software out of Belgium. VOSE Software also provides risk consulting services.
Likelihood of an Event
Deciding That a Crisis is Upon Us
The US military gives us a good model of crisis with the DEFCON status. It allows a staged reaction to a crisis that may or may not be impending. It allows the military to prepare and also not to over-prepare.
As facts become known, and the understanding of the situation becomes more solid, the authorities are able to step up or step down preparations and mobilisations for handling the crisis.
Business organisations would do well to think about a staged approach to their crisis management plans.
Some Regulatory Business Continuity Links
Australian Prudential Regulatory Authority
Guidance Note GGN 222.1
Risk Assessment and Business Continuity Management
http://www.apra.gov.au/General/loader.cfm?url=/commonspot/security/getfile.cfm&PageID=8532.
Guidance Note AGN 232.1
Risk Assessment and Business Continuity Management
http://www.apra.gov.au/Policy/loader.cfm?url=/commonspot/security/getfile.cfm&PageID=8529
Prudential Standard APS 232
Business Continuity Management
http://www.apra.gov.au/Policy/loader.cfm?url=/commonspot/security/getfile.cfm&PageID=8528
Prudential Standard GPS 222
Business Continuity Management
http://www.apra.gov.au/General/loader.cfm?url=/commonspot/security/getfile.cfm&PageID=8531
Commission of the European Communities (2005): Green paper on a European programme for critical infrastructure protection, November
http://eur-lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0576en01.pdf
De Nederlandsche Bank (2004)
Business Continuity Planning
http://www.dnb.nl/en/payments/bcp/index.jsp
Beyond the Risk Register
A brief cackle burst forth, asking: "why would someone need a master's degree in risk management?"
It's a good question.
Risk management is, for many people in projects, one of the very basic things that anyone can do. It's not rocket science. To most people,
risk management is simply the risk register - often created because it
is a mandated part of the project management procedures - and not much
else.
And anyone can create a risk register. All you need is an Excel
spreadsheet and a template of the right headings, or a risk management
software package, and you can start populating it.
Even the risk management framework is simple enough: identify the
risks, give an estimate of the likelihood, determine consequences,
identify controls, estimate residual risk, identify who is
responsible, and then rank the risks for prioritisation.
Brain surgery is equally simple: identify the area to be incised,
determine the likelihood of success, determine the risks, etc. People
know that not all surgeons are equally qualified to do brain surgery.
Even among brain surgeons, there is a qualitative difference in
experience and, consequently, results.
Riding a bicycle is also equally simple, but everyone knows there is a
magnitude of difference in the performance of a rider at a Tour de
France level, and someone who rides for leisure.
But what about risk management? While anyone can come up with a risk
register, there can be a serious difference in the results.
Some areas where competence in risk analysis would produce a marked
difference in results:
* Risk identification - are we identifying the right risks? Are we
missing any? Are we putting in risks that aren't risks? Missing a
critical risk can prove catastrophic to a project.
* Risk likelihood - are our estimates any good? Is there available
data we should be using? Overestimating can prove costly.
Underestimating can prove disastrous.
* Risk consequences - how credible are our estimates of consequence?
How complete is it? An inept analysis of the consequences will mean
poor preparation and mitigation of the consequences.
* Risk control - how realistic are the controls and mitigations we
have identified? How good is our decision-making on which controls to
implement? What is the impact of our controls?
* Risk prioritisation - are we using the right prioritisation approach?
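To make the likelihood and prioritisation questions concrete, here is an added example (not from the original post and not taken from any of the tools named on this page) that runs a Monte Carlo simulation over a small risk register. The three risks, their likelihood ranges and their impact ranges are constructed for illustration; the point is that ranking by average yearly loss and ranking by the 1-in-100 bad year put the same risks in a different order.

```python
import random

# Constructed register: (risk, yearly likelihood range, impact range in currency units).
# Ranges, not point values, because the estimates themselves are uncertain.
REGISTER = [
    ("Laptop theft",         (0.50, 0.70), (5_000, 15_000)),
    ("Data centre outage",   (0.01, 0.03), (100_000, 300_000)),
    ("Key supplier failure", (0.05, 0.15), (20_000, 40_000)),
]

def simulate(register, trials=50_000, seed=1):
    """Simulate `trials` independent years; return {risk: sorted yearly losses}."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    losses = {}
    for name, (p_lo, p_hi), (i_lo, i_hi) in register:
        years = []
        for _ in range(trials):
            likelihood = rng.uniform(p_lo, p_hi)   # draw a plausible likelihood
            if rng.random() < likelihood:          # does the risk eventuate this year?
                years.append(rng.uniform(i_lo, i_hi))
            else:
                years.append(0.0)
        losses[name] = sorted(years)
    return losses

def summarise(losses):
    """Average yearly loss and the loss exceeded in only 1 year out of 100."""
    return {
        name: {"mean": sum(years) / len(years),
               "p99": years[(99 * len(years)) // 100]}
        for name, years in losses.items()
    }

def rank(summary, key):
    """Risk names ordered from most to least severe under the chosen measure."""
    return sorted(summary, key=lambda name: summary[name][key], reverse=True)

if __name__ == "__main__":
    summary = summarise(simulate(REGISTER))
    for key in ("mean", "p99"):
        print(f"ranked by {key}:")
        for name in rank(summary, key):
            print(f"  {name:<22} {summary[name][key]:>12,.0f}")
```

Ranked by mean, the frequent but cheap risk comes first; ranked by the 99th percentile, the rare but expensive one does, so the choice of measure is itself a prioritisation decision.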
Checklists
Checklists and questionnaires belong in the toolbox of risk professionals. A checklist works best when used by the risk professional while interviewing an information source, whom we’ll call an interviewee.
The checklist becomes far less effective when simply handed over to the interviewee, because letting the interviewee work by himself raises new, undesirable dynamics:
- First, the interviewee loses the chance to ask questions about the questions being asked. He may misunderstand what is being asked but be unaware of it. In such a case, even informing the interviewee that they should ‘feel free’ to ask if they have questions will not help much, because the interviewee is not even aware that they misunderstand.
- Second, the interviewee may not have as much interest as the interviewer in the process of gathering data. In cases like this, you can expect that only the minimum amount of information will be written down in the checklist.
- Third, the interviewee may not see the whole point of the interview, and why they must fill in the checklist. As in the second dynamic above, this results in missing information.
- Fourth, a large number of checklists and forms are very badly designed, which can easily lead an interviewee to confusion. Many forms ask for too many things. The interviewee may have the energy to fill in the first few entries, but a noticeable drop in energy, due to a drop in interest, can often be seen.
A well designed form helps much toward eliciting good information. At the very least, the following should be addressed when designing questionnaires and checklists:
- Who is going to use the contents of the checklist?
- To what purpose are they going to use the contents?
- Who is going to provide information to the checklists? (That is, who are the interviewees)
- What kind of questions and prompts should the checklist contain in order to elicit the information required?
- What kind of information does the current version of the checklist contain that is not needed?
- In what ways can the questions and prompts be misunderstood?
It is vital that a checklist be tested on several interviewees before finalising its use.
Risk Management Software Packages
In a LinkedIn discussion someone asked for recommendations on a web-based risk management software package that’s suitable for a SME (small to medium enterprise). The key need was for managing a risk register and for tracking risks. Some of the recommendations were:
- @Risk (http://www.palisade.com/risk/)
- Balanced RiskCard (http://www.riskcard.co.uk/)
- Active Risk Manager (www.strategicthought.com)
- Link ResQ (http://www.linkresq.ie)
- RiskAid or RiskAid Enterprise (http://www.riskreasoning.co.uk/)
- STREAM (www.acuityrm.com)
- Covalent Enterprise Risk Manager (http://www.covalentsoftware.com/product/erm/)
- EsyRiskManager (http://www.dnv.com/)
- Pims (www.omega.no)
- JCAD RISK (www.jcad.com)
- Magique (www.magiquegalileo.com)
- Aon RiskConsole (http://www.aon.com/denmark/en/esolutions/aon-risk-console.jsp)
- RiskyProject (http://www.intaver.com/riskyprojectprof.html)
- (http://www.align-alytics.com/) (what product?)
This is quite a handful of choices. I’m hoping to be able to spend some time looking into each one.
What is the difference between an impact and a risk?
Sit at any Risk Management 101 class or Risk Management introductory workshop and you will most certainly be introduced to the risk register. And in that risk register, you will be introduced to two columns: the Risk, and the Impact.
You will be told that the Risk is an event that may or may not happen. You will also be told that Impact is what will happen if the Risk occurs (or ‘eventuates’). Sounds clear, simple, direct.
Now let’s apply what we’ve learned. You are concerned (rightly) about crashing your car. Is that a risk? Or is it an impact? (Avoiding the pun on crash and impact). It is not certain that your car will crash, so that is a risk. What will be the impact? Easy: you may experience fatality. Or you may experience serious injury, or you may experience light injury.
But why isn’t crashing the car an Impact?
What caused the car crash? Did your brakes malfunction? Was that a risk? Was there a risk that your brakes would malfunction? Were you hit by a drunken driver? Was that a risk you faced when you were driving? Absolutely.
So let’s say: Risk = Possibility of being hit by a drunken driver. What is the impact? Crashing your car. What was the risk earlier is now the impact.
The distinction between risk and impact is not so clear. What is a risk from one perspective is an impact from another. But which perspective is the right one to take? And which perspective should you be taking when you fill in the risk register? Do you put “Car crash” under Risk or under Impact?
Winning and Risk Management
There’s a highly-regarded self-coaching book called “Sail, Race, and Win”, by Eric Twiname and Cathy Foster. In the book is a neat description of how to win in a race. They ask the reader to imagine a descending escalator, with lots of people, representing the competitors, walking up the escalator. The goal is to remain, as far as they can manage, in the same spot they started in. They can walk up at the same pace that the escalator is going down, but they can't walk up faster than that.
Since no one’s allowed to go faster than the pace of the escalator, the would-be winner will have to focus on not making mistakes rather than walking faster than the pace of the escalator. Any mistake, no matter how momentary, will set you back a little, possibly allowing someone behind to move out in front of you. The more mistakes and lapses you make, the more you are pushed back relative to your starting position, and relative to the other competitors.
Now since you can't go faster than the pace of the escalator, you can't make up the distance you lost by putting in extra effort. The best you can do is to make no more mistakes. The only way you can get ahead of those in front of you is if they make mistakes.
I haven’t seen winning explained in this manner before, and despite its oddness, it has a certain valid point. Twiname and Foster come from the world of sailing. Perhaps the idea of not being able to outpace the escalator comes from their world, where your progress depends on the winds and the tides -- you can't go faster than what the elements or the environment allows.
The image seems rather useful when thinking about how risk impacts business. A company cannot make more money than what its environment allows. For example, if you are a consumer goods company, how much you can sell is moderated by the size of your market, the demand for your product, and the competitive dynamics of the industry you are in. In a market with 10,000 customers and 5 competitors, you just cannot make sales equivalent to a market of 20,000 customers.
And while you can't get ahead, you can definitely be set back. The key to winning then becomes minimising the setbacks. On an operational basis, you are constantly being set back if your production costs are more than the competition’s. On a discrete and pulsating basis, you are set back each time a risk eventuates which impacts you negatively. The longer it takes and the more it costs you to recover, the more you are set back. The key to winning in this case is to ensure that you minimise your risk eventuations and minimise their impacts.
You can look at risks as these setbacks. It is in your interest to avoid them as much as possible, and to be able to recover as quickly as possible. Even then, you can only recover to a point not as good as where you started. Hence, reducing the occurrences of risks becomes a key factor in winning.