May 2009 Tip of the Month
Date: Tuesday, May 12 @ 10:41:13 PDT
May Tip: “Don’t overemphasize the risk assessment process to the detriment of a risk’s response plan.”
With the spread of influenza A H1N1, or swine flu, your organization has probably activated Stage 2 or 3 of its pandemic plan. According to officials, the virus is known to be mutating and could become resistant to drugs.
As of May 6, 2009, 22 countries have officially reported more than 1,500 cases of the infection. Mexico has reported 800+ laboratory confirmed human cases, including 29 deaths. The United States has reported 403 confirmed human cases, spread throughout more than 30 states — some likely in your own backyard.
However, despite media hype, we don’t think anyone should overreact. So far, only two people have died in the U.S. Infected persons have gotten better by themselves, or have responded to antiviral drugs.
Organizations are confronted with numerous threats every day — some avoidable and some not (a pandemic) — yet some planners get caught in the web of risk analysis and never move on to the response plan.
Certainly working through a risk/threat vulnerability assessment process is invaluable. It will help determine and weigh the probability of threats that may impact your organization. Conversely, it will bring to light which risks you have most impact on—either to mitigate or to lessen the likelihood of their occurrence.
While it is true that risks must be identified, some planners get so caught up in the minutia of assessing that risk that they don’t complete their response plans. No one can eliminate all the risks that can cause a disaster — power outages, natural disasters, and, of course, pandemics.
Our recommendation is: For risk/threat incidences that cannot be avoided, plan for the result of them and not the risk/threat incident itself.
After spending valuable time identifying risks/threats, including their probabilities, consequences, mitigation strategies, resulting implementation costs, we recommend spending an equal or greater amount of time on the response plan, e.g., health crisis response plan, business continuity plan, disaster recovery plan, etc.
In planning for the result risk/threat incidences, we recommend conducting an assessment that identifies risk, researches the potential loss impact — both quantitative (financial) and qualitative (operational) — of disruptive events, and weigh those consequences with the cost of remediation.
In the case of swine flu, researchers might look at: how prevalent the disease is in the region, how easily it appears to be contracted, how long the incubation and quarantine period is — both for those exposed to it or actually contracted it — until they could function normally again and wouldn’t expose others, or simply what employee downtime would cost.
However, in planning for the results of widespread pandemic, companies should be able to answer the question on what they would do and how they would operate if they experienced upwards of 50% absenteeism. Allowing staff to work at home, cross train personnel, or hire contractual employees are only a small portion of the answers.
In the overall scheme, once planners have facts in front of them, they should no longer be entangled in the trap of the likelihood of a risk they have no control over anyway. They should weigh risks/threats and plan accordingly for their consequences.
Consulting and Software for
Business Continuity and Disaster Recovery Planning