by Chris McFee
•
18 Jun, 2020
One of the aspects of risk management planning is the uncertainty in trying to identify the full range of threats that could cause disruption. In particular, assessing the likelihood of the threat occurring. One way that smaller businesses can deal with this is to focus on the generic outcomes of threats. For example, flooding, power cuts or fire could have the same outcome: that you are unable to access your business premises. However, when we want to do a more detailed analysis then we need to think in more detail about each specific threat: how likely are they to occur and what would the direct impacts be. This is particularly important in dealing with some of the more unusual threats which may have a large impact but whose likelihood is low, but how low is not clear. To illustrate, how likely is it that we have a complete failure of the UK electricity network? This sort of information is known as a “planning assumption” and it is important to be clear what they are. Obviously, if you assume that a threat is far less likely than it turns out to be, you may quickly discover that your business is severely disrupted as your plans aren’t up to the job. But if you assume the threat is more likely (or serious) than it turns out to be, you could end up spending lots of time and money that would be better spent in other key areas of your business. While this information is available in some areas, it is difficult to get hold of. Examples include the frequencies and durations of power cuts in your local area over the past ten years. There is quite a lot of certainty around those figures, but you can’t access them (unless you are willing to pay quite a bit of money). In contrast, the information for other threats is more uncertain. I have already mentioned the likelihood of a failure of the UK electricity infrastructure. Another threat is from space weather, or an unconventional terrorist attack. In those cases, detailed information about frequency of occurrence is not available, and an expert judgement is needed where there is often disagreement about the frequencies to use. Given this, what figures should you take for your planning assumptions? How can you make sense of the information that is publicly available? It is important that you communicate these assumptions clearly and effectively to colleagues so that they can include them in their business decisions. But how can you do this without providing a false level of confidence in your assumption that you may not have? Be aware that there is rarely a consensus at the early stages. An example could be that of a power cut affecting your business. It is highly likely that you will face a power cut at some time. You almost certainly have had one in the past. And the immediate consequences are also quite well understood. You may lose IT provision (unless of course you have already mitigated with some form of backup). If your business is public facing, you may need to temporarily close access to the public, and so on. That said, how long is this power cut likely to last? This is where the uncertainty can lie. In such a situation, where there is consensus about the nature of the threat but a lot less so about the likelihood, include all of the range of scenarios in your planning. For example, you could aim to plan for a most likely case of one hour, a possibility of two days, and an unlikely (but still possible) worst case duration of two weeks. You can then use this to set boundaries. Likewise, the situation is more difficult where you have a lower probability threat, particularly when the impacts of the threat itself will be very high. Together, these this combination can make it difficult to communicate the threat sufficiently effectively to enable appropriate and proportionate planning to take place. One technique is to use language and this should be the first component of your discussions. For example, when considering the likelihood (frequency) that something may happen for which there is little information, framing the information in the context of verbal boundaries is often highlighted as an effective technique. For instance, • very high confidence – 90%. • Highly unlikely – less than 1 in 10 chance (<10%). This is a good technique to use, but be aware that it can be a hostage to fortune and should be used carefully. Whilst everyone may be clear that “highly unlikely” corresponds to a less than one in ten chance of occurrence, our own biases may lead to us mentally interpreting this in different ways, particularly when it is natural to focus on short term issues. Describing an event as “highly unlikely” often leads to that event being filed away in the “it will probably never happen” part of the brain, and we approach that threat in a different way. It may be better to expand the language slightly. For example, it is “highly unlikely but still possible” makes that uncertainty clearer. A misunderstanding over the use of language can quickly lead to you being blamed as the individual responsible for underestimating this threat. Also beware of over-interpreting extreme possibilities. The press can often become fixated on extreme scenarios that become almost apocalyptic but really are extremely unlikely. A natural tendency to be focused on that extreme case can lead to poor allocation of resources. Conversely, by rejecting that “extreme” case, we can go too far in the other direction and assume that the threat is not as likely as it actually is. In UK central government planning the concept of the “reasonable worst case” is used to try and avoid these biases. But of course, this always leads to the question: “what do you mean by reasonable?”. Thus, having bounded the potential likelihoods, you could try planning around a number of different scenarios that provide a sensitivity analysis to see how vulnerable your business is. It may be that most scenarios your business would be disrupted but could still cope and you only need to focus on one or two scenarios. Weather forecasts are produced in a similar way. The inherent non-linearity in weather systems means that there is quite a high sensitivity to the initial starting conditions. Therefore, models are run many times to produce a range of potential weather outcomes which the forecasters use their judgment to review. It follows that, when you run sensitivity scenarios you are looking to identify how extreme any situation needs to be before things start to go seriously wrong. The information you have from your business impact analysis should be very helpful to this. Nevertheless, what we are focusing on here is not the failure of a specific component or service in your business process. With a major event there are likely to be multiple compounding areas of disruption that stress the system until something gives. If possible, include a second incident into your analysis. You may find your business can cope with one incident, but if a similar incident occurs things start to deteriorate very quickly. Running multiple scenarios is obviously very time consuming and resource intensive and may not be possible. But if can do something this can give greater confidence around these uncertainties – it helps bound those areas that you need to really worry about. Alternatively, if you can’t manage extensive scenario planning, how about some role playing? One of the difficulties with assessing low probability events is the difficulty in being able to “imagine” the actual impacts. Numbers and slides may demonstrate how bad the impacts could be, but the inherent low probability of the event means that we have difficulty in dealing with this. It can often feel so abstract that we make assumptions about how we would react which are wrong. Role playing can help with this. Asking simple questions such as, “if this did happen to the business, how would you feel if”? In a similar vein, focusing on similar issues that occurred in the past, and the consequences of the decisions made, can be very helpful. And finally, try to understand the inherent biases and compensate. In particular, overconfidence and groupthink. Discussions around uncertainty will often be led by one or two individuals who are very vocal in their view. Sometimes this is justified (they may be an expert in this field) but often this is down to pure overconfidence. Try to find ways to remove this tendency. Perhaps using questionnaires to get individual views (this also helps minimise groupthink where no one wants to be odd one out). In these situations, a diversity of individuals with diverse opinions and experiences can be extremely helpful.