Everything you want to know about Business Continuity
eBook - ePub

Tony Drewitt

  1. 260 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android
Book information

Everything you want to know about Business Continuity will show you how to develop a modern response to the operational risk landscape and how to prepare your organisation for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility. You will be able to identify and assess the risks to your company and put in place a ‘fit-for-purpose’ business continuity plan which will enable you to meet the expectations of your customers and stakeholders in the event of an unforeseen incident.


Information

Year
2012
ISBN
9781849282024

CHAPTER 1: THE OPERATIONAL RISK LANDSCAPE FOR BUSINESS AND OTHER ORGANISATIONS

Most people in management and senior jobs have a good understanding of risks: what they are, how they are managed and even how to measure them. But there remains in many organisations a blurring of definition about types of risk and who is responsible for them, as well as all sorts of risk that haven’t even been identified.
Like not having insurance, this is usually only a problem if something actually goes wrong, and in the minds of most people that is really rather unlikely. The majority of people tend to be concerned about things that have gone wrong before–and not for others, but for themselves. That is human nature.
Typically, in commercial or ‘for profit’ organisations, risk is divided into ‘core business’ and ‘other’ categories. Core business risks nearly always get far more attention and usually quite rightly. But let’s look again at the three types of risk put forward in this book:
1   that the organisation ceases to be viable due to adverse levels of business, profitability, cost fluctuations and compliance with relevant legislation, contracts and codes;
2   that the organisation’s viability is jeopardised because it engages in some activity that its customers haven’t directly asked for;
3   that the organisation is viable, but its ability to operate is reduced or removed by some unexpected situation, incident or materialised threat.
These risk types aren’t concerned with the cause, or hazard–that comes later–but they should enable most people in an organisation’s management to decide whether all risks should be dealt with by one person or department, or whether there are some different groupings of risks that fall into separate areas.
The business of risk management is not necessarily as straightforward as some other organisational activities; there is no single approved method, either statutory or otherwise. The Institute of Risk Management (IRM) puts forward ‘A Risk Management Standard’ as opposed to ‘The Risk Management Standard’ or even just ‘Risk Management Standard’.
This standard refers to internally and externally driven risks and suggests a number of specific risks in each of four types (see Figure 1).[1]
Figure 1: Risk types suggested by AIRMIC, Alarm & IRM’s structured approach
The Business Link website refers to the risk types shown in Figure 2:[2]
Figure 2: An alternative approach to risk types suggested by Business Link
Most of these approaches actually concern themselves with threats, which is a useful starting point when thinking about operational risks: the risks that the organisation is prevented from doing what it exists to do. But before looking at the sorts of risk that are relevant to business continuity, it’s worth considering a couple of examples of threat types that transcend both core business and operational risks:

Weather

Exceptional weather conditions can affect companies in a number of ways:
1  It can affect the demand for products or services
In 2010 the UK experienced its coldest December for 120 years, coinciding with expected peak demand in the retail sector. The effect on the ‘high street’ was significant and, despite the impending increase in the VAT rate from 17.5% to 20% due on 4 January 2011, retail sales dipped substantially, whereas many might have expected them to increase as shoppers anticipated the post-Christmas VAT increase (Figure 3).
Figure 3: UK retail sales index, Nov 2009–Jan 2010.
Source: National Statistics Online
This is an example of a core business risk driven by the environmental threat of extreme weather.
2  It can cause a disruption to the company’s operational capabilities
The same threat presented an operational risk for the Royal College of Nursing’s RCN Direct service based in South Wales, as both its telephone call centre and substantial mailing activities were suspended.[3]
So a number of retail companies will have recorded extreme or adverse weather conditions as a threat, and, therefore, risk, to core business, whereas other organisations like the RCN would have treated the same threat as a cause of operational disruption and, therefore, an operational risk.

Energy

The supply and price of hydrocarbon fuels used in electricity generation can affect companies in at least two ways:
1  Most companies, especially manufacturers, use electricity. But as the demand for hydrocarbon fuels rises, which then leads to increases in price, so the cost of electricity, which forms part of the cost of manufacturing products, rises also. As a result, some manufacturers may face the risk that they can no longer remain competitive in the market. This is an example of a strategic core business risk.
2  There also exists the risk that, as demand for hydrocarbon fuels increases, the ability of generators to convert those fuels into electricity may become unstable, potentially leading to electrical power cuts and the inability to manufacture products. This is an example of an operational risk with the same root cause as the previous strategic risk, the hydrocarbon fuel market.

Operational risk management

It is for each organisation, when considering all of its risks, to decide which are to be treated as interruption risks and so form the basis of the business continuity arrangements. Clearly no organisation should put contingency arrangements in place for a threat that it does not face, but at the same time it should also be aware that certain threats may result in more than one type of risk.
But there are some risks which may be considered operational that are unlikely to give rise to an actual interruption to, or significant reduction in, operational activities. These may include, for example:
•   health and safety–in terms of accidents and incidents;
•   security–such as the theft or loss of equipment, facilities or information;
•   efficiency or productivity.
Again, it is for each organisation to decide whether it wants a fully integrated ‘enterprise’ level risk management system or a number of independent systems, or frameworks, that deal with specific types of risk. The fully integrated approach may make sense in some respects, but in others it is probably counterintuitive for a single system to deal on the one hand with the fast-moving risks of something like foreign exchange trading (including in organisations for whom foreign exchange trading is not core business), and on the other with risks such as health and safety, employment law or information security.
In a probable majority of organisations, there will already be some existing risk management arrangements in place covering a number of aspects of the organisation, and as business continuity gets onto the corporate agenda it may well be ‘added’ onto the responsibilities of an existing team or manager and so almost by default acquire its own risk framework–if, indeed, risk management is to include any kind of formalised approach.
But the opportunity to integrate disparate risk management activities should not be overlooked. There might well be opportunities to improve the efficiency and effectiveness of risk management, and it is often the case that directors and senior managers acquire a better understanding of the organisation’s overall risk profile if they can see everything in a consistent format. There are also examples of a risk control, or mitigation, measure being put in place for one type of risk that then presents a new, or increased, risk in another category. For example, changing an escape route to reduce a fire-related risk could present a new information security risk.
The introduction of business continuity as a new activity or management discipline is often a catalyst for the organisation dramatically to improve its management of risks, particularly those which have previously been paid little attention and of which the Board has limited awareness.

The risk management process

A fairly common failing on the part of directors is that although they are aware of certain risks and may have decided to tolerate them for the time being, they don’t keep any written record of these risks and, in the event something goes wrong, they cannot then account for the fact that one of these risks materialised and caused some loss or injury. This is an exposure that the majority of directors simply don’t need; ignoring a risk that you could be expected to have known about is not good, but making an assessment of a risk and noting that you cannot do anything about it at the moment puts you in a much stronger position if and when called to account for it.
The risk management process is described in some detail in Chapter 7 because it is a key component of a BC management system, but it should be understood that business continuity is a key subset of operational risk, which itself is a key component in enterprise risk management, illustrated in the diagram in Figure 4:
Figure 4: Business interruption risks in the context of enterprise risk and activities
Needless to say, the example risks in this diagram are just that; some of the operational risks may represent business interruption risks also, but it is likely to vary between organisations.
A BCM programme is likely to be the most successful if it is not allowed to exist in a ‘silo’, and is seen by everyone in the organisation as a key part of the enterprise (or organisation-wide) risk management process. This is more than likely to bring gains in terms of efficiency, conflict avoidance and reduction in expenditure (or executive time).

[1] A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO31000 (AIRMIC, Alarm, IRM, 2010).
[2] Business Link is the Government-funded business advice agency.
[3] RCN website, news section.

CHAPTER 2: WHAT DOES BCM ACTUALLY ACHIEVE?

The recent economic downturn has taught many in the business continuity world that BCM is treated as a ‘discretionary’ activity by many people running organisations of all types.
Do we now wear seat belts in cars...

APA 6 Citation

Drewitt, T. (2012). Everything you want to know about Business Continuity ([edition unavailable]). IT Governance Ltd. Retrieved from https://www.perlego.com/book/5745/everything-you-want-to-know-about-business-continuity-pdf (Original work published 2012)
