Known Unknown

I was woken up in the early hours of Wednesday morning by a long, low, rumbling vibration coming through the ground, and I assumed that it was a heavy lorry moving slowly along the normally quiet road where I live. Actually, it turns out that I was woken up by an earthquake measuring 1.7 on the Richter scale. The epicentre was about 8 miles from my house.

I live on the edge of the English Lake District, an area of the world that most people think does not suffer from earthquakes. However, this view is entirely wrong as it lies on a geological fault line running through the northwest of England that is prone to earthquakes. In fact, this is the third one that I’ve experienced in about 20 years.

Fortunately, all of these earthquakes have been less than 2.0 on the Richter scale and have not caused any damage. But what is to say that they might not be much larger in years to come and cause significant damage to the area? Just because there’s no record of a large earthquake in the northwest of England, it doesn’t mean that it won’t occur. Surely, if it’s on a fault line, then there is a chance that we will experience the “big one” at some point in the future. If so, what is that chance? What is the probability that the northwest of England will experience a large earthquake in the coming year?

This is a classic case of a known unknown. We know that the northwest of England has a geological fault line and that earthquakes have been recorded three times in the last 20 years (a chance of 15% that the northwest of England will suffer from an earthquake in any one year). What we don’t know is the size and impact of the next earthquake.

So, do all those organisations in the northwest of England that are on or near the geological fault line have an earthquake on their risk registers? And if so, what have they estimated the likelihood and impact of an earthquake. On the evidence of the past 20 years, the likelihood is 15% of an earthquake within the coming year with an impact of zero. But what if the earthquake is about 8.0 on the Richter scale (about the same of the big earthquake in San Francisco in 1906) and the impact is huge? Does anyone have this on their risk register, and if so, what are they doing about it?

My company, Merrycon, is based on the geological fault line, and we have identified a large earthquake as a threat to the company. However, despite spending every day managing risk, we don’t keep a risk register. A large earthquake is just one of the many known unknowns that could destroy the company’s offices and assets, but instead of meticulously recording each threat, estimating the likelihood and impact of each, and trying to think up mitigating actions that we could take, we have a Business Continuity Plan that covers the loss of the northwest of England – from whatever cause.

This is how Merrycon handles its known unknowns.

Selling Business Continuity

I’ve been asked to give a 2 hour session on why companies should implement Business Continuity at an event being held by a supplier of recovery office space, which is aimed at local businesses. This will be the first such event that I’ve presented at for about a year, but before that it was something that I did on a regular basis. Why did I stop? Because I was “bashing my head against a brick wall”. Why am I starting again? Because I want to see if anything has changed.

My many years of experience in trying to promote Business Continuity have led me to the conclusion that it can’t be sold; all that I can do is to make it easier, cheaper, and less painful than otherwise for an organisation that has already decided that it needs to implement  Business Continuity. The concept of “selling Business Continuity to top management” is beguiling, but at the end of the day it’s pointless. Unless top management has already decided that it’s a good idea, you’re wasting your time.

So, why have I accepted the invite, do I now think that the situation has changed and that there’s now a possibility that it can be  sold to top management? No, I don’t. However, I am interested to see if the situation has changed insomuch that a significant number of top managers now believe that implementing Business Continuity is a good idea.

What I think might have changed over the past year is the perception of vulnerability. There has been so much publicity surrounding disasters and how they might affect businesses over the past few years that I’m wondering if all these floods, terrorist attacks, ‘flu pandemics, tsunamis, etc. are starting to make top management believe that not only could it happen to them, but it probably will. The other perception that needs changing though, is that they can cope with whatever happens without some kind of pre-prepared plan.

The event is being held in early September, so watch this space.

Sisyphus – the Business Continuity Manager

In Greek mythology, Sisyphus was the founder and king of Corinth who was condemned to an eternity of hard labor as punishment for a crime against the gods.  The labour was to roll a great boulder to the top of a hill, but every time Sisyphus, by the greatest of exertion and toil, almost reached the summit, the boulder rolled back down the hill and he had to start all over again.

Anyone who has been given the task of running a Business Continuity programme will be all too familiar with the hard work and frustration suffered by Sisyphus. By the greatest of exertion and toil you will almost manage to get the organisation to the desired degree of resiliency, when something happens, such as the implementation of a new computer system, that undoes all the hard work and means that you have to start again. We live in an ever-changing world, which means that never quite manage to achieve what we set out to when implementing Business Continuity.

The fate of the Business Continuity Manager is to continually struggle and toil to push the Business Continuity boulder up the hill, only to see it roll back down again. Does anyone volunteer for this task, or is being appointed as the Business Continuity Manager a punishment from the corporate gods? Who, in their right mind, would want to work so hard knowing that they will never be able to achieve their objectives, and that all their good work will be undone by some sort of change?

As a Business Continuity consultant I see this frustration all the time, but never quite experience it myself. My task is to help the Business Continuity Manager get the boulder part way up the hill, point out the direction that should be taken to get to the summit, and produce a nice handover report to the client explaining how they can achieve their objectives as long as they everyone pushes in the right direction. What is frustrating for the consultant though, is the knowledge that not everyone will push in the right direction, and that at some point, before the summit is reached, the boulder will be pushed off course or there will not be enough effort made to keep it rolling up the hill, and that the Business Continuity boulder will inevitably roll back down the hill again.

Frustrating, but potentially lucrative, because the client will always wonder why their Business Continuity boulder has roll backed back down the hill, and might just re-engage the consultant to get the process going again and point out what went wrong.