Citrayudha Komaladi

From: Goh Kheng Leng [gohkl@income.com.sg]
Sent: Friday, March 30, 2007 5:23 PM
To: Citrayudha Komaladi; Heng Cheng Chiang Eddie; Ng Sai Wei
Subject: Businesses focus a disproportionate amount of their Business Continuity resources on unlikely scenarios

www.SecurityPark.net
The leading News portal for Security Professionals - Copyright 2000-2006
Security News article posted in Security News, IT Network and Computer Security, on 21/03/2007

Businesses focus a disproportionate amount of their Business Continuity resources on unlikely scenarios
It will be a long time before anyone forgets the dramatic events surrounding the death of Alexander Litvinenko
on 23 November last year. As well as giving daily updates on his lingering death, with its eerie echoes of the
Cold War, the newspapers were full of reports of severe disruption to businesses as hotels, restaurants and
other premises were sealed off and subjected to detailed radiological surveys. Most notably, BA not only had a
number of planes involved in the incident grounded but had to trace the many thousands of passengers who
had flown on them. This incident has undoubtedly raised the profile of Business Continuity and this type of risk
in particular: already this year I have been involved in running a Crisis Management exercise based on a
radiological scenario for one client and I expect that there will be more requests before too long.
Only a few weeks earlier, we had watched from the window of our offices on Fleet Street, as an altogether less
newsworthy Business Continuity event played out in front of our eyes. On the morning of 19 October 2006 a
luffing jib crane on a construction site at New Street Square / New Fetter Lane failed after putting down a load,
leaving the crane jib hanging vertically from the mast. The Emergency Services quickly attended and began to
clear Fetter Lane and adjacent streets. Dozens of organisations were evacuated from their premises and a large
crowd of displaced office workers began to grow at either end of the cordon. Fortunately the weather was dry
and quite mild, for many of them appeared to have nowhere to go, and there was a delay of over an hour before
the Fire Service announced that nobody would be allowed back into the affected premises that day. I am
pleased to report that the incident was resolved without any injuries and business as usual resumed the next
day.
The New Street Square / New Fetter Lane incident is not, in fact, an isolated one: in September last year a
crane collapsed on a construction site in Battersea and, only last month, a crane collapsed in Liverpool City
Centre; unfortunately, both these incidents resulted in fatalities. Needless to say, none of these crane-related
incidents have resulted in a flood of calls to our office. Moreover, in two years of running Crisis Management
exercises, no client has ever asked for a scenario such as this, involving short-term denial of access to their
premises without any physical damage to the building or contents or injuries to their staff.
The juxtaposition of these two events, the dramatic but highly unusual and the banal but all too frequent,
caused me to give some thought to the mental models that inform the way that we plan and train for business
disruptions. Many businesses seem to be focusing a disproportionate amount of their limited BC resources on
increasingly exotic and unlikely scenarios.
I should like to suggest 2 possible explanations: If only subconsciously, many businesses appear to be
inappropriately applying an analogy with insurance-buying in their Business Continuity planning. It is not
generally cost effective to purchase insurance for routine losses (so-called pound-swapping) so one
concentrates on insuring against less likely events which would, if they occurred, seriously damage or destroy
the business. The analogy, though, is flawed for 2 reasons:
- It can, in fact, be very cost-effective to mitigate routine everyday occurrences (such as short-term denial of
  access) through Business Continuity Management; and
- Our ability to effectively plan responses to massive disruptive events is, by definition, limited by our lack of
  understanding of these very rare occurrences.
Working in parallel with this Insurance-Analogy, and possibly more powerfully, it is well documented in the
psychological literature that we vastly overestimate the likelihood of being involved in some dramatic event
such as a plane crash compared to falling victim to less newsworthy events. This leads to a phenomenon called
the availability heuristic where, for example, people believe death from terrorism to be a greater risk than
death from all possible sources (including terrorism). Over the last year we have seen the availability heuristic
clearly demonstrated at a Corporate level with many organisations developing detailed Flu Pandemic plans
instead of generic Business Continuity plans which will provide resilience against a wide range of disruptions
including pandemics.
I am not suggesting for a moment that we pretend that 9/11 never happened or that we bury our
heads in the sand and refuse to consider the prospect of a Flu Pandemic. Rather, in addressing
risks, we advise clients to balance considerations of Impact and Likelihood (both highly subjective
measures) with considerations of Comprehension and Control. In this context:
- Comprehension refers to one's ability to accurately predict the likelihood of an event; and
- Control refers to one's ability to prevent the event taking place or mitigate the effects.
This generally has the effect of redirecting attention away from vague, but potentially catastrophic
risks, towards more mundane but treatable ones.
Furthermore, our experience of working with and studying numerous organisations in crisis leads
us to two important conclusions:
- High impact incidents are not necessarily more complex to manage and are, in many cases,
  simpler than less disruptive events; and
- There is much commonality in the actual issues that a Crisis Management Team has to deal with,
  regardless of the precise trigger or the scale of the incident.
I would therefore submit that planning to deal with less dramatic scenarios is not only a useful
activity in its own right but also lays a solid foundation for planning to deal with headline-grabbing
events.
In most cases Business Continuity Management is about doing the best job with limited resources:
getting the best Bang for your Buck. In this context, focusing plans and resources on mitigating
the impact of massively disruptive events may secure Senior Management attention and funding but
actually represents poor value for money. Concentrating instead on the mundane and everyday is
much more likely to demonstrate real benefits in the short term and forms a solid basis on which to
build over time.
Article contributed by Patrick Roberts, Senior Consultant, Needhams 1834 Ltd. Needhams 1834 Ltd will be
exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 28th - 29th March
2007, www.businesscontinuityexpo.co.uk
5/25/2010 9:56 AM
