Crisis Management Blog

The Technical Challenges of Risk Mitigation

darryl.jones@rlsligh.com (Darryl Jones) — Fri, 30 Dec 2022 14:44:15 GMT

Risk Mitigation As a Technological Challenge

In previous posts we looked at Risk Avoidance, Risk Transfer, and Risk Acceptance. Unfortunately, despite our best efforts, we cannot eliminate all risks. For those risks that cannot be avoided, transferred, or accepted, our only option is to brace for it and mitigate or limit the impact. Risk mitigation is the process of introducing measures which reduce the impact of a risk occurrence. As with any risk management strategy, one must start with a valid risk/hazard analysis. The identified risks which are not avoided, transferred, or accepted are the ones which should be mitigated.

Any risks, not addressed by one of the aforementioned strategies has the potential to develop into a disaster for the organization. What is a disaster? The answer to this question is in the eye of the beholder. However, for our purposes, let’s define a disaster as any incident, event, or occurrence which inhibits an organization’s capability to generate income. This definition is intentionally broad, and encompasses more than physical damage to facilities and injuries to employees. For example, a new company enters into the market of your organization. However, the new company has better technology and/or processes which permit them to provide better quality products and services compared to your organization. The existence of this new player in the game can inhibit your organization’s ability to produce income. We have seen this scenario previously. Allow me to enter MySpace as Exhibit #1.

The challenges of risk mitigation can be placed into two categories. Risk mitigation is either a technical challenge, or it is a cultural challenge. A technical challenge is easy to fix. With a technical challenge, you purchase a gadget or gizmo, then there is an “App for that” mentality that will suffice. If your organization is faced with technical challenges, you can address the challenge with technology or money. A cultural challenge is much more complex. With a cultural challenge, you must change the hearts and minds of people, you must change the culture of the organization.

Let us first look at a scenario where mitigation was a technical challenge that was not addressed. I responded to an incident where a business sat at the end of a very busy bridge. Motorists would cross the bridge and come to a traffic light where the street teed. The motorists were required to turn left or right. To continue straight would cause their vehicles to jump the curb, cross the parking lot of the business and crash into the building. I cannot say if the organization did not recognize the risk, or ignored the risk, maybe they accepted the risk anticipating or hoping it would not eventuate (Hope is not a strategy). Unfortunately, a car traveled across the bridge at a very high rate of speed. It is believed the driver had a medical emergency while operating the vehicle. The vehicle proceeded through the traffic light, jumped the curb, crossed the parking lot, and crashed into the building. Several people were killed including the driver, employees and customers of the business. Others were injured. Compounding matters, the crash resulted in a multi-alarm fire. Further, the product of this business was required to remain refrigerated, and the fire caused the electrical service to fail.

An accurate risk assessment would have identified the risks. A robust strategy of risk mitigation would have identified the technical solutions to the proposed problem. The first would be to place bollards along the edge of the parking lot to prevent runaway vehicles from entering into the parking lot and crashing into the building. Realizing there are a multitude of reasons for a power failure, and realizing how valuable the product was to the income generating capabilities of the organization, an emergency generator with sufficient power to maintain the environment (heat, air conditioning, refrigeration, etc.) would be a prudent investment.

This scenario identifies several characteristics of disasters:

There is seldom a single cause for an incident. Usually there are several components that must be in alignment for an incident to occur. This is demonstrated in the Swiss Cheese model below. Assume the slices of cheese represent organizational policies, physical failures, unsafe actions, and the environment. For this incident to occur the holes in each slice of swiss cheese must align. This is a rare occurrence.

There are cascading events that add up to a disaster. In our scenario, the cascading events include a loss of employee and customer lives, trauma to the surviving employees. A loss of product, a loss of revenue while the organization was out of service, a corresponding loss of market share. The list goes on.
Because mitigation actions were not taken, the recovery process is extensive, requiring an increase in the expenditure of time and resources. Unfortunately, the organization was not resistant to this event and proved to be less than resilient. The organization was toast.

Because of the failure to implore strategies and tactics to mitigate the risks, this organization was not very resilient. Do not let this happen to your organization. We at R. L. Sligh Limited are available and capable of helping organizations like yours.

Risk Acceptance

Mon, 05 Dec 2022 02:39:09 GMT

Risk Acceptance As a Strategy To Manage Risks

In addition to risk avoidance and risk transfer, the organization may decide to accept the risk. Accepting risks is not necessarily a risk reduction strategy however, it is a valid option when considering risk management. In accepting the risk, the organization is rolling the dice, gambling that an event or incident will not occur, and therefore the organization will not suffer a disruption in operations. The decision on which risks are acceptable will depend upon a thorough risk analysis to examine the probabilities of a specific incident occurring.

There are multiple reasons why an organization will choose the risk acceptance option. These include:

The risk acceptance option has little to no costs (at least on the front end)
The costs associated with the occurrence of an incident is less than the costs associated with other risk management strategies
The organization wants to save money up front with the understanding that it may incur significant costs in the future

Many organizations do not consider business continuity or disaster recovery in their strategic planning. By default, these organizations have selected risk acceptance as their risk management strategy. These organizations are “All-In” gambling that nothing will happen to cause a disruption in their operations and incurring the huge costs associated with this disruption. Every day of operation is a roll of the dice. They are trusting the dice to show snake eyes every time. Be careful, sooner or later the odds will go against you.

If I were to come to you on September 10, 2001 and ask, “what would we do if hijackers took over commercial airliners and used them as missiles to destroy our economic infrastructure?” you probably would have suggested I undergo mental counseling or at the very least a drug screen. If there is one thing 9/11 should have taught us, it is the phrase “that will never happen” is invalid. If risk acceptance is the chosen strategy, it should not be by default. It should be a well thought out decision following careful and detailed analysis of risks faced by the organization.

An organization also has the option to hedge its bets, to not gamble everything on each roll of the dice. An organization has the option to invest in as much risk reduction that it can afford. For example, let us consider a family owned and operated business. The business has existed for years and was passed down through multiple generations of the family. The building is old and may be in a flood prone area. The costs to transfer the risks of fire and/or flooding is excessive and beyond the budget of the organization. In this scenario, the business may not be able to purchase an insurance policy valued at the replacement costs of the business. Therefore, the organization purchases a policy valued less than the replacement costs. This strategy is also a gamble. However, the organization is betting that if there is an incident, it will not be catastrophic, and the damage will be covered by the insurance policy.

Although risk acceptance has little cost to initiate, it can be very expensive in the event an incident occurs. Costs associated with risk acceptance if an incident occurs include:

Loss of production, if the organization is unable to produce products and services, it will be unable to generate revenue
Loss of skilled employees, few things can bring the hopes, dreams, and plans of a person to a screeching halt like sudden and unexpected unemployment. The organization’s most valued resource will seek employment with its competition
Loss of market share, while the organization is out of operation, its customers will seek products and services from its competitors. Some, if not all may not return

Not properly planning for business continuity and disaster recovery exposes the organization. Failure to make to invest the time and effort into planning is inexcusable. Fortunately, R. L. Sligh Limited is here to assist. Contact us, let us guide you through the business continuity and disaster recovery process.

Risk Transfer

darryl.jones@rlsligh.com (Darryl Jones) — Mon, 21 Nov 2022 15:55:28 GMT

Risk Management Strategy: Transfer of Risks

In addition to avoiding risks, an organization may manage associated risks by transferring the risks. Risk transfer is a risk management strategy that transfers the risks associated with a particular process or activity from one party to another. For example, those of us who own a car realize we are at risk for having the car damaged by an accident, or we may cause damage to another person or property if we are deemed to be at fault for the accident. In the event you are in an accident, the consequences could be severe, requiring you to incur huge financial loss.

Most states recognize the potential costs associated with motor vehicle accidents can be catastrophic to both the initiator of the accident and the victim. Therefore, state laws as well as financial institutions require owners/operators of motor vehicles to transfer these risks. Insurance companies are more than willing to accept the risks associated with you owning and operating a motor vehicle for fair compensation. Through a formal agreement, aka a policy, the insurance company agrees to assume the liability, or risks for your action of owning/operating a motor vehicle.

A second method of risk transfer is through indemnity. Indemnity is defined as security against or exemption from liability. An indemnity clause is a contractual provision in which one party agrees to assume liability that the other party may incur. If you enter into a contract with an outside organization. There may be a clause in the contract which states the contractor will indemnify your organization against a specified risk. For example, your organization enters into a contract with a construction company for a new sidewalk on your property. For some reason the sidewalk is uneven and a patron trips and falls suffering an injury. It may be wise to have an indemnity clause in the contract stating the contractor will assume all liability resulting from the construction of the new sidewalk.

An indemnification clause is one contractual method of risk transfer. Another method is a performance clause or bond. Assume you are making a major capital purchase. Your organization is purchasing a new machine needed to improve production of your organization. To receive the best price you issue a request for proposal from the manufacturers. A stipulation included in the proposal is a performance bond. An insurance company, or other financial institution issues a performance bond to the contractor whom you are purchasing the equipment. The performance bond is invoked if the equipment does not meet specifications or fails to perform as specified. The bond company is assuming the risks and liabilities associated with the equipment’s failure to perform.

Why transfer risks? Transferring risks takes the potential liability of an incident or event from your organization and drops it in someone else’s hands. Thereby protecting your organization from exposure to litigation and financial losses. The elements of an effective risk transfer policy include:

Require certificates of insurance from subcontractors, tenants, service providers and other parties.
Determine appropriate insurance coverage and limits.
Develop a system that enables an annual review of certificates of insurance for multi-year relationships prior to the work starting.
Enforce certificates of insurance requirements.
Create a certificate of insurance filing system for annual review.

"Best Defense is No Be There" _ Mr. Miyagi

darryl.jones@rlsligh.com (Darryl Jones) — Mon, 14 Nov 2022 14:48:04 GMT

Business Continuity: Risk Avoidance

Risk Avoidance

In a previous post, I used a boxing analogy to help describe the difference between being resistant and being resilient. I expounded on the risk posed by me entering into the ring with Mike Tyson. Since I am adverse to suffering serious neurological damage, I will avoid the risk of physical conflict with Mike Tyson at all costs. How do I accomplish this? Simple, I don’t enter into the ring. The best way to not suffer the consequences of a risk eventuating is to not take the risks, thus the quote from Mr. Miyagi above.

There are personal and organizational risks we should avoid. For example, we should avoid the risk of setting our home on fire by leaving a pot on the stove unattended, and we should avoid the risk of drowning by not driving through standing water on roadways. Additionally, we should avoid injury and/or death to our employees by incorporating safety devices such as handrails on stairs, and clearly marked emergency exits in our facilities.

Your organization is exposed to risks at the macro level or from the external environment and from the micro level or internal environment. The ability and practicality of avoiding these risks is limited. Let us consider the external environment. Imagine your organization is located in close proximity to high-volume railroad tracks in an urban area. Since rail lines serving urban areas are usually transporting passengers, the railroad companies and the federal government place a high priority on track maintenance. The Catch-22 of this is since the rail is well maintained, hazardous materials are transported on the same rail to reduce the risks of a derailment and the consequences associated with it (yes, instead of routing the hazardous materials in a different direction, hazardous materials are transported through densely populated urban centers). It is beyond your control to determine what hazardous materials are transported on the track. Therefore, you cannot avoid the risks associated with hazardous materials being transported by rail in close proximity to your facility. Other risks from the external environment which are unlikely to be avoided include severe weather, civil unrest, pandemics, and fluctuations in the economy.

Risks posed by the internal environment could include the processes used in production. If, for example, your company is in the plastics industry, the process to create your product may require the use of flammable or other hazardous materials. There may be furnaces in use, or controlled chemical reactions which produce excessive amounts of heat. This means your organization is at an increased risk of fires, hazardous materials spill, and associated production risks to employees. These risks are the costs of doing business. Some may refer to such risks as being the nature of the beast. In this situation, risk avoidance is not an option. The organization must find alternative strategies of managing the risks. Other examples of internal risks include labor disputes, toxic leadership, and failure to adapt to changes in the external environment.

Conclusion

The upside of risk avoidance is you need not fear the consequences of being exposed to the risks. The downside is nothing ventured, nothing gained. The question then becomes is risk avoidance a realistic strategy for your organization? At R. L. Sligh Limited, we recognize that risk management strategies are not mutually exclusive. Through care analysis and assessment, we can help you select the best option for reducing risks to your organization.

Business Continuity Planning: Identifying Risks

darryl.jones@rlsligh.com (Darryl Jones) — Sun, 06 Nov 2022 13:38:29 GMT

A business continuity plan is a playbook for continued operations in the event a risk materializes into an incident. Every organization, no matter the domain or environment in which it operates is exposed to risks. Risk identification and management is a critical component of any business continuity plan. For a business continuity plan to be valid, it must address all relevant risks faced by the organization. What is a risk? What is the difference between a risk and a threat? How do you determine the risks for which your organization should prepare?

Risk

A risk can be defined as the product of multiple factors. These factors are:

Threat
Probability
Vulnerability
Consequence

Threat

The United States Department of Homeland Security (USDHS) defines a threat as “...a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property” (p. 14, 2011). A threat is anything that can potentially cause harm, or injury. The operative word here is potential. Therefore, when you think about it, a threat is anything that can possibly have a negative impact on your organization. In other words, anything is possible.

Probability

Probability is the likelihood that a threat will occur. If my favorite team is playing football this weekend, I do not know for certain the outcome. However, based on the analysis of information such as past performance, injuries, location of the game, etc., I can determine the probability of a victory or loss. Based upon the analysis of specific information, an organization can determine the probability of a threat occurring.

Vulnerability

Vulnerability is the level of exposure or susceptibility your organization is to a threat. In hockey, if the score is close and time is running out, the losing team may remove the goalie in an effort to have more offensive players on the ice to increase the chances of scoring. This strategy leaves the losing team’s goal vulnerable. They are susceptible to being scored upon.

Consequence

The consequences come after or as a result of some action. Consequences have a negative connotation. For example, the process used by your organization to produce a product requires the use of hazardous chemicals. By definition, the hazardous chemicals alone pose a threat. Failure to properly use the chemicals may result in a spill. The consequences of the spill may be injury or death to your employees, loss production time, and loss of revenue.

CONCLUSION

The degree to which these factors overlap is a measure of the level of risks faced by your organization. The rules of math apply in the previously shown formula. If the value of one of the factors is zero, then the product is zero, which means there are no risks.

It requires all of the factors to create a risk. For example, we stated a threat is the possibility of an event occurring. It is possible for a meteor to strike your facility. However, the probability is so small that there is no need to view a meteor strike as a risk.

An organization or community is highly unlikely to eliminate all risks. The best you can hope for is to reduce your risks to an acceptable level. The Nuclear industry uses the acronym ALARA, which stands for As Low As Reasonably Achievable. Reducing the weight of one of the four factors or risks, reduces the chances of a risk occurring or the impact of the risk on your organization if it does occur. Allow R.L. Sligh Limited to assist your organization with managing risks. We can assist your organization and your community with risk identification, risk management, and risk reduction. We are experienced, skilled and capable of helping you protect your organization and community.

Resistent, Resilient, or Toast

darryl.jones@rlsligh.com (Darryl Jones) — Wed, 02 Nov 2022 19:15:29 GMT

Disaster planning is about ensuring the organization is resilient. To provide the organization the best possible chance of surviving a catastrophic incident. I use the three words in the title to describe the level of capability an organization has to manage a catastrophic incident. Using a boxing analogy, allow me to explain.

Resistant

Assume I was in the boxing ring opposing Mike Tyson. It is my hope that I will be resistant. This means Mike punches me in the face and I smile and keep going. I am not phased. I continue with my routine with little to no effect. I am resistant to his punches. We are resistant to various incidents each day. We find them mildly annoying but they otherwise have no effect on us. Examples may include heavier than normal rush-hour traffic, routine scheduled maintenance on production equipment, or a meeting that goes longer than expected cutting into your lunch hour.

Resilient

If I am not resistant, I want to be resilient. I am in the ring with Mike Tyson, he punches me in the face and I go down. However, I quickly recover and proceed to the new normal. Why a new normal? Because things have changed and the old normal is gone forever. I cannot change the fact I sustained a hit, I cannot change the fact I was knocked down, I cannot change the fact I was hurt. The best I could hope for is a fast recovery and proceed with my mission. If I can recover from the hit, I will demonstrate resilience. In fact, the faster the recovery, the more resilient I am. What makes me resilient? Planning, being in good physical condition, preparing for the contest. Additionally, it requires an analysis of the risks I face when entering the ring with Mike Tyson.

Toast

The reality is if I were to enter into the ring with Mike Tyson and he hit me I would be lucky to wake up. It will be a victory for me to be able to feed and clothe myself. If you took the time to watch the proceeding video, you witnessed two professional fighters in the ring. There were no surprises. It’s not like one was ambushed by the other. Both had some level of expectation when they entered the ring. Yet, one landed a devastating punch on the other, from which she was unable to recover. The boxer was on the mat unaware of her surroundings and not in control of her faculties. Recovery would take an extended amount of time at best. She was toast!

Conclusion

I can avoid the risks of being knocked unconscious by Mike Tyson. Risk avoidance is a strategy we will discuss in a later post. Boxing is not an element of the environment in which I live and work, therefore avoidance is easy. Each of our organizations operate within an environment wrought with risks. Some of these risks we cannot avoid. We must use a strategy other than avoidance to manage these risks.

What level of capability does your organization have to manage a catastrophic incident? Have you correctly identified the risks to your organization? What are your strategies for managing these risks?

I have heard owners/operators say “I have a plan”. A plan is a good starting point, however it is only a starting point. “Everyone has a plan until they get punched in the mouth”, ironically this is a Mike Tyson quote.

We can assist you with preparations for a devastating incident. We can increase your resilience. Do you have a continuity of operations plan (COOP) in place? If not, why not? If you do have a plan, when was it last revised? What has changed since the plan was developed? When was the last time you placed that plan to the test?

Please feel free to contact us if you have any questions, comments, or concerns

Can Your Organization Survive Today's Threat Environment?

Mon, 24 Oct 2022 07:19:32 GMT

As a business executive, I am sure you have a multitude of concerns. These concerns include production performance, quality of the product, market share, supply chain, your greatest resource, which is your people and of course the bottom line. Believe me, these are more than enough concerns. I don’t mean to pile on, however you should add disasters to your list.

What Is Your Nightmare Scenario?

What is it about your specific business environment that keeps you up at night? What if you were victimized by a cyber-attack? Are you prepared for a natural or man-made disaster? Have you identified the cascading effects of a long-term interruption of your operations?

Cascading Effects

What are the cascading effects of an interruption of your business operations? There are many, however we will discuss a few here:

• Loss In Market Share: All disasters begin and end at the local level, for a business, they can be viewed as a personal problem. If your operations cease, for whatever reason, your customers will seek your products and services elsewhere. Once they leave it will be hard to get them back.

• A Loss of Human Resources: Skilled personnel are hard to find. Just because your business took a hit does not mean your employees can or will put their lives on hold. They still have bills to pay and dreams to achieve. They will take their skills elsewhere, which will prolong your organization’s recovery.

• A Loss to the Community: This ties in with the previous point. Is your business a major employer in the community? What happens to the community when its major employer is no longer in operation? The National Response Framework identifies seven community lifelines are the most fundamental services in the community that, when stabilized, enable all other aspects of society to function. A strong economic system is part of these lifelines.

• The Bottom Line: The definition of bottom line is dependent upon your business. For our purposes we will define the bottom line as the availability of your product and services. Products and services for those of you in the medical profession or non-profit organizations are more valuable than money.

Conclusion

Today’s threat environment has increased the need for comprehensive continuity plans that enable organizations to continue essential functions and provide critical services across a broad spectrum of emergencies when normal operations are disrupted. An organization with a robust and proven plan will be a resilient organization. Are you confident your organization will better manage a disaster than your competition? If not, how much business are you likely to lose?