Recognize the Sources of Risk

Risk, Threats and Crisis Scenario

Risk

The risk is the potential loss exposure due to a threat; which causes a disruption to business operations and preventing them from achieving the Minimum Business Continuity Objective (MBCO).

Threat

A Threat is an indication or warning of probable man-made or natural situation that can disrupt an organization’s operations or services.

Crisis Scenario

A Crisis Scenario describes a (crisis or disaster) situation that might disrupt the business.

In crisis management planning, crisis scenario is the equivalent of threats, identified as part of the Risk Analysis and Review phase.

Three Basic Elements of Crisis

The three basic elements of a business crisis are:

• Encountering an increased stress level;
• Having difficulty in finding a resolution; and
• Determining the timing of implementing the solution.

The scenario should include stress indicators or observations. Reference the number of hours worked, safety and quality issues, risks, and legal or regulatory concerns in the crisis scenario. A clear explanation of how the crisis is affected by increased stress on business operations can help reinforce the feeling of emergency.

Crisis Events

The events (or occurrences that happen over a period of time) leading up to the crisis can pertain to people or human resources. Example as shown in Appendix 2: Crisis Types.

Finalize Crisis Scenario

These include actions that already have been taken. Identify the people to contact for taking action, including anyone who may be able to assist in the crisis. You may also want to provide a tool set that may consist of software applications, communication channels, references or other measures that can help crisis responders.

Sources of Risk

The sources of risk (Australian Government, 2012a) may include:

• Biological hazards;
• Civil and political hazards including civil and political unrest, terrorism, sabotage and hostage;
• Management activities and controls including deficiencies in areas of non-compliance with internal management systems, legislation, and agreements/contracts;
• Natural hazards and/or disasters; and
• Technological hazards (failure of technology).

Elements at Risk

Elements at risk (Australian Government, 2012a) covers the:

• Assets;
• Commercial reputation and goodwill;
• Environment;
• People; and
• Quality of life.

Performance Criteria

In this chapter, the performance criteria describe the performance needed to demonstrate achievement of the “Element of Risk.” The performance criteria are to:

• Establish the organizational context for crisis management;
• Investigate the environment to identify sources of risk, elements at risk and vulnerability;
• Identify and consult crucial relevant personnel, appropriate specialist advisors, and emergency response agencies in determining the sources of risk; and
• Develop emergency sources of the risk register.

Identify Sources of Risk

In the crisis management planning process, the Risk Analysis and Review (RAR) phase focuses on the identification of adverse threats and crises affecting organizational assets and provide a risk treatment or crisis strategy for them. By addressing the major fields of threat exposure, this phase details the framework for risk assessment to provide a suitable response. It identifies the types of crises that could occur in an organization concerning its weaknesses and limitations.

Identify Crisis Types

Threats, either man-made or natural, are situations or conditions that can cause disruption or crisis to an organization’s operations or services. Threats are generic. They may or may not have an impact on a given organization. For example, an organization may be immune to a certain threat. Alternatively, a particular threat may not apply to an organization. Vulnerability refers to those threats that are pertinent to the organization concerned. Risk Analysis is the attempt to evaluate these threats objectively via quantitative or qualitative methods. These methods usually employ some element of likelihood or uncertainty in their evaluation.

For a start, a scan of the horizon is carried out to categorize potential threats and its types and causes.

Categorize Crisis Types

From the sources of risk, these are some of the basic types of crises:

• Natural
• Technological
• Confrontation
• Malevolence
• Organizational Misdeeds
  • Skewed Management Values
  • Deception
  • Management Misconduct
• Workplace Violence
• Rumours
• Lack of Funds
• Natural Factors

Examples of Crisis

As an example of what each business should be prepared to deal with:

• Natural
  • For example, tornadoes, earthquakes, hurricanes, landslides, tsunamis, and floods.
• Technological
  • For example, the breakdown of critical equipment during a crucial business period, corrupted software and events that give rise to technological crises.

• Confrontation
  • For example, boycotts, strikes for indefinite periods, Internal disputes, Ineffective communication and lack of coordination that gives rise to confrontational crises, employees disobey their superiors by giving them ultimatums and forcing them to accept their demands.

• Malevolence
  • For example, kidnapping company’s officials and false rumours.

• Organizational Misdeeds
  • Superiors ignore the after-effects of strategies for quick results.
  • Skewed Management Values
  • Deception
  • Management Misconduct

• Due to Workplace Violence
  • For example, beating employees, superiors on office premises.

• Due to Rumours
  • For example, employees spreading factually inaccurate information that tarnishes the image of the organization.

• Lack of Funds
  • For examples, lack of funds leading bankruptcy and liquidity crisis

Goh, M. H. (2016). A Manager’s Guide to Implement Your Crisis Management Plan . Business Continuity Management Specialist Series (1st ed., p. 192). Singapore: GMH Pte Ltd.

Extracted from Recognize the Sources of Risk

Find out more about Blended Learning CM-300 [BL-CM-3] & CM-5000 [BL-CM-5]