Recently I have been focusing more on the discipline of risk management. There has been an ongoing debate for many years as to whether BCM is a subset of RM, or vice versa. The current discussions around convergence will probably bring this issue forward yet again.
This post will be the first in a series exploring the links and relationships between Risk and BC Management – in the context of the concept of resilience. The starting point is exploring the idea that resilience (and BCM) is about dealing with a discrete class of risk – what some label as “non-routine” risk.
My previous post on the work of John Adams mentioned his concept that some areas of risk are illuminated by the light of science – but that the bulk of our risks are managed without the aid of science. Adams talks about how there is a whole range of risks that we deal with as part of our daily routine – and we often tend to do this at a level of ‘unconscious competence’.
This idea that there are things we do frequently, the things that are routine, is a key concept to people and organisations becoming resilient. We cannot hope to be proficient at skills and techniques that we are hardly ever called upon to use – this is the reason that we have Business Continuity/Crisis Management rehearsals and exercises.
However you look at it, risk management is a way to try and deal with uncertainty. It is not possible to eliminate uncertainty – if it was we would all win lotto every week! The degree and nature of the uncertainty will vary with different types of threats/risks, and therefore the way we need to treat threats, and how we react when the risk is realised must also be variable. The traditional institutional Risk Management approach tends to be focused on the routine risks (those that are better understood) – and the application of ‘normal science’ to achieve mitigation of these risks.
Handmer and Dovers (p93) describe a typology for disruptions (emergencies and disasters) that includes these science and routine concepts. Their model defines three categories, based on attributes such as Scale, Visibility, Uncertainty and Complexity:
- Routine
  - handled by applied or normal science
  - scientific responses imply that we can plan and repeat the response to these disruptions
- Non-Routine
  - dealing with these disruptions requires what they describe as a ‘professional consulting’ approach, not a packaged, pre-defined response
  - that is, you are unlikely to just be able to pull a plan off the shelf and follow along
- Complex
  - introduces the concept of Post Normal Science (PNS) as a way to address this category
  - for background on this PNS concept see Funtowicz and Ravetz
  - perhaps this is also the same category as Perrow’s “Normal Accidents”
  - I will explore this idea of complex and/or ‘wicked’ problems in another post
My primary interest in this post is the concept of non-routine risks and disruptions. There are a number of attributes of a disruption that can push us out of routine responses; perhaps the most common are likely to be the scale and frequency of the disruption.
Frequency has certainly been a key concept that recurs in the debate around resilience. In this context the frequency with which we respond is related to the likelihood of the risk being realised. Routine risks/responses are applicable to more likely incidents (the High Probability/Low Impact end of the spectrum). The Non-Routine Risks then are those at the High Impact/Low Probability end of the spectrum.
These Non-Routine Risks are also likely to be characterised by the high cost of prevention – and a long lead time from the decision to invest to deriving the benefit. The Non-Routine Risks could perhaps also be viewed as “Black Swan” events – more likely to have a higher degree of uncertainty, complexity and ambiguity.
These types of risks are not well suited to the identify/assess/treat models of Risk Management. As an alternative, Wildavsky offers a variable approach to managing risks that recognises these different attributes of the risk. His model proposes an appropriate response from a spectrum that ranges from ‘Anticipation’ through ‘Resilience’.
- Anticipation
  - essentially what we would call the traditional Risk Management approach
  - study/assess the vulnerabilities, so we can anticipate the threats
  - take ‘prudent action’ to mitigate/limit the obvious threats
- Resilience
  - this is described as a more flexible response, and in response to actual (rather than anticipated) danger
  - uses the common idea of bouncing back after a disruption
  - Worth noting his book “Searching for Safety” was published in 1988 – perhaps one of the earlier proponents of an adaptive approach to BCM!
It is perhaps this idea of resilience as a choice of mitigation for these non-routine risks that is promoted in the High Reliability school (see post re work of Weick & Sutcliffe) that includes a “Commitment to Resilience” as a key attribute of an HRO. The commitment here is a commitment to developing this approach to managing continuity and recovery after a disruption.
We need to adopt an approach that promotes the most appropriate way to assess and treat these different risks: a framework that recognizes that some risks/impacts can be readily anticipated and others cannot. Managing the total array of risks to the enterprise needs a portfolio of responses. Risk Management (ISO31000) provides framework and governance processes to address part of the problem – the various BCM Standards (especially the more recent ‘management systems’ standards such as the proposed ISO22301) provide the framework/governance for another part of the problem.
Instead of the debate being about which discipline is the superset and which is the subset, it would be more helpful to view them as complementary (and equal) parts to the holistic approach to managing the impact of uncertainty on the objectives/goals of the enterprise.
Is Resilience a good label for an umbrella approach that links the management of risk (routine) and the management of recovery/continuity (routine) with an Adaptive BC/CM mode to deal with the non-routine extreme threats?
Your views?
Jan Husdal says
To me resilience is the ability to bounce back after a sustained impact. The only events that can cause sustained impact are, in my opinion, non-routine risks (or badly handled routine risks). I think resilience should be reserved for non-routine events. While there ought to be a linkage between RM and BCM, I'm not sure resilience is the best umbrella.
I hadn't heard about the complex “post normal science” risks before…fascinating indeed. Now you've given me a lot to read and ponder. Thanks, Ken.
Ken Simpson says
It is my pleasure to create work for others Jan!
This talk of convergence of risk, BC, security, Emergency Mngt – will ultimately need a name, certainly some are calling it resilience – I suspect I am still tending to your point Jan, perhaps it is not the best label.
Certainly the concept of resilience and the non-routine risk fits very well. RM is clearly the domain of the routine, perhaps it is BCM that will become harder to place.
B4Crisis says
Gidday Ken
Thanks for your continuing contributions to the great resilience debate and how to put it into practice or enhance our organisation's resilience through better BCM and risk management.
I was particularly taken by the notion of “unconscious competence”. I've seen much evidence of it working in the health care sector on BCM over the past year.
With thanks and regards, Chris
Consultant, BCM
Ken Simpson says
Thanks for the feedback Chris, as a consumer of ACT Health's services I am glad to hear that they are prepared.
You have also given me the idea for a new post, that is always appreciated.