Business Continuity Risks: interruptions, Triggers, Signals and Cascading Threats

Caution should remain a constant state within business continuity, disruption and interruption plans.

In particular, where risk, security or resilience are either informing factors or dependencies for continuity of service.

The reason for this caution is that risk, security and resilience are neither independent variables nor are they static/fixed.

This means that elements of security, risk or resilience could be in varying states of change, decay or subject to information asymmetry, presenting a fleeting, false and potentially fatal assumption of business continuity resilience.

In other words, current confidence and capacity of business continuity planning is constantly undermined and vulnerable to ever changing security, risk and resilience factors at varying scales and time.

Put simply, if your measurement of risk, security or resilience occurred yesterday, never assume nor make grand plans on these measurements today as they have likely changed in subtle or significant ways that is yet unknown or declared to you and your plan.

Potential business or service distractions are spawned in various disciplines, geographies, industries and time.

Flawed resilience plans and narratives are predicated on 'bounce back' philosophies, routinely ignorant of what has changed since the disruption, delay or reason for interruption.

That is, the organisation picks up and tries to run before it fully understands not only the threat, risk or underlying disruption but also inadequate or incomplete adjustment, change or improvement of the prevailing business continuity/resilience plan before running off with business, operations, services, etc.

All too often the same excuse is used for this failure, as opposed to human, cultural and planning errors.

The excuses sound similar to "once in 100 years", "unprecedented", "because of....", anything but the real reason which invariably was a failure of understanding, process, analysis and corrective action.

Moreover, dominant, painful, visible and obvious strategic/commercial risks move at differing rates and scale to that of operational risks.

That is, while your attention is focused on one, the other may be plotting, scheming and decaying without your knowledge.

Therefore, you have to maintain surveillance and horizon scanning on both at all times.

This is where conventional business continuity is most vulnerable as practitioners neither have specific, technical expertise in this area or are dependent upon many other parts of the organisation and business to 'feed' them their views and signals, as opposed to actual threats, harms, change and variance.

Undermining even the most complex and seemingly complete business continuity strategy and system.

In sum, the practice of business and service continuity has continuously evolved over the years but the presence and variability of key factors or concerns such as risk, security and resilience routinely confound even the most detailed and comprehensive of plans.

That is, security, risk and resilience are dependent and connected variables routinely changing in both tangible and intangible ways, concealed to most practitioners, organisations and systems.

As a result, assurance and confidence of plans should not be done on recent or completed revisions but means in which triggers, signals and cascading threats are identified, quantified and rated.

This remains the contemporary challenge in volatile, uncertain and ambiguous environments and contexts.

In short, risk, security and resilience within any system, including business continuity requires constant surveillance and scans of the horizon, long before high-level or blanket statements can be substantiated of safe, secure, resilient or 'bounce back'.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk, Resilience, Safety & Management Sciences