Mitigation Strategies

Presentation transcript:

Mitigation Strategies
This is the last module.
Steve Elliot, President & CEO, Elliot Consulting, LLC

Warren Buffett
Things can change due to factors outside direct control. This applies to a company’s suppliers and vendors.

Threats & Hazards
- Threat: A man-made or natural situation or condition that can cause disruption to an organization’s operations or services.
- Hazard: A dangerous phenomenon, substance, human activity or condition that may cause loss of life, injury or other health impacts, property damage, loss of livelihoods and services.
Notes:
- Threats can result in hazards.
- Hazards are caused by humans.

Vulnerabilities & Risk
- Vulnerability: Degree to which an organization is exposed to the actions or effects of a risk, event or other occurrence.
- Risk: A possible event that could cause harm or loss, or affect the ability to achieve objectives. Risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred.
- Risk score = Probability (Likelihood) x Impact
Notes:
- Vulnerability: The degree of damage or potential damage.
- Risk: The measurable probability of an event.
- A Risk Score can be developed to help quantify the potential impact.

Hazards & Vulnerabilities - Causes
- Natural: Earthquakes, Tornado/Wind, Hurricanes, Floods, Volcanoes, Rain/Snow/Ice Storms, Wildfires
- Political: Strikes, Riots, Civil Disorder, Bomb Threat, Biological Threat, Nuclear Threat, Acts of War
- Human: Workplace Violence, Sexual Harassment, Fraud/Embezzlement, Terrorism, Sabotage
- Technological: Software Outage, Data Loss/Corrupt, Hardware Outage, HVAC, Network Outage, Machinery Failure, Power Outage
- Security: Privacy, Viruses/Ransomware, Data Theft, Denial of Service Attacks, Counterfeiters
- Accidents: Human Error, Fire/Explosion, Water Damage, Building Collapse, Environmental
- Loss Of: Executives, Key Staff, Subject Matter Expert
- Emerging Threats: Pandemics, Drought, PR Incidents, Product Liability, Cloud Computing, Cyber Security
This matrix outlines things or events that can potentially damage a business. Some can be more impactful than others. Some are man-made and others are natural occurrences.

Potential Effects
- Loss of the Physical Facilities
- Loss of the Information and Systems
- Loss of the Critical Business Operations
- Loss of the People
Challenge and Confirm your Assumptions
Contingency Plan should be built around these Potential Effects. Plans are built on assumptions. Contingency Plans cannot be built for all hazards and vulnerabilities. Plans can be tweaked based on experiences.

What Should We Do?
- Many companies don’t have a plan.

2 Approaches to Address Risks
- Continuity Planning: Proactive Process; Enterprise-wide; Strategic Plan; Business and People
- Disaster Recovery: Reactive Process; IT / Facilities-Focus; Break-Fix Plan; Things and Recovery Time
There are two approaches to addressing risk:
- Continuity Planning: Strategic and proactive
- Disaster Recovery: Reactive
Both are needed and should come together in the overall plan.

Risk Assessment
This table was developed by Elliot Consulting based on experience and data from other similar tables. The probabilities come from history. These are the things that could go wrong. They represent single points of failure. Others can be added based on individual company geography and business. The Business Impact Analysis (BIA) is the key element. Ed Maurer from Suncoast Safety Council recommends regular review, not just annually.

Mitigate Risks
Four main ways that you can mitigate risks:
- Avoidance
- Transfer
- Acceptance
- Reduction
Avoidance can include an alternate location. The business operation can be diversified. Outsourcing allows for transference of some of the business operation to 3rd parties.

Risk Avoidance
- Relocate your facility
- Divide operations between multiple sites
- Eliminate a risk process
- Stop working with hazardous materials
Geographic diversity of business operation and personnel accommodates risk avoidance. Off-site data centers and cloud services can help mitigate risk. Examine all business operations to identify potential risks.

Transfer Risks
- Buy insurance / review coverages
- Outsource the risk to 3rd party suppliers
- Sell off a division or product
Business interruption insurance is available to help cover losses. Moving risky elements of the business out of the operation should be examined. Identify potential outsourcing partners.

Acceptance of Risks
- Decision to do nothing about a potential risk
- Accept the risk probabilities and impact
- Management is willing to roll the dice
- Cost/Benefit Analysis shows the impact cost is less than the mitigation cost
- Probability is so low that investing in a long-term mitigation strategy isn’t necessary
By deciding NOT to put mitigation strategies into place (i.e., do nothing), the company accepts the consequences associated with this decision. The company should weigh the cost of the mitigation strategy against the potential benefit it would receive. Can the company withstand/survive the event?

Reduction of Risks
- Split production between multiple sites
- Supplier Diversity (Workload / geography)
- Physical Mitigation (Hardening Facility)
- Alternative Access (Work Remotely)
Supplier and operational diversity may also include a hot site. An alternate way of performing the work should be developed. Ongoing testing of the alternatives should be a requirement. The alternative doesn’t always have to perform as well as the primary. Sometimes an alternative worksite does not provide the best solution. Work from home may not be feasible if the power is lost or the home is damaged. Options such as hotels (Marriott) are available as alternative worksites.

Local Hazard Mitigation Planning
Gail Moraton suggested that both Hillsborough County and City of Tampa have good plans available for review. The Local Hazard Mitigation Planning Fact Sheet will be posted on the chapter website.

Document Your Decisions
Table columns: Hazards & Vulnerabilities; Probability; Impact; Score; Level of Risk; Revenue; Risk Strategy; Options?
Table rows (values as they survive in the transcript):
- Winter Storms / Snow / Ice 4 3.7 14.7 Very High A, R
- Tropical Storm / Hurricane 3 4.7 14.0
- IT - Hardware Outage (Servers, Printers, etc.) 4.3 13.0 High T
- Loss of Key Staff 11.0 Ac
- IT - Critical Application(s) Outage 3.3 10.0 Medium
- IT - Network Outage (Data)
- Economic Recession
- Tornado 2 9.3 T, R
- Building Fire / Explosion / Bomb Threat
- Power / Utility Failure & Resulting Damage 2.5 8.3 R
The figures listed in the table are subjective. The Hazards and Vulnerabilities can be grouped together, based on the geography and business. Example: River next to the building is a hazard; Flooding of the river is a threat. The Probability, Impact and Score can vary by department or group. Risk Strategy: A = Accept; R = Reduce; T = Transfer. Options: Things the company has chosen to do. Discussions with senior management are paramount. Documenting these discussions and the resulting decisions is even more important. It outlines what was agreed to by all parties. Never stop discussing and planning.

Steve Elliot, President & CEO, Elliot Consulting, LLC
813-792-8833
selliot@elliot-consulting.com
www.elliot-consulting.com
Most software packages don’t provide a way to develop mitigation strategies. Mitigation strategies should be developed for each company site. This also applies to your critical vendors. The World Economic Forum publishes an Annual Global Risk Report.