1. Which scenarios to start with?
I strongly believe that scenario planning – and operational risk management generally – should focus on the consequences of an event, rather than the event itself. It simply is not possible to predict every incident or failure event – black swan events such as natural disasters and terrorist events demonstrate that quite clearly. Nor is it productive.
However, different events may have the same consequences. Take for example the foiled airline bomb plot in 2006 and the Icelandic volcanic eruption in 2010 – both very different events, but both resulting in widespread cancellation of flights. A major challenge if worker mobility is key to your business.
2. What is critical?
Before you start, be clear about where your critical dependencies lie and the degree of control you have over them. Those outside the enterprise may result in a reduced level of control.
3. What would happen if you lost any, some or all of them?
This step involves identifying the potential impact of losing any one of your critical dependencies. It is rarely only one failure or incident that causes a problem, but if one item fails there will almost certainly be multiple or cascade failures as a result. It is essential that you consider the impact and likelihood of multiple/cascade failures and have plans in place for recovery. Look at whole systems not just individual items.
Be very careful if you consider the likelihood of failure to be low on a risk matrix. In my opinion it is not really about how low the or high the risk is, but about the impact on the business when it occurs. If the impact is unacceptable you need to take action.
Perhaps more importantly, you need to consider the interdependencies and the impact of the loss of more than one critical factor. An extreme example of this is the impact of Hurricane Sandy in Manhattan, where power was lost AND fuel supplies for generators couldn’t get through.
4. What can you do to mitigate the impact?
Once you understand the impacts, both the immediate impacts and the wider knock-on consequences, you can start to identify what could be done to mitigate them. There might be a number of potential strategies, all of which should be considered, before refining.
5. Where do you have control?
There are three basic types of uncertainty to be considered in the scenario planning:
- Business uncertainties – aspects which are within your organisation’s control
- Industry uncertainties – you may be able to influence these, but not control them
- Environment uncertainties – political, environmental, social and technological events where you have no control
6. What is your action plan?
There is almost no justifiable excuse not to fully consider all aspects of failure within your control and apply scenario planning and training to mitigate the impact on the business.
The resulting plans will form a core part of your disaster recovery plan and reviewed regularly to make sure they are still valid and that all team members are clear about what they need to do. Make scenario training and reviews a regular plan to fully remind all who will respond to these scenarios of the actions they need to take. Too often I find people forget essential issues.
The action plan may have identified some immediate tasks to be carried out, but will most probably have identified a number of longer term options. The course of action taken by the organisation will depend on the assessment of the likelihood of the need to put the action plan into place, the associated cost and the organisation’s approach to risk.
Scenario planning as a process is not just about preparing for disaster, it can also be used very effectively to identify better ways of doing things, improving operational efficiency and finding cost savings. Minds open to alternatives, left-field thinking and challenging the norm can drive huge innovation.
If I haven’t already convinced you, I would like to leave you with the tale of Philips who had a ten minute fire in their mobile phone chip factory in 2000. It impacted on both Nokia and Ericsson, but Nokia had spent the previous five years making the business able to rapidly adapt to huge changes and Ericsson had not.
You can read the full story here if you would like to refresh your memory on the details. In a nutshell, Nokia saw profits rise by 42% and market share to 30%. Ericsson took four years to get back to the same level of operating and net income, but revenue had fallen by 52%, total assets by 30% and employees by 52%.