Probability, Impact, and Preparation: Assessing Risk
- Nov 26, 2019
There’s a pretty low probability that aliens will attack — but to be honest, anything could happen.
You can’t protect against everything, so you’ve really got to identify which things could impact your business from a physical standpoint or from a business interruption standpoint.
We recently got to interview Dutch Geisinger, Executive Director at Safeguard Iowa Partnership, a private nonprofit that focuses on building disaster resilience in Iowa. “We work on preparation, prevention, response, recovery — anything disaster related, we have a role in it,” he said.
Safeguard Iowa Partnership has worked with state and local emergency operation centers as well as private businesses to teach business continuity, active threat response, and risk management.
Threats, vulnerabilities, and consequences
So, you can’t protect against everything. You have to identify what really could impact your business (probably not aliens).
Factors in risk assessment
“If we look at the combination of those things, we can really come up with a prioritized list of the threats that we need to be aware of and the things we need to prepare for,” Dutch said.
For example, an active threat or workplace violence is low probability but very high impact, whereas winter storms (at least in Iowa), are high probability but also already at a pretty high level of preparation.
When assessing for risk management, consider what plans are already in place and what threats could have the highest impact for interruption of services or employee safety.
For a winter weather event, Iowans have to have the resources to take care of themselves internally for up to 72 hours.
“Sometimes we have to involve our community partners when we’re doing our planning efforts,” Dutch said. Like reaching out to law enforcement, the public works department, or power companies, to name a few.
“Bringing those partners in and having that conversation up front is one of the best things you can do during your planning efforts,” he added.
How to conduct a vulnerability assessment
“Just like you can’t protect from everything, you can’t protect everything,” Dutch said.
Doing a true assessment starts with honesty.
1. Understand what is critical
It’s probably not your actual office. It might be a critical piece of equipment, electricity, or essential staff.
Ask: What happens to our company if ___ goes away?
Usually, the answer is everyone comes to work anyway and does their jobs. In the case that it isn’t, then you know what to protect.
2. Assess the reality of threats
Next, you look at the threats and how you protect against those threats.
In terms of an active threat, access controls, barriers, intrusion detection systems, etc. are all important. As in, how do you protect your staff from someone coming in from outside?
But since a tornado is much more likely than an active threat, you should focus more on that threat.
Business continuity planning should be the framework for evaluating threats. “If we start trying to look at all the vulnerabilities that exist, it’s overwhelming. Frankly it’s not cost effective either,” Dutch said.
3. Practice your plans
You’ve got a written plan, great!
But have you ever actually practiced it? Or did you put it on the shelf and not look at it for 3 years?
“We have to keep the plan evergreen, and we have to keep looking at it, talking about it, practicing it,” Dutch said.
No plan is perfect — you create the plan with the best knowledge you have at the time.
Things change, obviously. But if you cease to update your plan with your knowledge, then you’re basically inviting gaps.
“When you do a large full scale exercise, it truly can take up to a year in preparation just to get to the point of execution,” Dutch said.
Disaster planning takeaways
- Every time you set your clocks ahead or back, have a conversation about your emergency plans
- Test your plan to locate small gaps that are easy to fix
- Remember to bring your new employees up to speed
- Reemphasize business continuity plans periodically
- Assign emergency responsibilities and keep the assignments current
- Leverage the tools and resources that are available
Hint: There are a ton of free resources at Safeguard Iowa Partnership.
Reach out to Dutch Geisinger by emailing firstname.lastname@example.org or connecting with the Safeguard Iowa Partnership on social media.
Business never stops.