Business Continuity And The Pandemic Threat

Author: Robert A. Clark

With this book the author, Robert A. Clark, draws attention to an important issue that is on the border between BCM and Risk Management, but what is traditionally attributed to BCM, namely the pandemic threat. This threat is relevant because statistically it has manifested itself every 30 years on average over the last 300 years.

The book is divided into two parts: ‘Part I: Understanding the Threat’ and ‘Part II: Preparing for the Inevitable’

Part I talks extensively about micro-organisms, what a pandemic really is, dangers of germs in the hands of criminals and terrorists, a brief history of the most important known pandemics, and the danger of hospital bacteria (anti microbial resistance of AMR). In two separate chapters, he elaborates on the cases of SARS and the Spanish Flu of 1918-1919, which continue throughout the book as the classic examples. He concludes part I with a comparison between the two cases that are still extremes: the Spanish flu with 50,000,000 deaths and SARS with a good 1000 deaths and ‘only’ 8,000 infections worldwide.

Part II deals with the approach to pandemics. He starts from two positions: preparation and response. He talks about what can be done on a world, national, organizational and individual level. What is important in Part II is, in my opinion, the attention he gives to the important points for a pandemic plan. He does this however, without giving a concrete pandemic plan or template. This, however, he makes good by referring in the appendices to a website where a template can be found: www.bcm-consultancy.com/pandemicthreat. But it does not stay there. He also describes what to do with it if there is no pandemic: practice and validate. He gives an overview of a number of types of exercises, ranging from very simple to very complex and extensive.

A limited part of the attention for the characteristics of a pandemic plan go to supply chain.

Meanwhile it was noted that the template is no longer available on the website. An example of a pandemic plan (in Dutch) can be found on this website: ‘http://www.emannuel.eu/uncategorized/pandemieplan/’

A Risk identification method

Author: Manu Steens

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.

The structure is a matrix that is shaped by, on the one hand, the objectives (Strategic and operational objectives) and, on the other hand, possible internal and external factors, the quick scan.

This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.

More specifically, this ‘risk matrix’ looks like the one shown below:

nr Aspects Quick Scan findings Risks: mention the incidents, their probability, cause and consequence
Strategic goals SG1 SG2
Operational goals OG1-1 OG1-2 OG2-1 OG2-2
1 Proces management
2 stakeholders management
3 Monitoring
4 Organisation structure
5 Human Resources Management
6 Organization culture
7 Information and communication
8 Financial management
9 Facility management
10 Information and communication technology
11 External factors

By filling in this matrix, the CRO answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. Which parts / aspects of the organization are the subject of research?
  3. In which risks is further insight required?

In a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.

As a second step, the CRO will have to systematically check with the business which of the risk problem fields identified in the quick scan occur in its company and which require further investigation. For this he must question the internal and external experts and the management team in question.

The development of a quick scan can usually be done by conducting a survey with the experts, which they generally view as realistic risks in relation to the aspects of the guideline. This can be supplemented with a desk research using annual reports, audit reports, risk inventories of occupational safety, fire prevention plans, continuity plans, incident registrations, damage history including registration of near damage.

Afterwards the matrix is ​​”weighted” with regard to the quick scan in step 2, whereby it must be clearly chosen which risks have a grip on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. An approach of existing control measures can already be included in the quick scan.