How to assess a measure of Business Continuity Management and Risk Management?

Author: Manu Steens

Within Risk Management and Business Continuity Management, each management discipline does it in its own way, risks and uncertainties are assessed in order to have more certainty in a VUCA world on the success or survival of the own organization.

The more or less succinct view on the way of working is that measures are linked to threats via an assessment. (I’m deliberately limiting risks to threats here, so as not to lose focus on the story, while perhaps what follows may be partly true or analogous to opportunities.)

These measures cost money and effort and must therefore be accountable. Until now I got only two answers in literature and at conferences:

  • Look at the costs versus benefits: if the prevention or mitigation costs more than the damage when the risk manifests itself, it is not worth the effort.
  • Look at the estimate of the residual risk, if that has not decreased enough in your opinion, it is not a good measure. The difference between the original risk and the risk after the measure must therefore be sufficiently large.

However, that won’t take you very far if you want to substantiate an argument as a process manager against a risk manager or business continuity manager who in turn has to discuss it with the board of directors or the Chief Resilience Officer (CRO) or in the C-suite.

What’s more, a process manager usually wants hands-on arguments, while a board member or CxO wants more strategic arguments. And then the principle comes into play: to give what is owed to them. Operational and strategic criteria are therefore needed with which to assess each measure.

Without wishing to be exhaustive in the criteria, nor the points for attention that may go with them, I would like to outline a possibility here by proposing such criteria. Note that each criteria can be viewed and further entered and supplemented by those organizations that want to use it. The examples of implementation are purely illustrative and certainly not exhaustive.

As a risk manager or as a business continuity manager, review the measure operationally with the process manager on the following criteria (where applicable):

  • Reliability (For example, if a part is out, there is a backup of processes, people, redundant structure of organization, infrastructure, …)
  • Maintainability (e.g. the building, its equipment, its processes, education and training, …)
  • Availability (e.g. emergency number, network, realizations, independence, visibility…)
  • Feasibility (For example, can it be organized? What legal structure is needed, required finances, required manpower,…)

As a risk manager or as a business continuity manager, look at the measure strategically with the higher manager (CRO, …) on the following criteria (where applicable):

  • Proportionality (Especially: Is a cost benefit evaluation possible, not only with return on investment (ROI) but especially with value on investment (VOI)? ‘More need can be met with the required money in another way than this’, would mean that this is disproportional; what kind of evaluation models are needed for that?)
  • Prudence (For example, what is a life worth? There is no rule of maximum caution here, I think, rather the question whether you can be more careful within budgets?)
  • Effectiveness (Among other things, are the benefits great in the cost-benefit analysis? Is the information flow between the right players? Is there an eye for quality by mapping the risks? Is the organization supportive of the operational and strategic requirements? Does it meet targets in time (for predictable crises to occur) to be able to perform exercises to create preparedness for future crises?)
  • Efficiency (Among other things, is the cost small in the cost-benefit analysis? Is the information flow smooth? Is there a will to collaborate within the networks, and is this with a subsidiary decision-making authority (which is a quality requirement)? Can the organization be reorganized flexibly, and is there a smooth collaboration with government? Are milestones for the plans met in a timely manner?)

Using such a well-thought-out framework of argumentation to substantiate the correctness of a measure, it can help to prevent misunderstandings or arbitrariness when formulating measures to be implemented.

If it has then been established in a subsidiary way at both the operational level and the strategic level that the measure makes sense, it may be safer to implement the measure for all parties, as a justification for a possible audit afterwards if things still go wrong later.

However, although there are the concepts of operational and strategic crisis management, it is not clear to me whether this way of working can be implemented in crisis management. This may be possible in the case of project operation in the aftercare phase. But that in itself may be an idea for others to check.

What is the BC Manager profile?

Author: Manu Steens

Inspired by the pdf of I. Helsloot “Veiligheid als (bij)product” available at https: //

I divide this question into the following questions:

” Why should BC Managers have a good interaction with and knowledge of Crisis? What responsibility do they have in crisis? So what position should they have?

​There are all kinds of principles that apply in safety, which make safety what it is.​

One such principle is that “the BC Managers (basically) serve their boss” 

​More detailed this could mean the following:​

that they must be employed by their boss (for his strategic goals) because otherwise there is a threat to the organization that the advice of BCM would be one-sided, it would benefit ‘their own’ subject (partial interest, preferences), without meaningful management. Meaningful management is very often about available money to realize the strategic goals. This means that an external or poorly placed BC Manager cannot make a balanced assessment of interests. This can lead to inefficient and ineffective operation.​

This means that the advice in such a situation would be one-sided, dogmatic (“Just do it!”) and that there is no integral advice.​

​What does that mean?​

In fact, it comes down very much to countering an advice trick of one-sided advisors, who repeat the words (attributed to Trevor A. Kletz) that sound very nicely as a one-liner: 

“If you think safety is expensive, try an accident”.

​The trick to countering this nice-sounding but hollow phrase is as follows:​

The situation of the advice is dismissed as to whether you can compare the costs of the measures against one risk with the costs of the misery that arises when that one risk materializes. However, you do not know in advance which risk will ultimately lead to misery, so you would have to prepare your organization for all risks (the costs of which amount to infinite) while only one risk ultimately leads to misery.​ Do you have to choose? No, the measures must be carefully considered and coordinated where possible. Where possible, a measure should cover as many risks as possible.

An example could be “optimum telework” which is useful when a building is unavailable, but which can also help when a pandemic occurs, when a slope shear is imminent at the main building, when heavy storms are imminent, etc.

Even in a crisis, there is too little time to coordinate several possible matters.​

  • That is why the BC Manager must present the proposed measures in an integrated manner. And not just as a sum of advice swept together.​
  • Therefore, BC Managers must be well aware of the other matters and purposes of their own organization.​
  • That is why priorities must also be made in Risk Management and integrated measures must be taken.​
  • That’s why a BIA and an RA are needed before starting a BCP document set . 
  • And finally: that is why the BC Manager must also be well informed about the target group of the BCP: the Crisis teams and the CMT of the
    organization: what the structure is, who is in it, who needs to know what about BCM.​ What BCM can mean for them.

​To be able to do this efficiently and effectively, a BC Manager must also have sufficient capabilities, and be able to talk to the management team at level, so also have insight into their budgets.​

​This reasoning applies not only when preparing for a potential crisis, but also during and after a crisis in its aftermath, when advice to the CMT, sponsor and senior management is needed.​

​For such goals to be realized by the BC Manager, they must have a holistic view of the organization, internally but also externally in its environment.​

​To meet these requirements, a heavy profile is needed.

The answer whether the BC Manager should be included in the C-suite for this reason is still not given. Personally, I’d rather let that question pass by.

Becoming future proof – how do you do that? Points of attention.

Author: Manu Steens

Inspired by ‘Ready or not’ by Tom Palmaerts.

‘Future proof’ also means being antifragile and resilient. Does resilience start with becoming future proof or is that just one of the entrances? I think it’s the latter.

What can we learn for Business Continuity Management (BCM), Risk Management (RM) and Crisis Management (CM) and on a personal level to become future proof?

The first thing, of course, is that we look into the future. We have to make time for that. If we don’t, we get too focused on what we already can. That produces a daily grind that stays present, giving rise to inefficiency. So variety is the key to adaptation. Further, variety of topics we focus on is also necessary because then we give our subconscious the chance to let a few 10,000ths of brain cells grind through on each of the problems.

However, care should be taken that it does not become too much so that you no longer dwell on a friend’s or acquaintance’s birthday than to send an emoji. The golden advice of Augustus (Ancient Rome) therefore remains valid: “festina lente” or make haste slowly. In fact, that was already an opinion that was close to Kahneman’s when he spoke about “Thinking Fast and Slow”: you have to go slower now and then, because quick decisions often do not survive a long-term vision.

So a right attitude is to embrace changes with slow thinking, which has everything to do with a first step: exploring those changes and the next step: anticipating changes, partly from gut feeling, partly from reason.

That’s why the advice is to stay focused, but in the right way: start with small things.

–         Check your e-mail only twice a day at fixed times.

–         Turn off your sound on your cell phone when you’re not on call. Don’t let yourself be disturbed, use the airplane mode of your smartphone if necessary.

–         Focus on one subject at a time in blocks of time, so that you can get into a ‘concentration flow’.

–         Change subjects regularly, so that your brain knows rest and continues to work subconsciously.

–         Decline meetings if they are not important.

–         Do creative brainstorms and group sessions regularly, at the time of the day when you are at your best.

In order to bring yourself to the best of your ability, there are also a few things you should take into account: you should explore the future from the best possible known and, above all, lived-through present. So:

–         Read a lot and regularly, and gain knowledge.

–         Love yourself.

–         Treat yourself to something tasty.

–         Use the gentle stimulus of calm music (for myself at least, for others it may be a bit rougher).

–         Use technology to support you.

–         Walk during the meetings.

–         Less coffee, more water, avoid sugar.

Second, we see that the masses choose a simple way out, even if it is wrong. Few choose to delve into the longer path that requires more discipline and patience. The masses know they are going wrong, but they don’t know either, because they don’t want to know. And before you know it, you’ll come across a Gray Rhino that is unavoidable. And that will happen again and again. In this way one learns more not from mistakes of the past than one does learn. And that has to do with brain economy. A one-off experience without great factual knowledge thus becomes a rule of thumb that one uses as a law of nature with absolute certainty. And the reason behind this is often ‘awareness of time’. Or the economical use of their personal time. As a result, many Americans stop by a store on their way to work to pick up a snack for breakfast, fueling obesity. And they know it.

From a time economy, we often choose the easy path at work. That feels safer, because it is familiar territory. It is not untrodden ground. And that goes well, until change is required. Then, of course, an unknown territory takes over, and it becomes more difficult for everybody to see, decide and act. This creates psychological resistance. One must therefore learn to experience overcoming a challenge as something delicious.

The reason why one should learn to enjoy being challenged is that one often gets into original situations, and therefore needs a growth mindset instead of a fixed mindset. This is the only way to push boundaries by alternately exerting and relaxing.

A realization that must penetrate to the core of the gut feeling is that what has previously been tried and failed, may now succeed if the system with which one works changes. After all, complex systems are systems that are time-dependent, in an unprecedented way. As a result, the system’s response to external influences cannot be predicted. Therefore, keep the sensors of your soul open for anticipation of changes in the situation, which is a complex system. Therefore, exploring futures is also useful. Adapt with further training, and think differently, for example from the point of view of scarcity. That could be sooner than you think. See also the UK after Brexit.

Subsequently, it is important to look for a tailor-made approach and solutions in an inspired way in crisis management and resilience management. A copy-paste of a Business Continuity Plan (BCP) from another organization does not work for your own organization and therefore does not add anything to your own resilience. The environment changes and everyone and everything is chasing the facts. So continuous adaptation and evolution is required. For organizations this means that the plans, the risk registers, the objectives must change. For people, this means sharpening skills and developing talents and competencies. For both, a vision of the future that is somehow correct is a must. Because one has to go to the core of the questions, the ‘5 x why technique’ is important to find the original causes.

Although it makes no sense to copy a plan from elsewhere, it is possible that inspired design makes sense. It can provide insights into one’s own situation from the situation of the other. That way an inspired version will be better than the original for your situation, even if it fails, because this is part of evolving.

In this way too, creating your own BCP, giving your own interpretation to the crisis teams, setting up your own risk management is innovation. Because it creates or contributes to value. But that cannot be done efficiently without learning from others

In addition, networking is also important because doing all that work without the internal and external customer and knowing the other stakeholders yields nothing useful. Or almost nothing.

So start from your sources, which you mix with the knowledge about your own current and future situations. Write down your own strengths, weaknesses, opportunities and threats and help build insight into your own situation from there. But always mention your sources, otherwise you will be stealing.

Reverse engineer your sources: see why they work for them, and apply similar reasoning to your own situation.

That way you build your own flexibility. You get it back in no time, because you already had it as a child. Ultimately, agility is innate. Some lose that and become dinos in the business. Others sometimes adapt. Still others are constantly adapting. The latter is what you need. That can go so far that you also have to change dreams and goals. However, that does not mean that you should unlearn acquired skills. Because many things come back cyclically in history and you don’t know which ones in advance. But ‘panta rei’, and so the needs of everything and everyone are constantly changing.

A point of attention here is that experts sometimes try to be able to do everything. That does not work. You have to be able to let go of things. Others can do some things better than you can. However, these are external factors on which you should let nothing depend, but to which you must adapt yourself and your organization. Preparation is therefore ‘key’ and also your own flexibility. Learn to adjust your wishes. Among other things, by continuously learning, or by being curious and by daring to change your opinion in a well-founded and motivated way. A ‘worst case scenario’ in a BCP can thus better become a ‘reasonable worst case scenario’. By adapting in a reasonable way to what you and your organization can handle. What is needed is:

–         Using an open attitude.

–         Trying to be ‘reasonably all-round’.

–         Use fast and slow thinking.

Extremely important are:

–         The use of a cultural empathy and being in / creating a multi-cultural environment.

–         Think about whether you can do it yourself before going to a consultant, because you always know your own needs better than they do.

This makes you more independent, self-steering and more flexible.

Most importantly, even if you evolve well to become future proof, you must always remain a freshman. In the sense that you regularly still practice. Otherwise ideas turn into sterile theory that everyone eventually distrusts, except those who are concerned with ‘conspiracy theories’. So take your time for theory, but also for practice. Take pleasure in both, come up with original things, and before you know it there will be another evolution. This requires interest, as the engine of lifelong learning. When is the best time to do that? When you feel the passion for it. For the content. Note: you don’t have to have a passion to do “something”, but to do “that”.

To further steer that in the right direction, you have to break through the bubble that you were taught in your upbringing. To see your blind spots in what you want to develop. Therefore: travel, do conferences, imagine your dreams, start a ‘secret’ talk club for extreme thoughts.

So: as said: passion comes first. You have to dream big, but start small. Step by step you move forward. Provide content first, look and feel after. Collaborate with competitors and see what you can create together. Go hang out with them. And put your passion to the test.

Besides all this that is based on good will, saying that there is a threat is usually meaningless. One must feel it. So creativity is needed to make this feel. This creativity must be stimulated from the youth years. A STEM (Science, Technology, Engineering, Mathematics) education should therefore also contain art. (Then it becomes STEAM) After all, design is necessary to establish a link between people and technology.

Thinking about the future should always be based on today’s reality. Otherwise it will not be accepted. That is why working step by step is also important here. A challenge for crisis teams is therefore the fact that risks sometimes seem to make leaps and bounds, because events can sometimes occur suddenly.

To think about the future from the present, with a multi-cultural and technical and scientific background, you should also visit other entities and other governments. Discuss with them their approach and point of view and your own.

However, to think diversely in a group, inclusion is needed. A good Cultural Quotient (CQ) (and culture-based empathy) and adaptability are required for this. Together you have more depth and therefore better insights into your own situation. A better 360° view. Without inclusion, it is just a check-the-box exercise for diversity policy. With a good CQ, look not only inwardly, into your own organization, but also at world developments, far and near from you. Look to the future and the past, to be and remain successful. A strong element in this can be creating your own knowledge-sharing network for people with common interests. A mindset to dare to take risks is essential here.

What must, as an example of daring, is to regularly (dare to) raise the bar. The crisis teams must be informed about the world. In addition, risk leadership is a means to this end. Everything must be openly discussed, hard for the results but with a heart for the people.

In line with this, it makes sense for each of the employees in the crisis teams to look daily at what they are grateful for that day, every day. This focuses on the positive, which increases resilience. Because gratitude, just like being flexible, leads to more happiness. And happiness is one of the most essential conditions for being future-proof.