Business Continuity And The Pandemic Threat

Author: Robert A. Clark

With this book the author, Robert A. Clark, draws attention to an important issue that is on the border between BCM and Risk Management, but what is traditionally attributed to BCM, namely the pandemic threat. This threat is relevant because statistically it has manifested itself every 30 years on average over the last 300 years.

The book is divided into two parts: ‘Part I: Understanding the Threat’ and ‘Part II: Preparing for the Inevitable’

Part I talks extensively about micro-organisms, what a pandemic really is, dangers of germs in the hands of criminals and terrorists, a brief history of the most important known pandemics, and the danger of hospital bacteria (anti microbial resistance of AMR). In two separate chapters, he elaborates on the cases of SARS and the Spanish Flu of 1918-1919, which continue throughout the book as the classic examples. He concludes part I with a comparison between the two cases that are still extremes: the Spanish flu with 50,000,000 deaths and SARS with a good 1000 deaths and ‘only’ 8,000 infections worldwide.

Part II deals with the approach to pandemics. He starts from two positions: preparation and response. He talks about what can be done on a world, national, organizational and individual level. What is important in Part II is, in my opinion, the attention he gives to the important points for a pandemic plan. He does this however, without giving a concrete pandemic plan or template. This, however, he makes good by referring in the appendices to a website where a template can be found: But it does not stay there. He also describes what to do with it if there is no pandemic: practice and validate. He gives an overview of a number of types of exercises, ranging from very simple to very complex and extensive.

A limited part of the attention for the characteristics of a pandemic plan go to supply chain.

Meanwhile it was noted that the template is no longer available on the website. An example of a pandemic plan (in Dutch) can be found on this website: ‘’

A Risk identification method

Author: Manu Steens

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.

The structure is a matrix that is shaped by, on the one hand, the objectives (Strategic and operational objectives) and, on the other hand, possible internal and external factors, the quick scan.

This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.

More specifically, this ‘risk matrix’ looks like the one shown below:

nr Aspects Quick Scan findings Risks: mention the incidents, their probability, cause and consequence
Strategic goals SG1 SG2
Operational goals OG1-1 OG1-2 OG2-1 OG2-2
1 Proces management
2 stakeholders management
3 Monitoring
4 Organisation structure
5 Human Resources Management
6 Organization culture
7 Information and communication
8 Financial management
9 Facility management
10 Information and communication technology
11 External factors

By filling in this matrix, the CRO answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. Which parts / aspects of the organization are the subject of research?
  3. In which risks is further insight required?

In a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.

As a second step, the CRO will have to systematically check with the business which of the risk problem fields identified in the quick scan occur in its company and which require further investigation. For this he must question the internal and external experts and the management team in question.

The development of a quick scan can usually be done by conducting a survey with the experts, which they generally view as realistic risks in relation to the aspects of the guideline. This can be supplemented with a desk research using annual reports, audit reports, risk inventories of occupational safety, fire prevention plans, continuity plans, incident registrations, damage history including registration of near damage.

Afterwards the matrix is ​​”weighted” with regard to the quick scan in step 2, whereby it must be clearly chosen which risks have a grip on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. An approach of existing control measures can already be included in the quick scan.

BCM – How to determine the criticality of a process in a BIA?

Authors: Joris Bouve and Manu Steens

In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP) and necessary processes (NP).

Typically one uses as definition:

  • TCP: those processes that have to be restarted within two working days;
  • EP: those processes that do not have to restart within two days, but within two weeks;
  • NP: those processes that do not have to restart within two weeks, but within two months.

How critical a process is, can also be approached in a different way: if the impact of a too long outage (eg > 2 days) of the process becomes too much to handle, then you have to quickly (eg in <2 days ) restart the process.

The question here is: how do you determine the criticality of a process?

Proceed as follows (see table below):

  • List the processes in the [process] column;
  • Determine the impact on your service if the process threatens to fall out in the following columns.
  1. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last for more than 2 days or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column. in. There is then a time-critical process. In the [process criticality] column, enter TCP.
  2. 2 dagen].”>when outage > 2 days]. You can also state here what measures you will take to minimize the effect or how you can still guarantee the intended service
  3. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 weeks or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column 2 dagen].”>when outage > 2 weeks]. in. There is then an essential process. In the [process criticality] column, enter EP.
  4. If the impact is such that the service is seriously compromised in the event of an outage that would last for more than 2 months or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column 2 dagen].”>when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.

In the column [dependencies] you enter which expertise, logistic means, IT resources, … you need.
As described under point 2), you enter in column [criticality process] to which category the process belongs: time-critical, essential, or necessary

Process Impact when outage  > 2 days Impact when outage > 2 weeks Impact when outage > 2 months Dependencies criticity process
[name process] [Description] [Description] [Description] TCP/EP/NP


Two examples:

  • The crisis management process. If this starts only after an hour, serious reputational damage can already be caused by, for example, incorrect communication in the media. It must therefore certainly be started within two days. The 2 columns next to it need not be filled in anymore. With the dependencies, you put eg the expertises, the meeting room, laptops, smartphones, communication tools etc. In the last column you place the decision of the chosen type of process, in this case TCP.
  • Process X must be able to start up within 5 days in August, because otherwise a rule from the legislation can be violated, with corresponding fines and reputational damage. 2 dagen].”>when outage > 2 weeks’ and you choose the type of process ‘EP’. In dependencies you can, for example, write communication with the bank, the name of an an administrative employee and the right software program.

This choice of type of process (TCP, EP or NP) can then be adopted one by one in the Business Impact Analysis. The dependencies can also be taken over.


Risk management strictly spoken – Key Risk Indicators and risk intelligence

Author: Manu Steens

An important concept in strategic risk management is that of risk intelligence.

Risk intelligence is a “systematic process for gathering and analyzing information about the risks of the organization’s business, to be able to make strategic decisions based on this and then to do better as business in a competitive environment.” So it is a possible answer to competitive intelligence from potential opponents.

It is therefore more extensive than a classic risk analysis process with accompanying actions. It is all relevant information.

The organization must therefore be capable of providing for events and external impulses for changes. Furthermore, it must be a process because risks are changeable, and strategies must be able to be adjusted, and because new risks constantly arise.

One of the possible predictors are indicators: KPI and KRI (Key Performance Indicators and Key Risk Indicators). I discuss the KRI here. (Please note: the KRI provides information, the analysis of this information must still be done (to create knowledge) by the owners of the risk.)

KRI based on outcomes

Key Risk Indicators are often effect indicators. They measure whether the set objectives, the outcomes of the processes, have been met.

KRI on the basis of outcomes, are effect indicators. Conversely, impact indicators can be considered as a sub-class of the risk indicators. However, it is best to speak of effect indicators with regard to people who are averse to risk management as another topic that management adheres to.

But how do you achieve effect indicators?

Strictly spoken by determining the outcomes of the process, the project, the objective. A trick to determine these outcomes is not t take the output of the processes or projects as the final stage of the activity, but the purpose of the activity. This can be done by describing the process / project in one or only a few sentences, and ending this description with one or more completions after the words “in order to …” or “so that …”.

There you contrast criteria that you then periodically want to keep an eye on to see if they are exceeded, or show a tendency, or make a jump and the like.

An example here can create clarity.

In the operation of a BCM manager, there is a process that starts with each cycle. This cycle can be described in ISO 22301, but also in the GPG of

An example is for crisis communication: “Speaking to the media with a clear voice from the organization during the crisis”. This is an objective of the crisis management team, because the goal during a crisis is that the transfer of information is easily verifiable, just as fully as possible and in accordance with the requirements of the moment. The undesirable consequence that you are running is that a number of people wrongfully talked to the media with all the wrong information flows that can follow from them. You can therefore do a measurement as follows:

T = “Sum of (The number of people who (unjustly) speak to the media) of the crises that month.”

You can then illustrate the measurement with smileys as follows:

Green smiley: 0 people

Yellow smiley: youdo not use this one here

Red smiley: 1 or more people

Gray smiley: there was no need for communication to the media due to no crisis settlement that month.

KRI based on risk analysis

But there is also a second class of Key Risk Indicators, which do not base themselves on the outcomes or targets set, but which refer back to the risk analysis of the process, the project or the objective (s).

An explanation of the method can most easily be illustrated with the Bow-Tie risk analysis method.

In the Bow-Tie method one can predictively work by looking at the left side (preventive side) of the bow tie, where one has pierced through to the root causes of a desired or undesirable event.

Once the relevant causes have been inventoried, criteria must be established in which these causes occur. For example, (hypothetical) accidents among foresters peak when 15% of foresters have less than 1 year experience in the sector and their supervisors are younger than 30. Then one can draw up a KRI for HRM to find out what the age of the supervisors is. and the combination of the experience of their guests. When a new recruitment with this combination exceeds this criterion, for example, a reorganization of seniors and juniors can be implemented.

As one readily sees, these KRI are certainly important for their predictive power. They are predictive, where the KRI on the basis of outcomes show that something has gone wrong or something is going wrong.

That predictive indicators can make the difference between success and failure in the intended effect, and they are based on the results of the complete risk analysis, is a reason to carry out a complete risk analysis according to the American model.

The important thing about the KRI is that it is possible to adapt the existing strategies during the process. One can anticipate.

Risk Issues and Crisis Management in Public Relations – A Casebook of Best Practice

Authors: Michael Regester & Judy Larkin

In this book, the authors discuss risk management (although they only speak of risk issues) and crisis management as part of what they call ‘Issues management’ and that with an approach from the perspective of public relations. Here they give numerous examples in the form of case studies.

The book is divided into two parts: a section on the elaboration of issues management, which looks suspiciously like risk management, because it has many similar building blocks, and a second section on crisis management, emphasizing both the importance of the teams, as the communication aspects.

Issues management is working on the drafting of a procedure of issues management, in which a great deal of attention is paid to the components that the authors consider important. The whole is concluded with some overviews of concrete approaches in two existing organizations.

Concerning Crisis Management, it is the intention that you remember the following (not necessarily in this order and certainly not an exhaustive list):


  • Be the first to share, recognize first that there is a problem.
  • Rectify immediately any error that comes into the media.
  • Be complete, correct, honest, transparent and willing to communicate. Do not say things like ‘no comment’ and if nothing is known yet, then tell them you will not leave no stone unconverted untill is known how things work.
  • Provide a place to speak to the press. It’s best to work one-on-one for the television channels. The latter can take a lot of time and energy and therefore it can be interesting to have a single TV interview set up in consultation with all channels.
  • Start communicating immediately, even if you do not have any information yet.
  • Always discuss the following topics in the following order:

    • People
    • Environment and environs
    • Properties
    • Money

And always talk first about the facts, then emotions and then state a vision of what you will do or are doing about it. Prevent a void in communication.

  • Always make sure that your actions are in the spotlight, and that you are heard.
  • Avoid putting bad blood in the population.
  • Visit the disaster site.
  • Acknowledge fault when it is proven, not before. Refer to experts for the evidence and do not be tempted into endless defense talk.
  • Never speculate about what you do not know.
  • If the press does not pay attention to you, do not walk away, stay in the area but do not pull any attention to your organization. Do not be a ‘sitting target’.
  • Do not ignore any media source.
  • Be willing to pay ex-gratia.

All this is extensively upholstered with cases where it worked and where it did not work.