Probability, Impact, and Preparation: Assessing Risk

  • Nov 26, 2019

There’s a pretty low probability that aliens will attack — but to be honest, anything could happen.

You can’t protect against everything, so you’ve really got to identify which things could impact your business from a physical standpoint or from a business interruption standpoint.

We recently got to interview Dutch Geisinger, Executive Director at Safeguard Iowa Partnership, a private nonprofit that focuses on building disaster resilience in Iowa. “We work on preparation, prevention, response, recovery — anything disaster related, we have a role in it,” he said.

Safeguard Iowa Partnership has worked with state and local emergency operation centers as well as private businesses to teach business continuity, active threat response, and risk management.

Dutch Geisinger said "Just like you can't protect from everything, you can't protect everything."

Threats, vulnerabilities, and consequences

So, you can’t protect against everything. You have to identify what really could impact your business (probably not aliens).

Factors in risk assessment

  • Probability
  • Impact
  • Preparation

 

“If we look at the combination of those things, we can really come up with a prioritized list of the threats that we need to be aware of and the things we need to prepare for,” Dutch said.

For example, an active threat or workplace violence is low probability but very high impact, whereas winter storms (at least in Iowa), are high probability but also already at a pretty high level of preparation.

When assessing for risk management, consider what plans are already in place and what threats could have the highest impact for interruption of services or employee safety.

Building connections

For a winter weather event, Iowans have to have the resources to take care of themselves internally for up to 72 hours.

“Sometimes we have to involve our community partners when we’re doing our planning efforts,” Dutch said. Like reaching out to law enforcement, the public works department, or power companies, to name a few.

“Bringing those partners in and having that conversation up front is one of the best things you can do during your planning efforts,” he added.

While on Earth Networks Continuity Forecast podcast about business continuity, Dutch Geisinger said " If we start trying to look at all the vulnerabilities that exist, it's overwhelming. Frankly, it's not cost effect either."

How to conduct a vulnerability assessment

“Just like you can’t protect from everything, you can’t protect everything,” Dutch said.

Doing a true assessment starts with honesty.

1.   Understand what is critical

It’s probably not your actual office. It might be a critical piece of equipment, electricity, or essential staff.

Ask: What happens to our company if ___ goes away?

Usually, the answer is everyone comes to work anyway and does their jobs. In the case that it isn’t, then you know what to protect.

2.   Assess the reality of threats

Next, you look at the threats and how you protect against those threats.

In terms of an active threat, access controls, barriers, intrusion detection systems, etc. are all important. As in, how do you protect your staff from someone coming in from outside?

But since a tornado is much more likely than an active threat, you should focus more on that threat.

Business continuity planning should be the framework for evaluating threats.  “If we start trying to look at all the vulnerabilities that exist, it’s overwhelming. Frankly it’s not cost effective either,” Dutch said.

Dutch Geisinger said (on business continuity and risk management) "We improve our security and safety systems, and the only way that we can find out if that's effective is if we practice and we train our employees."

3.   Practice your plans

You’ve got a written plan, great!

But have you ever actually practiced it? Or did you put it on the shelf and not look at it for 3 years?

“We have to keep the plan evergreen, and we have to keep looking at it, talking about it, practicing it,” Dutch said.

No plan is perfect — you create the plan with the best knowledge you have at the time.

Things change, obviously. But if you cease to update your plan with your knowledge, then you’re basically inviting gaps.

“When you do a large full scale exercise, it truly can take up to a year in preparation just to get to the point of execution,” Dutch said.

Disaster planning takeaways

  1. Every time you set your clocks ahead or back, have a conversation about your emergency plans
  2. Test your plan to locate small gaps that are easy to fix
  3. Remember to bring your new employees up to speed
  4. Reemphasize business continuity plans periodically
  5. Assign emergency responsibilities and keep the assignments current
  6. Leverage the tools and resources that are available

 

Hint: There are a ton of free resources at Safeguard Iowa Partnership.

Reach out to Dutch Geisinger by emailing sip@safeguardiowapartnership.org or connecting with the Safeguard Iowa Partnership on social media.

Dutch Feisinger was our latest guest on our business continuity and risk management focused podcast: The Continuity Forecast

Business never stops. 

To hear more from The Continuity Forecast, check us out on Apple Podcasts, on Spotify, or on our website