RMI welcomes Jack Freund to the RiskAnalys.is blog…

Once again the 24-hour news cycle is buffeting us with “information” about the new risk that will surely end us all. I’ve received several “breaking news” stories in my email about the pandemic in the last few days. Russia is now taking the step of banning meat from several States and nations (despite it not being transmitted by meat). Clearly, we’re being told this is a serious risk.

Several years ago in a previous life, I participated in an avian flu preparation exercise in my large, telecom manufacturing company. The goal was to determine the extent to which a large-scale pandemic would disrupt business operations, and what kind of controls could be put into place to minimize them. This primarily took the form of a questionnaire that was given to every employee. When it came my turn to fill it out and I got down to the section where I had to decide if I could do my job from home or not, I quickly choose yes. Even if I couldn’t, I thought, I’d be a fool to say so and be forced to come into the office with all those other sick people.

I am certainly unqualified to comment on whether this is or will be the next new plague. However, let’s look at this from the perspective of your own organization and how this might contribute to your risk analyses.

The swine flu will effect most organizations in one direct way, and some other, not-so-direct ways. This is mostly a business continuity risk. If you are following a business continuity management system program (such as BS 25999) you should have identified the parts of your business that are a priority (typical large revenue-generating parts of your business). Remember that in a disruption, cash flow is paramount. Creating a business process map of these parts of your business will help when framing the risk scenarios that will be analyzed by FAIR.

So, what will these risk scenarios look like?

Well, clearly any part of the business that needs people to operate it, or needs people to input something manually has the potential to cause a disruption. This is anything from manufacturing, sales, processing, etc. Any part of your business that depends on people contact (such as retail sales) will also be affected.

What the process map will also tell you is that there are several external dependencies that need to be considered. These are the not-so-direct ways I mentioned above. Namely, reliance upon other businesses (B2B) will be at the mercy of those organizations’ continuity plans (be sure to do your second party audits). Anything from service, support, shipping, and supplies will be disrupted.

The loss magnitude side of the FAIR equation will have the following trajectory. There will be heavy losses on the productivity side of the equation. Clearly, if your people can’t come to work–either because they are too sick, frightened, quarantined, under government order not to leave their homes, or deceased (let’s hope not this one), work doesn’t get done. Response costs will exist, if for no other reason than the activation of your BC plans. Replacement costs are a tricky one for me. The most obvious control would be to have an alternate work facility that isn’t geographically near your primary one. However, this flu has already hit several countries and States. I’d be interested in hearing from you in the comments what you think about this one. For some organizations the answer will be to take the hit. On the secondary loss side, there are some issues. I doubt that there will be litigation (most contracts have a force majeure clause that would be argued). If the impact of the flu is evenly dispersed, then competitive advantage and reputation become less impactful.

The biggest takeaway is that the traditional ways of dealing with this type of outage (work from home and hot/warm/cold sites) may also be effected by the same outage. It’s easy to dismiss this risk as a low frequency high loss event, but that is exactly why FAIR has the unstable risk element. It shouldn’t be written off as crazy end-times talk, but should also be taken with a  grain of salt.

There are many other interesting risk angles in this event. For instance, how the recent memory of the 1918 avian flu goaded then President Ford into calling for nationwide vaccination, how in so doing the pharmaceutical companies had to forgo work in other areas, and how the side effects of the vaccine caused Guillain-Barré syndrome in many. Some believe that the cost to human lives was greater from the vaccine than would have occurred from the flu itself.

As for me, I’ll be stocking up on paper face masks, duct tape, and Pop Tarts. I’ll read your comments from my fortified basement bunker…

Posted on April 30