PJL-43

Business continuity and risk management

Alessandro Mazzeranghi, MECQ S.r.l.


There are situations that can damage a company more or less severely, without however entailing the sudden interruption of business activity. We shall not address these in this article. What we want to do instead is to focus on those events that can, on their own and in an overall satisfying corporate ambience, lead to its sudden and unexpected closure.


In our field, three points are especially critical:


• Events that can cause damage to assets so severe as to prevent the activity from continuing; it is not by chance that the tissue field pays a great deal of attention to fire prevention issues.


• Events that can make the consumers of a given brand or company lose trust in them (for manufacturer brand products) or that can cause catastrophic compensation demands by the customer/distributor. On this issue, we cannot underestimate the fact that consumer products are directed at a market whose reactions to strong emotional stimuli are not easily predictable.


• Events that can result in violations of the law so serious as to entail “penalties” for the company that cannot be settled with the resources available. Although legislation in the different areas of the planet differs substantially (too much in my personal opinion), we must admit that in many countries improper entrepreneurial behaviors are heavily penalized.


The above considerations should give an idea of the breadth of the problem and of how it is a multi-disciplinary issue.

 

LACK OF AN ORGANIC STRATEGIC APPROACH.

How can a manager who directs a company – whether it be a corporation, a large firm or a “family-owned” establishment – have the proper competences to keep an organic account of all the risk factors that can impact his or her organization? I personally know several tissue companies that differ greatly in terms of size, and feel I can answer in this way: he or she cannot do it alone. That manager needs the help of trusted collaborators, but he or she will encounter difficulties anyway if each collaborator – a specialist in one field – presents his or her considerations in a fashion of his or her own choosing.

Basically, what is lacking is a strategic and shared approach by all subjects participating in the assessment, and this will inevitably lead to unbalanced risk management choices because they are not based on homogeneous data.

 

RISK ASSESSMENT AS A BASIS (INDISPENSABLE) FOR RISK MANAGEMENT.

It is a fact: proper risk management must be founded on homogeneous, true bases, and the instrument can only be risk assessment. In the end, it is such a simple and rational methodology that it can be applied to every situation where it is fundamental to understand the concrete need to manage a risk. Let’s just take a quick look at a couple of key concepts to then understand how risk assessment can be applied to issues that can impact business continuity.

Risk assessment allows estimating the concrete entity of a given risk, considering and combining the gravity of the damage and the probability that the damage at issue actually takes place. It is intuitive that, for damages having the same level of gravity, the situation having a higher probability of taking place is the one that entails a greater risk. A catastrophic damage - theoretically possible but practically characterized by a probability close to zero - will also correspond to an almost null risk. And so on. From this, we can almost automatically deduce that risk is given by a sort of mathematical product between gravity and probability.

 

APPLYING RISK ASSESSMENT WHERE THE DAMAGE IS THE INTERRUPTION OF BUSINESS CONTINUITY.

Compared with the so-called standard approach to risk assessment, the application to the case in point “enjoys” a simplification that must be used with caution: the gravity of the damage is always the same because what we want to prevent is the interruption of the company’s business activity. But be careful not to confuse things: only those situations that have the concrete possibility of interrupting business are to be included in the risk assessment.


Two other aspects are instead more complex: the identification of dangerous situations (under the profile we are considering) and the assessment of the probability of their taking place.

To identify dangers, i.e., those situations that must be prevented in order to avoid interrupting business activity, it is necessary to forecast those scenarios which, if they can concretely present themselves, could lead to undesired consequences. These scenarios must be clearly envisioned (i.e., described) not only as events but also in terms of the people involved and their interests in the situations that could trigger such scenarios. This applies especially, but not only, to interests tied to income statements, which could lead some individuals to venture into practices that are not very ethical and even concretely imprudent. We are speaking about income statements, but we could just as easily speak of practices such as corruption or the lack of prevention of damages to the environment, which may seem like actions performed to the advantage of the company and hence could appear to be “positive” practices to those who intend to do the company good.


Going on to estimating the probability of an event taking place, we fully recover the importance of a correct description of the scenario; only by understanding how a certain event can take place can we understand the actual possibility of its happening. Probability must keep several different factors in consideration that intertwine technical aspects with those connected to human behavior and to the company’s overall organization.

 

LET US CONSIDER THE CASE OF POLLUTION OF A WATER RESOURCE

(a stream flowing near a paper mill). Evidently, if the paper mill has a purifying plant, there will be a totally relevant technical aspect connected to the proper functioning of the plant and its appropriate dimensions for the mill. There are other factors, too, that combine the technical aspect with human behavior: management of the measures aimed at verifying the plant’s proper operation, managing programmed maintenance and corrective maintenance interventions, etc.


Now we will look at a much less technical corporate process (in the sense that machines or plants do not come into play). It is a well-known fact that corruption practices are a source of grave risk for companies due to national laws and the public’s perception of the company. To prevent corruption, in addition to pure and simple bans by top management, a well-known instrument is purchasing control, with special reference to the purchase of immaterial goods (for example intellectual services, consulting, etc.). If we wonder what probability exists that cases of corruption may be found in a company, we must first of all ask ourselves if the corruption can be of some “use” for the company, and secondly how many people must concur to put a concrete act of corruption into practice. It is clear that the higher the number of people, independent of one another, who must concur in the action, the lower the probability.

 

RISK MANAGEMENT CONSEQUENT TO RISK ASSESSMENT.

If the assessment activity was conducted in homogeneous fashion, we will have a risk scenario for the company that is legible as a whole; we will find situations where the danger exists abstractly, but its extremely low probability makes us consider the risk as negligible, and others, instead, that require greater control because the risk, concretely, is anything but negligible. For the latter case, appropriate control measures must then be defined to bring the risk back within the acceptable sphere. Save for a very few cases (see the example of the purifying plant) for which technical measures exist that, due to their very nature, guarantee a sure efficacy, the measures will involve people. They involve people both individually, by making them understand well how certain behaviors that appear favorable for the company are instead concretely damaging, and as an ensemble of elements that constitute a (complex) organization. The second profile is the more interesting and reliable one (in terms of prevention) because it can be better forecasted (it falls outside the individual perception of the company’s good).

Organization, i.e., clear and documented rules expressed through procedures, hence where reasonable, also reports in relation to critical hubs, and in any case, the application of the concept that no individual subject must exist that, autonomously and without surveillance, can enact extremely dangerous behaviors for the survival of the company. And, lastly, assessment of the actual application of the law.

 

EXCESS OF RULES.

We cannot escape this theme: the rules, procedures, registrations, controls, mutual surveillance are all elements that engulf the day-to-day operations of every company. So it is important that risk assessment is performed carefully in order to avoid putting into practice prevention measures for risks that actually do not exist.


We will return to the issue of rules and of good company operation in the future. But here we just want to underscore that if there is something that must be prevented, it is actually the risks we are speaking about. It is better to reduce the degree of control on other issues, but let’s manage to the best of our abilities those situations that could pose a risk for the very existence of the company.
