Not in scope
The economy's picking up.
The organization has a killer product or service and the competition has been left in the dust.
Things could not be better.
Expect that the organization's business continuity program failed to account for success.
Success as a "disaster?" How can that be?
Success can have the effect of a disaster if the organization can't handle it.
Let's assume - agreed, that's a foolish thing to do - that the organization makes the ubiquitous widget.
The R&D folks have come up with a modification that makes the widget both more efficient and economical for the user. Let's say the "user" is the government and the widget is used on ships. A cutter uses a half dozen widgets, a carrier uses more than 100.
Bottom line, that's a lot of widgets.
Trouble is, the organization is set up to deliver tens of widgets a month; the government wants hundreds of widgets a month.
In order to meet the government requirements, the organization has to
- Employ more people to staff the production line, which means
- Expand the facility and
- Expand the production line which means it must
- Expand the QA/QC operation
- Find the funds to do all of the above; are lenders available and willing; how much of the organization will have to be "signed over" to the lenders?
- Increase raw materials orders from vendors (can the vendors meet the new requirements?)
- Train new hires (are clearances needed?)
Of course the above are just the tip of the proverbial iceberg.
Unfortunately, few business continuity practitioners consider good times as a risk. Good times simply are "not in scope."
Enterprise Risk Management practitioners should; good times are within "scope" for them.
A business continuity practitioner's "scope" typically includes the obvious, and some not-so-obvious, threats to the organization: fire, flood, empty building events, vendor failures, the ubiquitous computer failure.
Business continuity is for small-minded organizations. Granted, business continuity is one step up from simple IT disaster recovery, but it leaves the organization fragmented into far too many "silos."
Some of the silos may not even be integrated into the organization. Examples are Legal and Public Relations (a/k/a Corporate Communications). These, like payroll, often are jobbed out to vendors working on retainer or on an hourly basis.
Yet Legal, Corporate Comm, Payroll, and all the other "support" functions need to be included in the Enterprise Risk Management program.
Even the crystal ball gazers, those folks who try to predict future needs and what customers may desire down the road. "Futurists."
Should the Enterprise Risk Management practitioner be a "futurist"? A lawyer or even a paralegal? What about a PR maven?
Asking the practitioner to be an expert in these disciplines is akin to asking the practitioner to be an SME for HR, Production, QA/QC, Shipping/Receiving, or even InfoTech, the latter where expertise is outdated in the blink of an eye.
What the Enterprise Risk Management practitioner must be is a diplomatic "master (or mistress) of ceremonies," someone able to get everyone working together toward the common goal of protecting the organization from all threats. The practitioner needs to keep up with the "threats du jour" and have an interest in all the "silos" of the organization. The practitioner needs a curious mind unbounded by an artificial "business continuity interests" frame. This curiosity needs to be channeled into "What if" questions for all the SMEs with whom the practitioner works.
John Donne's famous quote was true when he penned it. It remains true today, both for individuals and organizations.
If I wrote it, you may quote it.
"No man is an island, entire of itself; every man is a piece of the continent." Meditation XVII: Devotions upon Emergent Occasions
Longer articles at https://sites.google.com/site/johnglennmbci/