The earthquake took place at 13:14 (Central Mexican Time) and reached a 7.1 magnitude on the Richter scale. On the morning of that very same day, a number of people had been taking part in a drill commemorating the earthquake of 19th September 1985. That drill, or simulation, was one of the evacuation protocols we had been taught so that we would know what to do in exactly this situation.
As mentioned earlier, it is important to have a contingency plan to ensure business continuity and minimize operational risk impact.
If a natural disaster of this scale were to happen, would your organization be able to carry on with its operations?
A few months before the earthquake, I was visiting a customer to coach them on GRC (Governance, Risk and Compliance) best practices and to organize a training plan on our solutions. The customer described the risks the organization might face: they had started identifying risks and their mitigating controls, and had defined a taxonomy of internal and external risks (technological, financial, strategic, operational, natural, etc.).
A month went by before my next visit to this customer to follow up on their processes, risks and controls. I was surprised to discover that the customer had not assessed any of the risks previously identified: they had only built a register of isolated risks and had not identified any dependencies or causal links between them. My immediate recommendation was to start linking risks together and to assess not only the risks they already knew about but also their corresponding controls, so that the right reports could support their decision making. However, this was a rather complex company whose approach was more “reactive”: they would rather fix small errors than look for their root cause. Hence, this customer was only looking for the tools needed to achieve compliance with a regulation, and was not pursuing any additional benefits.
Carlos Adán Moctezuma Figueroa “They never saw the added value of business continuity planning.”
Two months later, I went back to visit my customer and found their situation chaotic: they had moved offices and acquired new buildings and new infrastructure and, as expected, they were not able to meet with me in the wake of the earthquake. We reconvened and met again in February 2018. Fortunately, no one from the organization was injured during the earthquake. However, resuming business as usual proved very difficult and, naturally, they did not get to dedicate any time or resources to continuity planning or risk assessment. Incidents would materialize, and the organization found itself unable to react. The directors were asking themselves questions such as “How do we resume operations?”, “How are we supposed to carry out our processes?”, “Would my infrastructure be affected?”, “How do I mitigate my risks?”, “What do I prioritize?”, “Can I carry on with the resources I am left with?”, but no one could find an answer…
Customer “How do I resume my business, if I do not have visibility?”
This anecdote illustrates a reality faced by every organization. When an enterprise is based in an area prone to unavoidable natural phenomena, it is necessary to establish a preventive program and design a plan to counteract these operational risks, the aim being not only to reduce the impact but also to ensure business continuity.
Risk Managers need to supervise a vast scope of risks, but also to optimize their risk management processes. To do that, there are advanced tools on which Risk Managers can rely to adapt to a continually changing environment and to manage operational and IT risks while following the lines of defense model (Internal Control, Risk Management and Internal Audit).