Business Continuity - Threats, Risk, Security & Resilience


BUSINESS CONTINUITY

Potential Threats Leading to Delay, Disruption, Crisis & Disaster Scenarios

Tony Ridley MSc CSyP CAS FSyl


Risk, Security, Safety, Resilience & Management Sciences (Applied) www.risk-management.au

Consideration and investigation of threats that may affect a business or its operations is often limited by time, resources, expertise and experience.

Moreover, the shortlist of threats is routinely carried over from year to year or practitioner to practitioner with limited, legitimate risk analysis or supporting evidence, before leaping into controls development, risk ratings and crisis or continuity planning.

That is, potential threats are more likely a mental accounting list or 'top of mind' consideration than a detailed, informed and analytical approach to environmental, operational or organisational threats, actors, hazards or harm.
The necessitation of an all-hazards approach to risk and threat analysis may seem obvious, but it is constantly restated by professionals and practitioners because it remains inconsistently and unevenly applied across organisations and industry.

Risk Assessments

"A comprehensive risk, threat, and vulnerability assessment offers an organized and systematic approach to assessing and documenting risks to the organization. The risk assessment provides an informed list of risks and recommended corrective actions to help the enterprise attack and correct the most serious risks identified. A risk assessment is generally a holistic view of the facility and is intended to view all activities and look for "all hazards" that can constitute risks to the company."
(Hayden, 2020)

However, all too often, risk analysis and assessments are seen as a 'one time' requirement, repurposed or 'tweaked' time and time again. This not only undermines and distorts the risk assessment process but also creates false perceptions and assumptions of resilience.

"Levee Syndrome: A condition in which the presence of safety (security) measures decreases risk awareness and leads to a lack of preparation and a liberal attitude towards the hazard (threat)."
(Paton and Johnston, 2006)

Resilience

Increasingly, these calls for revision and improvement are not limited to private enterprise, with governments echoing similar sentiment, especially when it comes to critical infrastructure. Not surprisingly, legal commentators are reinforcing these rudimentary evidence and compliance obligations.

"The program intends to increase resilience across critical infrastructure assets, address vulnerabilities across physical, cyber, supply chain, and personnel domains, provide a wholesale uplift in critical infrastructure security, and reassure the Government that critical infrastructure assets are appropriately safeguarded against all risks."
(BDO, 2021)

But government agencies are neither opposed nor resistant to improved understanding of threats, risk and harm... in all its forms.

"Current approaches to disaster risk reduction are being challenged in a world of more frequent and compounding hazards. As the population and economy continue to grow, increasing exposure is creating complex interdependencies that are leading to more systemic vulnerabilities."
(National Recovery and Resilience Agency, 2021)

Over time, more detailed analysis and reflection have led to wholesale reconsideration and revision of supply chain structures, existing networks and past assumptions of free market efficiency and self-stabilising resilience.

"The barriers put in place to reduce the spread of COVID-19 effectively represent an experiment in deglobalization, and may mark a turning point in this direction for the longer term, if companies decide to reduce their dependence on fragmented international supply chains and seek to produce goods closer to home."
(Wakefield, 2021)

Critical Infrastructure, Services and Processes

Moreover, constrained or narrow consideration of threats has routinely forced revision after other, new or emergent threats and tactics emerge.

"Critical infrastructure has long been subject to risks associated with physical threats and natural disasters, and is also now increasingly exposed to cyber risks. These risks stem from a growing integration of information and communications technologies with critical infrastructure and adversaries focused on exploiting potential cyber vulnerabilities. As physical infrastructure becomes more reliant on complex cyber systems for operations, critical infrastructure can become more vulnerable to certain cyber threats, including transnational threats."
(Homeland Security, 2019)

Natural Threats

However, revision may simply repurpose focus to that of human actors and intervention and overlook traditional, longstanding threats from the natural environment, which are both a dominant and persistent consideration for communities, organisations and governments.

"Flooding is one of the most common, widespread and destructive natural perils, affecting approximately 250 million people and causing USD 40 billion in losses on an annual basis. The increasing accumulation of assets in floodplains and coastal zones, combined with the expected impacts of climate change on precipitation patterns and sea levels, are likely to lead to increasing losses in the future. As a result, significant policy attention is being focussed on finding ways to effectively manage the financial impacts of flood risk, considering the roles of investments in risk reduction as well as mechanisms for transferring flood risk. Insurance and other risk transfer tools can make an important contribution to the financial management of flood risk by spreading the risk across domestic and international (re)insurance and capital markets and reducing the share of losses absorbed by households, businesses and governments."
(OECD, 2016)

Threat, Harm, Hazard and Risk Assessment Demands

In sum, professionals, practitioners, governments and experts support an all-hazards or comprehensive consideration of threats. Legal advisors, courts and regulators endorse this approach:

"…[Legal] cases suggest that risk assessment should be a rigorous process of gathering information in order to understand the nature of the hazard(s), the mechanisms by which the hazard(s) could give rise to injury or ill health, and the gravity of the risk"
(Johnstone and Tooma, 2012)

However, one of the most significant corrections required within organisations, communities and government is that of convergence, whereby divisions or silos have been established and reinforced between physical and digital/cyber environments.

Convergence: Physical & Digital Realms

"The decreasing separation between the physical and technological aspects of the environment, assets and services means that security issues can no longer be siloed as personnel, physical or cyber. Increasingly, if measures are to be effective in addressing the security risks, a multi-layered approach that includes consideration of personnel, physical or cyber security, as well as good governance, is required."
(CPNI, 2019)

Risk Management Legislation and Compliance

Emergency legislation has actively sought not only to correct this error but to mandate 'positive' security and risk management obligations on providers, management and owners.

"The Risk Management Program would require owners and operators of critical infrastructure assets to manage the material risk of any hazards occurring, which pose a risk of impacting on the availability, integrity or confidentiality of the critical infrastructure asset."
(Cyber and Infrastructure Security Centre, 2021)

Risk Management Framework/s

"The purpose of a risk management framework is to assist an organisation integrate risk management into strategic activities, functions and decision-making. The effectiveness of managing risk will subsequently depend on the governance, leadership and commitment of the organisation and support from stakeholders."
(National Recovery and Resilience Agency, 2020)

Risk Assessment and Management Errors

But, reverting to the premise of this article, threats remain one of the more superficial or least explored elements of risk analysis and risk management. That is, individuals, departments and organisations leap to the concept of 'control' without fully investigating or understanding the threat, actors, harm, hazard or raw risk.

"Type I – errors occur when we believe that there is a genuine effect in our population, when in fact there isn't*. (rejection of a true hypothesis – Producer's risk/sins of omission)^

Type II – errors occur when we believe that there is no effect in the population when, in reality, there is*. (acceptance of a false hypothesis – Consumer's risk/sins of commission)^

Type III – errors that arise from faulty specification of the problem, leading to real solutions to what turn out to be the wrong solutions to real problems"
(Field, 2018) & (Royal Society, 1992)

Resilience by Design

"…resilient engineering systems must be able to:

1. monitor – know what to look for;
2. anticipate – know what to expect;
3. respond – know what to do; and
4. learn – know what has happened."

"…functional resonance analysis method show how each of the resilience processes are dynamically coupled to the other processes and to identify the dependencies among them. The four abilities are focused on different ways of knowing and thus emphasise a cognitive perspective of how humans influence system resilience"
(Kekovic and Ninkovic, 2020)

Summary

In sum, continuity of business and operations, through the active application and practice of risk management, is predicated on detailed understanding, analysis and consideration of threats, harm and hazards in all their forms.

Exposure to threat is not bounded by internal or commercial constraints such as time, budget, knowledge or expertise. That is, the consequences of threat, harm and risk will occur whether or not they have been considered.

Therefore, all reasonable, probable and likely threats require consideration and evaluation. A failure to do so will inherently undermine, weaken and negate subsequent business continuity, resilience or risk agendas.

As a result, a lack of imagination, focus or expertise remains an inherent risk and danger concealed in the process.

References:

BDO (2021) An overview of the Critical Infrastructure Bill. Available at: https://www.bdo.com.au/en-au/insights/cyber-security/articles/an-overview-of-the-critical-infrastructure-bill

CPNI (2019) Security Considerations Assessment, Centre for the Protection of National Infrastructure.

Critical Infrastructure Centre (2021) Protecting Critical Infrastructure and Systems of National Significance, Co-design of Governance Rules: Critical infrastructure risk management program - summary of consultation, Department of Home Affairs, Australian Government.

Cyber and Infrastructure Security Centre (2021) Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022: Explanatory Document, Department of Home Affairs, Australian Government.

Cyber and Infrastructure Security Centre (2021) Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022: Exposure Draft, Department of Home Affairs, Australian Government.

Field, A. (2018) Discovering Statistics Using IBM SPSS Statistics, 5th ed., Sage, p. 82.

Hayden, E. (2020) Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook, Rothstein Publishing.

Homeland Security (2019) A Guide to Critical Infrastructure Security and Resilience, Cyber-Infrastructure, US Department of Homeland Security, US Government.

Johnstone, R. and Tooma, M. (2012) Work Health & Safety Regulation in Australia: The Model Act, The Federation Press, p. 42.

Kekovic, Z. and Ninkovic, V. (2020) Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade, pp. 153-173.

National Recovery and Resilience Agency (2020) National Emergency Risk Assessment Guidelines, Australian Disaster Resilience Handbook Collection, 1st ed. (updated), Australian Institute for Disaster Resilience, Australian Government.

National Recovery and Resilience Agency (2021) Systemic Disaster Risk, Australian Disaster Resilience Handbook Collection, 1st ed., Australian Institute for Disaster Resilience, Australian Government.

OECD (2016) Financial Management of Flood Risk, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264257689-en

Operations Support, Department of Natural Resources

Paton, D. and Johnston, D. (2006) Disaster Resilience: An Integrated Approach, Charles C Thomas Publishing, p. 111.

Royal Society (1992) Risk: Analysis, Perception and Management, Report of the Royal Society, London, pp. 139-140.

Wakefield, A. (2021) Security and Crime: Converging Perspectives on a Complex World, SAGE.

Enterprise Security Risk Management

Practical Questions:

Do you honestly consider 'all hazards'?

How is threat knowledge captured and communicated across your organisation?

Are 'risk', 'resilience', 'safety', 'security' and 'business continuity' still siloed across your organisation?
