Tag Archives: business continuity

Analysing road vulnerability in Norway

How does the Norwegian Public Roads Administration NRPA assess the vulnerability of the Norwegian road network? This is the first post in an attempt at resurrecting this blog from its hibernating state that has now lasted for some 18 months, and marks the start of blog posts from my life as senior adviser in contingency planning and crisis management, where I spend much of my working hours developing tools for risk analysis and giving lessons on how to conduct risk analyses. The inspiration for this post is taken from the course material I prepared for a recent course.

Why risk and vulnerability analysis?

As a government body, the NRPA adheres to many laws and rules, and is guided by a number of policies and principal documents. One of these documents, the National Transport Plan, or NTP in short, states that the national goal for transport is:

To provide an efficient, accessible, safe and environmentally friendly transport system that covers society’s requirements and encourages regional development.

with accessibility being one of four main goals, as described here:

Our transport policy is to improve traffic flow and reduce the time of travel in order to strengthen competitiveness of industry and contribute to maintaining the main features of existing settlement patterns.

The most recent NTP 2014-2023 emphasizes reduced vulnerability and more adaptation to climate change as an important issue for the future:

Precipitation, temperature and wind have a strong impact on transport infrastructure and traffic management. Extreme weather, with strong winds, storm surges, heavy rains and temperature fluctuations, imposes increased demands on infrastructure. Large sections of the current transport network are not sufficiently resilient to withstand such increased strains. The infrastructure must be made more robust and emergency preparedness must be improved.

The NRPA has its own bylaw, describing in detail which tasks we are responsible for, and with accessibility closely linked to vulnerability, it is no wonder that risk analysis and contingency planning (among many other tasks) are mentioned specifically:

The NRPA is to have an overview of the threats to and the vulnerability of the road network, and work across its own organisation (and together with other agencies) in necessary contingency planning in order to ensure the best possible accessibility under changing conditions and/or possible or actual threats.

Being able to see, evaluate and manage potential risks and vulnerabilities is in fact part of the NPRA’s obligation towards society.

Societal security and business continuity

The background for this obligation can be found in the term “Societal security”, a term not very common outside of Norway. “Societal security”, which I tried to explain in a previous post, is best translated as the ability that a society has to persist under strenuous circumstances, to maintain important functions, and to provide the necessary services to uphold the life, health and welfare of its members. It is very similar to the Finnish “security of supply” that I wrote about some time ago.

For the NRPA, societal security, or “samfunnssikkerhet” in Norwegian, means the ability that we (the NRPA) have to persist under strenuous circumstances, to maintain important functions, and to provide the necessary transport network so that society can persist. Since we plan, build, operate and maintain the Norwegian road network, it is our duty to make sure that it is functioning and accessible 24/7, even during the worst of times. That is the obligation that we have towards society.

This obligation towards “societal security” is apparently so important in today’s world that the ISO in 2013 published an international standard, ISO 22301 – “Societal Security — Business continuity management systems”, as a response to governments and regulators beginning to recognize the role of business continuity in mitigating the effects of disruptive incidents on society.

This is also reflected in Helen Peck’s 2006 article on Reconciling supply chain vulnerability, risk and supply chain management, where Peck refers to the UK Civil Contingencies Act of 2004 that requires the undertaking of business continuity planning and risk management from local government authorities, utilities providers and commercial organizations with responsibilities for essential public transport and critical infrastructure.

Risk and vulnerability

Back to risk and vulnerability: according to ISO 31000 Risk Management, there is no distinction between risk analysis and vulnerability analysis; it’s just risk analysis. However, for reasons that I cannot really understand, in Norway we mostly call it risk and vulnerability analysis. Linking risk and vulnerability is difficult. Where does one end and the other start? In my understanding, I usually use these definitions:

Risk is the potential likelihood that an event will occur and the potential consequences if the event occurs.

Vulnerability is the ability that an object has to withstand the effects of an (unwanted) event and to resume its original condition or function after that event.

Hence, to me, risk is associated with the immediate consequences of an event, while vulnerability is associated with the extent of the ability to manage or handle the wider consequences and long-term effects rather than the imminent consequences. Essentially, the less you can handle, the more vulnerable you are. Or, to use the term business continuity, vulnerability is that which stops business from continuing.

Example: Risk: A bridge is prone to being closed because of frequent flooding. Vulnerability: There is no diversion route.

I often use the bow-tie figure below to illustrate the difference between risk and vulnerability, and between proactive and reactive measures, i.e. mitigative actions and contingent actions.

Please note that the consequence in the right column does not necessarily relate directly to the cause on the same line in the left column. Also note that the consequences illustrate the wider effects on society, i.e. the business continuity issues related to societal security, whereas the event is the immediate effect resulting from the cause(s).

ISO 31000 Risk and Vulnerability Analysis

The risk and vulnerability process in the NRPA follows the terms and steps (5.3 to 5.5) used in ISO 31000, as described in the figure below:

While ISO 31000 describes very well what is meant by these terms, I have made my own, a bit more hands-on, descriptions of what a risk and vulnerability analysis contains:

What Values do we have? Establishing the context 5.3

What do we want to protect? What can we accept?

What are the Threats we face? Risk identification 5.4.2

What are our challenges? What can go wrong? What do we fear?

What are the Likelihood and Consequences of events? Risk analysis 5.4.3

Why and how can things go wrong? Causes, drivers and results?

How is our Vulnerability and Robustness? Risk evaluation 5.4.4

If things go wrong, how bad is it really? Can we cope (or not)? What are the wider effects?

Which Likelihood-reducing measures are there? Risk treatment 5.5

What have we done (and what more can we do) to prevent things from happening?

Which Consequence-reducing measures are there? Risk treatment 5.5

What have we done (and what more can we do) to prevent things from getting worse, if they indeed do happen?

Perhaps not the best of descriptions, but they work for me.

Three levels of analysis

As to the risk and vulnerability analysis itself, it is done at three different levels: simple, simplified and detailed.

Simple analysis (Level 1)

A risk and vulnerability analysis that is used to identify which risks and vulnerabilities exist and to make an initial assessment of how they should be treated. The analysis shall point at possible challenges and solutions, and is a mostly qualitative analysis, a best guess or estimate.

Evaluation criteria: Best judgement

  • Situation OK, risk treatment can be done if desired, but is not required.
  • Situation NOT OK, risk treatment is necessary and should be done; it is not required, but highly recommended.
  • Situation NOT OK AT ALL, i.e. unacceptable, risk treatment is required and must be done.

Simplified analysis (Level 2)

An extended risk and vulnerability analysis that is used to evaluate risk and vulnerability, when or where the first analysis does not yield conclusive results or when or where there is a need for a more thorough analysis to evaluate different risks and risk treatments. This is a mostly quantitative analysis that aims at determining more precise values for likelihoods and consequences.

Evaluation criteria: Risk matrix

Note that this is a generic matrix and that one must decide on which values and increments to use for likelihood and consequence before starting the analysis, by answering the question “What can we accept?” when establishing the context. This also establishes the colour grading of the matrix, which may or may not be as seen above. Being generic, this matrix should be extended to include analysis-specific consequence categories, as seen in this book on Security Risk Management, e.g. consequences for people’s life/health, environment, accessibility, property/equipment.

Detailed analysis (Level 3)

A special risk and vulnerability analysis that is used to analyse specific risks and vulnerabilities, e.g. in the construction and design details of roads, bridges and tunnels. This is a detailed and quantitative analysis using statistical methods and forecasting tools aimed at ruling out any missed uncertainties in the previous levels of analysis.

Evaluation criteria: analysis(object)-specific

This type of analysis is not often used within the NRPA and is mostly contracted out to consultants and risk analysis experts.

Events

Obviously, there are many events that could close down a road, too many to think of, actually. That is why the NRPA risk and vulnerability analysis guidelines list a set of “standard” events for which a road should be analysed, in order to generate a risk profile.

  • Adverse weather
  • Bridge closed
  • Drainage failure
  • Electricity blackout
  • Ferry link failure
  • Fire (in objects on or near the road)
  • Flooding
  • Foundation failure
  • Frequent accident point
  • Hazardous goods accident
  • High winds
  • Landslide (earthflow)
  • Malicious actions/terrorism
  • Quick clay slide
  • Restrictions (in height, width, weight, axle load etc. that make the road inaccessible to some vehicles, typically Heavy Goods Vehicles)
  • Road rescue and towing (of Heavy Goods Vehicles, other car rescues are negligible)
  • Rockfall
  • Snow avalanche
  • Storm surge
  • Terrain sinking (non-slide)
  • Transport hub inaccessible
  • Tunnel closed

In a later post I will present some of the analyses done in my work region and the risk profiles they resulted in. It is quite interesting to see which events are most frequent in which areas.

Summary

This post was meant to give some basic insight into how the Norwegian Public Roads Administration NRPA assesses the vulnerability of the Norwegian road network. It will be followed up by more detailed posts.

Author’s note

This is my first post for some 18 months now, and it has taken me more time than expected to write this. Not just because of the language barrier, as the original material for this post is in Norwegian, but also because of a “writing barrier”. Wording and phrasing and structuring a blog post is a skill that needs regular training and I must admit that my skills are still a bit rusty. Nonetheless, there’s more to come.

Crisis? What crisis?

Finally, almost to the day six months into my new job, a genuinely new post on husdal.com. My new line of work has kept me so busy that I haven’t had much time to think about supply chain risk, let alone post about it. Besides, my new job is all about business continuity and crisis management, and I haven’t even read a single article on supply chain risk since I came here, so if there is to be a new post, it has to be about crisis management. And frankly speaking, supply chain risk is probably going to be a very seldom topic on this blog from now on, unless popular demand wants it otherwise.

What is a crisis?

You see, part of my job at the Southern Region office of the Norwegian Public Roads Administration is to develop and maintain crisis management plans. One of the important questions to ask when developing contingency plans is the question “When does a situation turn into a crisis? When is a crisis really a crisis? What makes a crisis a crisis?” For that I need to define the term crisis.

An “ordinary” contingency is not a crisis

Obviously, within the Norwegian Public Roads Administration (or Highways Agency in the UK) there are contingency plans for a wide range of unexpected situations such as accidents, heavy snowfall in winter, flash floods in summer to mention but a few. There are also detailed detour plans if this or that link is closed. These are what I call “ordinary contingencies” that happen every day so to speak and that do not warrant extraordinary attention.

An extraordinary contingency is a potential crisis

It is only when the ordinary contingency plans fail or when the ordinary contingency measures are not enough that we have a potential crisis on our hands. Hence I came up with this definition of a crisis:

A crisis is a situation following an unwanted event that cannot be resolved through an organisation’s ordinary contingency efforts, but that requires a coordinated and extraordinary effort across all/many organisational units, and often additional assistance from external agents.

This definition is translated from Norwegian and my choice of words in English may not be perfect or to the point, but I hope it brings the message across.

When incidents turn into crises

Essentially, what the crisis definition says is that any eventuality that is not covered in a contingency plan can become a crisis, simply because one does not know what to do, since it is not planned for or prepared for. However, even eventualities that are covered can turn into crises, if they are not managed properly. And importantly, even if an eventuality is not covered it may not always turn into a crisis, if it is managed as it should be, despite the lack of contingency plan guidance.

Do you agree/disagree?

I’d love to hear your opinion on my definition of crisis. Please comment below or contact me directly.

Estimation of disruption risk

How to estimate the disruption risk exposure in a supply chain? That is the question asked by Ulf Paulsson, Carl-Henric Nilsson and Sten Wandel in their paper titled Estimation of disruption risk exposure, building on what Paulsson wrote in his PhD on the same subject. Here they develop a model that links disruption risk to disruption source, covers all flow-related disruption risks in the total supply chain from natural resources to delivered final product, seen from the angle of an individual focal unit in the supply chain. The model classifies the risk exposure into 15 different risk exposure boxes, of which 12 have ‘expected result impact’ and three have ‘known result impact’, providing what they call a total negative result impact.

How to handle a supply chain disruption?

One of the ideas from this article that I like very much is the different alternatives for handling a supply chain, basically only two: to act or not to act, that is the question.

These two options start from the very first signs of disruption: To act: close down the supply chain, or not to act: keep the supply chain running.

The same goes for pre-event measures, or mitigative measures as I like to call them. Here, to act means trying to prevent disruptions from happening, while not to act means either to accept the disruption and its consequences despite possible actions that could be taken, or to accept the disruption because it can neither be influenced as to probability nor as to consequence.

Similarly, when it comes to post-event measures, or contingent measures as I would call them, there is again the option of acting or handling internally or not acting or passing on the event and its consequences.

Going with the flow

Another interesting thought from this paper is the supply chain flow, where the purpose of handling supply chain disruptions is to regain a stable flow in incoming, outgoing and internal flows.

Furthermore, regaining a stable flow after a supply chain disruption also implies short-term stability or market patience while the disruption is handled and long-term stability or market confidence after an event has been handled.

Total expected result impact

Combining the disruption handling options, the types of flows and the chain of events creates twelve possible combinations of impacts which must be added in order to obtain the total expected result impact:

This splits the disruption impacts into individual units while at the same time keeping the full picture intact.

Conclusion

What I like about the model developed in this paper is that it addresses the entire supply chain from supplier until end customer. It is a holistic and generic model for estimating disruption risks in the supply chain flow in a systematic and structured manner. The model presents, as far as I can see, the most complete estimation of disruption risks, it includes incoming and outgoing flows and it separates between mitigative and contingent handling of disruptions, thus balancing proactive and reactive risk management.

Reference

Paulsson, U., Nilsson, C., & Wandel, S. (2011). Estimation of disruption risk exposure in supply chains. International Journal of Business Continuity and Risk Management, 2(1). DOI: 10.1504/IJBCRM.2011.040011

Supply Chain Continuity

Many business owners will have come across the term business continuity, and many supply chain owners will have come across the term supply chain risk management. However, the term supply chain continuity is still a rather unexplored topic, gathering a mere 45000 search results on Google, while business continuity has no less than 10 million results. But isn’t that what supply chain risk management is all about, namely supply chain continuity? Well, here’s a book that most certainly thinks so: A Supply Chain Management Guide to Business Continuity by Betty A Kildow, showing how a well-functioning supply chain is the key to a well-functioning business.

What are you afraid of?

What do businesses in Scandinavia fear the most? That is what Nordic insurance giant If Insurance decided to find out. So they asked 400 managers in major companies in Denmark, Sweden, Norway and Finland the question “What kind of risk or threat do you think that publicly listed companies in your country fear the most today?” The answer may surprise you…or maybe not, and interestingly, what is most on managers’ minds is very different from country to country. Supply chain risks do not rank very high. Actually, unless you count them in implicitly, they do not rank at all…almost. But what do business leaders in Denmark, Norway, Sweden and Finland fear the most?

Critical Infrastructure and Resilience

What happens when a business is disabled for a length of time? What are the impacts on its profitability, service delivery, and employees? What are the flow-on effects to the broader community? What are the key attributes that can help a business to bounce back or bounce forward from a disruption? Those are the issues the Australian Resilience Expert Advisory Group REAG discusses in a position paper titled Organisational Resilience. I was alerted to this paper by a recent post on the blog of Ken Simpson, a resilience expert and blogger from Australia. The paper details a set of core principles and resilience attributes that can be applied across a diverse range of critical infrastructure organisations, and although it is aimed at the individual business and its management, it is a paper that makes sense in a range of organizational settings.

SME Risk Management

Small and medium-sized enterprises (SMEs) make up the majority of enterprises in most countries, and thus often play a considerable role in supply chains, yet they often lag behind in implementing effective risk management practices. For SMEs, the establishment of a risk management system is essential to their survival and their business continuity, and a potential supply chain partner may also want to assess the proper implementation of a risk management system before engaging in a relationship. That is why Thomas Henschel wrote Risk Management Practices of SMEs. Evaluating and Implementing Effective Risk Management Systems, where he provides precise recommendations for the implementation of an effective risk management in SMEs.

Risk Management Simplified

Risk management. Why make it difficult when you can make it easy? That is perhaps what Andy Osborne thought when he wrote his most recent book, Risk Management Simplified. The cover says that it is “A practical, step-by-step guide to identifying and addressing risks to your business”, and it doesn’t come much more practical than this. This is a handbook and a self-assessment tool that leaves practically no risk uncovered. It’s practical, well-illustrated, to the point, not academic at all, filled with case examples and easy to work with. In this post, I will take a closer look at the book, because despite its simplicity, it does hold a couple of hidden gems worth mentioning.

Book Review: Procurement Risk

“Do you like living dangerously? Then you should read this book. It exposes you to over seventy types of risk you can take in your business life.” Those are the opening words of the most recent book on my night stand. Written by Richard Russill, the title Procurement Risk is perhaps misleading, as this book is just as much about supply chain risk or enterprise risks in general. In fact, the book makes a strong argument for procurement risk management being just a short step away from business continuity management. Not only will this book help procurement professionals to lift their head from their desks and gain a wider perspective on possible ramifications of their purchasing decisions, it will also help top managers to see procurement as a crucial contributor to a company’s well-being and competitive advantage.

London Olympics and Business Continuity

Are UK businesses, and in particular London businesses, unprepared for the London Olympics in 2012? A recent report by Deloitte would suggest so. Over two-thirds of large companies in the UK expect the London 2012 Olympic and Paralympic Games to have virtually no impact on their ability to operate “business as usual”. Only 24% of London companies expect a medium level of disruption with just 16% planning for a high level of impact during the Games. They do realize that this event is a bit larger than the average Saturday football match, don’t they?

In memoriam David Kaye

Sad news. I don’t always keep up with the subjects of my reviews, and today I was very saddened to learn that David Kaye passed away more than a year ago. David Kaye was the author of Managing Risk and Resilience in the Supply Chain, a book I reviewed on this blog some 18 months ago. David Kaye was a leading author, lecturer, examiner and workshop leader on risk management and business continuity subjects. He guided a diverse range of companies and public sector organisations on risk related issues around the world. His book was a great inspiration to me when I read it and it will continue to be so in the future.

CPM 2010 East in NYC

Behind this perhaps cryptic title (for some, but not for others, especially those in the BCM industry) is the Contingency Planning & Management Conference (CPM 2010 East) that is coming up November 3-4 in New York City. It offers a 2-day, 4-track advanced-level program taught by expert faculty in small, classroom settings. Joseph Bruno, Commissioner of the NYC Office of Emergency Management, will also be this year’s keynote speaker. I won’t be going there myself, but if you’ve never attended before and are interested in attending, through my contacts I am pleased to offer a special registration code that will save you $100 off the full conference rate.

How Norwegian freight carriers handle disruptions

Transportation networks, and in particular road networks are an integral part of supply chains, and in regions with sparse networks this road network becomes very important, since in a possible worst-case scenario no suitable alternative exists for deliveries to or from these communities. How are the supply chains of companies located in sparse transportation networks affected by transportation disruptions? What are typical disruptions in certain locations or for certain types of business, and how do businesses and carriers counter supply chain disruptions? Are bad locations synonymous with bad logistics?

Volcanic ash cloud – really a surprise?

Last week a volcanic eruption on Iceland took Europe’s civil aviation authorities by total surprise, prompting them to shut down air traffic over much of Europe for almost an entire week. An unprecedented event? Yes. Was it a surprise? Maybe Yes, maybe No. Should authorities have seen it coming? Yes. Then why wasn’t Europe prepared? On the operational level, among air traffic controllers, the awareness of the widespread impacts of a volcanic ash cloud from Iceland has been there for quite some time. They have indeed planned for it and there have been regular exercises.

Using social media in a crisis

Sometimes the timing of Internet launches is just right. And for Scandinavian Airlines (SAS) the timing of the launch of its Facebook page could not have been better planned. It was launched on April 14, the day before the volcanic ash cloud paralyzed both European and much of global air traffic. Now SAS could fully utilize the power of social media to keep its passengers informed on the latest developments, and answer all sorts of questions from stranded travelers. In all the confusion about lack of information from airlines, maybe SAS will come out as a winner?

Book Review: Heads in the sand

Finally, after 5 days of volcanic ash cloud posting, I can return to my regular topics of supply chain risk and business continuity, or maybe not…as I am tempted to rephrase the title of today’s book into “Heads in the volcanic ash”, but that would not be fair towards all those who did their utmost to deliver their services during the air traffic restrictions faced by the millions of travelers that were in fact stranded all over the world. Heads in the sand by Alex Fullick is a simple book, but it is a book that turns traditional business continuity thinking on the head, because what is business continuity really? It is the social responsibility to survive that your business has vis-a-vis the customers it serves, the suppliers that rely on it, the community it is located in, and most of all, vis-a-vis the people that work there. So easy, and yet so far from reality for many businesses in today’s world.

Volcanic Ash Cloud Day 5

Today is Day Five of the infamous Iceland volcanic ash cloud disruption. What just a week ago was a highly improbable scenario has settled in to become a daily routine…almost. Was this really one of these damned (Pardon my French) Black Swan Events…or was it a Predictable Surprise we should have been aware of? While it is fair to assume that volcanic eruptions are in the business continuity plans of most airlines, it is probably not so fair to assume that 5 days of sudden air traffic restrictions is in the business continuity plans of most companies reliant on frequent air travel. Perhaps it should have been. For sure it will be – from now on.

Can we do without air traffic?

Travelers and businesses are waking up to a fourth day of no air traffic in Europe, and a fourth day of stranded air passengers seeking whatever means they can find to reach their destination, or reaching any place between where they are stuck and where they were supposed to go. As I said in my post yesterday, perhaps it’s time to re-learn the value of slow travel, and perhaps we don’t need to go anywhere as fast as possible or have our goods delivered in an instant. If this lasts on, it may lead to a change in our way of thinking. Seriously, what would happen if this supply chain disruption because of the volcanic ash cloud were to go on for a week, a month, a year?

Business continuity 101

This is the 3rd day with severe transportation and thus supply chain disruptions all over Europe, due to the volcanic ash cloud from Iceland, forcing travellers, cargo shippers and logistics providers to seek alternative solutions. In essence this is a very practical lesson in business continuity. Who would have thought that a volcano eruption in a country that until recently and before the IceSave dispute did not make any headline news could create such havoc with widespread impacts? I certainly did not. Nonetheless, it is also a lesson in business creativity: German car rental company Sixt shows how.

Business Continuity in Global Supply Chains

Business Continuity is a crucial ingredient of supply chain management. At the same time, implementing business continuity principles in supply chains is really simple. So says Steve Cartland in his book chapter on Business Continuity Challenges in Global Supply Chains in the book titled Global Integrated Supply Chain Systems, published in 2006. Cartland’s chapter is the last of the 19 chapters in the book, and the only chapter touching upon business continuity. Unfortunately. I think this chapter should have been first.
