April 2011 | Special Edition: Dealing with Disasters - Emergency Preparedness

# FEATURE

## Consequence-Based Analysis: An Emerging Risk Assessment Paradigm

### By Donald Byrne

Media coverage of recent catastrophes has heightened the legal community's awareness of these events' potential to disrupt business. In some cases, entire communities have been shattered for prolonged periods, while others have disappeared forever. Whether due to natural hazards, human error, or the threat of a devastating pandemic, law firms across the country are more aware of the importance of preparedness and contingency planning. This has many firms rethinking their preparedness planning and is causing a shift from a recovery focus to proactive mitigation and continuity planning. Central to this change is a new approach to threat and risk analysis. Referred to as consequence-based assessment, this approach breaks with the conventional four-step methodology used to estimate risk.

### Traditional Risk Assessment: A Four-Step Process

Law schools teach the same four-step methodology used by many insurance professionals and contingency planners to estimate risk. First, a list of previously encountered business threats is created. Other threats may be added to the list, reflecting current or future concerns such as the danger of a pandemic or political upheaval.

Second, each threat is assigned a probability based on its likelihood of occurrence. Third, the cost to the firm in lost income and added expense of dealing with each threat is estimated. Last, this estimate is multiplied by the probability of occurrence to determine the firm's annual loss exposure (Figure 1).

## Figure 1: Calculating Annual Loss Exposure

| Threats Facing the Firm | Annual Probability | Estimated Financial Loss | Annual Loss Exposure (ALE) |
| --- | --- | --- | --- |
| Severe Weather | 12% | \$80,000 | \$9,600 |
| Earthquake | 0.50% | \$450,000 | \$2,250 |
| Prolonged Loss of Power | 5% | \$210,000 | \$10,500 |
| Pandemic | 1% | \$575,000 | \$5,750 |
| Fire | 3% | \$280,000 | \$8,400 |
| Loss of IT Services | 10% | \$375,000 | \$37,500 |
| Total Annual Loss Exposure | | | \$74,000 |

This type of table gives management insight into which threats pose a danger to the firm and an understanding of the potential loss associated with each type of event. Some organizations use this information in various ways, including as a budgeting guideline for risk control and mitigation spending.

### Dealing with Shortcomings

There are two widely acknowledged shortcomings to this traditional approach. First, many risk professionals believe that this methodology underestimates the danger posed by catastrophic events that have a low probability of occurrence. In the example shown above, some would argue that the risk of an earthquake is not adequately profiled.

Second, many threats are not represented even though they pose a significant risk to the organization. This is especially true of unanticipated secondary and tertiary effects that may be triggered by an identified risk. The nuclear disaster at the Fukushima power plant is an example of an unexpected threat that arose from an unpredictable set of cascading events. Who would have imagined that one of the countries best-prepared for all types of natural disasters would suffer a nuclear accident because of an offshore earthquake?

### An Alternative Approach

In an effort to increase management's awareness of low probability threats that have catastrophic consequences, some organizations have adopted a modified form of the ALE methodology. Known as a heat map, this approach groups threats into four priority categories rather than focusing on the loss potential of a disruption (Figure 2). Threats considered Urgent should be addressed immediately, while those rated Important should be addressed within six months. The two remaining categories, Monitor and Ignore, provide management with a comprehensive look at the firm's risk profile. Threats in these latter categories can be dealt with at a later date or not at all.

## Figure 2: Risk Assessment Heat Map

As is the case with the ALE risk table, the heat map analysis should be re-evaluated at least annually.

The advantage of the heat map model is that it gives visibility to low probability events that have the potential to significantly disrupt operations. When combined with an Annual Loss Exposure analysis, a heat map adds significant value to management's understanding of the risks facing their firm. Unfortunately, even this improvement does not help businesses prepare for unforeseen events or the chaos associated with disasters.

### A New Approach: Re-thinking Risks

Realizing that it is impossible to account for every conceivable threat, contingency planners have recently devised a new approach to risk assessment. Rather than focusing on threats, this new methodology ignores the cause of the disruptions and explores possible weaknesses in key operating elements. Known as Consequence-based Risk Assessment, this three-step model begins by identifying a firm's critical components. This analysis includes a review of infrastructure, staffing, key services, and other resources. Second, each identified element is examined and a determination is made as to its capacity to operate in a stressful environment. Failure points are noted and strategies developed to compensate for these shortcomings. Last, all areas are reviewed and decisions are made to either leave them as is (i.e., accept some level of risk) or invest in ways to increase the component's resiliency. Figure 3 highlights some operational components that are common to organizations. These and other critical elements should be evaluated and judged on their ability to continue to perform in the face of a serious disruption.

## Figure 3: Common Areas of Operational Disruption

• Support staff
• Supply chain failure
• Availability of security and safety measures
• Robustness of technical infrastructure

This approach dramatically simplifies the risk assessment process: rather than attempting to develop an exhaustive list of all possible threats, the planner can spend time understanding the capabilities and capacities of a limited number of operating components. Only elements that are critical to the actual business need be reviewed. Once these critical components are analyzed, a decision can be made as to when and how to enhance them.

### Conclusion

By focusing attention on a limited number of operational areas, contingency planners can develop comprehensive strategies that will keep the business working regardless of the origin or nature of the threat. Process concerns can be addressed through changes to policies or modifications to operating procedures. Capital spending can be directed at specific areas, and the decision to spend money can be justified in part by knowing that the investment decision was not made on the basis of one or two selected threats. Rather, the improvements will help protect the firm against a long list of foreseeable and unforeseeable threats. Experience shows that these changes often lead to expense savings, improved productivity, enhanced morale, and increased revenues.

Focusing attention on the segments of the operation that would be impacted during a disruption is proving to be a successful management strategy. Consequence-based analysis provides firms with all the benefits of the traditional risk assessments, while eliminating the uncertainty associated with these techniques.

An entrepreneur and former venture capitalist, Donald Byrne is a Partner at the consulting firm GRCS, LLC. An Adjunct Professor at Boston University, he teaches graduate courses in risk management and compliance. In 2011, Don became a Senior Fellow at the Stephenson Disaster Management Institute at Louisiana State University. A certified contingency planner (CBCP) and Lead Auditor, he regularly consults with some of the largest certification firms in the U.S. He holds degrees in mathematics, philosophy, and international marketing, is a member of the national board of the Association of Contingency Planners, and is a contributing writer for several media outlets.

