We hear about financial institutions conducting stress tests to assure they have the needed capital and processes in place to weather another crisis in the global financial community. How many organizations test their operational business processes to assure they can withstand serious stress?
Delta Air Lines is probably wishing it had stress tested its staffing procedures prior to last month’s severe weather that forced the cancellation or delay of thousands of flights. The weather events that led to the crippling of Delta’s crew-scheduling system were not “black swan” type occurrences, but it was unusual that there were three back-to-back-to-back severe storms that had a cascading impact on the airline’s ability to keep up with crew-schedule changes and to communicate with crew members about revised assignments.
Which of your key business processes are exposed?
Delta experienced a breakdown in one its most vital business processes—crew scheduling. Could your organization experience something similar to one or more of its key processes? A good time to ask that question is once the annual review of your enterprise risk management process is completed for the year.
Chances are, your organization already has in place an assessment process to review the effectiveness of the mitigation procedures to address individual risks; however, you’ll probably want to examine whether your ERM program can address interrelated risks or a rolling threat such as moving weather fronts like the ones that hit Delta so hard.
Weather is not the only example of the potentially calamitous, cumulative impact of risks. Another example is the impact on supply chain of a single event or series of events, particularly for parts of your supply chain that are n-levels down the chain. Civil unrest or a labor dispute that impacts multiple nodes of your supply chain, or a shipping interruption from/to a major port, can cascade throughout your organization.
How to execute a basic stress test
To execute a simple stress test, you should first validate the risk matrix and identify the interrelatedness of each risk so that you can identify the potential for cascading or exacerbated events. Once the cross-risk relationships are captured, often in a desktop exercise, you then simulate the triggering of one risk after another to evaluate the impacts.
In one experience, we conducted this exercise on a monthly basis using scripted scenarios, adding new risk impacts as the exercise went along. This approach added a “game” atmosphere to each exercise; it also allowed us to include changes in company operations or structure to the scenarios, as well as near-real time social events, adding an element of real life to the exercise.
Conducting stress tests of your key business processes is a chance to review your ERM process and to learn from the Delta experience.