I was recently involved in a conversation with a group of business executives that embarked on a process to develop a business continuity program. During the initial business continuity steering committee, one executive added some thoughts regarding recent “regional” events, such as 9/11, Hurricane Katrina and the 2003 Northeast Blackout. “We couldn’t have seen any of those events coming, no one could. Although we didn’t have plans at the time, how could any business continuity plan have helped? We would have had to improvise regardless.”
Many of the other executives began nodding in agreement. One added, “We’re always good at coming together to react to various crises, and we always survive. What will a business continuity plan really do for us?” One executive, the Chief Financial Officer, pointed out a number of key facts that seemed to galvanize the rest of the steering committee, and in reality, changed the scope and approach of the business continuity effort for the better. “But didn’t we learn a lot from those that suffered from each of those events? Yes, we really weren’t affected in a material way. And we’ve been lucky so far in that we haven’t had a crisis that affected our ability to conduct business over the long-term. The crises that we manage successfully are really day-to-day operational challenges. What I think we learned is that proactively, we shouldn’t have all of our strategic assets in one location, and if we can’t avoid that, we need to protect those assets to the fullest. In other words, we can’t keep the terrorists from striking, but we can minimize the likelihood that their attack will translate into a crisis for our business, our shareholders and our employees. And second, we need to have formal processes in place to react swiftly when we’ve missed something, or if something occurred where we accepted the risk of doing nothing. Overall, we need to manage and monitor risk, and we need plans to reassure everyone involved that we have a plan in place to address the critical elements of our business – for our customers’ sake.”
By the end of that meeting, business continuity planning remained a strategic priority for the company, but the scope of their effort grew to focus more actively on managing the likelihood of potential causes of crises, as well as effects if an event were to occur.
Ralph Waldo Emerson once said, “Shallow men believe in luck. Strong men believe in cause and effect.” More and more of today’s business leaders are in the latter category because they recognize that risk management, and preparation for those events outside of their control, are necessary business practices. But what about business continuity professionals? Slowly, the business continuity profession is catching up with executive managers and recognizing the convergence of various risk management disciplines that are addressing a single goal – managing both cause AND effect. This article summarizes a trend in the risk management industry that is gaining traction in the majority of larger organizations – convergence of risk management practices.
The Trend is Convergence (What Does it Mean?)

“The thinker makes a great mistake when he asks after cause and effect. They both together make up the indivisible phenomenon.” – Johann Wolfgang von Goethe
Following the Continuity Insights conference held in New Orleans in April of this year, the magazine’s editorial advisory board convened to discuss feedback, as well as to brainstorm ideas for the 2008 event. Quickly, the board’s discussion turned to trends observed during the various break-out sessions. One such trend was that of convergence. But what does that mean?
For too long, business continuity professionals have operated in a silo that focused on reacting to an event. This reaction was designed to limit the organization’s impact following a crisis event – “the effect”. It’s true the business continuity professional thought about the causes of crisis events, but this was often limited to rank-ordering threats to enable scenario-based planning. An emphasis on governance and enterprise risk management, paired with discussions regarding recent systemic disasters such as 9/11 and Hurricane Katrina, is leading to changes in organizational risk management philosophy. Simply put, executive managers are expecting risk management professionals to work together to manage cause AND effect. Right now you may be asking yourself – how could a risk management professional prevent a hurricane or an act of terrorism? Clearly, they cannot. However, through advanced planning and preparation, risk management professionals can influence the likelihood of a catastrophic outcome caused by an event similar to 9/11 or Hurricane Katrina.
For example, imagine a consumer products manufacturer based in the Midwest (an area of the United States that often experiences tornadoes). With three manufacturing locations in Kansas, Iowa and Illinois producing similar, but not identical, products, a number of single points of failure exist. These single points of failure originated in streamlined processes born from cost-savings initiatives. In 2002, risk management was limited to loss prevention assessments, and insurance focused on the protection of facilities, equipment and finished product, as well as revenue. At that time, the information technology department had some plans to recover critical production and warehouse management systems. Today, the same organization takes a different approach, characterized as proactive. Human resources, facilities, security, risk management, business continuity, medical, communications, procurement, operations and internal audit meet regularly to identify:
- Single points of failure;
- Threats impacting people, process, infrastructure and technology; and
- Current-state or potential risk mitigation strategy options.
Risk mitigation strategy options are no longer limited to insurance, but controls designed to minimize the likelihood of a single event impacting a critical single point of failure for longer than 48 hours. This includes physical protection and hardening, dispersion, replication, business continuity planning, crisis communications planning and yes, insurance (to name a few). For this organization, minimizing cause and effect is in the organization’s best interest.
Overall, convergence is all about risk management professionals working together to minimize event likelihood and impact (cause and effect), and introducing cost-savings measures through cooperative risk management.
Getting Started

How should your organization begin down the path toward risk management convergence and realizing the benefits of this trend?
First, identify an appropriate executive sponsor with the organizational visibility and respect to lead and advise the enterprise risk management program.
Second, take inventory of existing risk management processes, and identify the process owners associated with each. These include (but are not limited to) insurance, loss prevention, security (physical and information technology), environmental health and safety, internal audit, medical services, facilities, financial risk management and business continuity management (crisis management, business recovery and information technology).
Third, meet with risk management process owners to organize future efforts and document the long-term strategy. Focus can be added to this effort by answering the following questions:
- What are we trying to protect?
- What concerns us?
- Where are we vulnerable?
- What tools do we have available to manage risk?
During initial meetings, document the coordinated risk management value proposition and an enterprise risk management process. During the risk management plan documentation process, note risk management assumptions and an organizational structure.
Fourth, and with the assistance of the executive program sponsor, expand management support in the form of a program steering committee. Include key lines of business and support functions.
Fifth, begin the risk assessment process and appropriately mitigate unacceptable risk to which the organization is vulnerable. Risk mitigation should focus on affecting both the likelihood of an undesirable occurrence and its unacceptable impact. Residual risk should be described based on the possible effect on the organization’s long-term business strategy.
Keeping Momentum

Coordinated risk management is not a one-time effort, but rather a blend of continuous risk assessment and risk mitigation based on an ever-changing business environment and business strategy. To keep momentum, consider the following:
- Develop a policy noting executive management expectations, addressing roles and responsibilities and summarizing recurring actions.
- Measure risk and report findings to executive management (particularly the steering committee and those responsible for influencing and executing business strategy).
- Survey business and technology managers and engage them in active discussions regarding realistic risk management – overall, involve them directly and continuously in the risk management process.
- Proactively manage risk through business strategy development discussions and project-related work.
- Keep the audit committee and internal audit involved in the risk management process, and enable them to use the findings to focus their recurring audits of business and technology processes.
- Capitalize on a coordinated risk management process, marketing to key customers, investors and business partners.
- Have the confidence to launch and manage strategic products and services with this new-found risk knowledge.
Conclusions

Organizations are aligning risk management resources to collectively address two important but related business issues:
- How to prevent downtime for mission critical business processes, and
- How to recover effectively should an interruption occur.
Two key components of this effort are:
- Working to make key business processes and their associated technologies resilient – if such a business need is defined, and
- Creating frameworks to respond effectively – should a failure occur.
Addressing the probability of an interruption, as well as the severity of the event, is not only a key component of the business continuity professional’s job description; it is a management expectation that all risk management professionals work together to define solutions that make business sense.