Kenya Electricity Generating Co. Limited - KenGen
Risk Intelligence: 'Consolidating Risk Management & Business Continuity Strategies'. The Case of
KenGen.
Presented by: Duncan O. Ogutu
Chief Risk Officer – KenGen
No part of this presentation may be circulated, quoted, or reproduced for distribution outside this Conference without prior written approval from the author. This material
was prepared and used by Duncan O. Ogutu during an oral presentation. It is therefore not a complete record of the discussion.
Objectives of This Session
Consolidating risk management and business continuity strategies
➢ Operationalise & update BCP as part of ERM Programme;
➢ Manage multiple enterprise-wide risks through a transitional period;
➢ Reduce operational surprises and losses during times of uncertainty; and
➢ Enable your business to recover quickly from events that disrupt process flow.
Enterprise Risk Management
A structured, systematic and consistent approach to development and application of
management culture, policy, procedures and practices to the tasks of identifying,
analyzing, evaluating, controlling, responding to risk and ensuring sustainability of the
process.
Business Continuity
A strategic and tactical capability of the organization to plan for and respond to
incidents and business disruptions in order to continue business operations at an
acceptable pre-defined level.
Business Continuity Management
A holistic management process that identifies potential threats to an organization and
the impacts to business operations that those threats, if realized, might cause, and
which provides a framework for building organizational resilience with the capability
for an effective response that safeguards the interests of its key stakeholders, reputation,
brand and value-creating activities.
NOTE Business continuity management involves:
• Managing the recovery or continuation of business activities in the event of a business disruption; and
• Management of the overall programme through training, exercises and reviews, to ensure the business continuity plan(s) stays current and up-to-date.
BCM & Organization Strategy
Business continuity management (BCM) is a business-owned, business-driven process
that establishes a fit-for-purpose strategic and operational framework that:
• Proactively improves an organization’s resilience against the disruption of its ability to
achieve its key objectives;
• Provides a rehearsed method of restoring an organization’s ability to supply its key
products and services to an agreed level within an agreed time after a disruption; and
• Delivers a proven capability to manage a business disruption and
protect the organization’s reputation and brand.
While the individual processes of business continuity can change with an
organization’s size, structures and responsibilities, the basic principles remain exactly
the same for voluntary, private or public sector organizations, regardless of their size,
scope or complexity.
Enterprise Risk Management & Business Continuity Management
Relationship:
Business continuity is an element within the wider context of Enterprise Risk
Management (ERM). ERM is the practice of systematically identifying, understanding
and managing the risks by an organization. The ERM Process is illustrated in Figure 1.
A structured, systematic approach to ERM will enable Organizations to develop a
thorough understanding of the risk issues that may prevent the achievement of goals or
objectives.
As part of this process, an organization should define its essential functions and key
dependencies, and also clearly identify those risks which may potentially result in an
interruption to the services.
A BCP is therefore a means of minimizing the impacts of a particular risk; however, it is
not a preventative control/response mechanism for all risks.
Relationship Continued
• ERM and BCM need to be considered as part of an integrated process.
• Risk Management – the identification, analysis and evaluation of risks – is the important
early step to understanding the risks and scoping the need for BCPs. The interface
between ERM and BCM is illustrated in Figure 2.
• Further information relating to KenGen’s ERM approach can be found in our
ERM Policy & Framework.
Figure 1: Relationship Continued
[Diagram labels: Business Management; Risk Management; Business Continuity Management; Prevention – Incidence (Emergency Response, Continuity & Recovery Response)]
The Business Continuity Management Process
The BCM Process
Step 1 − Programme Management/Risk Identification
Step 2 − Risk and Business Impact Analysis
Step 3 − Identification of Response Plan Options
Step 4 − Development of Response Plans
Step 5 − Train, Exercise and Maintain
The ERM Process
Step 1 - Identify risk;
Step 2 - Measure risk;
Step 3 - Select a risk response;
Step 4 - Develop mitigating strategies;
Step 5 - Report on risk; and
Step 6 - Sustain the risk management process.
Figure 2: Risk Management Process: Risk Treatment
[Diagram steps: Establish the Context; Identify Risks; Analyze Risk; Evaluate Risks; Treat Risk (Business Continuity Plans: a treatment for some risks)]
KenGen’s ERM Approach
Due to the nature of the industry in which KenGen operates and also the nature of our operations,
we have chosen to manage risks under the following categories:
Strategic Risk Management;
Project Risk Management;
Process/Area Risk Management;
Fraud Risk Management; and
Business Continuity Management
Note that this does not in any way replace the specific ERM model we use, but it allows
management to provide effective risk response strategies that best manage risks in a
co-ordinated way.
Figure 3: BCM Process Illustrated
[Diagram stages: Program Management; Risk & Business Impact Analysis; Identify Response Option; Develop Response Plans; Sustainability]
Step 1: Program Management
The primary focus of this step is obtaining Executive support and commitment of
resources to develop and maintain the BCM programme.
As BCM is an integral part of an organization's approach to managing risk, this should
be completed as part of the development of an Organization’s overall Risk Management
programme.
Step 2: Risk and Business Impact Analysis
The emphasis of this step is on prioritizing the business activities that are critical and
identifying the resources that are required to support these activities for business
continuity purposes. This involves:
Identifying the key business activities that are performed by KenGen;
Assessing the potential business impact in case of interruptions over varying
timeframes;
Determining the timeframes within which critical business activities must be
resumed following an outage; and
Identifying the resource requirements for business continuity.
Reference should be made to KenGen’s operational Risk Management
programme, where in many cases critical activities and risks to those activities may
have already been defined.
Step 3: Identify Response Options
This step involves the identification and assessment of response options to meet an
organization’s requirements for business continuity. These cover:
People,
IT systems and networks,
Premises and facilities, and
Data backup and offsite storage.
The recommended options, along with the associated budgets and implementation
plans, are then presented for Executive approval.
Step 4: Develop Response Plan
• Once the appropriate response option has been approved, the process of developing the
response plan begins. This involves:
Organizing managers and employees into crisis management and business continuity
teams;
Developing processes for incident notification and escalation; and
Documenting business continuity action plans for critical business activities.
This is also the time when any physical implementation work, such as procurement of
backup equipment and commissioning of alternate sites, is carried out.
Step 5: Sustaining the BCM Process
This is the step to ensure that what has been developed and documented will actually
work to enable the Organization to continue to deliver critical business activities when
a crisis arises. This involves:
Training relevant employees on the use of the plan;
Conducting exercises to validate the completeness and accuracy of the plan; and
Putting in place a schedule for the on-going maintenance of the plan.
Managing Risk vs. Business Continuity (BCM)
• As we continue to pursue the vision for KenGen to bring together multiple areas of risk
management into a cohesive and meaningful program at the executive level, we are
increasingly presented with the stark disconnect between the executive decision-
making process and risk management activities ongoing throughout the enterprise.
• While each area of risk management, such as Business Continuity, Disaster Recovery,
EH&S, Insurance Risk Management, Audit, etc., operates under some level of mandate
and with the best of intentions to protect and enable the enterprise, the reality is that
these disparate activities, with their disparate reporting structures and disparate
definitions of what constitutes risk, inadvertently create a noise level in the executive
suite that disables a comprehensive approach to risk management.
• Although Enterprise Risk Management has become a part of the executive dialogue, the
challenge remains to establish a truly comprehensive yet manageable approach to risk
management that enables executive decision making rather than distracts from the
process of managing the business, causing business decisions to be made away from the
risk management process.
Top Mistakes in Business Continuity Management: Is your company
making these mistakes?
I would like to share with you several mistakes made in Business Continuity Management:
• Investing in a BCM solution BEFORE defining your business requirements. We see
companies make multi-million-dollar decisions to select vendor or internal solutions
and implement recovery technology without the benefit of a clearly defined Business
Continuity strategy. The result can be over-built recovery solutions that do
not align with business requirements. Consider these questions:
-- How much data can you afford to lose? (Probably zero!)
-- How long can you afford to go without access to your IT systems?
• Updating your Business Impact Analysis and Risk Assessment will ensure your recovery
brings efficiency while optimizing BC capabilities.
• Allowing your executive team to accept risk without fully appreciating the implications.
When executives decide against a comprehensive Business Continuity Program, they
accept significant risk, typically without a clear understanding of whether they'll be
able to compensate for the potential loss to the organization.
Is Your Company Making These Mistakes?
• Allowing your Business Continuity capabilities to become outdated. The number one
cause of failure we see during a recovery is the divergence between the real
environment and the recovery environment. We strongly encourage you to test often,
test adequately, and keep your plans and solutions current.
• Viewing Business Continuity as point-in-time projects rather than an ongoing program.
From an executive perspective, it is an unpleasant reality that Business Continuity
capabilities require an ongoing program, not occasional quick-fix projects. Businesses
are continually changing either incrementally over time or through strategic events
such as mergers or acquisitions. By managing Business Continuity as an ongoing program,
your company can keep up with the incremental changes, streamline investments, and
take the major changes in stride.
Best Approach
• Ensure you have a properly executed Business Continuity Plan
• Ensure that as your program becomes well aligned with your business requirements,
provides adequate protection appropriate to your budget constraints, and is quickly
evolving into a well-managed set of mature business processes, you will be well
prepared should a business-impacting event occur.
Strategic Consideration for Business Continuity Management
• Business Continuity at the enterprise level presents a daunting challenge for executives
concerned with operational risks associated with vulnerabilities in critical business processes.
Mid-size and large organizations are complex eco-systems with significant internal and
external dependencies making business continuity complex and difficult to manage
effectively.
• The problem -- most businesses are built with a primary focus on optimizing quality,
efficiency, and costs while rarely considering basic risk management principles to
ensure continuity of operations. Too often, Business Continuity is an afterthought rather
than a strategic imperative.
• In reality, Business Continuity is best managed as an ongoing program designed to
create business value rather than as a series of point projects which create incremental
expense.
• The tactical approach to Business Continuity typically deals with specific events at
specific locations. As a threat manifests itself by exploiting a vulnerability, a business
interruption may occur at that location. As each location is subject to myriad threats,
and as the enterprise consists of many locations, the business continuity planning
process at the enterprise level becomes very complex.
Continuation
• Consider that any business, no matter how large or small, is built on assets and
processes designed to create and deliver a company's objectives. Within each set of
assets and processes, vulnerabilities exist that create risk to the business. In addition,
alternatives exist that may serve to mitigate or avoid those risks altogether if given
proper. From this perspective, addressing Business Continuity by exploring
vulnerabilities and alternatives to the status quo elevates this function to the level of
business strategy.
• Aligning Business Continuity with corporate policy results in a number of benefits:
manageable standards can be established throughout the enterprise, appropriate
regulatory compliance can be achieved inline rather than as a separate process, and
best practices can be leveraged across organizations. Companies that get this right enjoy
considerable savings and efficiencies, and gain assured access to market regardless of
unexpected events that may impact their business.