Incorporating Risk Management into BCP
What Risk Means to You
Ron Andrews
January 2013
Context
• The meaning of “risk” has expanded in definition and understanding – well beyond financial instruments and safeguards
• Greater numbers of risk assessment tools
• Broader multi-disciplinary application
• Renewed interest and opportunity in examining “risk” as applied to continuity planning
• Implications for continuity practitioners
Types of Risk
• Hazard: natural hazards, accidents, fire, other insurable hazards
• Financial: interest and exchange rate volatility, loan defaults, asset-liability mismatch
• Operational: systems, processes, people (succession planning, HR, IT, control and regulatory systems)
• Strategic: inability to adjust to environmental changes, e.g. geo-political, market, competitor, customer
Risk Management & BCM
Risk Management
• “RM is the process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of their success and reducing the likelihood of failure” (IRM)
Business Continuity Management
• “Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities” (BCI)
Risk Management & BCM

Item             RM                                      BCM
Key method       Risk Analysis                           Business Impact Analysis
Key parameters   Impact and Probability                  Impact and Time
Incident type    All types, though usually segmented     Events causing significant damage to critical functions/capabilities
Size of events   All (costs), though usually segmented   Strategy planning: incidents threatening survival

Source: BCI “Good Practice Guidelines” (2007)
ERM and BCM
Managing Risk
• Process Dimension (Technical)
• Systems, structures, strategies and tools
• Application of sound processes and rational logic
• Results reinvested through a learning cycle
• People Dimension (Human)
• Belief and value systems
• Knowledge, skill and competency
• Success dependent on the human element
Risk is Evolving
From                                 To
Risk as individual hazards           Risk in context of business strategy
Risk identification and assessment   Risk portfolio development
All risks                            Critical risks
Risk mitigation                      Risk optimization
Risk limits                          Risk strategy
Risks with no owners                 Defined risk responsibilities
Risk quantification                  Risk monitoring and measurement
Risk is not my responsibility        Risk is everyone’s responsibility
Sample Risk Management Frameworks
Risk Management Trends
• Growing numbers of “emergent” or “wicked” problems
• Greater need for comprehensive BCM and EM governance models, tools, processes and adaptive strategies
• Greater need for awareness, understanding and acceptance of ERM, RM and BCM risk mitigation/management strategies
• RM profile continues to gain prominence in business and government, e.g. ERM, but challenging with limited resources
Implications for Practitioners
Risk - Context
• Complex and multi-faceted
• Multi-disciplinary in understanding and application
• Integrally tied to innovation and resilience
• Rarely falls neatly into functional areas
• Emerging risks = emerging opportunities
• Management of risk is not technically difficult
• Embedding an RM culture is far more challenging
Risk - Practice
• Risk management as normal business strategy
• Holistic, inter-functional planning
• Clear, realistic and generalizable RM plans
• Understand the risk tolerance/profile; build for resilience, not just recovery
• Risk measures anchored to routine governance and business processes
• Leverage current communication tools
• Consider blending RM with BIA
• Gradually increase testing complexity
• Embrace risk audits
• Build awareness, training and certification
• Accept that all RM plans are dynamic
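The RM/BCM comparison earlier (risk analysis keyed on impact and probability; BIA keyed on impact and time) and the suggestion above to blend RM with the BIA are easiest to see with the same set of business functions scored both ways. The following is an added example, not code from the slides or from any of the cited frameworks; every function name, threat, probability, loss figure and the 48-hour recovery capability are constructed for illustration, and the blending rule is one assumed policy, not a BCI or IRM prescription.

```python
"""Added example, not from the original slides: the same business functions
scored as a risk analysis would (impact x probability) and as a BIA would
(impact against outage time). All names and figures are constructed."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float  # assumed annual likelihood, 0..1
    impact: float       # assumed loss if the threat is realised


@dataclass
class BusinessFunction:
    name: str
    threats: list            # threats considered in the risk analysis
    loss_after_hours: dict   # outage duration (h) -> cumulative loss (BIA impact profile)
    intolerable_loss: float  # loss level the organisation will not tolerate


def risk_score(fn: BusinessFunction) -> float:
    """RM view: expected annual loss, the sum of probability x impact over threats."""
    return sum(t.probability * t.impact for t in fn.threats)


def mtpd_hours(fn: BusinessFunction):
    """BCM view: maximum tolerable period of disruption, i.e. the first outage
    duration at which cumulative loss reaches the intolerable level.
    Probability plays no part. Returns None if the level is never reached."""
    for hours in sorted(fn.loss_after_hours):
        if fn.loss_after_hours[hours] >= fn.intolerable_loss:
            return hours
    return None


def rank_by_risk(functions):
    """Highest expected annual loss first (risk register ordering)."""
    return [f.name for f in sorted(functions, key=risk_score, reverse=True)]


def rank_by_bia(functions):
    """Shortest MTPD first; functions that never reach the threshold go last."""
    def key(f):
        m = mtpd_hours(f)
        return float("inf") if m is None else m
    return [f.name for f in sorted(functions, key=key)]


def blend(functions, recovery_capability_hours):
    """Assumed blending rule: a function whose MTPD is no longer than the time
    recovery currently takes cannot rely on recovery alone and needs a
    continuity strategy whatever its probability; the rest are prioritised by
    risk score. Returns (continuity list, risk-managed list)."""
    continuity = [f for f in functions
                  if mtpd_hours(f) is not None
                  and mtpd_hours(f) <= recovery_capability_hours]
    rest = [f for f in functions if f not in continuity]
    return rank_by_bia(continuity), rank_by_risk(rest)


# Constructed sample data (hypothetical functions, threats and figures)
FUNCTIONS = [
    BusinessFunction(
        "Payroll",
        [Threat("data centre fire", 0.01, 500_000)],
        {24: 10_000, 72: 50_000, 168: 500_000},
        intolerable_loss=400_000,
    ),
    BusinessFunction(
        "Online order intake",
        [Threat("DDoS", 0.4, 20_000), Threat("web application breach", 0.1, 100_000)],
        {1: 5_000, 4: 30_000, 24: 200_000, 72: 800_000},
        intolerable_loss=150_000,
    ),
    BusinessFunction(
        "Trading settlement",
        [Threat("payment gateway outage", 0.02, 300_000)],
        {1: 100_000, 4: 600_000},
        intolerable_loss=500_000,
    ),
]

if __name__ == "__main__":
    print("RM ranking  :", rank_by_risk(FUNCTIONS))
    print("BIA ranking :", rank_by_bia(FUNCTIONS))
    print("Blend (48 h recovery capability):", blend(FUNCTIONS, 48))
```

With these figures the risk register puts order intake first because its threats are frequent, while the BIA puts trading settlement first because its loss becomes intolerable within four hours even though the triggering event is rare. Only the BCM view catches that; only the RM view ranks the functions that recovery can already handle.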
Risk Management Exercise
Room Discussion
Your CEO believes that true enterprise resiliency is achievable. Discuss.
Small Group Discussion
Your CEO wants to incorporate a very robust risk management tool into either the BIA or the Strategy component of the company BCP. You develop one. Discuss.
References
• BCI, “Risk and Business Continuity Management”
• Canadian Centre for Management Development, “A Foundation for Developing Risk Management Learning Strategies in the Public Service”
• Ernst & Young, “BCM – Current Trends”
• IMA, “ERM: Frameworks, Elements and Integration”
• IRM, “A Risk Management Standard”
• IRM, “A Structured Approach to Enterprise Risk Management”
• IRM, “Risk Appetite and Tolerance: Guidance Paper”
• IRM, “Emergent Risks”
• ISO 31010, “Risk Management – Risk Assessment Techniques”
• Klein, Luc, “Is Business Continuity Management a Misnomer?”
• KPMG, “Enterprise Risk Management”
• Lenhart, Carol, “Exploring the Interrelationship between Risk Management and Business Continuity: An Interview with David Kaye”
• PricewaterhouseCoopers, “Exploring Emerging Risks”
• PRMIA.org, “Future of Risk Management and Compliance: Global Trends and Perspectives”
• The Conference Board, “Bouncing Back: How Companies Approach Resilience”
• UNESCO, “Risk Management Training Handbook”
Recommended Reading
• Bestoutcome, “Risk and Issue Management Workshop”
• Deloitte, “ERM Management Survey Report – 2012”
• Gartner, “BCM: Key Performance Indicator – Key Risk Indicator Mapping”
• Hubbard, Douglas, “The Failure of Risk Management”
• IRM, “Risk Culture Under the Microscope”
• PRMIA, “Future of Risk Management and Compliance: Global Trends and Perspectives”
Contact
Ron Andrews
34 Stonington Bay
Winnipeg, Manitoba
R3P 2K4
(204) 489-3700
Risk Notification