Incorporating Risk Management into BCP
What Risk Means to You
Ron Andrews
January 2013
Context
• The meaning of “risk” has expanded in definition
and understanding – well beyond financial
instruments and safeguards
• Greater numbers of risk assessment tools
• Broader multi-disciplinary application
• Renewed interest and opportunity in examining
“risk” as applied to continuity planning
• Implications for continuity practitioners
Types of Risk
• Hazard
  • Natural hazards, accidents, fire, other insurable hazards
• Financial
  • Interest and exchange rate volatility, loan defaults, asset-liability mismatch
• Operational
  • Systems, processes, people – succession planning, HR, IT, control and regulatory systems
• Strategic
  • Inability to adjust to environmental changes, e.g. geo-political, market, competitor, customer, etc.
Risk Management & BCM
Risk Management
• “RM is the process which aims to help organizations
understand, evaluate and take action on all their risks
with a view to increasing the probability of their success
and reducing the likelihood of failure” (IRM)
Business Continuity Management
• “Business Continuity Management is a holistic
management process that identifies potential impacts
that threaten an organization and provides a framework
for building resilience and the capability for an effective
response that safeguards the interests of its key
stakeholders, reputation, brand and value creating
activities” (BCI)
Risk Management & BCM
ITEM | RM | BCM
Key Method | Risk Analysis | Business Impact Analysis
Key Parameters | Impact and Probability | Impact and Time
Incident Type | All types – though usually segmented | Events causing significant damage to critical functions/ capabilities
Size of Events | All (costs) – though usually segmented | Strategy planning - incidents threatening survival
BCI “Good Practice Guidelines” (2007)
ERM and BCM
Managing Risk
• Process Dimension (Technical)
  • Systems, structures, strategies and tools
  • Application of sound processes and rational logic
  • Results reinvested through a learning cycle
• People Dimension (Human)
  • Belief and value systems
  • Knowledge, skill and competency
  • Success dependent on the human element
Risk is Evolving
From | To
Risk as individual hazards | Risk in context of business strategy
Risk identification and assessment | Risk portfolio development
All risks | Critical risks
Risk mitigation | Risk optimization
Risk limits | Risk strategy
Risks with no owners | Defined risk responsibilities
Risk quantification | Risk monitoring and measurement
Risk is not my responsibility | Risk is everyone’s responsibility
Sample Risk Management Frameworks
Risk Management Trends
• Growing numbers of “emergent” or “wicked” problems
• Greater need for comprehensive BCM and EM governance
models – tools – processes and adaptive strategies
• Greater need for awareness, understanding and acceptance of
ERM, RM and BCM risk mitigation/ management strategies
• RM profile continues to gain prominence in business and
government, e.g. ERM, but challenging with limited resources
Implications for Practitioners
Risk - Context
• Complex and multi-faceted
• Multi-disciplinary in understanding and application
• Integrally tied to innovation and resilience
• Rarely falls neatly into functional areas
• Emerging risks = emerging opportunities
• Management of risk is not technically difficult
• Embedding an RM culture is far more challenging
Implications for Practitioners
Risk - Practice
• Risk management as normal business strategy
• Holistic, inter-functional planning
• Clear, realistic and generalizable RM plans
• Understand the risk tolerance/ profile – build for resilience,
not just recovery
• Risk measures anchored to routine governance and
business processes
• Leverage current communication tools
• Consider blending RM with BIA
• Gradually increase testing complexity
• Embrace risk audits
• Build awareness, training and certification
• Accept that all RM plans are dynamic
Risk Management Exercise
Room Discussion
Your CEO believes that true enterprise resiliency is
achievable. Discuss.
Small Group Discussion
Your CEO wants to incorporate a very robust risk
management tool into either the BIA or the
Strategy component of the company BCP. You
develop one. Discuss.
References
• BCI, “Risk and Business Continuity Management”
• Canadian Centre for Management Development, “A
Foundation for Developing Risk Management Learning
Strategies in the Public Service”
• Ernst & Young, “BCM – Current Trends”
• IMA, “ERM: Frameworks, Elements and Integration”
• IRM, “A Risk Management Standard”
• IRM, “A Structured Approach to Enterprise Risk Management”
• IRM, “Risk Appetite and Tolerance: Guidance Paper”
• IRM, “Emergent Risks”
• ISO 31010, “Risk Management-Risk Assessment Techniques”
• Klein, Luc “Is Business Continuity Management a Misnomer?”
• KPMG, “Enterprise Risk Management”
• Lenhart, Carol “Exploring the Interrelationship between
Risk Management and Business Continuity: An Interview
with David Kaye”
• Price, Waterhouse, Coopers, “Exploring Emerging Risks”
• PRMIA.org, “Future of Risk Management and
Compliance: Global Trends and Perspectives”
• The Conference Board, “Bouncing Back: How Companies
Approach Resilience”
• UNESCO, “Risk Management Training Handbook”
Recommended Reading
• Bestoutcome, “Risk and Issue Management Workshop”
• Deloitte, “ERM Management Survey Report – 2012”
• Gartner, “BCM: Key Performance Indicator – Key Risk
Indicator Mapping”
• Hubbard, Douglas, “The Failure of Risk Management”
• IRM, “Risk Culture Under the Microscope”
• PRMIA, “Future of Risk Management and Compliance:
Global Trends and Perspectives”
Contact
Ron Andrews
34 Stonington Bay
Winnipeg, Manitoba
R3P 2K4
(204) 489-3700
bcmguyron@gmail.com
Risk Notification
