by John R. Phelps

Disasters like 9/11 and Hurricane Katrina have arguably changed the “worst case scenario” paradigm for business continuity planning and risk management. Shortly after Katrina struck New Orleans, many business continuity planners were hauled into the C-suite to explain how such a tragedy would have impacted their company. In many cases, the person responsible for Business Continuity Management (BCM) was instructed to draft a plan to address a “Katrina-like” event.
Many of us with both a BCM and Enterprise Risk Management (ERM) responsibility felt somewhat conflicted because, although it is important to have a plan for such an unlikely catastrophe, there are other serious risks that have a nearly certain likelihood of occurring. Risks like privacy, fraud and inaccurate data cost many organizations millions of dollars each year. Emotions run high in the face of rare and disastrous events, causing a rush to allocate funds and efforts to safeguard against them. Integrating BCM as part of a comprehensive ERM program allows a more reasoned and less emotional understanding of the universe of business risks faced by the company. This approach produces efficiencies with regard to how organizations react to catastrophic risk.
ERM provides the context with which to understand risks and how they interact with the business enterprise. By including BCM in such a program, the organization begins to understand how BC planning fits with other risks like the colors of a rainbow. In order to understand how both highly skilled fields can complement each other, it is important to understand what ERM means.
Most people associate “traditional risk management” with the guy that buys the insurance. For years, risk management professionals were relegated to paperwork and number crunching behind closed doors. For the past twenty years, risk management focused on dealing with insurable risks, as opposed to operational risks where outcomes can be influenced by how the risks are proactively managed. In other words, risk managers never felt they had a role in helping the organization to manage market, reputation or outsourcing risks. Instead, their expertise was applied to property, liability, and worker injury risks. In this context, business continuity and risk management were content to coexist in very separate “silos” of responsibility, failing to take advantage of the efficiencies offered by integrated risk assessment and treatment.
Within the past several years, the term Enterprise Risk Management was coined to distinguish traditional risk management from a more comprehensive and pro-active view of operational risk in an organization. ERM is a business capability and requires the organization to look at risk from a completely different perspective: as a partner and source of opportunity for the business. The question is, how can the enterprise risk manager help operational areas take those risks and use them to the advantage of their companies? In order to take risks intelligently, the organization needs a construct to evaluate risks from the boardroom to the mailroom, from power outages to hurricanes to data management or threats to brand equity.
The other distinguishing aspect of ERM is that the risk management department does not own the process. Done correctly, ERM will be embedded into the operational areas and systems. The risk manager may be the wizard of tools and steward of the governance structure, but application of the process is “owned” by the business units. In a mature structure, leaders and managers in areas like brand, finance, human resources, facilities and information technology understand their risk management responsibilities. There is a common governance structure that brings these disciplines together to provide oversight of the process and how it is pro-actively addressing risks like reputation, data quality, privacy of information and, yes, business interruption.
BCM and disaster recovery are natural components of ERM. All the resources and plans that make up a business continuity plan are developed to address business interruption risk in an organization and should be part of a comprehensive mitigation plan for all the enterprise risks.
For the last few decades, the analysis of business functions has been based upon an “impact” perspective as developed during a business impact analysis (BIA), the gold standard used to determine “criticality” of business functions. The purpose of a BIA is to assess the impact a business function has on the overall organization and to develop recovery objectives. It is not designed to provide a full risk assessment. In other words, the BIA does a poor job of assessing the likelihood of disruption to business functions and the effectiveness of controls already in place. In addition, it rarely, if ever, evaluates the business continuity risk against a tapestry of other enterprise level risks.
More mature ERM programs have the force of corporate policy that requires leaders and managers to understand risk before they take it. At Blue Cross and Blue Shield of Florida, the process starts with the BIA and is then run through the Enterprise Risk Management filter, to add the “likelihood” and “effectiveness of control” perspective. A key component of the process is the tools that have been created for the ERM program, especially the method and evaluative criteria for assessing risk. This provides a unified understanding of each risk based upon the same criteria. This method is used for all risks, including business interruption. The outcome of the ERM assessment process is the development of a specific risk index. Two different functional areas with the same impact may have very different risk indices when calculated using the ERM methodology. This helps management understand two important dimensions. First, by comparing the risk indices, a greater understanding is created of which “important” functional areas are more important than others. Second, management can understand how the risks of interrupting important business functions compare to other risks in the company like reputation or market risk. This supports decisions concerning the allocation of limited resources in terms of risk treatments. Specific to business continuity, in some cases, this process causes the organization to re-consider the application of planning resources for certain functional areas. This perspective would not have been known had management relied upon the BIA alone.
ERM, by its definition, is a very high-level view of risk in an organization. A component part of an ERM program is the mitigation of catastrophic risk from natural and human causes. Many organizations are beginning to recognize the opportunity they have from embedding or incorporating BCM into an overall program to identify, evaluate and mitigate risk. Boards expect the organization to have a comprehensive and effective process for identifying, measuring and managing risk. By viewing BCM as a risk management function and embedding it into the enterprise level ERM program, which has been aligned with the strategic imperatives of the company, boardroom expectations are met and alignment achieved.
Both BCM and ERM use scenario analysis to drive planning. After we were approached to develop plans for Blue Cross and Blue Shield of Florida in the event of another Hurricane Katrina, the hurricane threat was modeled using an outside catastrophe modeling company. Modeling revealed that the odds of the home office being struck by a Category 3 hurricane or higher are once every 70,000 years. In addition, each of the buildings was designed to withstand Category 3 hurricanes, and the new, state of the art, hardened data center is located 20 – 30 miles inland from the home office facility. This caused management to think differently about the resources it would take to relocate thousands of critical employees for a “smoking hole” type event. As a result, a staged approach was chosen to emphasize more likely scenarios but provide some pre-planning in case the worst-case scenario does happen. The hurricane scenario analysis gave us another prism with which to view our hurricane risk.
Scenario analysis can be effectively used for a multitude of risks other than hurricanes, pandemics or power outages. The process is equally valuable for events like unintentional release of data, unethical boardroom shenanigans, and supply chain failure. To illustrate how BCM and ERM can work together, consider a regulated company that needs to make state filings for rate increases. During the BIA, it was reported that the risk of lost revenue from not making timely filings (as a result of a major, unexpected disruption like a fire or long term power outage, for example) would be in the range of $2 – $5 million per week. Through the BIA lens, then, this department would be deemed critical.

After the BIA, the people in the department responsible for the filings were interviewed using an ERM process of risk profiling. The risk of not making the filing (interruption of services from the filings department) was evaluated according to impact (similar to BIA but with an established ERM scale and criterion), likelihood and effectiveness of controls. These factors were combined into a single risk index for that specific department. It was determined that the risk index was relatively low due to existing controls, including the ability to re-file renewal increases post disaster. This perspective indicates that the filings department is not “critical” after all. In other areas, the Enterprise Risk Management assessment supported the BIA findings. For example, customer service functions were critical under both the BIA and the ERM assessment. What this supports is a decision around the application of limited resources. Developing extensive plans to recover customer service areas within a minimal amount of downtime is essential. Allocating resources to recover the filings department is foolish. Ah, the efficiency of ERM!
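The "BIA first, then ERM filter" comparison above can be made concrete with a small scoring model. The following is an added example and not the author's or Blue Cross and Blue Shield of Florida's tool: the article states only that impact, likelihood and effectiveness of controls are combined into a single risk index, so the 1–5 scales, the dollar-to-impact banding, the combination formula (impact × likelihood ÷ control effectiveness) and the criticality threshold are all assumptions, and the three departments with their figures are constructed sample data that follow the shape of the filings and customer service discussion.

```python
# Added example, not from the article. Models a BIA ranking by dollar impact
# and an ERM risk index that also weighs likelihood and control effectiveness.
# Scales, banding, formula and threshold are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    weekly_loss_usd: float      # BIA impact estimate: lost revenue per week of outage
    likelihood: int             # assumed 1 (rare) .. 5 (near certain) that the disruption occurs
    control_effectiveness: int  # assumed 1 (no effective controls) .. 5 (controls largely absorb the loss)


def impact_score(weekly_loss_usd: float) -> int:
    """Map a BIA dollar figure onto an assumed 1-5 ERM impact scale."""
    bands = [(100_000, 1), (500_000, 2), (1_000_000, 3), (5_000_000, 4)]
    for ceiling, score in bands:
        if weekly_loss_usd <= ceiling:
            return score
    return 5


def risk_index(fn: BusinessFunction) -> float:
    """Assumed combination: impact x likelihood, divided by control effectiveness.

    Strong existing controls (e.g. the ability to re-file after a disaster)
    pull the index down even when the raw BIA impact is high.
    """
    return round(impact_score(fn.weekly_loss_usd) * fn.likelihood / fn.control_effectiveness, 2)


def bia_ranking(functions) -> list:
    """Criticality order the BIA alone would produce: biggest dollar impact first."""
    return [f.name for f in sorted(functions, key=lambda f: f.weekly_loss_usd, reverse=True)]


def erm_ranking(functions) -> list:
    """Criticality order after the ERM filter: highest risk index first."""
    return [f.name for f in sorted(functions, key=risk_index, reverse=True)]


def classify(fn: BusinessFunction, threshold: float = 3.0) -> str:
    """Assumed rule: an index at or above the threshold marks the function as critical."""
    return "critical" if risk_index(fn) >= threshold else "not critical"


# Constructed sample data. The rate-filings figures mirror the article's
# $2-5M/week BIA estimate with strong controls (re-filing is possible);
# the other two departments are invented for comparison.
FILINGS = BusinessFunction("Rate filings", 3_500_000, likelihood=2, control_effectiveness=5)
CUSTOMER_SERVICE = BusinessFunction("Customer service", 6_000_000, likelihood=2, control_effectiveness=2)
CLAIMS = BusinessFunction("Claims processing", 1_500_000, likelihood=3, control_effectiveness=3)
SAMPLE = [FILINGS, CUSTOMER_SERVICE, CLAIMS]


if __name__ == "__main__":
    print("BIA ranking:", bia_ranking(SAMPLE))
    print("ERM ranking:", erm_ranking(SAMPLE))
    for fn in SAMPLE:
        print(f"{fn.name}: index {risk_index(fn)} -> {classify(fn)}")
```

Run as-is, the BIA ranking places rate filings second on dollar impact alone, while the ERM ranking drops it to last and classifies it as not critical; customer service stays at the top under both views, which is the same pattern the article reports. Changing the formula or the threshold changes the numbers, not the point: the filter adds dimensions that the BIA does not capture.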
Three Models for ERM and BCM in a Company
When joining together BCM and ERM, there are three different models. The first model is having a central management for both BCM and ERM, which is Blue Cross and Blue Shield of Florida’s model. The second model is to create a shared responsibility with BCM and integrate it functionally into the ERM program. The third, and least efficient way to maintain BCM and ERM programs, is to maintain separate silos for both disciplines. Unfortunately, this is what many businesses are doing today. The danger of maintaining separate BCM and ERM efforts, the “silo mentality,” is that both are working according to their own strategy. Nothing could be less efficient or effective.
To support the integration of ERM and BCM, Blue Cross and Blue Shield of Florida has created a risk council to provide a single governance structure. The risk council is made up of director level representatives from Information Technology, Human Resources, Service, Compliance, Internal Audit and so forth. The risk council is responsible for “controllership” of operational risk as well as general oversight and control. Part of the oversight responsibility extends to BCM and provides assurance that the business interruption risk, and the mitigation of that risk, is clearly understood and pro-actively addressed. High-level executive support has been established through the Operating Committee, which includes the Office of the Chief Operating Officer.
When we consider large, highly publicized risks similar to Hurricane Katrina, management often reacts emotionally. “What would we do if it hit OUR company? How would we serve our customers? This could bankrupt the company!”, and so on. These are serious questions, but while management panics about such improbable occurrences, companies could bleed millions of dollars per day from other risks like fraud and “dirty data”. Organizations need to address the “Katrina-like” event, certainly, but they need to do so as part of a comprehensive understanding of all the company’s significant business risks.
ERM helps provide an understanding of the relationship of risks, which cannot be obtained from a traditional risk management or business continuity perspective. ERM and its associated methodology and tools provide an opportunity for business continuity professionals to burst out of their silo to observe how business interruption risk relates to the other enterprise level risks. This approach also elevates BCM to a higher level with boardroom and C-suite attention. Companies that can achieve this level of maturity with their business continuity program will make better decisions about the allocation of limited capital.
There are few organizations that have taken their business continuity program to this level. The psychology of risk is one that constantly gets in the way of making truly informed decisions. Without factual and logical risk assessment methodologies, emotion at all levels of the organization will triumph over reason. Throughout the world, in every organization, people are making decisions about risks based on past experiences and emotions. ERM and its methodology will continue to fly the banner of reason in a battleground of emotion. At one time, people relied on the woolly caterpillar to tell them how harsh the winter would be. Now we have meteorology. In just the same way, an ERM approach to understanding business risk will help the BC professional declare victory over the business interruption risk. The woolly caterpillar of business continuity is about to become extinct.
About the Author
John R. Phelps, CPCU, ARM, CBCP is Director, Business Risk Solutions for Blue Cross and Blue Shield of Florida, Inc. Mr. Phelps is responsible for the development and implementation of an Enterprise Risk Management program for the company, and is a leading practitioner of ERM. Prior experience includes nearly two decades managing risk systems within the healthcare industry.