Integrated Risk Management in the Internet Age

By Luis Ramiro Hernandez


In addition to natural and man-made disasters, human errors, and hackers and virus attacks, the continued growth of the Internet and network computing is breeding new categories of peril. Information theft, malicious code, denial of service and access violations threaten companies worldwide. No matter what the source may be, business today cannot afford the interruptions these events cause.

Notably, most companies already have much of the needed risk management expertise in-house to battle these exposures, but it is often scattered throughout the organization. Integrated risk management can help to pull these resources together to ensure that business operations continue, no matter what.

Facing the Risk

What makes businesses, in this day and age, so susceptible to continuity problems, and more dependent on complete integrated risk management programs? The pace and nature of modern commerce.

Because businesses are moving at the speed of the Internet, market advantages based on assets composed of processes and intellectual capital can oscillate on a whim. Market maneuvers that used to take a year now happen in three months.

The widespread distribution and use of technology also means companies can no longer contain or control their intellectual capital, or data, in traditional glass-house environments.  The exchange of data with customers, suppliers and others has increased the number of potential points of failure, which can compromise company brand image and overall credibility.

In the face of these changes, traditional alternate site approaches to continuity are no longer enough.  So-called “hot site” or “warm site” back-up locations, set up to take over in the event of business interruptions, are often insufficient to carry the business load.  And experience has shown that reciprocal agreements between companies to back each other up do not work in disaster situations because of a reluctance to possibly jeopardize one business by saving another.

To survive in today’s competitive e-commerce environments, companies must move beyond these traditional solutions and be able to provide continuous availability of applications, and zero downtime for their Web sites.  They are now forced to address new issues, such as capacity and peak load balancing.

Capacity problems arise when e-commerce companies, in a rush to have an Internet presence, formulate their business objectives without considering the impact of those objectives on business operations, or without installing a sound infrastructure on which to deliver them.  For instance, during the holiday shopping rush of 1999, many e-businesses concentrated on making their Web sites look great at the front end, attracting huge amounts of business.  It was not until the critical juncture, when business processing was being stretched, that they realized their behind-the-scenes infrastructures did not have the capacity to handle the demands.

Peak load balancing issues arise when e-commerce companies experience spikes in demand at specific times.  For example, a national women’s clothing catalogue house ran national ads announcing a fashion show that could be viewed on the Web.  On the day of the fashion show, the site was inundated with visitors wishing to view it.  The company was unprepared for this response and unable to handle the peak load demand.

In order to enhance competitive advantage and increase shareholder value, companies must also strive for more effective and accurate decision making.  Organizations need to know what level of risk they can tolerate and also understand that not all risk is necessarily bad.

For example, instead of buying insurance to provide coverage, a better approach for handling breaches of intellectual-capital security might be to mitigate the risk through appropriate prevention techniques: installing firewalls, monitoring the network on a real-time basis and providing security for network data.  Mirroring and electronic vaulting address capacity and peak load balancing issues (and thus enable continuous availability and zero downtime in disaster situations).

In order to take advantage of such solutions, however, an integrated risk management program must be in place to provide the needed breadth of expertise to turn risk into opportunity.

Unite

Risk management in the Internet age has changed dramatically from the early days of the discipline.  Starting in the early 1990s, risk managers began to assume responsibility for all risks that affect the company (credit, market, operational, business and organizational), and thus emerged the concept of integrated risk management.  Today, the evolved discipline enables companies to implement effective and consistent processes for protecting all of their assets.

Integration involves successfully coordinating risk management (credit, market, business, operational and organizational), security and the evolving business continuity disciplines throughout the company.  This includes utilizing the resources and expertise of each category.  Risk management disciplines typically address financial and insurance risks; continuity disciplines address availability of the critical business functions, and the process required to continue operations in case of business interruptions; and security disciplines deal with logical protection (confidentiality) and integrity.  All three are involved in mitigating, transferring and accepting risk.  Uniting them enables enterprise-wide business continuity programs in which all risk can be identified and addressed.

The first step to unite these disparate groups is improving communications.  Once the lines are open, rapid detection of risk can be enhanced by training management and staff in basic detection skills, incorporating network monitoring tools and procedures, and making individual employees aware of potential risks.  The resultant anticipation capability within the organization results in better continuity planning, processes and results.

Integration that enables this interaction and communication between disciplines can provide the following advantages:

• standard operational policies and procedures
• closer relationships that bring people together toward common goals
• common systems for reporting and measuring exposures
• cost savings through the pooling of budgets
• less overlapping of functions and duplication of efforts
• knowledge sharing (ideally through automation)

A number of companies have realized such success with their integrated programs.  IBM, for example, takes particular interest in managing its risks as a self-insured company.  With operations spanning the globe and assets encompassing many technologies, it has found that an enterprise-wide appreciation of its exposures is essential.

By harnessing the knowledge and experience of those in risk management, business continuity, human resources and information technology, to name a few, it has developed a proven method for identifying and mitigating its risks.

Making it Work

Integrated risk management programs, aligned with the business objectives of the company, can help to analyze the supply chain and the customer relationship management process and tie them together cohesively.  This enables companies to address and support customer needs, ensure that suppliers are on board to ship products on time, and prevent delays.  By being able to see the full picture, organizations can avoid costly errors, both in terms of money and reputation, brought on by a lack of whole-enterprise forethought.

These solutions must also meet the company's needs for continuous availability of critical business applications, ensure the confidentiality of data and prevent unauthorized access to confidential information.  Integrated risk management provides the operational and organizational skills necessary for this essential balance.

To bring together the various disciplines and implement integrated risk management, ensuring the support of top-level executives is vital.  These executives can institute the process that enables people and resources across the company to participate in identifying and assessing risks, and tracking the actions taken to mitigate or eliminate those risks.

Some organizations now are appointing so-called Chief Risk Officers (CROs) or Corporate Risk Managers (CRMs), who report to the CEO and are charged with considering the corporation’s entire “risk universe.”  CROs and CRMs are responsible for protecting corporate assets by implementing common processes and establishing consistent goals, as well as maintaining the essential link from upper management to frontline employees.

Process alone, however, will not ensure the success of the program.  Employee buy-in is critical.  Companies must foster an organizational culture in which everyone across the company is aligned with risk management efforts and participates in the protection of company assets.

In today’s Internet-driven business environment, there are new threats every day.  Clearly, survival will depend on the ability to plan for and manage risks.  Taking inventory of in-house expertise, understanding which risks pose the greatest threat to business assets and determining the steps needed to prevent or mitigate business interruptions are extremely important.  But ultimately, the best defense against a new generation of continuity threats is a united front that brings together in-house risk management, business continuity and security resources in an enterprise-wide integrated risk management program.


About the Author
Luis Ramiro Hernandez is an IBM Global Services Project Executive in New Jersey. He manages a strategic outsourcing account. Mr. Hernandez has 19 years of experience in IT and 10 years of experience in Business Continuity and Integrated Risk Management across several industries, with worldwide experience. He has been a speaker at conferences including Common, Survive, CyberSecure 2000 and IBM's annual Summit conferences. He can be reached at (201) 967-2611 or ernandez@us.ibm.com.

For more information, consult the IBM website at www.ibm.com/services/continuity.