Prepare: Why Enterprise Resilience Matters
7/29/2019 Prepare: Why Enterprise Resilience Matters
Why Enterprise Resilience Matters
EDITED BY Debbie van Opstal, Senior Vice President, Policy and Programs, Council on Competitiveness

This publication may not be reproduced, in whole or in part, in any form beyond copying permitted by sections 107 and 108 of the U.S. copyright law and excerpts by reviewers for the public press, without written permission from the publishers.

The Council on Competitiveness is a nonprofit, 501(c)(3) organization as recognized by the U.S. Internal Revenue Service. The Council's activities are funded by contributions from its members, foundations, and project contributions. To learn more about the Council on Competitiveness, visit us at www.compete.org.

COPYRIGHT 2010 Council on Competitiveness

Design: Soulellis Studio
Contents

Foreword by Deborah L. Wince-Smith
Agenda
Workshop Summary
Words Matter: Defining a Common Vocabulary
Numbers Matter: Metrics for Resilience
Actions Matter: Incentives for Resilience
Briefing Materials
Warning: Turbulence Ahead
Capturing Value from Risk Intelligence and Resilience
Implementing Risk Intelligence
Reaching for Resilience
Roles for Governance
Recommendations for Risk Intelligence and Resilience
About the Council on Competitiveness
Foreword
These first years of the 21st century are best described by three Ts: transition, turbulence and transformation. Rapid globalization is altering our world in fundamental ways, and we are more connected and more interdependent than ever before. Risks are magnified in an environment in which disruptions cascade across networks and borders. What happens anywhere can have profound effects everywhere.

Countries, communities and companies face what professor Anthony Giddens called the "new riskiness to risk." The impact of point failures, whether triggered by attack or accident, can reverberate quickly across networks, and failure to anticipate and adapt to turbulence can cascade into a bet-the-company mistake. An Economist Intelligence Unit survey found that one in five companies suffered significant damage from risk failures. Yet, only 25 percent of companies set regular risk targets for managers, and less than one-third provide risk management training. Some companies remain in the dark about the risks they face. Nearly half of the respondents to a Deloitte survey stated that their company's non-financial reporting measures were ineffective or highly ineffective in shaping the decision-making process.

Prepare represents the thought leadership of a group of C-suite executives and resilience experts who met for a day and a half at a Risk Intelligence and Resilience Workshop in Wilmington, Delaware. It was initially developed as a briefing book for workshop participants on seminal research and recommendations in the fields. It now includes the summary of their discussions, representing the insights of those participants, who collectively represent over a millennium of risk management experience.

A key conclusion: The next new revolution in business will be in risk management and resilience. Just as we built integrated quality and safety management systems, so we must now build integrated risk management systems. Enterprise resilience is an approach to risk management that anticipates disruptions, better ensures recovery and protects business profitability. Risk-intelligent organizations elevate resiliency to a board-level concern and bake it into the DNA of their enterprise with powerful processes, well-trained people and robust systems. Their goal is to be proactive and adaptive in response to disruptions, whatever form they take. Resiliency goes beyond minimizing losses to include preserving shareholder value, finding competitive advantage in the ability to manage risk well and growing the top line.

For countries, resilience has replaced the three Gs, guards, gates and guns, as the national strategy. Our work has inspired the government to focus on resilience instead of protection, with the creation of a Resilience Directorate in the National Security Council. We see the need for continuing dialogue between the public and private sectors that leverages resilience to meet multiple goals of national security, homeland security, energy security and economic competitiveness.

I would like to thank James H. Quigley, CEO of Deloitte, and John Swainson, former CEO of CA Inc., for their sponsorship of this opportunity to understand how different risk functions link to each other and to strategic planning, and what CEOs and boards need to know about risk management. Mark Layton, vice chairman of Deloitte; Vikram Mahidhar, director of operations of Deloitte Research; and Margaret Brooks, vice president at CA Inc., provided advice and insights on an ongoing basis. At the Council, senior vice president Debra van Opstal ably led the Council team, with the help of David Padgham, Mildred Porter and Michael Ruthenberg-Marshall.

Deborah L. Wince-Smith
President and CEO
Council on Competitiveness
Agenda

October 30, 2009

12:00 Welcome and Introductions
Lunch

12:30 Setting the Global Stage
Warning! Turbulence Ahead: Strategic Risks
Erik Peterson, Director, Global Strategy Institute, Center for Strategic and International Studies

1:30 The Risk-Intelligent Enterprise
Rick Funston, Principal and National Practice Leader for Governance and Risk Oversight, Deloitte & Touche, LLP

2:15 What Risk Executives Think: Survey Results
Vikram Mahidhar, Senior Manager, Deloitte Research, Deloitte & Touche, LLP

2:45 Session 1
Words Matter: Defining Risk Intelligence and Resilience
Creating a Common Lingo. The terms risk intelligence and resilience actually mean different things to different people, spanning a spectrum from disaster management preparations to fences and firewalls; from business continuity to competitive advantage. Words matter, and we need to create a common language of risk.
Goal: The overall goal is not so much to achieve perfect definitions of resilience and risk intelligence as it is to get insights from the participants on how they operationalize these objectives in their own organizations.
Paper Presentation: Erica Seville, University of Canterbury, New Zealand
Commentators:
Mary Herbst, Director of Business Resiliency, Carlson Hotels
Anne Larsen, Advisor, Corporate Responsibility, Novo Nordisk A/S
Darren Mulholland, Senior Vice President, Operations and Technology, NASDAQ

3:45 Breakout Sessions: Defining the Desired State
5:00 Reports from the Breakouts: Defining Risk Intelligence & Resilience
Co-Chairs for Breakout and Reports:
Breakout 1
Bob Moore, Vice President, Global Security Group, HP
Carl Gibson, Director, Risk Management Unit, Latrobe University, Australia
Breakout 2
Joe Petro, Managing Director, Citigroup
Joseph Fiksel, Executive Director, Center for Resilience, Ohio State University
Breakout 3
Jim Porter, Vice President and Chief Engineer, DuPont (ret.)
Bob Flynn, Vice President, Travelers
Breakout 4
Ken Senser, Senior Vice President, Global Security, Wal-Mart, Inc.
Branko Terzic, Senior Energy Consultant, Deloitte

5:30 Break
6:00 Reception
6:30 Dinner

7:30 Evening Discussion: What should managers and directors be asking about risk?
Moderator: Deborah L. Wince-Smith, President, Council on Competitiveness
Tom O'Neill, Principal, Sandler O'Neill; Director, NASDAQ; Chair, Audit Committee, ADM
Larry Rittenberg, Chairman of COSO; Ernst & Young Professor of Accounting & Information Systems, University of Wisconsin
Mark Layton, Global Leader, Enterprise Risk Services and Vice Chairman, Audit, Deloitte & Touche, LLP
The Honorable Roy Ferguson, New Zealand Ambassador

9:30 Adjourn
October 31, 2009

7:30 Networking Breakfast

8:30 A CEO's Perspective on Risk
Conversation with Charles O. Holliday, Jr., CEO, DuPont

9:00 Session 2
Numbers Matter: Metrics for Risk Intelligence and Resilience
Developing a Dashboard: Once a common language of risk is developed, metrics are needed that cross risks and functions to accurately assess enterprise risk, existing as well as emerging risks, or determine whether management objectives have been achieved.
Goal: The goal is to identify measures of risk that are meaningful to management, comparable across risk management functions, and explicitly tied to enterprise objectives and performance.
Paper Presentation: Brian Ballou and Dan Heitger, Co-Directors, Center for Business Excellence, Miami University of Ohio
Commentators:
Spiros Dimolitsas, Senior Vice President, Georgetown University
John O'Connor, Director of Supply Chain Risk Management, Cisco Systems, Inc.
Pat Gnazzo, Senior Vice President, U.S. Public Sector Business, CA Inc.

10:00 Breakout Sessions: Measuring Risk Intelligence and Resilience

11:30 Reports from Breakout Groups
Co-chairs for Breakouts/Reports:
Breakout 1
Bobbi Bailey, Vice President, Global Network Operations
Jane Carlin, Global Head of Operational Risk, BCP, and Information Security, Morgan Stanley
Breakout 2
Steven Trevino, Managing Director, Resilient Civilization Initiative
Chris McIlroy, Director, Infrastructure Protection & Resiliency Division, SRA International, Inc.
Breakout 3
Judith Cardenas, CEO, Center for Performance and Accountability; and Vice President, University Center, Lansing Community College
Bill Raisch, Director, International Center for Enterprise Preparedness
Breakout 4
Scott McHugh, Vice President, Global Asset Protection, Wal-Mart
Steve Spoonamore, Partner, GSP LLC

12:00 Networking Break/Luncheon Buffet

12:30 Roundtable on Recommendations: Policies and Practices that Support Risk Intelligence and Resilience
Questions for Discussion: The evidence seems to indicate that companies which are more risk intelligent and resilient outperform the market. If that's true, why don't the markets reward companies that demonstrate risk intelligence and resilience? What role could the ratings, insurance and audit industries play in creating incentives/requirements for risk management? What should government do to encourage these market movers to reward resilience? What should government do to protect citizens from the consequences of massive failures in risk management?
Goal: To identify how the markets can incentivize better risk management practices, particularly through ratings, insurance and audit, and what government can do to strengthen and complement market incentives.
Moderator: Henry Ristuccia, Partner, Deloitte & Touche, LLP
Linda Conrad, Director, Customer Enterprise Risk Management, Zurich
Christine St. Clare, Advisory Partner, KPMG
Phil Auerswald, Professor of Public Policy, George Mason University

2:45 Next Steps
3:00 Adjourn
Workshop Summary
The Risk-Intelligent Enterprise
Rick Funston
Principal and National Practice Leader, Governance and Risk Oversight
Deloitte & Touche, LLP

The ability to survive and thrive in an uncertain and turbulent environment requires resilience and agility. Resilience is the ability to rapidly recover and resume a former shape. Agility is the ability to assume a desired shape in order to rapidly adapt and seize desired opportunities. Risk intelligence is the ability to detect and rapidly respond to changes that affect the business model and bottom line.

Risk Intelligence enables:
No surprises
No big mistakes
No missed opportunities

Of course, the brutal reality is that there will always be surprises, mistakes and missed opportunities. But, in a risk-intelligent enterprise, they will not be life-threatening.

Critical Skills of Risk-Intelligent Enterprises

Check Your Assumptions at the Door. It is better to be roughly right than precisely wrong. Risk-intelligent enterprises look for evidence that their assumptions are wrong. Sometimes that means identifying weak signals that key assumptions in your environment are changing in ways that threaten your business.

Anticipate Potential Causes of Failure. It is almost un-American to think of failure, but risk-intelligent enterprises legitimize a constructive discussion of triggers for failure. They do not just step outside the box, they actively attack it.

Identify Interconnections and Interdependencies. The weakest links are often at the nexus of core processes.

Improve Reaction Time. One of the distinguishing aspects of turbulence is speed; most companies do not factor velocity into their risk assessments. Bad things happen faster than good; reputations are gained in inches per year and lost in feet per second. The speed of response has to be matched to the speed of onset.

Develop Common Senses to Get Insight and Foresight, Not Hindsight. Most enterprises tend to lack a central risk nervous system and good communications lines between multiple appendages. Specialist functions speak specialty languages and have a hard time communicating with one another, with the result that enterprise communications can become a tower of Babel. And, management structures sometimes act as buffers to prevent bad news from getting to the corporate brain. Honing the common senses that identify over-the-horizon risks requires enterprise collaboration and communication.

Verify Sources of Information. In God we trust; all others bring data. Prior experience is not necessarily a good predictor for the future. Executive opinions, while important, need to be corroborated.

Maintain a Margin of Safety. October is a particularly dangerous month to invest in stocks. Other dangerous months are July, January, September, May, March, November and so on. According to Warren Buffett, the most dangerous words in the investor's lexicon are "everyone else is doing it."

Maintain Operational Discipline. For mountaineers, most accidents happen on the way down. Attention should be constantly focused on operational discipline.

Adopt a Long-Term View. Urgent problems are often not the most important ones. And short-term events carry a risk of over-reaction. Risks have to be taken to sustain ROI.

In sum:
Build risk intelligence into decision-making processes, but do not bolt it on.
Focus on value: protecting what you have while creating new value.
Drive out fear of talking about potential for failure.
Generate dialogue, not reports.
Rely on judgment, not formulas.
Manage icebergs first, not ice cubes.
Words Matter: Defining a Common Vocabulary
The language we use matters. Often we use the same words to mean different things. Or, the words we use describe qualities, not competencies. The lack of a common language of risk is one of the chief barriers to risk intelligence and resilience. We need common understandings about the words we use to communicate effectively with each other, with our management, with our investors and even with our regulators.

Resilience: Great Concept, but What Does It Mean?
Erica Seville
Research Fellow
University of Canterbury, New Zealand

Resilience is about an organization's ability to achieve its core objectives, even in times of adversity, so that it survives in good times AND in bad. Resilient organizations are able to cope with both the foreseeable events that are on their risk radars, and the ones that come out of the blue.

Seizing Opportunity: Resilience is not just about survival, but the ability to seize opportunity out of crisis. There are always opportunities in a crisis, and the organizations that are able to seize these opportunities for renewal are the ones that will both survive and thrive. The qualities that enable an organization to survive in adversity are the same qualities that enable it to compete successfully on a day-to-day basis. The case for resilience is about market leadership as well as crisis management.

Interdependencies: Another key characteristic is that resilience cannot be achieved by any one organization. No organization is an island. It operates within a network of other organizations which, if not also resilient, could eventually pull down the network. We need to raise the game of all the organizations in the network. Equally important are resilient communities. Organizations are only as resilient as their people and the communities in which they live.

Dynamic: Resilience is dynamic, not static. Every time an organization implements a new technology or has a fractious round of pay negotiations, it is shifting its resilience space. One-time resilience audits do not work; resilience needs to be constantly re-evaluated.

Resilience is an overarching concept that pulls together many aspects of good business management. It forces business leaders to think about, anticipate and plan for those things that are not on the risk radar and to develop adaptive management strategies.

Four pillars of resilient organizations include:

Resilience Ethos: How well has the organization built a value system and culture that sets resilience as a goal? Has it made the effort to build wider networks for resilience?

Situational Awareness: Does the organization have its finger on the pulse of its operating environment? Is it positioned to recognize subtle shifts, identify potential opportunities and threats, and mobilize itself to respond?

Processes for Managing Keystone Vulnerabilities: Does the organization know where its critical vulnerabilities are and how proactively it is managing them?

Adaptive Capacity: When the chips are down and the plan did not work, how well can the organization come up with new strategies and implement them rapidly?

Finally, there is no one model for resilience. Like individuals, organizations have their own personalities, strengths and weaknesses. The key is to make the most of strengths in times of crisis and understand weaknesses, and hopefully shore them up before the crisis moment comes.
Table 1: Defining Resilience Using a Competencies Framework

Resilience Ethos: A culture of resilience that is embedded within the organization across all hierarchical levels and disciplines, where the organization actively manages its position in an interdependent system and where resilience issues are key considerations for all decisions that are made.

Indicators:
Commitment to Resilience: A belief in the fallibility of existing knowledge as well as the ability to learn from errors as opposed to focusing purely on how to avoid them. It is evident through an organization's culture, training and how it makes sense of emerging situations.
Network Perspective: A culture that acknowledges organizational interdependencies and realizes the importance of actively seeking to manage those interdependencies. It is a culture where the drivers of organizational resilience and the motivators to engage with resilience are present.

Situation Awareness: An organization's understanding of its business landscape; its awareness of what is happening around it, and what that information means for the organization, now and in the future.

Indicators:
Internal and External Situation Monitoring and Reporting: The creation, management and monitoring of human and mechanical sensors that continuously identify and characterize the organization's internal and external environment, and the proactive reporting of this situation awareness throughout the organization.
Informed Decision Making: The extent to which the organization looks to its internal and external environment for information relevant to its organizational activities and uses that information to inform decisions at all levels of the organization.
Recovery Priorities: An organization-wide awareness of its priorities following a crisis, clearly defined at all levels of the organization, as well as an understanding of the organization's minimum operating requirements.
Understanding and Analysis of Hazards and Consequences: An anticipatory all-hazards awareness of any events or situations which may create short- or long-term uncertainty or reduced operability. An understanding of the consequences of that uncertainty to the organization, its resources and its partners.
Connectivity Awareness: An awareness of the organization's internal and external interdependencies and an understanding of the potential scale and impact that expected or unexpected change could have on those relationships.
Roles & Responsibilities: Roles and responsibilities are clearly defined and people are aware of how these would change in an emergency, the impact of change, and the support functions it requires.
Insurance Awareness: An awareness of insurance held by the organization and an accurate understanding of the coverage that those insurance policies provide. (Note: This indicator seems at a more micro-level than others, but we regularly observed organizations using insurance as a security blanket, without a good understanding of the limitations of that cover!)

Management of Keystone Vulnerabilities: The identification, proactive management, and treatment of vulnerabilities that, if realized, would threaten the organization's ability to survive.

Indicators:
Robust Processes for Identifying and Analyzing Vulnerabilities: Processes embedded in the operation of the organization that identify and analyze emerging and inherent vulnerabilities in its environment, and enable it to effectively manage vulnerabilities to further the network's resilience.
Planning Strategies: Effectiveness of organizational planning strategies designed to identify, assess and manage vulnerabilities in relation to the business environment and its stakeholders.
Participation in Exercises: Participation of organizational members in rehearsing plans and arrangements that would be instituted during a response to an emergency or crisis.
Capability and Capacity of Internal Resources: The management and mobilization of the organization's physical, human, and process resources to effectively respond to changes in the organization's operating environment.
Capability and Capacity of External Resources: Systems and protocols designed to manage and mobilize external resources as part of an interdependent network to ensure that the organization has the ability to respond to crisis.
Organizational Connectivity: Management of the organization's network interdependencies and the continuous development of inter-organizational relationships to enable the organization to operate successfully, and to prevent or respond to crisis and uncertainty.
Staff Engagement and Involvement: The engagement and involvement of staff so that they are responsible, accountable and occupied with developing the organization's resilience through their work because they understand the links between the organization's resilience and its long-term success.

Adaptive Capacity: The organization's ability to constantly and continuously evolve to match or exceed the needs of its operating environment before those needs become critical.

Indicators:
Strategic Vision and Outcome Expectancy: A clearly defined vision which is understood across the organization and reflects its shared values and empowers its stakeholders to view the organization's future positively.
Leadership, Management and Governance Structures: Organizational leadership which successfully balances the needs of internal and external stakeholders and business priorities, and which would be able to provide good management and decision making during times of crisis.
Minimization of Silo Mentality: Reduction of cultural and behavioral barriers which can be divisive within and between organizations, which are most often manifested as communication barriers creating disjointed, disconnected and detrimental ways of working.
Communications and Relationships: The proactive fostering of respectful relationships with stakeholders to create effective communications pathways which enable the organization to operate successfully during business-as-usual and crisis situations.
Information and Knowledge: The management and sharing of information and knowledge throughout the organization to ensure that those making decisions or managing uncertainty have as much useful information as possible.
Innovation and Creativity: An organizational system where innovation and creativity are consistently encouraged and rewarded, and where the generation and evaluation of new ideas is recognized as key to the organization's future performance.
Devolved and Responsive Decision Making: An organizational structure, formal or informal, where people have the authority to make decisions directly linked to their work and, when higher authority is required, this can be obtained quickly and without excessive bureaucracy.
Business Resiliency: Moving the Mountain an Inch at a Time
Mary Herbst
Former Director of Business Resiliency, Audit and Business Risk Management
Carlson Hotels Worldwide

Carlson is in the hospitality business, with facilities all over the world known under several brand names from Radisson Hotels to TGIF. We operate in some high-risk areas, so we need to be able to understand those risks and prepare crisis plans. In times of crisis, we need to make sure that our employees know what to do to keep our guests safe and to minimize the chaos. What is less understood is that we also provide shelter and food in times of disaster, for those evacuated as well as for relief teams. After Hurricane Katrina, our TGIF restaurant was up and running in 24 hours, serving $2 meals and $3 beers and providing complimentary meals to those who could not pay. We provided showers and daycare for employees and others. Importantly, that store is also our No. 1 producer in the nation and in the world because of its rapid response and community ties.

Carlson created a Business Resilience Council comprised of representatives from all of the business units as well as the financial, HR and PR areas. In the event of a disaster, the Council could be convened in conjunction with the crisis team. We need to have processes, plans and standards in place, but we also need commitment to the mission. Complacency often sets in when a few years pass without an event. And, without an ongoing effort, your processes, policies and plans are only as good as your last crisis, not your next. We have to take resilience from theory to reality. Our goals are to ensure that our guests and employees are safe, evaluate and secure our site quickly in the event of crisis, respond and resume business quickly, and understand our end-to-end risks and how to mitigate them.

Key Observations from the Discussions

Define Resilience: Resilience is a process of preparation, implementation and lessons learned. It is a framework, a process and a lifecycle, a constant evaluation of where you are in relationship to your business objectives and risks.

Resilience is a steward of, and a way to future-proof, business strategy.

Resilience is fleeting. The level of resilience an organization achieves today could be gone tomorrow. Changing contexts create new resilience challenges.

Resilient organizations are prepared to reinvent themselves. In a period of change, they do not go back to old ways of doing things, but adapt and evolve.

The rewards of resilience are both financial and intangible: brand, reputation and relationships. An organization's survival is closely tied to these intangibles.
Deine Risk Intelligence: Deloitte coined this term
because of the confusion in marketplace and thealphabet soupfrom ERM (enterprise risk manage-ment) to CM (crisis management) to GRC (gov-ernance, risk and compliance)that was floatingaround. Risk intelligence is an aspirational state ofcontinuous improvements in risk management andgovernance.
Risk Intelligence Beore Resilience: Risk intel-ligence is the information needed to make an organi-zation resilient. It is not just the ability to see what isahead, but what is around the corner. It is knowledge,foresight, pervasive situational awareness and theability to communicate risks. An organization needsto be risk intelligent before it can develop the capac-ity to be resilient.
Ignore Deinitions, Focus on Process: It doesnot look like there will ever be a common languageof risk. Focus on common processes rather than acommon lingo.
Focus on the Ecology o Risk: Organizations tendto look inward to manage risk when they should belooking outward at changing contexts and commu-nicating with external stakeholders, competitors andcustomers.
Manage Eects, Not Triggers: We have to becareful not to confuse cause and effect. Humanscan go three minutes without air, three days withoutwater and three weeks without food. We need tothink about critical dependencies and how long we
can go without them, independent of causes. That
creates the framework for prioritizing risks andallocating resources.
Prior to September 2005, the secretary of theDepartment of Homeland Security would havesaid that the primary risk he was responsible forwas terrorism. Post-Katrina, the thinking about riskand risk triage changed completely. Katrina wasa weapon of mass effect. We cannot completelyremove the prevention framework, but to managebigger risks, you need to manage outcomes andeffects, not just triggers.
Implement Resilience: The C-suite and the boardneed to buy into resilience. If the tone at the top isnot there, resilience will not be pervasive across theorganization. Resilient organizations have three requi-sites: a culture of resilience, a set of business pro-cesses and enabling technologies. There need to becross-functional teams to help implement these req-uisites, but accountability for resilience must residewith the people who will implement the processes.
Limits o Risk Registers: The vast majority of risk
management is focused on identifying and catalog-ing risks. That is like keeping an accurate inventoryof deck chairs on the Titanic. It is not the data that isimportant so much as the line of questioningwhichtriggers thinking rather than robotic, check-the-boxresponses. Risk management needs to be built intothe way the business is runone size fits one. You canover-risk yourself. Once you capture too many risks,
-
7/29/2019 Prepare: Why Enterprise Resilience Matters
22/108
20
people can be paralyzed into inaction. Lets cut out
90 percent of the list and focus on the top five riskswithin units.
Managing Across Silos: Companies tend tomanage risk well within silos, but most risk failuresemerge from the white spaces between silos.One participant asked: How many people havebeen bitten by an elephant? Less than 10 peopleworldwide have died from an elephant bite. Howmany people have been bitten by a mosquito? Atleast 130 million have died from mosquito-borndiseases. Within their silos, companies tend to focus
on elephants. But, most organizational failures comefrom the mosquitoesthe little annoying things thatcan come back to bite us.
Where Risks Must Be Managed: Managing risk is like conducting an orchestra. The individual components are competent, but are run and synthesized by the conductor. One of the key decision points is at what level risks should be managed. There are a dozen or so risks that could bring a global corporation to its knees. All other risks are pushed down to the market levels, and managers are empowered to identify and manage the risks and opportunities they present.
Need for Offense: One can dig the deepest bunkers and pour as much concrete as possible, but someone will eventually find their way in or out of it. Unless someone is willing to play offense, organizations cannot be viewed as being resilient. It is about training an organization so that when under pressure, a framework has been established to allow the organization to consolidate its resources and lay the groundwork to emerge stronger than before. If you add just a little offensive capacity, the bad guys go elsewhere. You become an unappetizing target.
Seven Revolutions that Are Shaping the Future
Erik Peterson
Executive Director, Global Strategy Institute, Center for Strategic and International Studies
We are now navigating in a period of acute volatility: not just financial volatility, but critical inflection points where we see simultaneous uncertainties. We begin with a question: What will the world look like long range?
I've identified seven revolutions; each will shape our collective future and the nature of risk. They are:
Demographic and population dynamics;
Strategic resource management;
Technological innovation and diffusion;
Massive movement of data and information;
Global economic integration;
Conflict; and
Challenge of governance.
Demographics: What will be the shape of the human family? There were 150 million humans at the time of Julius Caesar. By 2025, the population is projected to rise to 8 billion; 8.8 billion by 2040 and 9.2 billion by mid-century.
In the developed world, we will face an aging population. We are reaching a critical tipping point where there will be more older people than younger people, a narrowing base of support for an aging population. High rates of population growth will occur in the emerging economies least able to support it. This suggests that we may want to be alert to the potential for significant migration patterns, economic as well as climate migrants.
Erik Peterson, Center for Strategic and International Studies.
If companies manage only what they can measure, what measures would create insights on whether organizations are resilient or not? What resiliency metrics would be meaningful to management tied to performance and risk objectives? Are measurement systems able to capture systemic risks that flow from interdependencies and externalities, risks that individual risk functions may not capture? What metrics could communicate risk intelligence and resilience to the board, C-suite or externally?
Dashboards for Risk and Resilience
Brian Ballou and Dan Heitger
Co-Directors, Center for Business Excellence, Miami University
Dashboards are in their infancy. There is no one size fits all. Typically, it is not a question of whether metrics are available, but what are the right measures to use? How to filter out the volumes of information that are available? How much internal and external data to gather and put into dashboards? Most companies focus internally to control risks, but lack a control tower to pick up external signals in the environment and bring them back into the risk management system.
Some key questions and challenges companies ought to be asking:
1 What metrics are used to report risk intelligence and resilience to the board, the C-suite or externally? Have they distinguished between emerging versus existing risks? What are the expectations of external stakeholders, and what is being communicated quantitatively?
2 How do risk metrics relate to overall performance goals: cash flow, earnings per share or other performance measurement goals? How are those metrics placed in context? How are competitors benchmarked? How are risk metrics linked to compensation?
3 Is information consistent across risk functions? Are there common denominators for making strategic decisions and conveying risk information? In some companies, each risk ends in a different non-financial metric. Others pick a financial metric to showcase how well they are meeting goals. Is there a common metric to compare across risk silos? Are there measures for business process risks that identify how risks affect the whole organization?
4 Can leading versus lagging indicators be identified? Most variables are lagging, and risk management systems have been stalled in finding the correlations and interconnections. Are there risk models that can identify problems on the horizon? Can these measures be financial?
5 Are there qualitative ways of reporting risks? Is the top ten reporting list that many companies use even a good idea? Perhaps the top two risks are so big that they should just focus on those. If resilience is a process, not a specific risk, should qualitative metrics be used to describe the process? To what extent should a dashboard focus on compliance processes or risk response plans?
Three questions executives should ask about their risk models:
Is it right? Have the assumptions been challenged?
How robust is it and has it been stress tested?
How has the model changed? Indicators do not hold up for very long.
Communicating Risk to the Board
Spiros Dimolitsas
Senior Vice President and Chief Administrative Officer, Georgetown University
A university has an unusual risk profile in that its factors of production, production capacity and customers are all in the same place, which makes it very difficult to diversify risks.
The board has expressed an interest in looking at risks more broadly, and we have provided them a dashboard to prioritize by type of risk and impact of risk. It characterizes risks in two ways, by type and by impact.
Types of Risk
Community risks: things that can harm people or infrastructure
Business continuity risks: failure of systems to perform as designed
Business performance risks: failure of systems to perform as needed
Financing risks: things that can deplete the cash needed to run operations
Impact of Risk
Each type of risk is grouped by likelihood and threshold of impact (medium, high, low, severe). For example, a severe community risk might be a death on campus. Disruption of a major revenue line by more than four weeks would be a severe business continuity risk. Reputational risks, such as a drop in national ranking or in the competitiveness of the student body, would constitute a severe business performance risk.
Resilience Metrics
We have also developed a framework to report how resilient we are. Bad things have two dimensions: how long they last and how widespread. If you think about extent and duration, you can construct a two-by-two table: localized short term and localized long term, and widespread short term and widespread long term. A less resilient system would only be able to handle a short term, localized disruption. A more resilient system should be able to handle a longer term, more widespread disruption.
Brian Ballou and Dan Heitger, Center for Business Excellence at Miami University
Spiros Dimolitsas, Georgetown University
Leading Indicators
Leading indicators are difficult to identify. Sometimes it is not whether you can predict the indicator, but whether you can rapidly assess how it will impact your position. As a service organization, one of our concerns is the volatility and rising levels of benefits packages. The benefits budget is significant: 20 percent of operational budget. We might not be able to predict everything that could impact the cost of benefits, for example, a change in the social security floor, but we have developed a methodology to assess how quickly a change would be digested through the system and what it would do to our cash position.
Managing and Mitigating Risk
Pat Gnazzo
Senior Vice President, U.S. Public Sector Business, CA Inc.
Compliance, risk and business continuity are all intertwined. A couple of cautions. We need to be careful about using someone else's template. One size does not fit all. Every company is different. Every university is different. Risks are different across sectors and universities. Risks have to be understood within the context of a specific business.
Companies have been assessing risk for years, but they do not put it in a form that boards can use. The problem is the lack of a good tool that allows information to bubble up to senior management. Every organization should understand its risk appetite and its risks.
That plan needs to reach down to the business units: their operating plans should talk about the risks of not meeting goals and the actions they will take to mitigate those risks. Risk management has to start at the bottom. You cannot understand it from an enterprise basis if you do not understand it at the business unit level. For example, everyone has a budget. What are the risks of changes to the budget, and how will the business units mitigate that risk?
The top ten enterprise risks are important, but we cannot forget that every department within an organization should have a top ten risk list as well. If each one of those departments is not working on its top ten risks, the company is exposed. We may be handling the Katrina and bird flu risks, but we are missing the department risks. There will always be a top ten, because when you mitigate some risks others will emerge. That is what managing risk is all about.
Resilience Metrics: Time to Recovery
John O'Connor
Director of Supply Chain Risk Management, Cisco
My perspective is functionally oriented toward supply chain risks. Cisco has an enterprise risk management group focused on assessment and identification of top risks. They coordinate activity, but the functions drive the risk intelligence and resiliency programs.
What can we measure, and what should we measure? Cisco has identified a key quantitative metric: time to recovery. Our business continuity program (BCP) assesses our strategic nodes (core suppliers, transportation hubs, logistics nodes, manufacturing nodes) and asks: Regardless of disruption, what is the time to recovery for each of these nodes? Regardless of the disruption, how long does it take us to go from a catastrophic disruption with zero output back to 100 percent? That is our measure of resilience: TTR or time to recovery.
Pat Gnazzo, CA Inc.
John O'Connor, Cisco
We spent a lot of time on that information set because understanding recovery time is a key piece of information for crisis management. Whether it is a Chengdu earthquake or a Hurricane Ike, we understand where nodes in that region are and how long it takes for them to recover. We can assess the impact immediately. This informs not only our crisis management but also our resiliency programs. We understand where we have exposures and where we need to allocate resources to drive recovery. BCP may come off as a dry process, but it is a key enabler.
We have BCP coverage as a metric and response rates as a requirement, and we measure our suppliers against that.
We pair risk intelligence (knowing where our vulnerabilities are) with risk analytics. We have collected large series of data sets (historic food data, incident data, simulation analysis) which tell us where we have the greatest probabilities of disruption.
This allows us to look at operational risks and natural disasters as one set. It tells us where we are more likely to experience a disruption. That is all interesting and informative, but the data has not been terribly operational. Risk programs are not generally tailored to risk analytics for a couple of reasons. You are always going to pick the wrong risk.
At the end of the day, we found that revenue is the key attribute that focuses risk programs. Obviously we have a program that takes care of our people first, but a risk focus on revenue allows us to look after both our shareholders and customers. Cisco is unique in that it has 200 product families and 8,500 products. But 100 products account for 50 percent of revenue, so it is a relatively easy answer about where to focus.
How do you determine your risk appetite? That is an interesting question, but the simple answer is that risk appetite will never match risk budget. For $100 million we could de-risk the entire supply chain. Although we have a great budget, it is nowhere near enough to guarantee a risk-free supply chain. When setting our risk budget, we also think about the impact on gross margin and on external insurance. So, risk appetite needs to be anchored in something far more tangible.
We have been talking about risk intelligence (gathering information, understanding vulnerabilities and making sure you have playbooks and processes) but we have not really discussed resilience. Whatever vulnerabilities we identify, they are still going to be there. This to me is the difference between risk intelligence and resilience. For Cisco, resilience is about recovery time goals for each of the nodes, and that recovery time may or may not be acceptable. If the node is something with a simple process, like pack-
Coping with Crisis, DuPont Style
Charles O. Holliday, Jr.
CEO, DuPont
We have learned a couple of key lessons.
First, you can never anticipate the crisis you get.
Second, if your systems are resilient enough, you can manage pretty much anything that comes up.
Third, raise the warning flags early. People are often reluctant to call a crisis. A few examples:
Case 1: Crisis or Not?
One Wednesday at 5:00, when I was head of DuPont's Asia Pacific business based in Tokyo, I received a call from a person who said he was the Swiss ambassador. He said a DuPont employee had broken into the embassy and threatened to kill him. This was potentially an international incident on sovereign Swiss soil involving the Swiss, Japanese and U.S. governments with DuPont at fault.
Here is the rest of the story: The employee lived four houses away from the embassy. His wife was pregnant and due very soon. He had complained multiple times that the embassy guests were blocking his driveway so he could not get out in the event that his wife went into labor. And he could not call emergency services because he did not speak Japanese. And, although he got angry enough to issue threats, he was not actually armed. We did not call the U.S. embassy or Wilmington. We decided to work it through. And, two days later, the ambassador invited the employee and his wife for dinner and an apology.
All the trappings, but no crisis.
Case 2: Crisis or Not?
The scene is Northern India. DuPont had a contract to sell technology to a plant under construction. At 2:00 a.m., rebels went in and pulled five people out of their dorms and assassinated them. DuPont had no one on site.
Most thought it was a terrible tragedy. Few would have seen a crisis coming. But the next morning, the factory owner gave an interview to the news media and said that DuPont caused the deaths. His logic was that DuPont had advised them to keep the guns locked up since the vessels that were being delivered would not have reacted well to a gunshot. The next morning the parliament of India was debating what charges should be brought against DuPont.
Crisis or Not? We did react very seriously. We got the right information out to the public, talked to the owner and got him to retract his statement, and shut the crisis down in 24 hours. Because of how the media handled it, what would have been a terrible tragedy in any event turned into a crisis. So the message is that the organization will tend not to call a crisis.
Charles O. Holliday, Jr., DuPont
Crisis Management at DuPont: The key to managing crisis is to create a resilient crisis management process and pressure test it.
At DuPont, there are 17 crisis management teams. The leaders of each of those teams are continually on alert and empowered to call a crisis. The first question that is asked is whether it should be a corporate crisis. Those actually have not been called very often; 9/11 was the first.
The leaders of the 17 groups can be rallied to a central crisis management room in 30 minutes, and we find that the room itself creates its own kind of focus and mindset.
The CEO has specific crisis communications roles with the media, the government, suppliers, families. Given those responsibilities, the DuPont CEO does not manage the crisis teams.
Because people tend not to take crisis tests very seriously, we have stretched the definition of crisis to include important events, but maybe not the traditional definition of crisis events. On a Friday afternoon about a year ago, I was in New York meeting with customers when my BlackBerry started to do its shaking thing. I looked down and read: No crisis, call immediately. Within a few minutes, I learned that President Bush was planning a visit the next Tuesday, and the Secret Service and advance people were already on their way. As we were thinking about how to get ready for that visit, we decided to activate our corporate crisis process, and it worked brilliantly. We were able to rally everyone in the company virtually overnight.
Strategic Resilience at DuPont: Back in the late 1980s, Greenpeace scaled the fence on a cold rainy day and hung a big banner from the top of the water tower that said: DuPont, No. 1 polluter. The word polluter was so low that it was below the fence line. So all the people outside could see was: DuPont, No. 1. Most people thought we had won another award. Our plant manager handled the Greenpeace guys, got them down safely, and we were dealt with pretty gently on the evening news. So, we were sitting around the next day, patting ourselves on the back, and one lone voice said: But they're right. He said that we put out more stuff than anyone else. You could have heard a pin drop. And everyone was thinking: Who is this soon to be unemployed person?
But, for me, it was a watershed moment. We might be the biggest, but we spent the next decade trying to fix our processes to reduce our footprint. As a result of that work, we have reduced our greenhouse gas emissions by 72 percent while we increased our volume by 40 percent, and we got good returns for our shareholders every time.
At the end of the day, companies need to create a system that drives toward resilience. What role can market movers play in helping to move organizations toward more effective risk management and resilience? What can government do to reinforce private sector drivers and market mechanisms that encourage/reward resilience processes? How should the public and private sectors be working together to create a more resilient country?
The Role of Audit
Christine St. Clare
Audit Partner, KPMG
The audit profession is risk averse, so it is hard to imagine rapid innovation in risk reporting in non-financial areas. However, the fastest inroads are being made in the areas of sustainability and corporate social responsibility (CSR) reporting. Increasingly, senior management sees non-financial reporting as a crucial companion to financial reporting.
Today, the real question is not who is doing CSR reporting, but who is not. Every three years, KPMG conducts a global study. We found significant increases in the number of companies reporting. CSR has become a more mainstream practice around the world, and the U.S. is lagging. We are near the bottom of 22 countries.
For the Global 250, more than half are linking their reports to metrics. This is driving a need for more non-financial data that is credible and can stand up to scrutiny. Until recently, there has been criticism around self-serving reports that were generated by external PR offices.
Historically, financial reporting was directed to shareholders. The evolution now is toward CSR reporting directed to a broader audience of stakeholders. Today, stakeholders are asking that reporting be linked to strategy, risk, business processes, governance and concrete performance indicators or metrics.
Since sustainability reporting is voluntary, guidelines have been slower to emerge. The guidelines commonly used are published by the Global Reporting Initiative. These guidelines created a more data-driven, structured way of reporting that creates comparability. That is what is needed for the accounting industry to have a credible assurance or attestation capability.
We could take an hour and not exhaust the list of stakeholders who want more reporting and more transparency in CSR reports. To name just a few, the Carbon Disclosure Project, a collaboration of 300 institutional investors, is calling for better disclosure around risk to be included in 10K filings. The Coalition of Environmentally Responsible Economies petitioned the SEC to force registrants to disclose financial risk and opportunities around climate change. The Climate Action Partnership's lobbying effort for federal regulations on greenhouse gas emission (to forestall a patchwork quilt of state regulations) could drive more reporting requirements. The Grocery Manufacturers of America are working with their members to measure carbon footprints from production to consumption.
The Dow Jones Sustainability Index is ranking performance related to environmental programs. Walmart recently brought together its suppliers with NGOs and Chinese officials to discuss how to bring sustainability and risk mitigation into the supply chain.
All of this creates pressures to collect data that can be verified by the audit community.
In the sustainability area, the United States lags in developing approaches and standards that can be attested to. And, basic requirements for attestation are missing in the risk reporting area, including lack of a common language of risk, lack of standard taxonomy even within an organization, and one size fits one approaches which are at odds with the uniformity of reporting approach requirements. Moreover, auditors will have difficulty with the issue of emerging versus existing risk.
The opportunity to get more uniformity and acceptance of risk reporting and performance indicators is there, but much more groundwork must be laid. If the other stakeholders keep up the pressure for more reporting, as they have done in CSR and sustainability, the accounting profession will continue to move into the area of non-financial risk attestation.
The Role of Insurance
Linda Conrad
Director Risk Engineering, North America, Zurich
Insurance is in the business of risk. It is what we do for a living. Our motto is: change happens. Last year we delineated that into three sections: Change happens around you (that you cannot necessarily control); change happens to you; and change happens because of you. That helps you delineate those things over which you do have control versus the things you do not control but to which you must be prepared to respond.
Many people think of insurance as lines of business; as discrete risk solutions for certain problems. But I think we do ourselves as an industry a disservice if we do not look beyond insured risks. No company would look at its exposure just in terms of property risk. We need to look at the entire risk that companies face, not just their insurable risk. Insurance is only a small piece, maybe 20 percent to 40 percent, of a company's risk picture. If we only look at the insured portion, we are not working as a partner.
A case in point. We conducted a risk profiling session with a food additive company. Someone in accounting stood up and said that they had a fantastic new sales partner which represented some 25 percent to 30 percent of business. The new sales partner was an aviation company buying up food additives for de-icing purposes. We were insuring them for product liability, but this use was not part of the coverage.
Christine St. Clare, KPMG
Linda Conrad, Zurich
We are not working well with our customers if we do not help them look at things that could come out of nowhere.
Most people tend to think of insurance as set it and forget it. If structured correctly, they think that once the insurance coverage is in place, they can move on. But risk is dynamic and needs to be revisited often. If we are not constantly re-evaluating, we are not adequately covering even the insured risks, let alone the risks that are uninsurable, like reputation and brand.
Insurance needs to get out of the old century and become more like a GPS system. Risk intelligence is GPS. If you are going down a path and miss the turn, your strategic decisions need to realign. Even more importantly, you have to keep checking whether you are headed toward the right address.
The Role of Public Policy
Phil Auerswald
Professor of Public Policy, George Mason University
When we think about responsibilities, risks and events, there is scalability. Low impact events are usually managed by individuals or by operations people in a company. Larger-scale events might be the responsibility of a CEO or a mayor. And then there are problems that are much larger and go beyond the fence line or the municipal boundary. These situations are too large for any one company or jurisdiction to handle, even if their survival is threatened. Those will be the challenges that the government has to lead.
Although its focus is often on high-impact, low-probability events, the government has an interest in understanding risk across the board, just as companies have an interest in understanding risk that goes outside their firms. So there is a convergence of questions being asked, decisions being made and, surprisingly, even of objectives. All of this could have the fortuitous effect of creating an era of better and different government, and better and different business. But, there are no guarantees it will happen that way.
The 2008-2009 global financial crisis could inform a whole new vision of how the government should partner with business. But, that is not where we are headed. On one hand, the central take-away of the discussion is that government was not paying attention and did not perform its regulatory functions. On the other hand, it is that businesses were greedy and did not care about the soundness of the financial system.
This crisis should have stimulated a conversation about opportunities for public and private mission sharing. This will have to be an activity in which both sides leave behind the 20th century. The private sector has to leave behind the old adages of don't regulate us, we know what we're doing; the free market can solve its own problems; and resources will be allocated when we let the market determine what will function best. For its part, the government must understand that more compliance directives, more regulation and more standards of different types do not make good use of the capabilities of
Phil Auerswald, George Mason University
publicly-owned facilities and infrastructure, and offering homeowners incentives to do the same, before a disaster occurs.
Create Market Financing for Disasters. Finally, government can partner with the private sector to create innovative financing mechanisms that fund recovery from natural disasters. Floods, storms, earthquakes and heat waves place a huge burden on the public sector, which not only carries the cost of relief efforts but is also responsible for rebuilding public infrastructure.
Moreover, public entities consciously or unconsciously decide to retain risk by not insuring their infrastructure. For example, in 2005, economic losses from natural catastrophes hit a record high, with direct financial losses of $230 billion (0.5 percent of total worldwide GDP). Despite a record insurance payout of more than $83 billion, uninsured direct losses of $150 billion had to be carried by individuals, companies and the public sector. More recently, in 2007, a total of 335 natural catastrophes led to losses of $64 billion across the globe, of which $40 billion were uninsured.[4]
Traditionally, the public sector has adopted a post-event approach to disaster funding, including increasing taxes, reallocating funds from other budget items, accessing domestic and international credit, and borrowing from multilateral financial institutions. Most rely on assistance from international aid.
Pursuing a post-disaster strategy has several potential disadvantages for governments. Funds are diverted from key development projects to pay for emergency relief. Governments must pay the premium to raise new domestic debt in a credit constrained, post-event market, and raising taxes can weaken the economy further and discourage new private investments. Finally, international aid often arrives too late for immediate disaster relief.
[4] Disaster Risk Financing: Reducing the Burden on Public Budgets. Swiss Re, June 2008.
Governments could save considerable amounts by shifting from relief to pre-event risk financing; that is, by setting up solutions that involve financial reserves, contingent debt agreements, insurance and alternative risk transfers. How could this work? One example is catastrophe bonds that transfer risks from the sponsors to market investors. In essence, the bond offers investors an attractive risk/return profile. The issuer invests the capital in low-risk securities (such as treasuries) and the interest plus a premium is paid to the investors. If the bond matures without the pre-specified event occurring, the principal is repaid to the investors, similar to regular bonds. If a catastrophe does occur that triggers the bond, investors may lose some or all of the investment principal they have paid. In that event, the funds are paid to the bond sponsor to cover losses.
We are now facing a new set of risk dichotomies that demand new approaches in the way countries, companies, communities and citizens prepare for and manage risk, and prepare for resilience.
In the 20th century, paradigms of security evolved from Maginot lines to doctrines of containment to firewalls. Each succumbed in its turn to technology and globalization. At the start of the 21st century, the very notion of security defined in terms of perimeter defense or threat containment has become all but obsolete.
Today's threats are too ubiquitous to be isolated and too nimble to be contained.
In such a world, responsible companies and governments are compelled to emphasize accessible actions rather than illusory remedies. In such a world, resilience is no longer an afterthought. It is an imperative.
Challenges for Corporate Risk Managers
Henry Ristuccia
Partner, Deloitte & Touche
Vikram Mahidar
Senior Research Manager, Deloitte
What we find in many companies is that risk management activity is driven by both regulation and business needs. But, the connectors are lacking, both across the organization and up the organizational ladder.
One of the most serious gaps is the disconnect between the risk management functions, where most of the heavy lifting occurs, and the senior executives and governing bodies that are ultimately responsible for risk management. There is no common definition of organizational framework for managing risk, no well understood roles and responsibilities and no way to measure or monitor effectiveness.
A few weeks ago, I asked the CEO of a financial institution (one that has fared better than its peers) how its risk management programs were related to the risks identified in the company's 10K. He said: That's the problem; they don't. The biggest opportunities to transform risk management are in filling in the gaps between the risk management activities and senior managers. These broken links have serious implications for the bottom line: incomplete and inaccurate information, false positives as well as false negatives, and inefficient use of resources.
Many of the following nine principles of a risk-intelligent enterprise focus on a transformation at the executive level. The characteristics of risk intelligence include:
Common definition of risk that addresses both the value preservation and the value creation sides consistently and throughout the organization;
Common risk framework supported by appropriate standards;
Key roles, responsibilities and authorities clearly defined and delineated;
Common risk management infrastructure to support business units and functions;
Appropriate transparency and visibility into risk management processes for the board;
Executive management charged with primary responsibility for designing, implementing and maintaining an effective risk management process;
Business units given responsibility for management of risk within the organizational framework;
Certain functions (finance, legal, IT, HR) provide support to business units with respect to organizational risk management processes; and
Ongoing and objective monitoring and reporting on effectiveness of risk programs.
Henry Ristuccia, Deloitte & Touche; Vikram Mahidar, Deloitte
Survey Results: When asked how they identify and mitigate their top five risks, most company executives said they did not manage risk that way anymore. Rather, they had created a comprehensive framework for risk management that was integrated across the organization and at multiple levels. Respondents indicated that their companies understand risks specific to their industry and business model, and many have instituted a central function charged with orchestrating risk management process, and these processes have been well-received by the business units.

That is the good news. The bad news is that most respondents were not sure whether these best practices are adequate, and they did not know whether their companies are managing risk well or not.
We identified three gaps:

1. The ultimate goal of risk management remains unclear. When we asked, how do you define risk management goals, the answers were literally all over the map. Risk disclosure statements, even within the same industry, are quite disparate, indicating that there is no common understanding of what is important. Even within the same company, there are inconsistencies about what the goal of risk management processes should be.

2. Most executives reported that they do not understand the risk management expectations of major stakeholders, such as investors.

3. Given the uncertainties, companies are finding it difficult to quantify the business impact of emerging risks.
Senior management and board level involvement remains minimal. Getting the right tone and establishing clear goals and consistent processes requires engagement by senior executives. Companies have set up risk committees, but executive involvement remains relatively sparse, as do the reports from the risk committee to the executive committee. One respondent noted that the only time the CXO gets involved is when it is time to sign the SEC filing. Similarly, the balanced scorecards used by the boards contain very few risk measures. We need to balance the balanced scorecard.

Currently, risk seems to be managed from different functional organizations within the company: legal, audit, security. But, frequently, there is no ownership at the executive level. And, the people who manage risk often come from a security, intelligence, compliance or legal background. What is needed are business skills that complement these specialty areas. Risk professionals need to be able to translate what they see into business terms.
James Porter
Vice President and Chief Engineer, Safety, Health & Environment and Engineering (Retired)
DuPont

William Raisch
Director, International Center for Enterprise Preparedness
New York University

Henry Ristuccia
Partner and Leader, Governance and Risk Management
Deloitte & Touche, LLP

Larry E. Rittenberg
Ernst & Young Professor of Accounting & Information Systems
University of Wisconsin
Chair, COSO

Susan Rochford
Vice President, Energy & Sustainability Initiatives
Council on Competitiveness

Steve Ross
Firm Director, Security Services
Deloitte & Touche, LLP

Kenneth Senser
Senior Vice President for Global Security, Aviation and Travel
Wal-Mart Stores, Inc.

Erica Seville
Research Fellow
University of Canterbury

Mark Sibley
Program Director, Business Resilience
Northrop Grumman Information Technology

Steve Spoonamore
Partner
GSP LLC

Christine St. Clare
Advisory Partner
KPMG LLP

Matt Statler
Associate Director, International Center for Enterprise Preparedness
New York University

David W. Stender
Associate CIO for Cybersecurity, Chief Information Security Officer
Internal Revenue Service

Branko Terzic
Senior Energy Consultant
Deloitte & Touche, LLP

Jonathan Tetzlaff
Senior Director, Crisis Management and Threat Analysis
Merck & Co., Inc.

Betsy Thurston
Vice President, Strategic Development
Council on Competitiveness

Steven Trevino
Managing Director
Resilient Civilization Initiative

Debra van Opstal
Senior Vice President
Council on Competitiveness

Deborah L. Wince-Smith
President
Council on Competitiveness

Kirsten Edmondson Wolfe
Vice President, Marketing
CA Inc.

Rob Zanella
Vice President, IT Compliance
CA Inc.

COUNCIL STAFF

David Padgham
Policy Director
Council on Competitiveness

Mildred Porter
Meeting Planner
Council on Competitiveness

Michael Ruthenberg-Marshall
Intern
Council on Competitiveness
Global Risks 2008: A Global Risk Network Report
World Economic Forum, January 2008

The World Economic Forum (WEF) highlights major categories of transnational risk, with emphasis on systemic financial risk, food security, supply chains and energy. Globalization has increased the likelihood of a tragedy of the commons-type outcome by reducing the incentives for any one actor to address problems like pandemics, pollution or global warming. Interdependency has also increased the probability that a disruption in any one region may have significant global repercussions.

The WEF compared the likelihood of 26 core global risks with their predicted severity in terms of economic loss (measured in U.S. dollars).

"It's a whole new ballgame on risk for countries as well as companies."
Transform, Council on Competitiveness
Overview

Globalization, competition, technological complexity, interdependence and speed are fundamentally changing the kinds of risks and competitive challenges that companies and countries face. The competition is getting much better. The world is entering an age in which we'll all be competing with everyone, from everywhere, for everything.1

Technological complexity and interdependence in the global economy are increasing other risks. Extended and interdependent energy, transportation, information and communications networks can quickly magnify the impact of point failures, whether triggered by attack or accident. Operational risks, once thought to be a back office concern and trivial in comparison to market and credit risks, are becoming bet-the-company risks that belong in the boardroom.

Studies may disagree as to which are the greatest risks, but every study underscores the concern of business executives that risks are rising.

1. Globality, Harold Sirkin, James Hemerling and Arindam Bhattacharya. Boston Consulting Group (Boston: 2008)
Core Global Risks and Predicted Severity
Source: World Economic Forum, January 2008

Risk                                           Perceived Likelihood (%, WEF Analysis)   Cost (Severity in Billions of US$)

Economics
Food Insecurity                                5-10                                      50-250
Oil and Gas Price Spike                        10-20                                     250-1,000
Major Fall in US$                              7-12                                      50-250
Slowing Chinese Economy (6%)                   7-12                                      250-1,000
Fiscal Crises in Advanced Economies            1-5                                       50-250
Asset Price Collapse                           17-22                                     >1,000

Geopolitics
International Terrorism                        5-10                                      10-50
Collapse of Nuclear Proliferation Treaty       7-12                                      5-25
Interstate and Civil Wars                      5-10                                      50-250
Failed and Failing States                      10-20                                     30-150
Transnational Crime and Corruption             5-10                                      50-250
Retrenchment from Globalization (Developed)    5-10                                      >1,000
Retrenchment from Globalization (Developing)   7-12                                      50-250
Middle East Instability                        10-20                                     150-625

Environment
Extreme Climate Change Related Weather         7-12                                      50-250
Heat Waves and Droughts                        7-12                                      50-250
Loss of Freshwater                             5-10                                      10-50
Natural Catastrophe: Cyclone                   1-5                                       50-250
Natural Catastrophe: Earthquake                1-5                                       50-250
Natural Catastrophe: Extreme Inland Flooding   1-5                                       30-150

Society
Pandemic                                       5-10                                      250-1,000
Infectious Disease, Developing World           3-8                                       50-250
Chronic Disease, Developed World               10-20                                     150-625
Liability Regimes                              5-10                                      50-250

Technology
CII Breakdown                                  7-12                                      150-625
Emergence of Nanotechnology Risks              1-5                                       10-150
Risk 2018: Planning for an Unpredictable Decade
Economist Intelligence Unit, 2008

In 2008, the Economist Intelligence Unit (EIU) surveyed 600 senior-level executives to evaluate and rank which risks they believed would present the most significant threats to business during the next decade, as well as the level of preparedness of their individual organizations to address each risk.

High Risk/Impact with Less than High Readiness
Climate change
Retrenchment from globalization
Oil price shock
Instability in Middle East
Asset price collapse
International terrorism
Emergence of disruptive business model

High Risk/Impact with High Readiness
Unexpected regulatory change
Global recession
Increased competition from emerging market economies
Talent shortages

The EIU survey noted that: "Risk management appears to be a function in transition. While it retains its responsibilities as a source of assurance that ensures regulatory compliance and helps the organization to avoid loss, it is now expanding beyond this traditional heartland to assume a broader role. Among our survey respondents, there is general agreement that risk management will encompass more strategic activities over the next ten years, with two-thirds expecting an increase in the use of risk management as a strategic tool."

Risk management and controls now have two parallel dimensions: the traditional "keep me out of trouble" side of risk and the emerging "make my business better" aspect. Managing risk effectively can help improve performance, help improve process and strengthen competitive advantage.
Strategic Business Risks 2008
Ernst & Young

Interviews with more than 70 analysts across 20 disciplines by Ernst & Young captured a different set of insights on key risks.
Regulatory and compliance risk
Global financial shocks
Aging consumers and workforce
Inability to capitalize on emerging markets
Industry consolidation/transition
Energy shocks
Execution of strategic transactions
Cost inflation
Radical greening
Consumer demand shifts
Overview

A key theme is that risk management is not just about minimizing losses, but about preserving shareholder value and growing the top line. The first wave of studies extended the lens beyond simply calculating immediate losses from failure in risk management. They linked risk management to long-term earnings and shareholder value. A next wave of studies is needed for a more rigorous examination of the upside potential for value creation.

Disarming the Value Killers
Deloitte & Touche, 2005

The Deloitte study found that many of the largest losses in value among the world's largest global companies resulted from their failures to manage risk effectively and systemically. Almost half of the 1,000 largest global companies suffered declines in share prices of more than 20 percent in a one-month period between 1994 and 2003, relative to the Morgan Stanley Capital International (MSCI) World Index. And the value losses were often long-standing. Roughly one-quarter took more than a year for their share prices to recover, sometimes much longer. By the end of 2003, share prices for one-quarter of these companies had not recovered to their original levels.

The study found that most firms were exposed to more than one type of risk, whether strategic, operational, market or financial, and failed to manage the relationships among these different types of risk. Actions taken to address one type of risk had the potential to increase exposure to other types of risk.
Countering the Biggest Risk of All
Adrian Slywotzky and John Drzik
Harvard Business Review, April 2005

The evidence of strategic risk is becoming ever more apparent. In the past 20 years, there has been a dramatic decrease in the number of stocks receiving a high quality rating by Standard & Poor's and a dramatic increase in the number of low-quality stocks. From 1993-2003, more than one-third of Fortune 1000 companies lost at least 60 percent of their value in a single year.
Many firms have been adopting the practice of enterprise risk management, focusing on financial, hazard and operational risks, but most managers have not systemically addressed the strategic risks that can be a more serious cause of value destruction. The authors categorize strategic risk into seven major classes: industry, technology, brand, competitor, customer, project and stagnation.

"A risk-intelligent enterprise knows when to avoid danger and when to take a chance. It doesn't just stay in business. It prospers."
James Quigley, CEO, Deloitte
Fortune Magazine, "Weathering Any Storm," March 19, 2007
Managing for strategic risks can often turn defensive moves into offensive opportunities. Besides limiting the downside, strategic risk management helps managers improve the odds of success by forcing them to think more systematically about the future and helping to identify opportunities for growth.
Airbus's focus on a collaborative model that would help its member companies to escape shrinking margins enabled it to create sufficient market share to become a true rival to Boeing. For American Express, the fundamental change in its brand investment mix, in response to competitive threats from other bank cards, set off a decade of growth. For Target, shifting its focus to a customer segment that was different from Wal-Mart's not only helped it sidestep a new competitor but sparked profitable growth.

[Figure: Strategic Risks are Growing. Percentage of 3000 S&P-rated stocks classified as high-quality versus low-quality, 1985 to 2003. Source: Harvard Business School Review, April 2005. Note: High-quality stocks include those rated A+, A and A-. Low quality stocks include those rated B, B-, C and D.]
While managers often see a trade-off between risk and reward, creative risk management combined with a good business model can allow a company to improve in both areas. This is analogous to the evolution, 30 years ago, from a cost-quality trade-off to total quality management, which achieved lower costs and higher quality simultaneously.
The Effect of Supply Chain Disruptions on Long-Term Shareholder Value, Profitability and Share Price Volatility
Vinod Singhal and Kevin Hendricks
The Logistics Institute, 2005

Researchers looking at the impact of supply chain disruptions found that such events can be catastrophic for businesses and their shareholders. Based on a sample of more than 800 companies that announced a supply chain disruption between 1989 and 2000, 33-40 percent experienced lower stock returns than their industry peers, regardless of industry, cause of disruption or time period. Such firms experienced 7 percent lower sales growth and 11 percent higher costs.

The study shows that firms that experience disruptions, on average, experience a 107 percent decrease in operating income, 114 percent decrease in return on sales, and 92 percent decrease in return on assets. Changes in operating income, sales, total costs and inventories remained negative in the two years after the problems were disclosed.
Innovators in Supply Chain Security: Better Security Drives Business Value
Stanford and Manufacturing Research Institute, National Association of Manufacturers, 2006

International trade is no longer just about moving goods quickly and cheaply. In this age of global terrorism, there is a third element: it is about moving goods quickly, efficiently and securely. Some of the implications of the 9/11 events include an increase of 15 percent in airfreight costs and an increase of 20 percent in the costs of commercial insurance premiums to about $30 billion per year. New security measures following 9/11 are estimated to cost the U.S. economy alone more than $150 billion, of which $65 billion is for changes in supply chains.

The study also quantified benefits, through case studies of eleven major manufacturers and three logistics providers, that have the potential to offset or exceed the costs of security, including:
Improved product safety (38 percent reduction in theft/loss/pilferage, 37 percent reduction in tampering);
Improved inventory management (14 percent reduction in excess inventory, 12 percent increase in reported on-time delivery);
Improved supply chain visibility (50 percent increase in access to supply chain data, 30 percent increase in timeliness of shipping information);
Improved product handling (43 percent increase in automated handling of goods);
Process improvements (30 percent reduction in process deviations);
More efficient customs clearance process (49 percent reduction in cargo delays, 48 percent reduction in cargo inspections/examinations);
Speed improvements (29 percent reduction in transit time, 28 percent reduction in delivery time window);
Resilience (close to 30 percent reduction in problem identification time, response time to problems and in problem resolution time); and
Higher customer satisfaction (26 percent reduction in customer attrition and 20 percent increase in number of new customers).
The Business Value of Resilience
Council on Competitiveness, Transform. Company Vignettes

Wal-Mart
Wal-Mart's reputation for supply chain gymnastics was showcased during Hurricane Katrina, when the company was able to bring 66 percent of its stores in the affected region back into operation within 48 hours, and 93 percent within seven days. But, its supply chain sophistication was not developed as a disaster management tool, and in fact, the investment could not have been justified solely on disaster preparedness grounds.

The inventory visibility and supply chain agility are rooted in a business model that requires quick changes in the merchandise mix as a source of competitive advantage and new business opportunities, and robustness in its information and logistics systems. Resilience has been embedded in the company's DNA to handle peak requirements.

Georgetown
The availability of student housing is a critical part of the university's business continuity. If housing is not available, then one of the main sources of operating revenue, tuition, is also at risk. Georgetown undertook a project to improve residence hall safety standards that exceeded code, installing sprinklers and other equipment, resulting in a significant decrease in its insurance premiums. The university took these savings and increased its business interruption insurance fivefold (well before Katrina). That became a positive factor in determining the university's rating and cost of capital in a subsequent bond issue.

Waste Management
After 9/11 and a break-in a few months later at a landfill in Cut and Shoot, Texas, that destroyed half a million dollars in heavy equipment, Waste Management began to investigate the benefits of a state-of-the-art security operations center. It