Enterprise Risk Management
Introduction(Part 1)
John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale, Florida
1-954-961-1674 – [email protected]
http://JohnGlennMBCI.com
Overview
Enterprise Risk Management (ERM) is also known as
• Business Continuity
• Continuation Of Operations (COOP)
Enterprise Risk Management is not Information Technology Disaster Recovery (IT D/R), although IT D/R is an integral part of Enterprise Risk Management
What’s in a name? Enterprise Risk Management (ERM) defined
Enterprise: The entire organization, working from the profit center(s) out; holistic, all-inclusive
Risk: All risks, both external and internal; no risk is overlooked or considered “out-of-scope”
Management: Control threats through avoidance or mitigation; plan recovery to “business as usual”
Program or project
• Success or failure
• ROI or wasted effort and funds
Enterprise Risk Management, to be successful, must be an on-going program; while there is a beginning, there is no end
The program usually consists of projects, each with specific milestones
Who’s in charge?
• The ideal candidate to sponsor an Enterprise Risk Management program (best) or project is a very senior manager with fiduciary responsibilities, e.g., CEO, CFO, COO
Who is NOT in charge
Functional unit C*Os and VPs (e.g., VP/MIS, CIO) properly are function focused and lack enterprise fiduciary responsibility; they also may be perceived as working primarily for the good of their unit vs. the good of the overall organization
Crossing silos
Enterprise Risk Management is concerned with threats to “business as usual” from all directions
Enterprise Risk Management focuses on PROCESSES and follows critical processes from initiation to completion
Risk Management Humor
Passengers board ABC Airlines Flight 13
The pilot’s voice comes over the intercom
“Ladies & gentlemen, welcome to ABC Airlines Flight 13
“This is ABC’s first fully automated flight; the only ABC personnel on board are the Flight Attendants
“Everything is computer controlled
“Nothing can possibly go wrong, go wrong, go . . .
Abbreviated flow diagram
What could possibly go wrong?
Threats to “business as usual” - 1
Threats to “business as usual” come from external vendors
• Materials suppliers
• Utilities suppliers
• Money suppliers
• Transportation providers
• “Ubiquitous others”
Threats to “business as usual” - 2
Threats to “business as usual” come from internal vendors
• Facilities
• HR/Personnel
• Office support (Accounting, Mailroom, etc.)
• IT
• “Ubiquitous others”
Threats to “business as usual” - 3
Threats to “business as usual” come from
• Government, trade groups, regulators
• Customers
• Competition
• Image (company, product, associations)
• Neighbors
• Events (holidays)
• “Ubiquitous others”
Prioritize threats
• Threats are rated by
  – Probability of occurrence
  – Impact on organization
  – You set the scale: Low-Medium-High, or 1 to 3, 5, 10
• Avoidance & mitigation costs are not an issue at this point
Avoid, Mitigate, or Absorb
Threats can be
• Avoided: usually the “high cost” option
• Mitigated: typically less expensive than avoidance, but with trade-offs; mitigation includes insurance coverage
• Absorbed: the organization will accept the loss
Threat chart
Create a chart to list all threats to “business as usual”
• This is best accomplished in groups
• An amanuensis is a must
• A white board that can “write” to memory is useful
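The three steps above (rate every threat on a chosen scale, rank them with cost ignored, then record avoid / mitigate / absorb once the decision makers have spoken) are mechanical enough to keep in a small threat register. The following is an added illustration, not material from the deck or from the practitioner; the register class, the probability × impact score, the 3-level scale labels and the four sample threats are all constructed assumptions.

```python
# Added example (not from the deck): a minimal threat register that performs the
# rate -> rank -> disposition steps described on the slides. Scale, field names
# and the sample threats are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Disposition(Enum):
    AVOID = "avoid"        # usually the high-cost option
    MITIGATE = "mitigate"  # includes insurance coverage
    ABSORB = "absorb"      # the organization accepts the loss


@dataclass
class Threat:
    name: str
    source: str                                 # external vendor, internal vendor, other
    probability: int                            # rating on the register's scale, 1..scale_max
    impact: int                                 # rating on the same scale
    disposition: Optional[Disposition] = None   # left empty until the decision makers choose


class ThreatRegister:
    """Threat chart: every threat is listed, rated and ranked; cost is ignored here."""

    def __init__(self, scale_max: int = 3):
        # scale_max selects the scale: 3 for Low-Medium-High, or 5, 10, ...
        if scale_max < 2:
            raise ValueError("scale needs at least two levels")
        self.scale_max = scale_max
        self.threats: List[Threat] = []

    def add(self, threat: Threat) -> Threat:
        # No threat is out of scope, but every rating must sit on the agreed scale.
        for value, what in ((threat.probability, "probability"), (threat.impact, "impact")):
            if not 1 <= value <= self.scale_max:
                raise ValueError(f"{threat.name}: {what} {value} outside 1..{self.scale_max}")
        self.threats.append(threat)
        return threat

    @staticmethod
    def score(threat: Threat) -> int:
        # Probability of occurrence times impact on the organization.
        return threat.probability * threat.impact

    def label(self, value: int) -> str:
        # Human-readable rating; only the 3-level scale gets words.
        if self.scale_max == 3:
            return {1: "Low", 2: "Medium", 3: "High"}[value]
        return str(value)

    def ranked(self) -> List[Threat]:
        # Highest score first; ties broken by impact, then name, so the order is stable.
        return sorted(self.threats, key=lambda t: (-self.score(t), -t.impact, t.name))

    def decide(self, name: str, disposition: Disposition) -> None:
        # Recorded after the Corporate Suite reviews the recommendations.
        for t in self.threats:
            if t.name == name:
                t.disposition = disposition
                return
        raise KeyError(name)

    def undecided(self) -> List[str]:
        # Threats still awaiting an avoid / mitigate / absorb decision, in priority order.
        return [t.name for t in self.ranked() if t.disposition is None]

    def chart(self) -> List[str]:
        # Text rendering of the threat chart, one line per threat.
        lines = [f"{'Rank':<4} {'Threat':<28} {'Source':<22} {'Prob':<7} "
                 f"{'Impact':<7} {'Score':<5} Disposition"]
        for i, t in enumerate(self.ranked(), 1):
            disp = t.disposition.value if t.disposition else "(pending)"
            lines.append(f"{i:<4} {t.name:<28} {t.source:<22} {self.label(t.probability):<7} "
                         f"{self.label(t.impact):<7} {self.score(t):<5} {disp}")
        return lines


def build_sample_register() -> ThreatRegister:
    # Constructed sample threats drawn from the slide categories (external and internal vendors).
    reg = ThreatRegister(scale_max=3)
    reg.add(Threat("Regional power outage", "utility (external)", 2, 3))
    reg.add(Threat("Sole-source part shortage", "materials (external)", 2, 2))
    reg.add(Threat("Payroll system outage", "IT (internal)", 1, 3))
    reg.add(Threat("Mailroom delivery delay", "office support (internal)", 3, 1))
    reg.decide("Regional power outage", Disposition.MITIGATE)
    reg.decide("Mailroom delivery delay", Disposition.ABSORB)
    return reg


if __name__ == "__main__":
    print("\n".join(build_sample_register().chart()))
```

The score is deliberately the product of the two ratings and nothing else; avoidance and mitigation cost enters only later, when the decision makers assign a disposition, which is why the register keeps that field separate from the ranking.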
Decision makers
The residents of the Corporate Suite review the recommendations and determine
• Confirm or change priorities based on business plans
• What measures are to be implemented to deal with each threat
• When to implement the threat avoidance or mitigation measures
Smart management listens to its Subject Matter Experts (SMEs)
About the practitioner
• More than 13 years experience
• Certified by the Business Continuity Institute
• Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations
• Currently Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states
Enterprise Risk Management
An Introduction (Part 2)
John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale, Florida
1-954-961-1674 – [email protected]
http://JohnGlennMBCI.com
Best laid plans of mice & men
When the “best laid plans of mice and men” still fail to fully protect the organization, there must be a plan to “restore to business as usual”
• Efficiently
• Economically
• Expeditiously
Many mini-plans
Enterprise Risk Management is at once top down and bottom up
Top down since enterprise resources may be utilized to restore to “business as usual”
Bottom up since each functional unit needs its own mini-risk management plan
Why mini-plans?
Each functional unit – profit center or resource – needs its own “mini” plan
If a threat is isolated to one functional unit, the mini-plan should guide responders to determine if the unit can be recovered before there is impact on other functional units
Recovery “by the numbers”
Each mini-plan, and the organization’s overall plan, includes procedures to restore critical processes
• Procedures are prepared by functional unit Subject Matter Experts (SMEs)
• Procedures are documented (by SMEs or others)
• Procedures are validated by NON-SMEs to assure completeness and clarity
Practice makes perfect
Restoration procedures must be practiced
• So responders understand their tasks
• So responders’ confidence is enhanced
• So any plan deficiencies are discovered and eliminated
There are various exercise levels, from walk-throughs to “pull the switch”
Exercises, never “tests”
Who responds?
Every response task needs at least two responders, a primary and an alternate
• People get sick, go on vacation, change jobs, go to courses away from the work place
• Both primary and alternate must be able to do the task
• Rank is not a consideration in selecting responders
Planning ahead
A few things to consider before an event
• Press releases, and who will give them; different emphasis for different audiences
• Policies and procedures: work periods, family considerations, etc.; furlough of non-essential personnel
• Relocation options
Training
• Personnel awareness & safety training: sights, sounds, smells
• Evacuation & in-place sheltering
• What to do if someone refuses to leave the building (evacuation) or to stay inside the building (in-place sheltering); the lawyers say . . .
Plan maintenance
When to review the plan
• Depending on organization’s dynamics
• By trigger word changes, the “P” words: Personnel, Place (location), Politics (licensing, regulations, zoning), Procedure, Process, Product, Providers (vendors), Purchasers (clients)
Planner’s role
An experienced practitioner should be involved in creating the plan and monitoring the program, either
• As in-house staff, to manage the process and mentor functional unit staff contributing to the plan
• As a consultant and mentor to in-house personnel assigned planning tasks
Plan benefits
• Potentially lower costs
• Reduced risk impact through avoidance, mitigation
• More efficient, expeditious recovery
• Adjusted insurance coverage
• PR – “We have a plan, therefore we assure product delivery”
• Enhanced employee loyalty: employees know management cares about them
• Possibly enhanced stock and bond ratings