Enterprise Risk Management Introduction (Part 1) John Glenn, MBCI Enterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – JohnGlennMBCI@gmail.com http://JohnGlennMBCI.com
Overview • Enterprise Risk Management (ERM) is also known as • Business Continuity • Continuation Of Operations (COOP) • Enterprise Risk Management is not • Information Technology Disaster Recovery (IT D/R), although IT D/R is an integral part of Enterprise Risk Management
What’s in a name? • Enterprise Risk Management (ERM) defined • Enterprise: The entire organization, working from the profit center(s) out; holistic, all-inclusive • Risk: All risks, both external and internal; no risk is overlooked or considered “out-of-scope” • Management: Control threats through avoidance or mitigation; plan recovery to “business as usual”
Program or project • Success or failure • ROI or wasted effort and funds • Enterprise Risk Management, to be successful, must be an on-going program; while there is a beginning, there is no end • The program usually consists of projects, each with specific milestones
Who’s in charge? • The ideal candidate to sponsor an Enterprise Risk Management program (best) or project is a very senior manager with fiduciary responsibilities, e.g., CEO, CFO, COO
Who is NOT in charge • Functional unit C*Os and VPs (e.g., VP/MIS, CIO) properly are function focused and lack enterprise fiduciary responsibility; they also may be perceived as working primarily for the good of their unit vs. the good of the overall organization
Crossing silos • Enterprise Risk Management is concerned with threats to “business as usual” from all directions • Enterprise Risk Management focuses on PROCESSES and follows critical processes from initiation to completion
Risk Management Humor Passengers board ABC Airlines Flight 13. The pilot’s voice comes over the intercom: “Ladies & gentlemen, welcome to ABC Airlines Flight 13. This is ABC’s first fully automated flight; the only ABC personnel on board are the Flight Attendants. Everything is computer controlled. Nothing can possibly go wrong, go wrong, go . . .”
Abbreviated flow diagram (figure not reproduced) • What could possibly go wrong?
Threats to “business as usual” - 1 • Threats to “business as usual” come from external vendors • Materials suppliers • Utility suppliers • Money suppliers • Transportation providers • “Ubiquitous others”
Threats to “business as usual” - 2 • Threats to “business as usual” come from internal vendors • Facilities • HR/Personnel • Office support (Accounting, Mailroom, etc.) • IT • “Ubiquitous others”
Threats to “business as usual” - 3 • Threats to “business as usual” come from • Government, trade groups, regulators • Customers • Competition • Image (company, product, associations) • Neighbors • Events (holidays) • “Ubiquitous others”
Prioritize threats • Threats are rated by • Probability of occurrence • Impact on organization • You set the scale • Low-Medium-High • 1 to 3, 1 to 5, or 1 to 10 • Avoidance & mitigation costs are not an issue at this point; rate the threat first, price the response later
Avoid, Mitigate, or Absorb • Threats can be • Avoided: usually the “high cost” option • Mitigated: typically less expensive than avoidance, but with trade-offs • Mitigation includes insurance coverage • Absorbed: the organization accepts the loss
Threat chart • Create a chart to list all threats to “business as usual” • This is best accomplished in groups • An amanuensis (a dedicated note-taker) is a must • A white board that can “write” to memory is useful
Decision makers • The residents of the Corporate Suite review the recommendations and • Confirm or change priorities based on business plans • Decide what measures are to be implemented to deal with each threat • Decide when to implement the threat avoidance or mitigation measures • Smart management listens to its Subject Matter Experts (SMEs)
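The three slides above (rate by probability and impact on a scale you choose, decide avoid/mitigate/absorb, keep it all in one chart) are easy to do badly in a spreadsheet: scales drift between workshops and the chart is never re-sorted. The following is an added example, not part of the original presentation, of a small threat-chart register that validates scores against one declared scale, ranks threats by probability × impact, and records the treatment decision. Threat names, scores, sources and treatments are constructed sample data; the band thresholds (thirds of the maximum possible score) are an assumption, not a rule from the slides.

```python
"""Threat chart with probability/impact prioritization.

Added example (not from the original presentation). Scale, band
thresholds and sample threats are assumptions for illustration.
"""
from dataclasses import dataclass

TREATMENTS = ("avoid", "mitigate", "absorb")   # the three options on the slide


@dataclass
class Threat:
    name: str
    source: str            # external vendor, internal vendor, regulator, customer, ...
    probability: int       # 1..scale_max, "you set the scale"
    impact: int            # 1..scale_max
    treatment: str = "absorb"   # default until the decision makers choose
    notes: str = ""


class ThreatChart:
    """Register of threats rated on one shared scale (e.g. 1..3, 1..5, 1..10)."""

    def __init__(self, scale_max: int = 5):
        if scale_max < 2:
            raise ValueError("scale needs at least two steps")
        self.scale_max = scale_max
        self.threats: list[Threat] = []

    def add(self, threat: Threat) -> None:
        # Reject scores off the declared scale so one workshop's "8 out of 10"
        # does not silently outrank another's "3 out of 3".
        for label, value in (("probability", threat.probability), ("impact", threat.impact)):
            if not 1 <= value <= self.scale_max:
                raise ValueError(f"{threat.name}: {label}={value} outside 1..{self.scale_max}")
        if threat.treatment not in TREATMENTS:
            raise ValueError(f"{threat.name}: treatment must be one of {TREATMENTS}")
        self.threats.append(threat)

    def score(self, threat: Threat) -> int:
        return threat.probability * threat.impact

    def band(self, threat: Threat) -> str:
        # Assumed banding: thirds of the maximum possible score.
        max_score = self.scale_max ** 2
        s = self.score(threat)
        if s >= 2 * max_score / 3:
            return "High"
        if s >= max_score / 3:
            return "Medium"
        return "Low"

    def ranked(self) -> list[Threat]:
        # Highest score first; on equal scores the higher-impact threat ranks
        # above the more frequent one, since impact drives recovery cost.
        return sorted(self.threats, key=lambda t: (self.score(t), t.impact), reverse=True)

    def decide(self, name: str, treatment: str, notes: str = "") -> None:
        """Record the Corporate Suite's avoid/mitigate/absorb decision."""
        if treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}")
        for t in self.threats:
            if t.name == name:
                t.treatment, t.notes = treatment, notes
                return
        raise KeyError(name)

    def render(self) -> str:
        rows = [f"{'#':>2} {'Threat':<40} {'Src':<16} P I Score Band   Treatment"]
        for i, t in enumerate(self.ranked(), 1):
            rows.append(f"{i:>2} {t.name:<40} {t.source:<16} {t.probability} {t.impact} "
                        f"{self.score(t):>5} {self.band(t):<6} {t.treatment}")
        return "\n".join(rows)


def sample_chart() -> ThreatChart:
    """Constructed sample register on a 1..5 scale (illustrative data only)."""
    chart = ThreatChart(scale_max=5)
    chart.add(Threat("New export regulation blocks shipments", "regulator", 4, 5))
    chart.add(Threat("Regional power outage over 4 hours", "external vendor", 4, 4))
    chart.add(Threat("Ransomware on order-processing system", "internal (IT)", 3, 5))
    chart.add(Threat("Sole materials supplier insolvency", "external vendor", 2, 5))
    chart.add(Threat("Key SME resigns", "internal (HR)", 4, 2))
    chart.add(Threat("Flood at headquarters", "neighbors/events", 1, 5))
    chart.decide("Regional power outage over 4 hours", "mitigate", "generator + fuel contract")
    chart.decide("Flood at headquarters", "absorb", "insured; low probability")
    return chart


if __name__ == "__main__":
    print(sample_chart().render())
```

Costs do not appear in the register, matching the slide: the chart ranks threats on probability and impact alone, and the avoid/mitigate/absorb column is filled in afterwards by whoever holds the budget.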
About the practitioner • More than 13 years experience • Certified by the Business Continuity Institute • Created complete enterprise, key business unit, and IT-specific plans for Defense, Energy, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations • Currently Manager of Business Continuity for a defense industry leader managing 47 sites in 17 states
Enterprise Risk Management an introduction (Part 2) John Glenn, MBCI Enterprise Risk Management practitioner Hollywood/Fort Lauderdale Florida 1-954-961-1674 – JohnGlennMBCI@gmail.com http://JohnGlennMBCI.com
Best laid plans of mice & men • When the “best laid plans of mice and men” still fail to fully protect the organization, there must be a plan to “restore to business as usual” • Efficiently • Economically • Expeditiously
Many mini-plans • Enterprise Risk Management is at once top down and bottom up • Top down since enterprise resources may be utilized to restore to “business as usual” • Bottom up since each functional unit needs its own mini-risk management plan
Why mini-plans? • Each functional unit – profit center or resource – needs its own “mini” plan • If a threat is isolated to one functional unit, the mini-plan should guide responders to determine if the unit can be recovered before there is impact on other functional units
Recovery “by the numbers” • Each mini-plan, and the organization’s overall plan, includes procedures to restore critical processes • Procedures are prepared by functional unit Subject Matter Experts (SMEs) • Procedures are documented (by SMEs or others) • Procedures are validated by NON-SMEs to assure completeness and clarity
Practice makes perfect • Restoration procedures must be practiced • So responders understand their tasks • So responders’ confidence is enhanced • So any plan deficiencies are discovered and eliminated • There are various exercise levels • Walk-throughs to “pull the switch” • Exercises, never “tests”
Who responds? • Every response task needs at least two responders, a primary and an alternate • People get sick, go on vacation, change jobs, go to courses away from the work place • Both primary and alternate must be able to do the task • Rank is not a consideration in selecting responders
Planning ahead • A few things to consider before an event • Press releases, and who will give them • Different emphasis for different audiences • Policies and procedures • Work periods, family considerations, etc. • Furlough of non-essential personnel • Relocation options
Training • Personnel awareness & safety training • Sights, sounds, smells • Evacuation & in-place sheltering • What to do if someone refuses to • Leave the building (evacuation) • Stay inside the building (in-place sheltering) • The lawyers say . . .
Plan maintenance • When to review the plan • Depending on organization’s dynamics • By trigger word changes, “P” words • Personnel • Place (location) • Politics (licensing, regulations, zoning) • Procedure • Process • Product • Providers (vendors) • Purchasers (clients)
Planner’s role • An experienced practitioner should be involved in creating the plan and monitoring the program either • As in-house staff, to manage the process and mentor functional unit staff contributing to the plan • As a consultant and mentor to in-house personnel assigned planning tasks
Plan benefits • Potentially lower costs • Reduced risk impact through avoidance, mitigation • More efficient, expeditious recovery • Adjusted insurance coverage • PR – “We have a plan, therefore we assure product delivery” • Enhanced employee loyalty • Employees know management cares about them • Possibly enhanced stock and bond ratings