Minimizing Enterprise Risk
FT Prentice Hall FINANCIAL TIMES
In an increasingly competitive world, we believe it’s quality of thinking that will give you the edge – an idea that opens new doors, a technique that solves a problem, or an insight that simply makes sense of it all. The more you know, the smarter and faster you can go. That’s why we work with the best minds in business and finance to bring cutting-edge thinking and best learning practice to a global market. Under a range of leading imprints, including Financial Times Prentice Hall, we create world-class print publications and electronic products bringing our readers knowledge, skills and understanding which can be applied whether studying or at work.
To find out more about our business publications, or tell us about the books you’d like to find, you can visit us at www.business-minds.com
For other Pearson Education publications, visit www.pearsoned-ema.com
Minimizing Enterprise Risk A practical guide to risk and continuity
CORINNE A. GREGORY
IT Briefings’ Series Editor: Sebastian Nokes
An imprint of Pearson Education
London ■ New York ■ Toronto ■ Sydney ■ Tokyo ■ Singapore ■ Hong Kong ■ New Delhi ■ Madrid ■ Paris ■ Amsterdam ■ Munich ■ Milan ■ Stockholm ■ Cape Town
PEARSON EDUCATION LIMITED
Head Office: Edinburgh Gate, Harlow CM20 2JE
Tel: +44 (0)1279 623623
Fax: +44 (0)1279 431059
London Office: 128 Long Acre, London WC2E 9AN
Tel: +44 (0)20 7447 2000
Fax: +44 (0)20 7447 2170
Website: www.briefingzone.com

First published in Great Britain in 2003
© Corinne A. Gregory 2003
The right of Corinne A. Gregory to be identified as author of this work has been asserted by her in accordance with the Copyright, Designs and Patents Act 1988.
ISBN 0 273 66158 2
British Library Cataloguing in Publication Data
A CIP catalogue record for this book can be obtained from the British Library.
All rights reserved; no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without either the prior written permission of the Publishers or a licence permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1P 0LP.
This book may not be lent, resold, hired out or otherwise disposed of by way of trade in any form of binding or cover other than that in which it is published, without the prior consent of the Publishers.
10 9 8 7 6 5 4 3 2 1
Typeset by Monolith – www.monolith.uk.com
Printed and bound in Great Britain by Ashford Colour Press Ltd, Gosport, Hants.
The Publishers’ policy is to use paper manufactured from sustainable forests.
About the series editor
Sebastian Nokes is Series Editor for the IT Management series within the Financial Times Prentice Hall Executive Briefings and has written and co-written several works on the subject. These Briefings are designed to provide concise, focused knowledge, concerning critical IT issues facing managers today. They deliver the information and insight needed to evaluate situations and make informed decisions. Sebastian is a partner at Kimbell Evaluation Ltd, a leading consulting and analytical firm. Kimbell Evaluation was co-founded by Sebastian and helps clients measure and manage value added by information technology, both in stable organizations and in business or divisional turnarounds. His consulting clients include international financial institutions and commercial corporations. Sebastian began his career in the IT and investment banking industries, and has been an employee of Credit Suisse First Boston and IBM. He was educated at London University, served in the 2nd KEO Goorkhas, and holds finance and engineering qualifications. Sebastian may be contacted via
[email protected]
About the author
Corinne A. Gregory is President of the HartGregory Group, which is dedicated to serving the technology and business world through writing, editing, speaking and consulting. Corinne has over 17 years of product engineering, product marketing, corporate marketing and business development experience. She is a recognized visionary in emerging technologies and how businesses can use them to solve business problems. Corinne is a frequent speaker at technology and business conferences, and writer and editor for leading industry analyst groups as well as major publishing houses such as Prentice Hall-PTR, Financial Times, Mightywords, Texere and others. Her expertise in developing business-critical information systems has been recognized by leading tools vendors for whom she has served as a member of several product advisory councils. Corinne’s publishing and writing background includes over eight years of technical writing, review and editing. She is the author of Enterprise Portals: The business case for enterprise information portals, published by Financial Times Prentice Hall, 2002. She is presently the editor for ‘Harris Kern’s Enterprise Computing Institute: Solutions for IT Professionals’ series (published by Prentice Hall-PTR). She also writes, edits and reviews white papers for some of the leading industry analyst groups. Corinne always welcomes comment and feedback about her work and can be reached at
[email protected]
Contents
List of abbreviations xi
Acknowledgements xiii
Executive summary xv
1 Introduction to enterprise risk analysis, management and business continuity 1
    Introduction 3
    The problem of enterprise risk 4
    Definitions and types of enterprise risk 6
    Pieces of the puzzle: enterprise risk means integrated risks 13
    The state of business continuity today 19
    The bottom line 21
2 What is enterprise risk management? 23
    Introduction 25
    Definition and components of enterprise risk management 25
    Who is responsible for ERM? 26
    Benefits of enterprise risk management 29
    Components of enterprise risk management 30
    Recent additions to ERM considerations 35
    The cost of ERM 43
    The bottom line 45
3 Planning for enterprise continuity 47
    Introduction 49
    The phases of ERM/BCP: review, respond, recover 49
    Risk analysis and assessment 50
    Business continuity and contingency planning 51
    Response and resumption 56
    Business recovery 62
    Review and re-evaluation 63
    The bottom line 64
4 Developing an enterprise risk management programme 67
    Introduction 69
    Programme vision and justification 70
    Programme initiation and management selection 71
    Risk identification and assessment 72
    Assessing and analyzing the risks 76
    Risk control and mitigation 81
    Testing and implementing preventive measures 84
    Conducting legal reviews 85
    Developing contingency plans 86
    The bottom line 90
5 Managing risk in the digital age 93
    Introduction 95
    The growing concerns over digital risk 95
    Digital disasters travel at ’Net speed 97
    Effective measures for managing digital risk 98
    The bottom line 101
6 Conclusions 103
    Enterprise risks are real and growing 105
    Enterprise-level risks are interconnected risks 105
    The goal of ERM – continuity 105
    Growing role of ‘e’ in business brings additional risks 106
    The insurance policy you hope you never need 106
Glossary 109
Additional resources 119
Abbreviations
24/7 – 24 hours a day, seven days a week
ARIA – American Risk and Insurance Association
BCP – business continuity/contingency planning
BIA – business impact analysis
CEO – chief executive officer
CFO – chief financial officer
CIO – chief information officer
CRM – customer relationship management
CRO – chief risk officer
CSC – Computer Sciences Corporation
CSI – Computer Security Institute
CSTB – Computer Science and Telecommunications Board
DoS – denial of service
EAP – employee assistance programme
EDP – electronic data processing
ERM – enterprise risk management
ERP – enterprise resource planning
FEMA – Federal Emergency Management Agency
GARP – Global Association of Risk Professionals
HVAC – heating, ventilation and cooling system
ICS – incident command centre
IRMI – International Risk Management Institute
IT – information technology
NASDAQ – National Association of Securities Dealers Automated Quotations system
NYSE – New York Stock Exchange
OSHA – Occupational Safety and Health Administration
QA – quality assurance
RMA – Risk Management Association
SEC – Securities and Exchange Commission
SIM – Society for Information Management
SIMEX – Singapore Money Exchange
UPS – uninterruptible power supply
WTC – World Trade Center
Y2K – Year 2000 – the ‘Millennium Bug’
Acknowledgements
There are a number of people who have helped bring this briefing together who deserve a large measure of thanks. Sebastian Nokes, editor of this series, for everything he has done and continues to do in what has developed as a top-notch working relationship. Peter H. Gregory and Rebecca Lyles, readers and reviewers – helping to ensure I was not writing myself in circles as I worked during the wee hours to try to make up for time lost due to illness. To my mother who always believed in me, to my husband and to my children for being patient and praying every night before dinner ‘for mommy’s book to get done’ and who make my life so worthwhile. And, finally, Thomas Koulopoulos, president of the Delphi Group, who, while he was not involved directly in this book, has had an enormous effect on my writing and speaking career through his continued encouragement and advice.
Executive summary
INTRODUCTION
It should come as no surprise to anyone that one of today’s hottest topics in business concerns the assessment of the security of people, places and things. The World Trade Center bombing on 11 September 2001 served as a harsh wake-up call to all businesses, everywhere, to the vulnerabilities of our industries, commerce organizations and financial markets to the effects of business disruption. While certainly no one would call the WTC event and other similar disasters a ‘good thing’, there have been positive actions occurring as a result of these crises: businesses have begun to realize that they need to be aware of and address the level of risk their organizations face, not only in times of emergency, but also on a day-to-day basis. Moreover, while many organizations previously may have believed that the primary sources of risk involved only isolated areas within the company itself – such as within the IT department or finance groups – it is becoming evident that there is more, in fact much more, to assessing and planning for business risk.
This briefing will present, define and discuss the importance of risk management and business continuity efforts in today’s enterprises. The goal for this discussion is to educate organizations on the nature and effects of enterprise-level business risks, not just those which are financial or technology-related. It covers topics such as the business issues, the scope of the problem, market statistics and the impact of business disruption on organizations. It cites recent examples (such as the WTC outrage, denial of service attacks, telecom outages) to give a foundation for the premise that this is no longer just a problem limited to technology or other isolated areas of the business, but that it is an interrelated business problem. Most importantly, however, it offers readers a practical guide on how to identify, mitigate and prepare for business risks in their own organizations, allowing their businesses to resume operations as quickly as possible, with minimal impact.
HOW THIS BRIEFING IS ORGANIZED
■ Chapter 1, Introduction to enterprise risk analysis, management and business continuity, discusses the problem and nature of enterprise risk, and defines and describes the four major categories of risk to the enterprise. This chapter describes how risks cannot be considered in isolation from each other; today’s vastly interconnected business processes require that risks be considered as related pieces of one larger puzzle. The impacts and issues of ERM in today’s business arena complete this chapter.
■ Chapter 2, What is enterprise risk management?, introduces the key concepts of ERM, its overall scope and individual components, and explanations of when and by whom it is carried out in the organization. This chapter also catalogues a number of recent considerations in the ERM spectrum, many of them brought about by the disasters of 11 September and other ‘extreme events’. Finally, the chapter concludes with a discussion of the costs of implementing full-scale ERM vs. the costs of not doing ERM.
■ Chapter 3, Planning for enterprise continuity, offers the argument that the enterprise should not be interested in merely planning for contingency, but continuity of operations should be its ultimate goal and reason for implementing full-scale ERM. This chapter presents an overview of the phases, elements and philosophies involved in business continuity planning and how enterprise-level risk management supports this paradigm.
■ Chapter 4, Developing an enterprise risk management programme, covers the steps involved in initiating and creating an organization-wide risk management plan. Practical approaches for performing risk identification, assessment and business impact analysis are offered. Additionally, the components of and processes for developing, testing and implementing a contingency plan are presented. This chapter describes how a truly effective business continuity/contingency plan must be continually reviewed, updated and kept current in order to appropriately serve the needs of the organization in the event of a disaster or adverse incident.
■ Chapter 5, Managing risk in the digital age, presents a discussion of the types of additional risks to which enterprises are now vulnerable as a result of the growing trend of e-commerce and Internet interchange. While previous chapters touched on some of the concepts, this chapter goes into further detail about the types of risks that exist, the increasing number of incidents and their growing impact, and presents some practical approaches for mitigating these threats and minimizing their effect.
The briefing concludes with an appendix that contains an extensive glossary of the terms used in this briefing and others related to enterprise risk and business continuity. There is also a section that lists a number of valuable resources and contact information for organizations interested in learning more about issues on enterprise risk management or business continuity, or for those seeking to begin their own ERM programme.
1 Introduction to enterprise risk analysis, management and business continuity
■ Introduction 3
■ The problem of enterprise risk 4
■ Definitions and types of enterprise risk 6
■ Pieces of the puzzle: enterprise risk means integrated risks 13
■ The state of business continuity today 19
■ The bottom line 21
INTRODUCTION
All organizations, regardless of their size, industry or customer base, face some degree of business risk. Smaller companies may be dangerously vulnerable to even the smallest unplanned event, such as the demise of a certain supplier or temporary unavailability of a utility or resource. But even large and stable multinational companies are at risk, often as a direct result of their size and operational complexity.
The costs, as reported by insurance and financial institutions, related to organizations’ losses in revenue or material goods as a result of theft, negligence, business interruptions such as strikes, natural or man-made disasters and other disrupting events have skyrocketed in recent years. There is no reason to expect these costs to decline in the future, based on historical trends, the numbers of linked organizations that are affected, and the expenses involved in any resulting litigation.
The need to assess, plan for and manage business risk is becoming an increasingly important process, yet it is one that many organizations have still not addressed. For most companies, business risk, like security, is an afterthought – the organization’s vulnerability is only recognized after a disrupting event has occurred. Y2K was the first ‘recognized’ pending disaster, which helped companies get better prepared, but since Y2K turned out to have little global effect companies had again become complacent about their enterprise risk. With recent terrorist events, the focus has turned again toward identifying vulnerabilities and preparing for them in advance of any business interruptions or disasters. This preparedness puts organizations in a position to respond if and when an event occurs, rather than being in a merely reactive mode.
For many organizations, ignoring the need for managing business risk could indeed be the biggest risk of all. But the issue of enterprise risk and its scope is not one that is always intuitively obvious to business leaders. The impacts to an organization as a result of business disruption are usually defined as being limited to only a small subset of the business, without a true understanding of the potential effects of the disruption on the enterprise as a whole. Furthermore, in today’s business world, where organizations continuously form and reform trading relationships like water molecules, risks considered to be isolated to the primary business alone will have a strong ripple effect on the extended enterprise that may be disastrous if not planned for.
In this chapter, the definition and types of enterprise risks are presented, along with their interrelationships. The scope of the enterprise risk problem will be addressed, along with some recent examples of the impacts of various types of business disruption on organizations.
THE PROBLEM OF ENTERPRISE RISK
We are all familiar with governments’ and relief organizations’ precautions and responses to a variety of natural disasters: inhabitants of waterfront properties are evacuated in advance of an approaching hurricane; avalanches are intentionally pre-set by ski patrol members after a heavy snowfall makes the existing snowpack a danger to a popular resort; the Red Cross responds with water, food and medical supplies after a catastrophic earthquake. In the wake of these kinds of events, we rarely stop to think outside the human element – the effects that these disasters have had, and continue to have, on businesses in the area. But the reality is that businesses are just as vulnerable to disruptions as people – in many ways even more so. And, the types of disruptions these businesses face are not limited to those from cataclysmic natural sources. In fact, it is often man’s own doing that will have the more serious and long-term effects on the business enterprise.
The business of enterprise risk management is becoming a bigger topic in today’s boardrooms. Companies are beginning to recognize that their organizations are vulnerable to a host of possibly as-yet-unidentified disrupting events. Some of these events can be expected and predicted, but most cannot. Some recent examples of significant business disruptions include the following:
■ In April of 2001, California’s Pacific Gas & Electric filed for Chapter 11 bankruptcy protection.1 This would prove to be the biggest financial disaster in the US energy industry since the oil crisis of the 1970s. The effects of the crisis are easily seen in the ensuing higher retail energy bills, rolling blackouts, bankruptcies, state bailouts and drama in the political arena. So far, the cost impacts as a result of the energy crisis range from a low of $16 billion (US) to more than $50 billion. However, these figures do not take into account longer-term financial impacts resulting from the costs of power supply contracts that were signed while trying to recover from the energy crunch.
■ Online auction merchant eBay experienced a revenue loss of nearly $4 million in the form of customer credits when a software problem caused a 22-hour system outage in June 1999. This lost revenue was just the beginning of eBay’s problems; the impact on investor confidence resulted in a total loss of $5.7 billion in market capitalization.
■ In May of 1998, a Galaxy IV satellite failed, causing 90 per cent of the pagers used in the US to be unreachable for days.
■ The United Parcel Service (UPS) experienced a strike by its employees in August 1997. This strike led to substantial worker layoffs, company failures and major revenue losses. And these impacts were broadly felt in the overall business market, not just within UPS.
■ Barings Bank was the UK’s oldest merchant bank, and had accumulated a great deal of respect and prestige in more than 223 years of operation. But all that changed in February of 1995 when this highly regarded institution, with $900 million in capital, collapsed as a result of more than $1 billion of unauthorized trading losses precipitated by Nick Leeson, a Singapore-based Barings trader. The losses corresponded with the Kobe, Japan earthquake, which caused a steep decline in the confidence of the Japanese economy. Because Barings was caught unawares, the bank was unable to make good on its obligations in the financial futures market. Only one month later, the Dutch bank ING purchased Barings Bank for the pitiful sum of one pound sterling, ending the illustrious reign of the bank that had once helped the United States finance the Louisiana purchase.
■ In December of 1994, the County of Orange, a prosperous municipality in California, declared bankruptcy after suffering losses of around $1.6 billion stemming from a failed gamble with interest rates in one of its principal investment pools. This pool was intended to be a conservative but profitable way of managing the county’s cash flow and that of 241 associated local government entities. Instead, it resulted in the largest financial failure of a local government in US history and has spawned new regulations on how governments and municipalities may invest funds.
■ On 24 August 1992, Hurricane Andrew stormed across Florida. It caused an estimated $20–25 billion in damages to homes and businesses, at that time, a new record for a single event. This disaster was largely viewed as one impacting primarily the insurance industry, but we know now that even such ‘limited’ events can have long-term effects on businesses and industries outside the primary area of concern.
■ And, now the events of 11 September 2001 have resulted in the largest insurable losses in history, surpassing the $18 billion direct total losses attributed to Hurricane Andrew. Even now, however, many of the final costs from 11 September remain undefined, as businesses, organizations, and people continue the salvage, recovery and rebuilding efforts; estimates, however, for the US property/casualty industry alone are presently exceeding $20 billion net after recovery from global reinsurance markets.
These are just a few examples of companies and groups that have suffered disruption, loss of revenue and loss of market share to a significant or total degree as a result of unchecked business risks. Broadly speaking, enterprise risk management involves the avoidance of events that can damage the business. While not all of the events in the above list could have been avoided, even those that cannot be forecast with pinpoint accuracy can still be anticipated and planned for.
Another sobering thought concerns the rise of business risk and corresponding losses as a result of increasing automation. The research and consulting firm Computer Economics has previously estimated that in 1999 alone, businesses around the globe spent $12.1 billion to combat the effects of computer viruses. Their estimate was based on tangibles such as lost productivity, network downtime and expenses incurred to eliminate the infections. And, these costs have only gone up as companies try to win the war against hackers, viruses and other intentional and accidental security compromises. The number of companies spending more than $1 million a year on computer security nearly doubled in 2000 compared with the previous year, yet internal and external security breaches continue to rise because of employee carelessness and increased hacker activity.2
Clearly, there is a myriad of risks to the enterprise. And, as the examples above illustrate, these risks take many forms and have differing impacts on the business. Yet, it should be obvious that each of these can result in serious disruption to – and even failure of – the organization. In order to properly protect the enterprise, the varying types of business risk must be identified, assessed with regard to their importance to the ongoing operation of the organization, and remedied by developing preventative measures that will appropriately mitigate their effects. The next section begins by categorizing and identifying the types of risks present in today’s business environment.
DEFINITIONS AND TYPES OF ENTERPRISE RISK
In order to properly identify the risks to which an enterprise is possibly vulnerable, it is important to be able to classify the three elements of the risk equation:
■ Threats are risk events or situations that have the potential to cause damage or adverse conditions to the financial or operational aspects of the company. Threats are measured in terms of probability, indicating the likelihood of their occurring. Threats further have a time duration that represents how long the organization or operation would not be able to function normally, if at all.
■ Assets refer to an organization’s physical resources, such as businesses, equipment and the like, as well as its financial and informational properties. Lost revenue, costs and expenses involved in business recovery, penalties or fines stemming from the incident, damaged reputation or competitive advantages are all considered as assets to the organization.
■ Mitigating factors are any protective measures or devices, safeguards or procedures intended to minimize the effects of threats. They may not actually reduce or eliminate the threat, but rather reduce the impact of the threat. They are often used in consideration of any liability or fines to which the organization may be subject as a result of an adverse incident. Fire sprinklers in buildings, access control mechanisms and facilities on computer systems, and transaction roll-back facilities are all examples of mitigating factors.
While the actual specific incidents of risk events or occurrences comprise a long list of issues and activities, the types of risks businesses face can be put into four basic categories:
■ credit risk;
■ operational risk;
■ market risk;
■ business risk.
We will examine each of these types of risks in detail, describe their characteristics and list examples of each.
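The three elements above (threats with a probability and a duration, assets whose loss is counted in lost revenue, recovery costs, fines and reputation, and mitigating factors that reduce impact rather than likelihood) can be turned into a small risk register that ranks exposures by expected loss. The following Python is an added illustration, not code from the briefing or its author: the combination formula (probability × impact remaining after mitigation), the assumption that mitigating factors compound multiplicatively, and every figure in the sample register are assumptions constructed for this example, and each entry is tagged with one of the four categories the chapter goes on to describe.

```python
"""Risk-equation register: threats, assets and mitigating factors.

Added example for the briefing's 'three elements of the risk equation';
the scoring formula and all sample values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass
class Threat:
    name: str
    category: str         # one of: credit, operational, market, business
    probability: float    # likelihood of occurring in the planning period (0..1)
    duration_days: float  # how long normal operation is unavailable


@dataclass
class Assets:
    revenue_per_day: float  # revenue lost for every day the operation is down
    one_off_costs: float    # business recovery costs, penalties/fines, unpaid obligations
    reputation_loss: float  # assumed monetary value of damaged reputation or lost advantage

    def impact(self, duration_days: float) -> float:
        """Gross impact of an incident lasting duration_days, before any mitigation."""
        return self.revenue_per_day * duration_days + self.one_off_costs + self.reputation_loss


@dataclass
class Mitigation:
    name: str
    impact_reduction: float  # fraction of the remaining impact removed (0..1); probability unchanged


def residual_impact(assets: Assets, threat: Threat, mitigations: Sequence[Mitigation]) -> float:
    """Apply mitigating factors one after another; each removes its fraction of what is left."""
    impact = assets.impact(threat.duration_days)
    for m in mitigations:
        if not 0.0 <= m.impact_reduction <= 1.0:
            raise ValueError(f"{m.name}: impact_reduction must lie in [0, 1]")
        impact *= 1.0 - m.impact_reduction
    return impact


def expected_loss(assets: Assets, threat: Threat, mitigations: Sequence[Mitigation] = ()) -> float:
    """Expected loss = probability of the threat x impact remaining after mitigation."""
    return threat.probability * residual_impact(assets, threat, mitigations)


def mitigation_benefit(assets: Assets, threat: Threat, mitigations: Sequence[Mitigation]) -> float:
    """How much expected loss the mitigating factors remove (unmitigated minus mitigated)."""
    return expected_loss(assets, threat) - expected_loss(assets, threat, mitigations)


def rank_register(register) -> list:
    """Return (name, category, expected_loss) rows sorted highest expected loss first."""
    rows = [(t.name, t.category, round(expected_loss(a, t, m), 2)) for t, a, m in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register: (threat, assets at risk, mitigating factors in place).
SAMPLE_REGISTER = [
    (Threat("Order system outage", "operational", 0.25, 1.0),
     Assets(revenue_per_day=400_000, one_off_costs=50_000, reputation_loss=100_000),
     [Mitigation("Transaction roll-back", 0.5), Mitigation("UPS for data centre", 0.2)]),
    (Threat("Key customer default", "credit", 0.10, 0.0),
     Assets(revenue_per_day=0, one_off_costs=2_000_000, reputation_loss=0),
     [Mitigation("Credit insurance", 0.8)]),
    (Threat("Floating-rate interest cost", "market", 0.50, 0.0),
     Assets(revenue_per_day=0, one_off_costs=150_000, reputation_loss=0),
     []),
    (Threat("Warehouse fire", "operational", 0.02, 30.0),
     Assets(revenue_per_day=100_000, one_off_costs=1_000_000, reputation_loss=200_000),
     [Mitigation("Fire sprinklers", 0.6)]),
    (Threat("New product line fails", "business", 0.30, 0.0),
     Assets(revenue_per_day=0, one_off_costs=500_000, reputation_loss=0),
     []),
]


if __name__ == "__main__":
    for name, category, loss in rank_register(SAMPLE_REGISTER):
        print(f"{loss:>12,.0f}  {category:<12} {name}")
```

Run stand-alone, the block prints the register ranked by expected loss. The point it makes is the one the chapter makes in prose: with these assumed figures, the mundane business decision with a 30 per cent chance of going wrong outranks the catastrophic warehouse fire, because probability and the sprinklers together shrink the fire's expected loss, while `mitigation_benefit` shows what the sprinklers are worth in the same units.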
Credit risk
The term ‘credit risk’ refers to the chance that a borrower or signatory entity might fail to meet its obligations. The most obvious source of this kind of risk comes from the lending process – whether from credit cards to corporate loans. Many banking activities contain some form of credit risk, however, whether transactions occur between financial institutions, securities redemptions or other forms of financial settlements. Credit risk is inherent in any transaction that involves a financial institution, so organizations dealing with them assume a certain level of exposure to credit risk.
■ Credit Risk – The risk of a default or failure on an obligation
Ironically, it is not the growing fear about the security of online banking that represents the most significant worry for financial institutions. Credit risk management is still the number one problem for banks and other financial organizations, according to the Basle Committee, the international banking oversight group. These concerns arise from a lack of consistently tight lending standards, inadequate diligence to the changes in a borrower’s financial situation that may affect creditworthiness, and overall poor risk management for the enterprise’s portfolio. For industry regulatory groups, some of the most alarming credit events are those that affect whole classes of credit risky transactions.
The California Power Crisis mentioned previously involved, among other things, a credit risk event. As a result of several cascading circumstances, the industry as a whole found itself in major debt, with no way to repay what it owed. PG&E was forced to file bankruptcy to seek protection from its creditors, and other utility companies in the California area found themselves in similar circumstances although they avoided bankruptcy proceedings. The growing nature of competition in the financial and securities industries, consolidation and emerging technologies are all adding to the pressure to minimize credit risk exposure and to improve the overall management of credit risk.
Operational risk
Operational risk concerns the risk that something in the organization will go awry. These risks may stem from events concerning – singly or in combination – catastrophic natural disasters, bad luck, errors in processes or procedures, ‘near misses’ and other failures in the overall operations of a company.
■ Operational Risk – The risk that a process or function will go wrong
Already estimated at requiring nearly 25 per cent of risk capital assessed to organizations, as companies become more tightly linked with external trading partners, operational risk may certainly play an increasingly larger role in the risk events that plague the enterprise. Emerging technologies such as e-commerce and other Internet capabilities will increase the speed and transparency at which risk events occur, and will likely contribute to broader and more significant losses in the marketplace.
The Barings Bank debacle is a prime example of operational risk. Barings’ trader Nick Leeson was supposed to be exploiting low-risk arbitrage opportunities on the Singapore Money (SIMEX) and Osaka exchanges that would leverage price differences in similar equity derivatives. But, as it turned out, he was taking significantly riskier positions by buying and selling different amounts of the contracts on the two exchanges or buying and selling contracts of different types. That the damage was able to reach epic proportions was due to Leeson’s ability to conceal these losses. Because of the lack of stringent procedures and controls, and management’s failure to adequately supervise trading processes, Leeson was given control over both the trading and back-office functions, providing him with the perfect environment for wreaking phenomenal financial havoc.
Market risk Simply put, market risk concerns the possibility that something cannot be afforded. Originally, market risk management was largely the exclusive worry of major investment banks, but now all businesses – even those that are not directly financial companies – are beginning to recognize the importance of this particular activity. Much of this new awareness of the issue is driven by changes in government regulations, such as the US’s Securities and Exchange Commission’s (SEC) policies on disclosure of risky investments such as derivatives.
■
Market Risk
The risk that something cannot be afforded
But even for companies that are not participating directly in risky investments, market risk is still a consideration brought on by exposure to fluctuating interest rates and the potential volatility in foreign exchange. As a result, banks have begun to recognize balance sheet entries specifically intended to measure the degree of market risk to which the enterprise is exposed. As an example of how market risk can affect the enterprise, consider the previously mentioned financial disaster in Orange County. The problem arose when the County’s treasurer, Bob Citron, had committed the bulk of the over $7 billion investment pool to funds that were primarily interest-linked. His expectation, at the time of investment, was that short-term interest rates would remain low in relation to longer-term rates. However, when the Federal Reserve Bank began to increase the US interest rates, the result was that many investments in which the pool was participating began to fall in value. The problem was
compounded by Citron’s continued disregard of the interest rate situation. As government investors became increasingly nervous about the value of their investments, they put pressure on Citron by threatening to cash in their deposits, which could not be supported by the ever-shrinking value of the investment pool.
Business risk

■ Business risk: the risk of a faulty assumption or decision

Of all the risk categories, business risk is the easiest to define and connect with. Any company faced with a business decision or opportunity inevitably accepts with it a certain degree of risk. While some decisions, such as the chance to add a supplier to a list of preferred vendors, are generally of low risk, other decisions, such as taking on a new product direction, can have a major effect on the business’s future. If the company is lucky, a wrong decision can merely result in minor damage to the corporation, but wrong guesses on key issues can be fatal.
Ideally, being put in a position to make risky decisions can be avoided altogether. But, since organizations never exist under perfect conditions, reality dictates that companies must do their best to minimize the level of business risk to which they are subjected. The enterprise can do a great deal in advance to ensure that business scenarios are properly assessed and assumptions are sound. But, even in the best of situations, things can go awry, such as changes in underlying market conditions that suddenly render the planning assumptions invalid. Minimizing the impact on the organization may, in some cases, require the deferral of a key decision or the transfer of the business risk to another party; in other cases, it may necessitate diversification of lines of business, or even securing insurance, additional capital or other resources to offset the expected risk and corresponding liabilities. Essentially, the business risks that an organization faces can be thought of in two ways: strategic or tactical. Tactical risk occurs as a result of a disruptive change in the underlying bases for a business endeavour, such as the erosion of a target market, changes in technological focus, or shifts in the competitive landscape. These types of risks involve changes to the business scenario after the initiative has been launched – they are situational in nature. Strategic risk, on the other hand,
Introduction to enterprise risk analysis
has a longer-term trend implication that can affect broad organizational direction, such as whether an industry or market, as defined or approached, is appropriate for the enterprise in the first place. The strategic risks are typically the ones that can prove to be fatal if not properly addressed and accounted for. While tactical risks can also destroy the organization, they have a tendency to be somewhat more manageable and easier to recover from, as long as they are responded to quickly. If ignored, tactical risks can rapidly deteriorate into deadly strategic errors. Well-known examples of business risk abound in the marketplace. One of the most obvious stories, although it occurred several years ago, recalls Coca-Cola Corporation’s strategic decision to launch a new product, ‘The New Coke’. Coca-Cola had decided that its old flagship product was in need of updating. The present cola product had been around for decades, and, although it was still in the market leader position among cola products, Coca-Cola believed that this position would soon erode to the number two player, Pepsi, if changes were not made to ‘update’ its formula for a younger audience. Enter ‘The New Coke’ with a splashy new campaign about how it appealed to the new generation. Within months, Coca-Cola’s sales began to drop dramatically. Its rival, Pepsi, began to develop a larger market share as consumers switched from the reformulated Coke. It quickly became obvious that consumers were happy with the original Coke product – they weren’t looking for a change, as Coca-Cola had assumed. Fortunately for Coca-Cola, they realized their mistake quickly enough, and soon reintroduced the old formula cola – now called ‘Coke Classic’ – to the market in time to stem their erosion in market position.
While business risk may appear, on the surface, to be the most easily addressed of the four discussed, one complicating factor is that drawing a line between business risks and other kinds of risk to the organization isn’t always simple. For example, a falling equity market is clearly a market risk, considered from the perspective of any exposures the bank has in its equity portfolio. But if this bank also owns or operates a brokerage, the financial impact it experiences as a result of the market decline might be greatest from a fall in transaction volumes and revenues. This, in turn, may jeopardize its business plan and overall returns on related investments. So, when a business executive requests a risk analysis for the company’s credit portfolio, it is obvious that the information will include credit risk information based on the bank’s current obligations and existing investment positions, as well as data on futures-related exposure. But, the analysis does not typically consider information beyond its traditional boundaries that might still have a substantial impact on the firm’s business overall, such as target market buying habits, or the risk to the business as a result of a failure to deliver on its obligations due to a system failure. Risk, therefore, is multi-faceted, and underlies every business operation, directly or indirectly.
The worst news about business risk is that it is increasing. The rapidly changing business landscape means that assumptions on which key decisions are made can be obsolete virtually overnight. The speed at which business decisions and transactions occur can also increase the pace at which errors in judgment or other tactical risks can cause damage to the organization. This, in turn, can dramatically affect the costs to the organization, in terms of lost revenue, negative exposure, liability and other related damages, and loss of market share. A ‘simple mistake’ can rapidly turn disastrous if not adequately planned for and managed. Creating a comprehensive and exhaustive list of all the various types of risks that might threaten the enterprise would be almost impossible, and surely beyond the scope of this briefing. So many risks are business-specific, and may only affect a small subset of companies in general. But, it is appropriate to provide a partial list of risks, many of which are common to most businesses. Table 1.1 itemizes some of the risks that should be considered as part of an overall business continuity and risk management approach.

Table 1.1  A partial list of risks to the enterprise

Risk category            Examples
Natural disasters        Flood, windstorm, tornado, hurricane, earthquake, volcano, sometimes fire, lightning strike, etc.
Disruption of services   Public utility (power, communications, natural gas, water or steam) outage, disruption in fuel delivery services, disruption in distribution channel or with vendor/supplier, postal strike or delivery failure
Man-made disaster        Fire (arson or accidental), construction accidents, chemical spill
Business disruption      Strikes, work stoppages, ‘sick outs’, boycotts, social unrest
Political disruption     Wars and other hostilities, volatility in ruling party, unfavourable legislation
Product risks            Defective or damaged products
Technological            Computer virus, malicious or accidental information or application damage, denial of service attack
Liability risks          Death or injury resulting from faulty products, damage to reputation
Financial                Economic upturn or downturn, market volatility, default on loans, rapid change in interest rates, changes in international currency exchange rates
Market risks             Inadequate or erroneous competitive analysis leading to product introduction failure, failure to recognize market trends, poor reputation or inadequate branding, unanticipated business failure of a customer or supplier

Source: The HartGregory Group.
PIECES OF THE PUZZLE: ENTERPRISE RISK MEANS INTEGRATED RISKS

All organizations face risk on a daily basis; it’s an integral part of doing business. As the old saying goes, ‘No guts, no glory.’ Without taking risks, there can be no rewards. The key to maximizing the chances of success is to understand the possible risks, assess their likelihood, measure the potential impact if a risk event occurs and plan for minimizing that impact. But the task of understanding and assessing the risks is more complicated than it appears on the surface. As if the individual types of risks described above are not enough to worry today’s business executives, the reality is that few organizations are subjected to only one kind of risk. Enterprise risk is truly a multi-faceted problem; the four main categories of risk are all interrelated and can have a serious combinatorial effect on the enterprise if not considered as one integrated whole. This section will describe how the pieces of the puzzle fit together and how they, together, define the whole picture of enterprise risk. The interrelationships of business activities, and the potential impact to the organization as a result of a single triggering event, were made obvious in the planning for the century rollover. While Y2K turned out to be largely a non-event, its coming prompted organizations to an unprecedented level of examination of their complete business practices, processes and infrastructures to assess the possible effects of needing to handle date transactions beginning in ‘20’ instead of ‘19’. Many will now argue that the reason Y2K was such a minor event was that companies had been prepared for its arrival and had taken pre-emptive steps to limit possible damage. Regardless of the scope of the actual Y2K ‘bug’, there was significant recognition and acceptance that businesses today exist as multi-faceted operations, in which the events in one area have a causal relationship to events in others.
The risk to the business as a result of the Y2K bug involved the entire business as a whole, and was not isolated to one limited area. Interrelationships among organizational risks are not limited to such singular events as the Y2K bug. Figure 1.1 illustrates the four foundational types of enterprise risk discussed earlier, and shows how true enterprise risk integrates these separate pieces into one coordinated whole. The discussion of this integrated scenario begins with why the historical philosophy of considering enterprise risks in isolation from one another is no longer practical or efficient for sufficiently protecting businesses today. The traditional business belief had it that enterprise risk was a domain exclusively belonging to organizations in the financial sector. Banks and lending institutions, insurance companies, and investment and securities companies were all familiar with the common forms of enterprise risk such as those previously described as market risks. Investment managers, banking executives and other
high-level leaders in these organizations were intimately familiar with the types of risk their specific businesses dealt with daily. And these risks were handled and managed in discrete, separate business organizations dedicated to these elemental risks. Businesses learned how to mitigate them, but also grew to understand how best to leverage them to maximize the potential that riskier endeavours offered. The development of these business units then began to resemble the structures of the specialized initiatives each one was built to address.

Fig. 1.1  The risk management jigsaw

[Figure: four interlocking jigsaw pieces labelled Credit Risk, Operational Risk, Business Risk and Market Risk.]

Source: The HartGregory Group.
These structures operated largely independently, using their own sophisticated but narrow sets of market rules and processes. Operational risks, for example, were the territory of insurers and actuaries; credit risk was a speciality of lenders; market risks were shepherded by traders and investment managers. While these practices were in use for a lengthy period of time, the reality is that these methods – of considering risks to the enterprise to be isolated and independent from one another – don’t really work. They don’t consider the interrelationships in the business processes themselves, and they don’t resemble the way departments and lines of business truly operate and communicate. And, as the enterprise increasingly grows beyond its own organizational borders to include external trading partners that may live in different industries and markets, the old methods don’t account for indirect risks to the enterprise that may threaten it as a result of the risks inherent in its partners’ businesses. And, even without the extended enterprise, risks to the single organization alone don’t usually fit into nice neat packages that are conducive to analyzing and addressing in a separate, unrelated manner.
To get a picture of how interrelated these risks are, consider the issue of credit risk. From its past experience and from current and projected economic conditions, a company can extrapolate an expected level of credit loss for a given future period. If this level turns out to be substantially less than predicted, public expectations rise and new market risk is created. If the company’s actual credit loss exceeds predictions, new operational risks are created if managers give in to fraudulent practices in order to hide the company’s disappointing results. Organizations or regulatory groups may respond to this risk of increased employee fraud by instituting stricter security practices and safeguards, which can correspondingly increase operational or financial risks. Take, for example, the Enron debacle in late 2001. While there were several other factors involved, such as fraud and shoddy business practices, the Enron case is a study in interrelated business risks run amok. It is also another instance of history repeating itself because of businesses’ failure to learn from the past – of not avoiding risky practices that have proven disastrous in past situations. While Enron is best and most publicly known as an energy trading company, in truth, the company had grown into an organization making its daily living from trading in derivatives, a very risky investment practice. Recall that trading in derivatives was at the core of the 1994 fiasco in Orange County, discussed earlier in this chapter. In Enron’s case, its trading and accounting practices allowed it to manipulate the company’s books and tax records, overvaluing its assets and investment transactions while simultaneously understating the actual risks and nature of the transactions. And all this could remain hidden from governmental view because of regulations exempting certain derivatives trading from oversight.
Further, it now appears that much of this trading occurred in markets that saw little trading activity, allowing even small transactions to have a significant effect on share prices. The downturn began after reports emerged that its CFO was fostering business partnerships that enabled Enron to hide over $0.5 billion in debt. When Enron announced its first report of restated earnings in November 2001, it showed reductions of over $580 million in income, reportedly as a result of unwinding some of these business partnerships. The company, at this point, was beginning to lose credibility in the market, but the worst was yet to come. Help appeared to be on the way when Dynegy, Inc., another premier energy merchant although smaller than Enron, offered a $9 billion buyout of its larger competitor. But by late November the deal was already unravelling as a result of Enron’s worsening financial situation. Finally, the hope of a merger faded on 28 November when Dynegy invoked an escape clause to kill the deal, citing material misrepresentations of Enron’s true financial condition as the company disclosed a new figure of $690 million of corporate debt. Meanwhile, the credit firms downgraded Enron’s bonds
to junk status, with the stock trading at a mere $1.19 before the New York Stock Exchange halted trading on its shares. Only a little over a year earlier, Enron’s stock had reached a high of over $90 a share – such a huge fall in such a short time. But, even later, news emerged linking the company’s accounting firm, Andersen, with the Enron charade. Reports of shoddy accounting practices, questionable business transactions – and, later, document shredding to hide the trail – emerged, raising the profile of Enron from a mere business debacle to a full-scale scandal. So, what are the lessons learned from Enron? Certainly issues of market risk were part of the problem. Combined with that, there were substantial elements of operational risk – how was Andersen able to have such access to files, records and papers that allowed them, as it has been reported, to ‘cook the books’ without anyone within the company knowing, as top executives at Enron have maintained? Andersen accountants were the company’s auditors, but did that mean that they worked on the books in isolation and without anyone from the company being involved? As we all know, these risks, and the inability to plan for them and respond effectively to them, have proven to be fatal to Enron. Moreover, they have been damaging, to say the least, to some of its business partners. And Enron’s employees – those who were looking to company-sponsored retirement plans such as 401Ks in the US to provide for their retirement years, as well as other shareholders – may have been the most damaged of all. The market as a whole now has become more aware of the possibly risky exposure of retirement accounts leveraged heavily into company stocks. Prior to this situation, who would have anticipated that a company as large and seemingly stable as Enron would have gone under – dragging so many funds that had investment relationships in Enron along with it? 
And what implications are there for other companies that are similarly betting on other companies’ stability and performance? How do companies address such a tangled web of interrelated risks and areas of potential vulnerability? Another historical example that can be used as a successful analogy is that of the Titanic. Reportedly unsinkable, it had been designed with numerous watertight compartments to protect the ship from a leak in one section of the ship’s hull spreading to other areas of the hull and affecting its buoyancy. While it was an innovative design, it became a classic example of not accounting for all the risks… The Titanic’s designers never considered or planned for a horizontal rip in the ship’s sheeting that would compromise several watertight compartments simultaneously. Likewise, when organizations are subjected to multiple simultaneous risks, the result can be equally fatal. Then, there’s the small matter of having insufficient lifeboats in which to rescue survivors… The point is that even in companies such as those in the financial industry, whose risks generally originate from one primary category – credit risk – other risks still need to be considered as potentially threatening. For example, a
company preparing to launch a product internationally might need product managers to deal with business risks of pricing, market entry and competition; a treasury function to manage market risks related to foreign currency; and legal and insurance managers to deal with functions of operational risks such as product liability and reputation. Table 1.2 lists the results of a landmark survey by the Sedgwick Group, a risk consulting and insurance brokerage organization, to determine which risks companies considered to have the greatest impact on their business (1 being the highest ranking, 12 being the lowest).

Table 1.2  Ranked common sources of enterprise risk

Risk                           US    UK    France    Overall
Environment                     1     1       6         2
Health and safety               2     2       2         1
Product liability               3     3       5         3
Fire and explosion              6     7       1         5
Business interruption           5     4       3         4
[row label missing in source]  12     6       4         7
Image impairment                8     8       7         9
Security of property            9     5       8         7
Directors’ liability            4     9       9         6
Due diligence                   7    11      11        10
Political risk                 11    10      10        11
Pension fund integrity         10    12      12        12
Credit risk                     –     –       –         –   (rankings not recoverable from source)

Source: Sedgwick Group Survey
Although this data is over ten years old, it is still useful to show the general areas in which concern about business risk was focused. There would certainly be categories in the table today, such as the Internet and e-commerce, that were not there in 1992, but many of the risks listed are just as applicable to organizations today as they were back then. Presently, while many of the risks that are noted in Table 1.2 are still viable, several of the most worrisome risks come from what would be considered ‘non-traditional’ sources. In a recent study released jointly by the Economist Intelligence Unit and Marsh & McLennan (MMC) Enterprise Risk, a leading risk and insurance services firm, the top three areas of concern were customer loyalty, competitive threats and operational failure. Interestingly enough, for those three risks cited, the majority of respondents feel they are handling the risk fairly well, as shown in Figure 1.2. But, other risks that appeared lower on the scale of concern were
considered to be less well managed, with only a few rising above the 50 per cent marker, indicating there is still a great deal to be done in the area of risk management for these organizations.

Fig. 1.2  Major risk concerns and perceived manageability

[Figure: horizontal bar chart. For each risk, the percentage of respondents ranking it among their top five risks is plotted beside the percentage who say they manage it ‘well’ or ‘very well’; horizontal axis: % responding, 0 to 70. Risks shown: customer loyalty/satisfaction, competitive threats, operational failure/integration, market shifts, macroeconomic, attraction/retention of quality people, regulatory, employee turnover, political events, potential lawsuits, volatility in commodity prices.]

Source: 2001 Joint Economist Intelligence Unit and MMC Enterprise Risk Study
Recognizing that the likelihood of longer-term business disruption and damage due to natural or man-made – or increasingly technological – catastrophes is on the rise, companies have had to extend their traditional disaster plans to embrace areas beyond merely life safety, emergency response or systems recovery activities. The advent of growing electronic business activities is enabling business processes and data to speed along at higher and higher rates, which also necessitates more substantial levels of protection for these mission-critical assets. The other significant trend in electronic data processing is that it has moved beyond the automation of manual business processes; today’s electronic data exchange – what used to be called ‘EDP’ – is the business process! When today’s electronic interchange fails, there is frequently no manual fallback, and hence the impact of the disaster is amplified. A good example of this is the customer care call centre function. In years past, if the computer was down, the call rep could walk into the back room and pull a hardcopy of the client records. This is generally not the case anymore, for many different reasons.
In fact, studies have shown that corporations see natural disasters decreasing as a source of significant business disruption, instead shifting their concerns to more human and IT-related failures. The risks that most concern business continuity professionals now are those that are fundamental to the overall operations and management of the organization. In a late-2000 benchmark study, KPMG analysts surveyed organizations about the risks they had experienced or felt they were exposed to. Power failure was the business interruption most often cited by respondents, with an over 70 per cent response rate. This percentage was up from responses to the same question in both 1999 and 1998. Interestingly, hardware failure and human error both jumped over 20 percentage points, increasing from over 40 to over 60 per cent, and from 30 to more than 50 per cent, respectively, in 2000 over the prior year. Natural disasters dropped in significance by the same amount over the same period. These numbers support the conclusion that today’s organization is most vulnerable to the interdependencies of people, processes and enabling technologies. Put another way, ‘Risk resembles a woven garment: it is difficult to separate the yarns, and if we do, the result is a useless melange. We lose the cohesive whole, since the warp and woof create both beauty and utility. The goal is not to separate the yarns but to understand their interaction.’3 This statement eloquently summarizes both the interrelationships of seemingly independent risks and their complexity.
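The assessment steps set out earlier in this chapter (identify the risks, assess their likelihood, measure the impact, rank and plan) are usually kept in a risk register, and the interdependency point made just above (a power failure that takes hardware and then the call centre down with it) is exactly what a register scored risk-by-risk misses. The following Python is an added example, not code from this briefing or from any of the firms it cites: it scores a small constructed register whose categories come from Table 1.1, and then follows each risk’s ‘triggers’ links so that a cascade is credited with everything it can set off. The 1-to-5 likelihood and impact scales, the sample risks and their scores, and the additive rule for chained impact are all assumptions of the example.

```python
"""Risk register with likelihood/impact scoring and dependency propagation.

Added example: the 1..5 scales, the sample risks and the additive rule for
chained impact are assumptions of this illustration, not the briefing's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    category: str                 # a Table 1.1 risk category
    likelihood: int               # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale: 1 (negligible) .. 5 (fatal)
    triggers: List[str] = field(default_factory=list)  # risks this event can set off


def exposure(risk: Risk) -> int:
    """Classic isolated score: likelihood x impact."""
    return risk.likelihood * risk.impact


def reachable(register: Dict[str, Risk], start: str) -> List[str]:
    """All risks that a cascade starting at `start` can set off (excluding start).

    Depth-first walk over the `triggers` edges; the `seen` set stops cycles.
    """
    seen = {start}
    stack = [start]
    downstream: List[str] = []
    while stack:
        current = stack.pop()
        for nxt in register[current].triggers:
            if nxt not in seen:
                seen.add(nxt)
                downstream.append(nxt)
                stack.append(nxt)
    return downstream


def chained_impact(register: Dict[str, Risk], name: str) -> int:
    """Impact of the event plus the impact of everything it can cascade into.

    Summing the impacts is the assumed (deliberately simple) aggregation rule.
    """
    return register[name].impact + sum(register[n].impact for n in reachable(register, name))


def rank(register: Dict[str, Risk]) -> List[Tuple[str, int, int]]:
    """Return (name, isolated exposure, chained exposure), highest chained first."""
    rows = [(name, exposure(r), r.likelihood * chained_impact(register, name))
            for name, r in register.items()]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))


def build_sample_register() -> Dict[str, Risk]:
    """Constructed sample register; the scores are illustrative, not measured."""
    risks = [
        Risk("Power outage", "Disruption of services", 4, 2,
             ["Hardware failure", "Call centre down"]),
        Risk("Hardware failure", "Technological", 3, 3, ["Call centre down"]),
        # No manual fallback: the call centre cannot operate without its systems.
        Risk("Call centre down", "Business disruption", 2, 4, ["Reputation damage"]),
        Risk("Reputation damage", "Liability risks", 1, 5),
        Risk("Earthquake", "Natural disasters", 1, 5, ["Power outage"]),
        Risk("Defective product batch", "Product risks", 2, 3, ["Reputation damage"]),
    ]
    return {r.name: r for r in risks}


if __name__ == "__main__":
    register = build_sample_register()
    print(f"{'Risk':<24}{'Category':<24}{'Isolated':>9}{'Chained':>9}")
    for name, isolated, chained in rank(register):
        print(f"{name:<24}{register[name].category:<24}{isolated:>9}{chained:>9}")
```

Scored in isolation, the power outage (4 x 2 = 8) ranks below hardware failure (9); once the hardware, call centre and reputation impacts it can set off are counted (4 x (2 + 3 + 4 + 5) = 56) it is the largest exposure in the register by a wide margin, which is the shape of the KPMG finding above. The same walk also shows why a low-likelihood event such as the earthquake deserves a place in the continuity plan: its chained impact is the highest of all, even though its likelihood keeps its score modest.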
THE STATE OF BUSINESS CONTINUITY TODAY

While it appears that the terrorist events in 2001 have heightened executives’ awareness of the need for business continuity planning, it is not clear that many enterprises have transferred this awareness into action. Studies are showing that most companies have not yet put significant resources into developing plans for guaranteeing operational continuity after a major disrupting event. It appears that, although the 11 September 2001 attacks have generated a great deal of discussion about the need for business continuity plans, these discussions have yet to yield any significant action on the part of most enterprises. At the beginning of 2002, the Gartner Group released the results of a survey jointly performed with the Society for Information Management (SIM) in which they discovered that the majority of enterprises are inadequately prepared for dealing with disastrous events that have the potential for large-scale damage or disruption to the organization. Of the companies surveyed, they found that:

■ only 13 per cent of enterprises surveyed indicated that they were ‘mostly’ prepared for a major loss of life stemming from a catastrophic event;
■ only 28 per cent have business continuity plans available that address consequences of actual physical attacks;
■ only 36 per cent have a plan that provides for remedies in the case of total loss of physical assets and workspaces.
This news is discouraging, especially in light of the growing understanding that, for most companies, the focus needs to be on safeguarding the operational continuity of the organization, and not just on disaster response. For example, prior to the 11 September 2001 attacks, many New York-based companies had not planned for a complete disruption of a large portion of the city. The expectation was simply that ‘off-site’ backup facilities could exist within a radius of a few blocks of the main corporate office. There was not much accounting for a scenario in which the majority of lower Manhattan would be completely shut down, making local off-site recovery operations impossible. Also, it is rare that an organization has considered business continuity in light of the entire enterprise, instead of separate functions for information technology (IT) groups, business facilities management, security and the like. Corporations are becoming more sensitive to the need to address enterprise continuity plans. Whether the enterprise can remain resilient in the face of disaster will be a question on the list of many boards of directors as they meet with their enterprise CEOs and CIOs during regular meetings. Board members recognize the issue of enterprise risk and are deeply concerned about the organization’s ability to survive and recover from a large-scale business disruption. Shareholders, too, are wondering about many companies’ abilities to continue operations in light of common and uncommon failures or catastrophic events, and may include sufficient disaster preparedness as a ‘soft’ criterion for new or continued investment. While there has not been a huge level of movement toward developing and implementing full-scale business continuity plans, many companies have committed to initiating enterprise-wide business continuity efforts. 
It should not come as a surprise if tighter regulatory controls are proposed to ensure that public companies have adequate disaster recovery and business continuity plans in place in the future. However, how quickly such regulations might be adopted has yet to be seen. But, certainly, the increased pressure of fiduciary responsibility will bear on many of the issues involved in comprehensive business continuity planning, and is likely to affect how quickly these issues are addressed. Another change that has come as a result of the 11 September 2001 attacks is that companies are no longer just looking at actual disasters, but are also considering the threat of a disaster to the organization. As was shown during the subsequent anthrax scares, the threat alone of a possible catastrophic event is often sufficient to cause a major disruption. The anthrax scares shut down entire US congressional offices and buildings and post offices, and impacted the operations of numerous other businesses in and around the affected sites. So the
emphasis has changed from recovery from physical catastrophes, to operational and business disruptions caused by events such as power outages, to today’s vulnerabilities to threatening events. While all of this increased awareness and sensitivity is good, with it has come the realization that, in a depressed economy, available funds for business continuity may not be as plentiful as the enterprise requires. It is critical, of course, to safeguard the enterprise’s assets, but executives must make some hard decisions about the cost of this protection and security. The recognition of the scope of true enterprise level business continuity planning can be overwhelming; the process of developing, implementing and renewing the plans as the organization changes is a continual one, as will be discussed in the following chapters. Although proper safeguarding of enterprise assets is high on the list of every executive and board-level director, the question of cost will no doubt have a significant impact on the level of thoroughness with which business continuity efforts are undertaken. Again, governmental regulations or requirements may have an effect on how much is spent on developing comprehensive plans and procedures, but the debates about such policies have yet to be waged in full.
THE BOTTOM LINE

All organizations face some level of risk as a natural by-product of doing business. The types of risks to which the organization is vulnerable may differ somewhat based on the nature of its actual business function, but these can be grouped into four basic categories: credit risk, operational risk, market risk and business risk. While it might be tempting to consider these risks in isolation – and historically, this is how they have been considered – the risks to which the organization is subjected are actually quite interrelated. The threat of the Y2K bug alerted companies to the pervasiveness and interconnectedness of business processes, functions and operations, leading to the understanding that risks to the company were enterprise-wide. And as the enterprise expands to include trading partners outside of its own physical boundaries, the organization is vulnerable to the risks that threaten these trading partners, in addition to the ones already facing the enterprise. Enterprise risk management, therefore, must consider and address all the various facets of threats and vulnerabilities in the enterprise, and be prepared to ensure business continuity, not just disaster recovery. The Y2K threat may have sensitized corporations to the need for overall, integrated business continuity plans, but the lack of global effect from the Millennium Bug seems to have made companies rather complacent again. While terrorist events of 2001 have renewed the awareness among business executives
and directors of the need for comprehensive business continuity plans, recent studies have shown that the increased level of discussion about risk management and business continuity has not yet led to concrete action. Perhaps some of this slowness to respond to a need for substantive action is due to the depressed economy and a lack of readily available funds to divert into new initiatives. However, the need to safeguard corporate assets and operations must be one of the key topics on shareholders’ – and therefore directors’ and chief-level executives’ – minds. Shareholder recognition of the vulnerability of their investments has reached an all-time high, thanks in no small measure to the Enron debacle. Companies must be prepared to weather any type of storm – whether natural or man-made – if they wish to continue delivering on obligations and remain in business. The forecast for companies that are not adequately prepared for business disruption is discouraging at best.
NOTES
1. In the US, Chapter 11 bankruptcy is one type of bankruptcy filing that can be done through the courts to allow companies and individuals an opportunity to reorganize and restructure existing liabilities. Chapter 11 bankruptcy is primarily used by larger businesses to protect them from creditors while they attempt to pay off their debts and is usually the first type of remedy they seek when in a situation of pending or existing insolvency.
2. Christine M. Campbell (2000) Hacking Rises Despite Increased Security Spending, IDG News Services, Boston Bureau, 5 October.
3. Felix Kloman (2001) ‘Four Cubed’, Risk Management magazine, September.
2 What is enterprise risk management?
■ Introduction 25
■ Definition and components of enterprise risk management 25
■ Who is responsible for ERM? 26
■ Benefits of enterprise risk management 29
■ Components of enterprise risk management 30
■ Recent additions to ERM considerations 35
■ The cost of ERM 43
■ The bottom line 45
INTRODUCTION We are all aware of the old adage ‘an ounce of prevention is worth a pound of cure’. But nowhere is this more true than in today’s business world. Shortly after the 11 September 2001 attacks on the World Trade Center and the Pentagon, the Gartner Group went on record to say that, in its estimation, two out of five companies that experienced a disaster would be out of business in five years. Their definition of disaster was very business-specific; ‘disaster’ did not necessarily require a catastrophe on the scope of WTC. For some companies, ‘disaster’ might mean a large-scale snowstorm that prevented key operating personnel from reaching their positions thereby seriously affecting normal operations. Indeed, many companies that truly face a disaster will never recover, but there is a great deal that organizations can do to improve their abilities to deal with and recover from man-made or natural disasters. As discussed in Chapter 1, today’s enterprise is vulnerable to a host of different, interrelated risks that can affect any and all functions of the organization. These risks range from simple power outages to changes in customer buying patterns, errors in IT applications, full-scale terrorist activities, threats of bioterrorism and natural disasters. The increasingly global and interconnected nature of enterprise commerce makes the already blurred lines of demarcation between risks all but indistinguishable. Extended enterprises now must be on guard for the risks they inherit as a result of doing business with external trading partners. Conglomerates or pooled investment funds must be cautious about the stability and security of even the smallest of their participants, or risk being brought down by a misstep at the lowest level. As broad as these boundaries are, enterprise risk management must be an intrinsic part of the way the organization operates in order to continue providing safe, secure and lasting commerce to its varied constituents. 
This chapter aims to provide a detailed definition of exactly what is meant by enterprise risk management, and a discussion of its scope and functions as well as information about its benefits to the organization.
DEFINITION AND COMPONENTS OF ENTERPRISE RISK MANAGEMENT Traditionally, managing risk within the enterprise meant ensuring that sufficient insurance policies, adequate capital resources and forms of physical protection such as fire extinguishers were available to address the most common forms of danger to the business. Physical protection and asset protection were the primary considerations for safeguarding the business. Over time, it has become more
obvious that businesses are subjected to all kinds of risks, such as those described in Chapter 1. As the risks to the organization become more complex and interrelated, the necessity for a centralized approach to managing enterprise-wide risks has become more critical. The American Risk and Insurance Association defines business risk management as:
…a systematic process of managing an organization’s risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors, and the law. It consists of the planning, organizing, leading, coordinating, and controlling activities undertaken with the intent of providing an efficient pre-loss plan that minimizes the adverse impact of risk on the organization’s resources, earnings, and cash flows.
But, rather than restrict the responsibilities of enterprise risk management to a central, corporate function as risk management responsibilities have typically been, true enterprise risk management (ERM) needs to involve all facets of the business. It needs to be integrated into the intrinsic way the organization does business, both internally and externally, manages operations and communicates to all its stakeholders. Given that the risks that may threaten the enterprise are so diverse in nature and broad in scope, it stands to reason that the functions and responsibilities of ERM are equally expansive. The actual duties and boundaries of the ERM function may be difficult to define and often overlap with other management functions such as change management, security or quality assurance. But the focus of ERM is different from these other disciplines; for example, while the QA (quality assurance) management function is involved with the overall integrity of a product or process, the ERM position is primarily interested in managing the avoidance of, protection from and response to any extreme risks inherent in or resulting from the QA process.
WHO IS RESPONSIBLE FOR ERM? Because of the centralized nature of true ERM, it is important that the individual or group responsible for this function be an integral part of the organization as well. Previously, the risk management function may have belonged to an ancillary or administrative department within the company not directly related to the business, such as Security or Finance. Recognizing that the responsibilities of overseeing and managing business risk are such a critical part of the intrinsic wellbeing of the organization, many companies are adopting or creating a special executive level or senior management function, that of the chief risk officer
(CRO). But while this may be one single individual or a set of responsibilities and processes parcelled out to several members of the organization, ultimately the responsibility of providing a secure and resilient organization is in the hands of the company’s senior management and its board.
The chief risk officer The CRO – also nicknamed the ‘chief worry officer’ – has the ultimate responsibility for addressing ERM in the company. Not all companies will need or want a C-level or full-time individual dedicated to the risk management function, but there are valid reasons why the responsibilities and duties of the ERM point-person should be visible and as important as other critical enterprise functions. First, because the activities involved in ERM may overlap with many other functions in the organization, as was described in the previous section, it is important that the person responsible for assessing and addressing risks has sufficient visibility and authority to get the job done. ERM is all about finding problems and either fixing them in advance or creating processes for dealing with them if and when they occur; this ‘ferreting out’ of risky processes may be met with a great deal of resistance if the head of ERM is not adequately empowered to make potentially unpopular appraisals and tough decisions. Also, some of the actions that may be needed as a result of the assessments may call for aggressive effort to remedy a risky situation. The CRO must be a figure of sufficient authority in order for the benefits of ERM to be realized. For some companies, the CRO function can coexist with the title and responsibilities of an existing executive or senior-level management position. Common areas in which the CRO title may lie are in the operational (chief operating officer), legal (chief legal officer), financial (chief financial officer) or IT (chief information officer) domains. In smaller organizations, it may be appropriate to have the chief executive officer function as the CRO, but for larger enterprises this is usually not practical or desirable.
As mentioned earlier, the department or division responsible for enterprise security may also be well-placed within the enterprise to assume the responsibilities necessary to perform the ERM functions, but it cannot be stressed enough that ERM cannot be an afterthought or adjunct to the business. It is a mission-critical component of the business, and must be treated with the respect due any other business-critical function within the enterprise. Given that, it becomes clear that any individual or group assuming the ERM responsibilities must be intimately familiar with how the organization does business. While that may sound obvious, in actuality it is not as intuitive as it seems, and is a qualification that is frequently overlooked. Since the CRO is in the business of protecting the organization against any real or perceived threats or
risks, an individual who does not know the actual business functions of the company may miss things that might be specific to the distinct line of business, operational processes or market conditions in which the company operates. The primary concern of the CRO is to ensure continuity of business operations. As we will see later, risk management is only one portion of this responsibility, which includes continuity and contingency planning, as well as business recovery and resumption efforts when a risk event occurs. The CRO position, then, functions on an ‘administrative’ level in the analysis, assessment and planning phases of ERM, but can also take on a value-added function as a resource to the other groups if and when business disruption occurs, providing leadership, coordination and communication capabilities to affected parts of the company, the media and shareholders.
Board of directors Once senior executives comprehend the different divisions of risks that are linked within the company, the next step is to make them aware of their role in risk management. Ultimately, the board of directors needs to approve of the overall approach to risk-taking. The company’s risk management policies and procedures should provide guidance and operating parameters that allow for the identification, monitoring, measurement and control of the risks involved with its business lines and other significant activities. Additionally, the lines of risk-taking authority and accountability should be clearly defined. The board must undertake the following:
■ Create an annual review of risk policies and critical procedures. This is the most fundamental practice by which the board of directors can express its appetite for risk and its attitude toward risk management.
■ Be involved in approving the risk limits. Limits are an essential method for controlling risks. Limits are an explicit statement of the company’s appetite for risk.
■ Create a new product development process. This is a key process in controlling future exposures. The board should ensure that all new products are subject to a comprehensive review by such areas as audit, legal, compliance, operations and risk management.
■ Monitor policy exceptions. It is equally important for the board to ensure the proactive elements of risk management, as defined above, as it is to determine a reactive approach. Handling exceptions to risk policies should be well defined and strictly audited, and should be closely monitored by the board.
BENEFITS OF ENTERPRISE RISK MANAGEMENT The benefits of enterprise risk management are not always easily quantifiable. While risk is applicable to all businesses, some companies are more likely than others to benefit from an organized, formal risk management programme. Risk management is particularly important to an enterprise that:
■ has many locations;
■ is too large for any one single individual to have detailed knowledge of every task and function;
■ has multinational operations or exposure;
■ uses many subcontractors, vendors, suppliers or other trading partners not directly under the enterprise’s control;
■ has widely diversified business operations.
As a general rule, the larger or more complex the business, the more it will benefit from a formal ERM programme. Table 2.1 describes some typical benefits an organization can expect to see as a result of implementing a formal ERM plan.
Table 2.1 Benefits of implementing ERM
Type of risk | Expected benefit
Business interruption | Avoid loss of production; avoid legal liability; gain operational reliability; avoid business failure
Environmental | Avoid litigation from government regulatory authorities and other groups; reduce insurance premiums
Health and safety | Prevent worker injuries or fatalities; avoid worker litigation; reduce insurance premiums
Marketing | Avoid damage to reputation or brand; increase or maintain market share; gain competitive advantages
IT | Avoid lack of access to information; prevent or avoid operational failures due to technology, such as inability to invoice or pay
Product liability | Avoid damage or harm to customers; prevent litigation
Technical | Avoid obsolescence due to outdated equipment, manufacturing techniques or technologies; prevent production stoppages
Theft and fraud | Prevent loss of money, assets or intellectual property; prevent loss of market share; avoid damage to reputation
As Table 2.1 illustrates, there are many direct benefits to the organization related to putting a formal ERM plan in place. However, there are also indirect benefits,
such as the increased communication resulting from interdepartmental interaction that must occur during the ERM assessment and planning phases. This increased communication can lead to improved awareness of how operations in one area of the organization affect others, giving rise to greater enterprise-wide interoperability and support. The reality is that businesses and governments are facing tighter scrutiny over how they are managing their business risks and protecting their organizational assets. Business executives are finding that they have an increasing responsibility to assure their shareholders of the stability and safety of their investments. While the organization can be proactive in the development of its own risk management plans, many organizations today are further starting to demand that their first- and, in many cases, second-tier suppliers have documented disaster recovery and continuity of operations plans of their own in place as a requirement for doing business. And this criterion is increasingly being required across all industries. Customers have become more sophisticated and their expectations are higher. The increasing use of Internet-based technologies and commerce capabilities has allowed customers to have continual access to more products and services than ever before. As a result, ‘zero tolerance’ is becoming the norm when it comes to downtime. For some organizations, risk and crisis management has now become ‘reputation management’. Companies are beginning to use their risk management capabilities as selling points to gain or keep a competitive edge. For example, the previously lofty goal of ‘5 9s’ of uptime (that is, 99.999 per cent uptime, or just over five minutes of total downtime per year!) is becoming the minimum entry-level bid for becoming a serious e-commerce player. Full recovery of normal operating levels within 24 hours is now no longer acceptable for many corporations. 
Fault-tolerant systems, with their automatic failover, mirroring and recovery abilities have set expectations for IT systems that human systems usually cannot match. But the organization must address the two elements as part of a unified, interrelated whole if it is to establish reasonable and realistic business recovery and resumption expectations for its stakeholders in the event of a catastrophic failure or event.
COMPONENTS OF ENTERPRISE RISK MANAGEMENT The fundamental goal of ERM is to avoid disruption or damage to the organization as a result of unplanned or unmanaged risk events. To that end, ERM must ask two fundamental questions:
1. Can a risk be eliminated before it affects the organization?
2. If it cannot be eliminated, what must be done to minimize its impact on the organization and to limit its effects?
Business executives have the responsibility to ensure that the organization’s mission-critical operations and assets are sufficiently protected. To that end, a cost-effective strategy must be developed that stresses broad thinking and problem solving. The process of developing a comprehensive ERM strategy involves three major components: risk awareness, risk assessment and measurement, and risk control. These components are focused on risks related to the unplanned interruptions of the business’s mission-critical operations in order that they may continue to function at a predetermined acceptable level and that normal functioning may be restored as quickly as possible. The components of ERM form an iterative lifecycle, as shown in Figure 2.1. The processes involved in risk awareness, risk measurement and risk control must be continuous in order to remain active, current and valid. Additionally, as risks in one area are exposed and worked through, another layer, previously hidden, may surface, requiring further exploration, assessment and management. In order to convey a thorough understanding of the components of the full process and how they work together, each of these aspects of ERM and its purpose will be described in detail below.
Fig. 2.1 The continuous ERM process (a cycle of risk awareness, risk assessment and measurement, and risk control, with ERM at its centre)
Risk awareness Risk awareness is the first step in the process of developing an effective ERM strategy. This component actually involves two elements: the need for internal corporate education about enterprise risk, and the requirement for efficient
communication to all enterprise stakeholders. The first element is the responsibility of the enterprise’s control organizations, such as the one headed by the CRO. The second may be a shared effort involving corporate executives and directors, including the CRO, company communications groups, such as public relations and investor relations, and line-of-business managers. The first key element of risk awareness involves recognition, on the part of executive management, that significant business risks exist and may threaten the well-being of the organization. This may sound obvious, but it is surprising how frequently executives ignore or underestimate the potential threats to their business until it is too late. If we have learned anything from Y2K or the 11 September 2001 attacks, it should be that disasters can, and do, happen. And, while such events may be rare, there are any number of smaller incidents that can leave the organization damaged or crippled for a period of time. The best way to prevent significant loss of revenue, operational capacity and reputation is to identify any and all risks, eliminate those that can be eliminated, and plan and work around those that cannot be eliminated. But none of that can occur if the enterprise is not willing to admit that risks are real. Once the organization has accepted the reality of business risks, the next step is to identify the types of risks and where they may lie. This involves a great deal of sleuthing and creative thinking because the organization’s vulnerabilities may not always be obvious and intuitive. This is where the expertise of the CRO and the risk organization will be key, and why the CRO must be intimately familiar with the company’s overarching business model and operational processes. The way the company operates and the type of business it conducts has a direct bearing on the types of potential risks to which the company is subjected. 
Chapter 1 provided a partial list of several types of risks today’s companies face. The goal of the risk awareness process, at this point, would be to draft a comprehensive list of all the risks and hazards, both physical and logical, which are known or perceived threats to the organization. It is not out of line to list imagined threats at this stage of the ERM process. It is better to start with too large and comprehensive a list and weed out those risks that are shown not to exist, than it is to need to recover from a risk that was missed during this phase and, subsequently, not addressed in the ERM plan. Finally, communication will be key to ensuring that all stakeholders are aware of the potential risks to the organization. There are many parties, both internal and external to the corporation, that have an interest in business risks. These may include the company’s employees and executives, subcontractors, vendors and suppliers, investors (both individual and institutional), government and regulatory agencies, customers and the public at large. Depending on the nature and scope of the company’s business activities, any or all of the above may require
careful, comprehensive and distinctly targeted messages about the risks or threats to the organization. Government and regulatory agencies, in particular, may have specific risk-reporting and communications requirements, designed to ensure that proper safeguards and sound business practices are in place, and that they are in compliance with all regulatory requirements. These regulations may involve environmental concerns, operational directives, financial practices and information handling requirements. For example, investors, shareholders and ratings agencies are keenly interested in a company’s risk exposure as an element for developing objective balance to their investment positions and credit opinions. Customers and business partners may have a specific interest in the way the company addresses risk inherent in information sharing, such as the organization’s adherence to mandated privacy policies, that may strongly affect their desire to do business with the company.
Risk assessment and measurement Making a list of potential threats to the organization is a good starting point for an ERM programme, but it is not, by itself, sufficient for developing the accurate and useful communications described in the risk awareness phase. Once risks have been identified, the next step is to assess their likelihood and their potential impact on the enterprise. This step involves assigning an objective and quantifiable value, as well as a probability, to the risks identified in the previous phase. In order to do this, many companies require the help of analytical techniques and reporting mechanisms specifically designed for risk management. These types of tools were originally developed for use by the financial, credit and insurance sectors to determine the level of risk exposure and the potential monetary and operational impacts on the organization in the event of business disruption. Over time, these tools have become increasingly sophisticated and can provide excellent scenario-based simulations of actual risk events and their effects on the organization. These tools and techniques may be particularly necessary for developing realistic scenarios and impact estimates because of the interrelationships of many enterprise risks. As discussed in Chapter 1, a risk event occurring in one area of the business may trigger another event in a different area, compounding the overall impact. The analytical techniques and risk management tools can take many of these additive events into account, providing a better view of the company’s risk exposure than could be generated manually. The analytical tools are not automatic, however. Data is needed to feed these tools, and this data frequently comes from the company’s own information systems. If the information collected in these systems is not adequate or packaged in a way that best supports the analytical tools, the company’s overall technology
infrastructure may need revamping before the risk management tools are of any use to it. This can present a major challenge to the CRO. Although the overall push within many organizations is to integrate and connect their entire information infrastructure, the reality is that frequently the systems and data stores required to provide a complete and comprehensive view of the company’s portfolio, material and logical assets, and business processes are still in separate, unrelated systems. An alternative to using analytical tools in-house is to rely on a combination of manual methods and expert consulting advice. The manual methods will be described in further detail in Chapter 3. Once manual assessments have been made of the potential severity and impact of identified risk events, an expert in risk management can assist in the review of the assessment and further quantification of the company’s risk exposure. These experts may be found within the organization’s insurance or credit partners, financial institutions with whom the company does business, or outside the business through risk management and business continuity planning groups or associations. The important point of this stage of ERM is to gain an objective, impartial understanding of the true potential impact to the organization of the risks that were identified. Once this phase has been completed, the next step is to focus on eliminating or controlling these risks in order to minimize the impact on the enterprise.
Risk control The identification and quantification of enterprise risks is not adequate to effectively protect the enterprise against them. This is the job of the risk control portion of the ERM plan. Risk control involves the steps necessary to minutely examine and limit the vulnerabilities to which the company is exposed. And, this is where the active ‘management’ of risk management takes place. Companies may control risks in several ways, adopting only one technique or a combination of them, as appropriate. The first way is to control the risk at its point of origin. This may involve re-engineering a manufacturing process that may have subjected the organization to a risk from a potentially flawed product, or discontinuing a risky investment practice, or improving a configuration or change management process to reduce the likelihood of errors being introduced into systems. In this case, line management will need to be involved in making the necessary changes outlined in the ERM policy. Another way to control risks is to scrutinize the interrelated company risks, seeking to limit the overall level of risk in the organization. This type of control measure usually requires delving into the most risk-prone areas of the business, including business and product development, research, customer and trading partner relationship management, and support. The goal is to determine where the interconnected risks put the company in the greatest danger and see whether
an overarching change to the business activities can successfully limit the risks substantially or eliminate them altogether. Perhaps these limiting measures dictate that the organization ceases business with a trading partner that consistently engages in risky practices, or that a method of customer relationship development be discontinued or altered to limit the chance of liability and damage to the company’s reputation. These types of change usually cannot be implemented by the company’s line management alone since they often involve multiple areas within the business that are frequently interrelated. This type of change is best dictated by executive management and implemented by the affected line managers and business units. Finally, if the risks cannot be controlled adequately within the company, it may be appropriate and necessary to transfer them out of the company. Typical ways of doing this might involve allocating risk capital to cover the expected costs of a particular risk event, or acquiring additional insurance policies to secure against the event. But keep in mind that not all risks are insurable. And even for those that are, it may not be practical or feasible to insure against them. Ultimately, the goal of ERM is to manage the balance between risk and return for the company overall. Risks to the organization must be thought of as another type of portfolio in which the company is involved. And the job of the CRO is to consider the management of undesirable risks against the potential returns to the organization. Where certain risks are deemed beyond acceptable limits, measures need to be in place to mitigate them, or other reserves must be allocated to deal with potential fallout. When these efforts still result in an unacceptable amount of risk, the company must make informed and intelligent decisions to transfer the risk to an outside party.
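As an added illustration of the assessment and control steps described above (this is not code from the book), the following Python sketch keeps a small risk register, scores each risk by likelihood and impact, models one event triggering another the way the text describes, and then checks the result against a board-stated risk appetite to choose between accepting, controlling at the source or transferring the risk. Every risk name, probability, loss figure, trigger link and limit is a constructed sample value.

```python
"""Toy ERM risk register: likelihood x impact with interrelated (cascading) risks.

Added illustration, not from the book. Every risk, probability, loss figure,
trigger link and appetite limit below is a constructed sample value.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Risk:
    name: str
    probability: float   # annual likelihood of the event occurring on its own
    impact: float        # loss if it occurs, in currency units (constructed)
    # conditional likelihood given that a named *earlier* risk has occurred:
    # this is how "an event in one area triggers another" is modelled
    triggered_by: dict = field(default_factory=dict)


# Constructed sample register. Risks must be listed so that a risk only names
# triggers that appear before it (a power outage can trigger an IT failure,
# which can in turn leave the company unable to invoice).
SAMPLE_REGISTER = [
    Risk("power_outage", 0.10, 50_000),
    Risk("it_failure", 0.05, 200_000, {"power_outage": 0.60}),
    Risk("cannot_invoice", 0.02, 100_000, {"it_failure": 0.50}),
]


def scenario_probability(risks, outcomes):
    """Joint probability of one scenario (a True/False flag per risk)."""
    occurred = {}
    p = 1.0
    for risk, happened in zip(risks, outcomes):
        prob = risk.probability
        # if any trigger fired, use the (largest) conditional likelihood instead
        fired = [c for t, c in risk.triggered_by.items() if occurred.get(t)]
        if fired:
            prob = max(fired)
        p *= prob if happened else 1.0 - prob
        occurred[risk.name] = happened
    return p


def loss_distribution(risks):
    """Map total annual loss -> probability, over all 2**n event combinations."""
    dist = {}
    for outcomes in product([False, True], repeat=len(risks)):
        loss = sum(r.impact for r, hit in zip(risks, outcomes) if hit)
        dist[loss] = dist.get(loss, 0.0) + scenario_probability(risks, outcomes)
    return dist


def expected_loss(dist):
    return sum(loss * p for loss, p in dist.items())


def tail_probability(dist, threshold):
    """Likelihood that total loss reaches the threshold (the severe case)."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


def isolated_expected_loss(risks):
    """The figure obtained by treating each risk in isolation (ignores cascades)."""
    return sum(r.probability * r.impact for r in risks)


def control_decision(dist, appetite, tail_threshold, tail_limit):
    """Apply the board's stated limits: accept, control at source, or transfer.

    appetite: maximum tolerated expected annual loss.
    tail_limit: maximum tolerated probability of a loss >= tail_threshold.
    """
    if expected_loss(dist) > appetite:
        return "mitigate"   # routine loss too high: fix processes at the source
    if tail_probability(dist, tail_threshold) > tail_limit:
        return "transfer"   # rare but severe: reserve capital or insure
    return "accept"


if __name__ == "__main__":
    dist = loss_distribution(SAMPLE_REGISTER)
    print(f"isolated expected loss  : {isolated_expected_loss(SAMPLE_REGISTER):>10,.0f}")
    print(f"expected loss w/ cascade: {expected_loss(dist):>10,.0f}")
    print(f"P(loss >= 250,000)      : {tail_probability(dist, 250_000):.4f}")
    print("decision:", control_decision(dist, 40_000, 250_000, 0.05))
```

With the constructed figures the cascade nearly doubles the expected annual loss compared with scoring each risk in isolation, which is the compounding effect the text warns about.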
RECENT ADDITIONS TO ERM CONSIDERATIONS One cannot conclude this discussion of ERM without looking back to see how recent catastrophic events have affected risk management philosophy. Since the 11 September 2001 tragedy, there have been many written assessments of how organizations and industry in general could have been better prepared for such risk events. But could we truly have been better prepared? Prior to the terrorist attacks, it seemed unlikely that such a scenario, with such widespread impacts, could have occurred. True, with the clarity that hindsight provides, such a possibility should have been included in worst-case risk management scenarios, but the expected likelihood at that time of such an event may not have justified the time and effort involved. But, now that a worst-case scenario has occurred, organizations can learn from these experiences. The intricate interrelationships of enterprise risks and their
combinatorial impacts on the organization itself – and on the extended enterprise – have been painfully shown and proven. One presentation on the topic of 11 September and its risk management relationships has termed this ‘The Perfect Storm’ of the insurance and economic world in which the combining forces of a number of events have led to an impact that is greater than the sum of its independent parts. The overwhelming consensus is that an integrated and systematic way of developing ERM strategies would likely have led to better preparedness on the part of organizations in the event of a catastrophe like the 11 September attacks. Where could ERM have aided in better preparedness? There are a number of key areas in which the effectiveness of a comprehensive ERM discipline could have made a significant difference. These areas are:
■ planning for extreme events;
■ responding to wide-scale disasters;
■ managing risk exposure;
■ managing enterprise capital and assets;
■ communicating to the enterprise’s stakeholders.
The following discussion examines each of these additional benefits separately in greater detail and explains why ERM can be so helpful in times of crises.
Planning for extreme events

The value of ERM to the enterprise under ‘normal’ risk conditions is clear. But ERM planning can offer additional value by preparing the organization for extraordinary situations, such as those experienced during the WTC and Pentagon attacks. These types of catastrophes have the ability to broadly disrupt a wide range of businesses, industries and areas, even outside of the geographical or industrial areas immediately affected. Because these events exert such extensive influence on such a large scale, the usual risk mitigation techniques may not be sufficient. Because such an event – one so catastrophic that it can be fatal to several companies or even industries – is so unlikely, it is difficult, and probably financially unrealistic, to ‘plan for’ such a disaster and prepare for it by buying extra insurance or reserving extra capital resources. But, as we’ve seen, major catastrophic events, regardless of how unimaginable they might be, can happen. It is the job of the ERM process to ask, and assist in answering, the question, ‘But what should be done if it does happen?’ The ERM discipline can be used to examine even the most extreme events and craft scenarios that would give businesses an idea of how such an event would look, the types of responses and resources that might be required to deal with it, and what sort of outlook the business has post-event.
What is enterprise risk management?
Governments and municipalities have done some degree of modelling for severe risk events such as catastrophic earthquakes and nuclear attacks; these are the sorts of events that, while highly unlikely and rare, would have a significantly devastating effect on businesses, geographic locations and industry segments. Businesses, in cooperation with government entities, could work together to ascertain what is a reasonable and practical response to such extreme events, and determine in advance where government or regulatory participation and assistance might be required to restore order.
Responding to wide-scale disasters

The next natural topic following one on extreme events is that of handling responses to wide-scale disasters, such as the catastrophic earthquake mentioned previously. ERM’s modelling and scenario-building capability is tailor-made for developing effective plans for responding to major crises. Many of the modelling tools are designed to deal with the intense complexity that interrelated risks present, and companies can use these to help simulate pending disasters and develop effective anticipatory response plans.

In December 1992, a major ‘Nor’easter’ – a type of storm that is native to the eastern seaboard of the United States – hit New York City and much of the New England coast. As it slammed into the financial district of New York City, it initially brought with it intense rain and winds high enough to knock glass panes out of skyscrapers. Several hours into the storm, the streets were littered with broken glass and debris. Airports all around the region, including all three in the metropolitan New York area, closed as a result of flooded runways, cyclonic winds and dangerous conditions. To make matters worse, some of the subway system and underground tunnels leading to and from Manhattan shut down, again due to flooding and the accompanying power outages. Wall Street responded to the adverse conditions and closed major financial markets because of the danger to personnel travelling to and from the trading floors and to those all around the financial district. When evening fell, the heavy rain turned to heavy snow, paralyzing any remaining traffic in the city and in neighbouring regions. This storm, although predicted, surprised meteorologists and businesses alike with its ferocity. Most were unprepared for disruption of this magnitude at that time of the year, and the capricious nature of this Nor’easter was particularly disruptive as it changed from heavy rain to blizzard in a few short hours.

This is just the type of complex scenario that mature ERM planning can address: what begins as one seemingly isolated risk to a limited set of businesses or industries – say, the obvious threat of the storm to fishing vessels and maritime traffic – can quickly develop into a complicated event affecting a large area. In the case of this storm, the early closure of the financial markets had a domino effect that was felt not only on the opposite coast, but even globally, as trading on Wall Street was suspended for the day.

In the case of disaster planning, what is most important is the ability of ERM to model the effects of concurrent, complicated sets of interrelated risks in order to develop appropriate and adequate operational and financial plans. Insurance industries, for example, need to know what scale of damage or disruption to expect from a potential disaster, as they need to have adequate resources, both personnel and financial reserves, on hand to deal with the aftermath. Companies directly affected by a disaster need to know what level of response will be required, so that plans can be made to move operations, to staff any needed facilities and to make any advance preparations that are necessary to keep the business operating at as normal a level as can be expected given the circumstances. Again, the key point is advance planning. Companies that take the time and devote the resources to planning for such events before they occur will be in a much better position to respond and recover if and when they actually happen.
Managing risk exposure

Because of ERM’s ability to ‘think’ in terms of highly interconnected risks and vulnerabilities, it is able to transcend the traditional consideration of threats as isolated entities. As was shown earlier, large-scale disasters tend to have a domino effect on risk, beginning with one or a very few risk triggers, which lead to a rapid cascading of other risk events, until there is a myriad of issues threatening enterprises, locales and industries. The effects of the 11 September 2001 attacks were so widespread that the impact was felt within numerous areas of society and the economy. The result was that nearly every industry in the country – and in several cases, extending beyond the US to international markets – felt some impact of the events. Financial markets worldwide were affected by the shutdown of the NASDAQ and NYSE. Air travel was disrupted globally, not only for the time that US air traffic was suspended, but also afterwards, as the travel industry took a strong negative hit resulting from travellers’ fears and new security regulations. Underlying all this tumult were the effects of the disasters on the banking and insurance segments, which suffered simultaneous losses in nearly every sector as people and businesses filed claims for damage, destruction and suffering.

In hindsight, while organizations could have done little to stop an event like 11 September from occurring, there are areas in which ERM would have been useful. The ability to consider the interdependencies among risks to the business – and then develop scenario-based models of certain catastrophic events – is useful in helping organizations understand where they may be heavily impacted by related risks. If a scenario shows that a particular event may cause an especially strong impact as a result of multiple vulnerabilities interacting, the organization has the knowledge with which to develop more effective ways of mitigating or managing that impact. Perhaps this management requires that the organization limits doing business in a particular way that subjects it to more risk in a certain area. Or that it transfers risk out to another third party or resource in order to avoid the combinatorial effects of multiple, cascading risks. In any case, the information that ERM can provide companies about their interrelated risk scenarios can assist in preventing, or limiting, catastrophic effects resulting from the occurrence of extreme events.
Managing enterprise capital and assets

One question in the minds of many organizations as a result of recent disasters may be ‘Do we have enough resources on hand to deal with a true emergency?’ Companies are keenly involved in the appropriate management of capital and assets to support day-to-day operations, and a major crisis such as 11 September 2001 can have a significant impact on the company’s overall resource requirements. In the event of a catastrophe, a company may need substantially more cash to deal with recovery or response efforts than it might otherwise have on hand. Yet this cash may typically be held with lower liquidity than would be required during such a time. The company needs access to ready funds, and a catastrophic event should not be made worse by the need to pry these funds out of less liquid holdings. Conversely, it is equally undesirable to have too much of the company’s reserve held in lower-return but more liquid investments ‘just in case’ a highly unlikely disaster should strike. ERM can assist the company in developing a model that provides an appropriate balance between capital fluidity and deep assets. Moreover, since ERM can identify and illustrate interdependent as well as independent risks, the company can examine the areas within and beyond the organization in which greater risks lie, and allocate appropriate resources to or from these areas to account for and address the increased exposure. This provides an informed basis from which to make the all-important capital and asset allocation decisions, both before a catastrophic event occurs and during the recovery and rebuilding efforts after the event.
Communicating to the enterprise’s stakeholders

Finally, ERM can have a positive effect on the critical task of being able to communicate effectively to all the organization’s stakeholders in the event of a catastrophic situation. This communication is certainly important for all the various categories of affected parties, including the company’s employees, trading partners and so on. But there are groups of stakeholders for whom this communication is especially important, and these include banks and lending institutions, securities and investment groups, and the insurance sector. For these constituents, having an effective ERM strategy in place can provide a huge benefit to the organization before, during and after times of crisis. For example, having a rigorous ERM process in place and sharing this information with the appropriate interested parties before an event occurs helps to reassure stakeholders that the company is adequately prepared for a disastrous event. Later, when an actual event occurs, the ERM process will already have been used to model such an event in advance, providing the company with a look-ahead toward what the potential effects might be, and the scope of those effects, allowing the company to develop better plans for minimizing the impact, if possible, and preparing the company for institutional, governmental and media enquiries. Again, appropriate communication of the magnitude of the expected and actual impact, and of the actions the company has taken to limit the impact and restore normal operations, will help restore confidence in the minds of the company’s key stakeholders. ERM is the tool that helps shed light on uncertainty – for the company threatened with a catastrophic event, and for all its constituents and supporters.

While much of the communication with which ERM is concerned involves proactive communication about the organization’s preparation and contingency plans, there is another type of communication that is equally important, and must be given serious consideration as part of any business continuity planning. This is crisis communication, and it can make or break even the best of organizations if it is not properly planned for and executed when a difficult situation actually arises.
Crisis communication

An organization that is facing a crisis is compromised in a similar way to the human body when it is weakened by a critical illness. While it may be impossible to get all systems up and running at peak efficiency at the same time, continuity planning stresses the importance of addressing each element, fixing problems as they arise and recognizing that the failure or prolonged disruption of any one vital system may make it impossible for the organization, or the body, to survive. While these systems are undergoing the process of stabilization and recovery, another important function, that of crisis communication, must be active and fully operational, keeping lines of communication freely flowing between the organization and its interested parties.

Delivering corporate communications during a crisis is a specialized skill that, in fact, virtually borders on an art form. This speciality is most frequently considered as part of the discipline referred to as crisis management, which is a natural extension of the risk management process overall. While risk management focuses on strategies for anticipating and dealing with mundane as well as urgent matters, crisis management is primarily concerned with only the most dramatic events and circumstances that could disrupt operations or make it impossible to continue business. Both disciplines need to be applied before and after the risk events that they address. A proper discussion of the complete topic of crisis management, with its highly specialized processes and activities, is beyond the scope of this briefing, but one key aspect of its many functions, that of crisis communication, deserves mention in this section.

Crisis communication is a necessary and intrinsic part of the overall ERM and BCP function that is frequently overlooked, or whose importance is underestimated. While organizations carefully plan and prepare for corporate communications during normal operations, such as communications to shareholders and the media, they fail to consider how significant it can be to provide the right communications competently and appropriately during times of high stress. This business function must be planned, prepared for and rehearsed with as much diligence and focus as are given to the other activities and processes that are part of the contingency plan. In fact, it can be argued that the communications aspect is almost more strategic than other resumption and recovery activities, since communications involves being on the front line of public exposure, whereas the other activities occur essentially away from public view.

To illustrate exactly how important effective crisis communication is, it is helpful to study a situation of communications gone wrong. The case of what occurred in the Firestone tyre separation tragedy points to one of the greatest crisis communication breakdowns in recent memory. Under layers of problems, including a lack of clear decision making, corporate denial and blatant arrogance, was a seriously misguided public relations effort.
The cascading series of incidents, beginning with reports of fatal automobile rollover accidents related to the Bridgestone tyre brand and culminating in an unprecedented product recall and a slew of litigation, is a study in risk gone awry. In a nutshell, a lack of communication at the highest levels of the company’s management and a complete disregard for the power of public opinion may well permanently scar and possibly even ruin the Firestone brand altogether. While the underlying issue in the debacle appears to be a problem in a manufacturing process – an operational risk – a deeper probe reveals an unsettling pattern of corporate denial and communications disconnects that add to the sense of distrust. Company documents released to the media showed that Firestone had received more than 1500 legal claims, many of which were dated as far back as 1997, for property damage, injuries and deaths resulting from failures in some of the more than 6.5 million tyres that were eventually recalled. As the story unfolded in late 1998, in response to the numerous enquiries from Ford, the maker of the Explorer model on which the failing tyres were used, and the general public, Firestone repeatedly gave the same answer that it had been giving plaintiffs’ lawyers for years: some tyres inevitably fail, and the usual cause is abuse by customers who do not inflate the tyres properly or overload the vehicle. While this may have been partly true, the statements by Firestone appeared to dismiss the growing public concern about the tyres themselves and to be an attempt to shift blame onto the manufacturer. But, regardless of whether there was an actual problem with the tyres, once the information about the corporate documents was released, Firestone’s problems were clearly an issue of public relations and damage control.

Although Bridgestone/Firestone eventually had to bow to public and legislative pressure and undergo the recall, what could have salvaged the situation was a willingness by the company to fully address and respond to obvious consumer concerns. Firestone needed to adopt and communicate a position that would promote a commitment to the integrity of its product. But, instead of moving in this direction, Bob Wynant, Bridgestone/Firestone’s vice president of quality assurance, was quoted in news reports as saying, ‘We’ve got such a high volume of tyres that looking for the root cause is like looking for a needle in a haystack.’1 To further exasperate the public and the media, the company continued to insist that no design or manufacturing defects had been identified to explain the problem, but explained that it was submitting to the recall merely as a precaution.

Contrast this with the publicly visible stance taken by Ford, in which not only did they not openly blame Firestone, but rather they used the crisis as an opportunity to voice their commitment to their vehicles and to public safety. In his frequently aired TV spots, Ford CEO Jacques Nasser claimed Ford handled the recall in a responsible and timely manner.
Regardless of all the finger-pointing going on between Ford and Firestone, and cross-claims of negligence and information withholding on either side, the public side of Ford gave the consumer the perception that Ford was indeed worried about consumer safety and was doing everything in its power to ensure continued safety. Ford was able to weather its damaging crisis in no small part because of the effectiveness of its crisis communication plans and actions. This serves to reinforce the marketing adage that ‘perception is reality’.
Crisis communication lessons learned

True organizational crises deliver with them periods of intense stress. When the company is in the middle of a serious crisis, it is not the time to begin inventing communications and looking for the spokesperson to deliver them. Long before a crisis actually occurs, the following steps should be taken to ensure adequate preparation for effective communication in the event of a crisis. Some of these will already have been undertaken as part of overall ERM and BCP, but they bear repeating here.
■ Identify potential crises or threats that could affect the business. This should take place as an early and routine part of the overall ERM process.
■ Draft preliminary press releases for the types of crises that have been identified. Naturally, all the actual details of the release appropriate for public consumption will need to be added if/when the crisis occurs, but a general document addressing the major expected issues can be prepared well in advance.
■ Appoint and train primary and backup company spokespeople. It is essential that these people be identified in advance and trained in the art of crisis communication by experts in that field prior to any exposure to the public or media.
■ Prepare lists of media contacts and reporters likely to have an interest in covering the company. Develop a list of contact information, including phone and fax numbers, in advance.
■ Consider the arrangements for working space for reporters during a time of crisis as part of the overall contingency plan.
■ Maintain up-to-date, media-appropriate information, including online and printed versions immediately accessible to reporters and other interested parties such as key shareholders.
■ As with other elements of contingency planning, keep checklists at hand so that the many necessary details are not overlooked during the actual crisis.
There is much more involved in crisis communication and management that is outside the scope of this briefing, but this information is presented to provide a basic understanding of the special requirements of this important and often-overlooked aspect of contingency planning.
THE COST OF ERM

From the previous discussions of the scope and actions involved in developing an accurate and effective enterprise-wide risk management programme, it quickly becomes obvious that these efforts do not come without significant cost. Certainly, there are direct costs involved in hiring and paying for a CRO-level individual whose primary – and often only – responsibility is to focus on protecting the organization from something that may never occur. This is hardly a cost that can be justified and offset by increases in productivity or production. Then, there are additional costs incurred as a result of:
■ time spent on supporting work done by other members of the organization while assisting in risk identification and assessment, the development of risk management and business continuity plans, and the review of, testing of and training for the plans;
■ time not spent by these same organizational members on their typical tasks such as accounting, production, manufacturing, business development, etc.;
■ expenses related to the production of disaster recovery or contingency plan manuals or other documentation;
■ any capital or expense costs involved in infrastructure upgrades made necessary by the risk management or contingency planning process, such as newer or additional telecommunications equipment, computers, software or analytical tools.
All of these are indirect costs that contribute nothing to the organization’s bottom line. Primarily this is because an organization’s disaster preparedness cannot be easily or directly reflected on its balance sheet. How, then, can these costs be justified?

Some of these costs can be offset by real or potential savings directly attributable to the ERM process. For example, insurance premiums or costs for additional policies may be reduced or eliminated as a result of the organization’s risk awareness, mitigation efforts and thorough contingency planning. Regulatory agencies may waive some fees or penalties because of the elimination or mitigation of certain identified risks. Utility or materials-processing costs may decrease, as these providers see reductions in the types or quantities of hazardous or dangerous materials requiring processing or handling as a result of a transfer of this risk to another third party. There are any number of areas in which the organization may see cost reductions or decreases in certain expenses directly attributable to the efforts involved in ERM.

Regardless of the cost savings, the biggest justifying point for having ERM in place can be made clear by this simple question: what would it potentially cost the business not to do ERM? If that question seems too open-ended, consider these scenarios:
■ What is the potential cost to the business of not having one key employee available to manage a key account? To run a production line?
■ What is the potential cost to the business of losing a major software business application, like the ERP or CRM system, for a day, a week or a month?
■ What would be the effect on the business if 10 per cent of the customers left because of the unavailability of the organization’s e-commerce site?
■ What is the potential cost to the organization of delivering a defective product to market? What if this product is included in life/safety applications such as automobile production, aircraft parts or medical equipment?
■ What if employees were unable to access the organization’s primary business location for a day, a week or a month?
■ What if all vital records were lost at the corporate office?
■ What if 200 of the organization’s key members were killed or injured?
It quickly becomes obvious that the prevention or mitigation of the effects of disruptive events to the organization can have a significant impact on the company’s continued ability to do business. And this is ERM’s primary goal: to ensure continuity of critical business functions, and to eliminate the source of risk or minimize the effect of adverse incidents on the organization. The process of identifying, measuring and quantifying risks and their potential impacts will be the greatest justifier of them all. That is the step in which the scope of potential risks and their impact becomes known. The organization can then use those estimates and event probabilities to determine how much of an effort is appropriate to dedicate to an overall ERM programme.
THE BOTTOM LINE

It should be clear by now that there is no substitute for an effective, well-thought-out ERM strategy. Every business is subjected to a myriad of risks daily; it is only a matter of time before one or more of these risks is in a position to have an impact on business operations. Enterprise risk management can actually be better thought of as ‘enterprise continuity management’. Advance planning, training and preparation for a worst-case scenario positions the enterprise to respond effectively to an unplanned business interruption, and ensures the continued availability of mission-critical operations.

More companies are recognizing the importance of appropriate and rigorous ERM activities. As a result, they have begun putting an executive-level CRO in place, whose primary responsibility, as ‘chief worry officer’, is to ensure that the proper levels of safeguards and processes are in place to anticipate the vulnerabilities to the organization and minimize their effects. While not every company will justify a true CRO, the individual or department that holds these responsibilities must have sufficient authority and visibility in the organization to be able to operate effectively across, and make decisions that affect, the entire enterprise.

ERM is primarily concerned with fostering risk awareness in the organization, assessing and measuring that risk, and taking steps to control it. ERM is uniquely suited to the purpose of examining and modelling highly complex, interconnected risks and developing worst-case scenarios based on these areas of vulnerability. ERM assists the company in making rational, educated decisions about the types and scope of business risks, how best to limit them, or whether to transfer them out to an outside party when all efforts at internal control still result in unacceptable levels of risk weighed against possible return. While it may seem to be a waste of time and resources to focus on the unthinkable or unlikely, ERM will prove to have been an invaluable tool when the unthinkable actually occurs. The lessons learned from recent catastrophic events show that ERM could have been used as an effective discipline for everything from minimizing risk exposure to providing for adequate resources in times of crisis. The ability of ERM to analyze and quantify event scenarios can lead to better preparation on the part of the organization, improved communication to its stakeholders and an increased level of confidence that adequate and appropriate measures have been taken to safeguard human and capital assets and to ensure an orderly and effective response during a disaster.

ERM provides peace of mind and proof that effective plans are in place. From that perspective, ERM can be thought of as another form of insurance – insurance that every bad thing that may threaten the enterprise has been accounted for. But, just like insurance, it is a policy that the organization hopes it will never need to invoke. Another insurance analogy becomes appropriate here: many people do not buy insurance because they feel they can’t afford it. True, developing an effective enterprise-wide risk management programme will not be cheap. However, given the alternatives of incurring additional downtime, expenses involved with recovery of critical business operations, or safeguarding the company’s reputation or even its very existence, what organization can afford not to practise rigorous risk management? What is the cost of not having ERM in place? Viewed from that perspective, most organizations will agree that ERM is a justifiable and necessary expense.
NOTE 1. ABC News and Associated Press, 14 August 2000.
3 Planning for enterprise continuity

■ Introduction 49
■ The phases of ERM/BCP: review, respond, recover 49
■ Risk analysis and assessment 50
■ Business continuity and contingency planning 51
■ Response and resumption 56
■ Business recovery 62
■ Review and re-evaluation 63
■ The bottom line 64
INTRODUCTION

Previous chapters touched on the need for today’s organizations to be prepared for potential business disruptions and damage caused by common or uncommon risk events. The activities and disciplines involved in enterprise risk management were described as a critical means of ensuring that the organization was properly aware of any risks to the business, was conscious of the interrelationships of these risks, was informed about the magnitude of the impact resulting from risk events, and was able to consider ways to eliminate or minimize the effects of the risks. While all this is certainly necessary, one key element, though alluded to, has not yet been sufficiently explored. Managing the risks in the organization is extremely valuable and necessary, but it is only a portion of the process needed to truly address the goal of maintaining enterprise continuity.

What is meant by enterprise continuity management? This is the ability to keep the organization operating, at some pre-defined acceptable level, given conditions that led to some degree of partial or total business disruption. What the enterprise is after, then, is a full programme of enterprise risk management (ERM) coupled with business continuity planning (BCP) in order to minimize the total effects of a risk event, respond appropriately to the event, and restore the business to normal operational status as quickly as possible. This chapter will explore the phases of a full ERM/BCP programme and offer insights into the activities that are included in each phase. Chapter 4 will then further detail the steps for actually developing such a programme within a typical enterprise.
THE PHASES OF ERM/BCP: REVIEW, RESPOND, RECOVER Traditionally, the main focus of any organization’s continuity plans was the portion that related to disaster recovery. Companies generally had a plan in place for storing critical documents off-site, procedures in place for computer system backups and recovery, and perhaps a manual that described what to do in the case of loss of physical assets such as buildings or equipment. As businesses have become more complex, both in terms of the way they function and their relationships with other businesses, the bare-bones disaster plan has become inadequate. Planning for Y2K was generally the first opportunity, outside of the financial and insurance sectors, for companies to realize how interrelated business processes and functions truly had become. What started out as ‘merely a computer bug’ quickly grew to involve any business, in any industry, regardless of size, shape or origin. As technologically dependent and process-centric as businesses have become, no company can ‘just do business’ anymore without being subjected to a host of different risks and vulnerabilities. 49
Minimizing Enterprise Risk
Technology, too, has had an enormous effect on the speed and availability with which companies do business today. The Internet and web-based applications have contributed a great deal to companies’ abilities to do business quickly, efficiently and continually. However, the same technology advantage has its downside: the Internet’s very 24/7 availability has increasingly restricted a company’s ability to have any downtime, for any reason. For a company experiencing a business disruption, the timeframe for an acceptable recovery period has dramatically shrunk. Not all that long ago, a 72-hour recovery period seemed phenomenal. Now, many companies are planning for shorter and shorter windows of downtime. Even 24 hours, in this age of constant availability, is too long for a company to be completely unavailable. Yet, realistically, how many companies can resume normal operations after a major risk event has occurred? And, depending on the circumstances of the event, the definition of ‘normal’ may need to be altered. All these factors need to be considered as part of the overall business continuity plan. The methodology of a successful ERM and BCP programme involves the following categories of effort:
■ risk analysis and assessment;
■ business continuity and contingency planning;
■ response and resumption;
■ business recovery;
■ review and re-evaluation.
Each of the five elements listed above plays an important part in ensuring that the enterprise is prepared for adverse incidents, can experience minimal disruption to mission-critical business function and is able to recover quickly from such events.
RISK ANALYSIS AND ASSESSMENT
This phase of the ERM project is the one in which comprehensive evaluation of the risks to which the business is vulnerable is made. This involves the following activities:
■ risk identification;
■ risk impact analysis;
■ mitigation planning.
Risk identification, discussed in Chapter 1, is the process of exposing and cataloguing the risks to which the organization may be vulnerable.
Planning for enterprise continuity
The risk impact analysis process takes the identified risks and begins to map them against the expected likelihood, severity, time-sensitivity and potential impact on the business. Chapter 4 will provide extensive detail on risk evaluation and analysis. Mitigation planning is the process of developing actions to either prevent or reduce the likelihood of the occurrence of a risk event, performance failure or adverse incident, or to minimize the impact of the expected event.
BUSINESS CONTINUITY AND CONTINGENCY PLANNING
This phase is the one with which most risk managers are familiar. This is where the old disaster recovery plans were created and where they lived. However, the old term ‘disaster recovery’ is no longer valid. Companies do not just want to ‘recover’ from a disaster, they want to be sure that they can remain in business. Also, as mentioned previously, the old disaster recovery plans usually only accounted for damage or destruction to property, life and hard assets. They were not adequate, for example, to address the present number one asset in most organizations: information. Business disruption need not occur as part of a catastrophic natural disaster, as we’ve seen; merely a disruption to the flow of information throughout the organization and between its business partners is enough to have a significant impact on the business. Business continuity and contingency planning is the process of planning to ensure the continued availability of essential services, programmes and operations, including all the resources necessary to operate the enterprise at a level predetermined by executive management in response to the loss of operational capability due to a risk event or disaster. This plan contains policies and procedures for emergency response, backup and post-disaster recovery to ensure the continuity of mission-critical operations. True contingency planning has the benefit of forcing managers to think in terms of possible outcomes instead of just those that are the most likely. The organization may seem on the surface to be adequately covered, but has every aspect truly been examined? For example, a systems outsourcer or Internet service provider that is housing the company’s server makes the statement that they are backing it up. On the surface that may seem an adequate measure of protection and contingency in case the primary server at the company itself fails.
But has anyone in the company actually questioned the backup organization to determine if they have a contingency plan covering the case of their own disruption in service? The contingency planning process allows managers to brainstorm and come up with many possible outcomes such as this, preparing the organization for the worst.
Each business operation and, by extension, each business unit should have a contingency plan written based on the essential elements that are needed for that operation to continue normal business operations. An important point of the concept and focus of BCP is to study how the business will continue if, in fact, mission-critical business operations are impacted. In order for the business to survive, the flow of business operations should not stop; operations may be located elsewhere or other personnel may be doing the work. BCP plans must be written based on these premises and contingencies. So this phase concerns itself with addressing the risks identified in the previous phase and planning for how business will conduct itself in the event that the risk is triggered. The BCP portion of the ERM programme’s main goal is to maintain integrated continuity of business-critical functions. Naturally, every company – even two within the same industry – has a different definition of what is critical to its business, and so each business continuity plan will be unique to that organization.
The contingency and continuity plan
The critical deliverable in this phase will be the actual documentation that clearly identifies what types of risk events are considered, how they are identified, what level of response is appropriate according to the scope of the event, how to determine the level of impact or damage, what procedures should be followed, and how and when they should be invoked. There are two basic types of contingency plan that must be developed by the enterprise. The first type of plan, often referred to as a business continuity plan, focuses on responding to and restoring a failed essential element(s), while the second type, the contingency plan, centres on the identification of alternative processes necessary for mission-critical operations to continue functioning until the failure has been resolved. A department that is responsible for cross-functional support, like facilities, IT or communications, normally develops the failure response and continuity plan. The second type of plan is developed by a department responsible for a specific function, like finance, marketing, human resources or engineering, and addresses the need for the critical operations to continue to function despite a failure. When the plan’s detailed function recovery procedures are developed, they must be at a level of sufficient detail that allows the plan to be followed just by reading the procedures. Minimizing the need for decision making during a disastrous situation is one of the goals of contingency planning. The plan should encompass activities necessary from the time of the interruption all the way through to the return to normal operations. Also, the focus should be on the impact of the business interruption, not on identifying or resolving the actual cause of the interruption. Many contingency plans have been written to address only a specific type of interruption, and consequently fail when a disaster of a different nature occurs. In addition, the plan for each function to be recovered and the plan for the enterprise as a whole should incorporate the costs of implementation in terms of personnel and financial resources.
Monitor results and set up detection process
Processes to monitor for and detect a potential threat to the enterprise must also be put in place. Criteria and associated metrics, parameters and alert mechanisms that could be used as indicators of actual or impending impairments to mission-critical operations must be identified. Examples of these include criteria to monitor the performance of a function and criteria to monitor the status of an essential element. Function monitoring criteria allow management to gauge the actual performance of a business function against established standards and signal when less than optimal results are being experienced. Element monitoring criteria allow oversight personnel to evaluate the operating quality of an essential element (for example, suppliers, customers, facilities, equipment, data, staff, communications, hardware and software). Together, the function and element monitoring criteria provide the foundation necessary for rapid incident and crisis response. Identification of monitoring criteria, metrics and operating parameters enables the enterprise to implement alert mechanisms and diagnostics that indicate when the performance of a function or element either exceeds or falls below established norms. Additional alert points should also be considered to trigger the initiation of contingency procedures, or to prevent or alleviate pending crisis conditions. Prior to finalizing the plan, reviewers and auditors from the enterprise must become involved in conducting a thorough examination and audit of the plan to determine its fitness for protecting mission-critical operations, and must attest to the plan’s compliance with laws or regulations regarding contingency planning. Auditors may also be able to expose possible competitive risks to the enterprise.
For example, in the event of a regional disaster, a direct competitor who already has a contingency plan in place could conceivably gain additional market share by maintaining adequate service levels for its operations. Developing the initial contingency plan is only the beginning of the process. Ongoing changes in technology, staffing and business goals and objectives require that the plan be regularly reviewed, tested and updated in order to remain an effective risk management tool. Contingency planning dictates detection, response, recovery and resumption of business operations. Businesses may have diverse strategies within the planning process based on the type of failure. For example, technology-based disruptions may include the following:
■ Failure in embedded software control mechanisms in manufacturing or assembly lines. This type of failure may result in a complete or partial shutdown in manufacturing operations for perhaps even several weeks, leading to a reduction in output and profits and a potential increase in costs.
■ Failure in software handling process-control applications such as those found in oil refineries, pharmaceutical manufacturers, chemical producers and automotive assembly-lines. Similar to the failure described above, this may lead to a total shutdown of operations or to chemical or process-related accidents, resulting in indeterminate periods of financial losses.
■ Failure of software applications such as accounting and other financial applications that cause inaccurate invoicing or errors in billing and collections processes, affecting cash flow, customer service and relationship management.
■ Errors in software processing for employee and subcontractor payroll, causing missed or faulty paycheques or inaccurate payment information and reporting, which may open the organization to legal action, fines, penalties and audits by financial and tax regulatory agencies such as the United States’ Internal Revenue Service.
■ Flaws or defects in products from the aircraft, medical instruments or healthcare sectors, defence and weapons systems, tools or manufacturing equipment resulting in injury or death to individuals. In addition to the obvious damage caused by loss of life or injury, the organization may suffer adverse effects to its reputation or be subjected to litigation and other negative effects.
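The monitoring criteria and alert points described above under ‘Monitor results and set up detection process’ can be expressed as a small threshold monitor: each function or element criterion carries an established norm (the band in which performance is acceptable) and a further contingency alert point at which contingency procedures are initiated. The following is an added illustration, not part of the book; the metric names, thresholds and readings are constructed for the example, and the billing-error and assembly-line metrics echo the technology-based disruptions listed above.

```python
"""Two-level threshold monitor for function and element criteria (illustrative)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Criterion:
    """A monitoring criterion: a norm band plus optional contingency alert points.

    kind is "function" (performance of a business function against a standard)
    or "element" (operating quality of an essential element such as equipment
    or a backup service). None means "no bound on this side".
    """
    name: str
    kind: str
    low: Optional[float]               # lower bound of the established norm
    high: Optional[float]              # upper bound of the established norm
    contingency_low: Optional[float]   # below this, initiate contingency procedures
    contingency_high: Optional[float]  # above this, initiate contingency procedures

    def __post_init__(self) -> None:
        # A criterion that is internally inconsistent would never fire correctly,
        # so reject it when the plan is loaded rather than during an incident.
        if self.kind not in ("function", "element"):
            raise ValueError(f"{self.name}: kind must be 'function' or 'element'")
        if (self.contingency_low is not None and self.low is not None
                and self.contingency_low > self.low):
            raise ValueError(f"{self.name}: contingency_low must not exceed low")
        if (self.contingency_high is not None and self.high is not None
                and self.contingency_high < self.high):
            raise ValueError(f"{self.name}: contingency_high must not be below high")


@dataclass(frozen=True)
class Alert:
    criterion: str
    kind: str
    level: str      # "deviation" (outside the norm) or "contingency" (alert point crossed)
    value: float
    reason: str


def evaluate(c: Criterion, value: float) -> Optional[Alert]:
    """Classify one reading: contingency points are checked before the norm band."""
    if c.contingency_low is not None and value < c.contingency_low:
        return Alert(c.name, c.kind, "contingency", value,
                     f"below contingency point {c.contingency_low}")
    if c.contingency_high is not None and value > c.contingency_high:
        return Alert(c.name, c.kind, "contingency", value,
                     f"above contingency point {c.contingency_high}")
    if c.low is not None and value < c.low:
        return Alert(c.name, c.kind, "deviation", value, f"below norm {c.low}")
    if c.high is not None and value > c.high:
        return Alert(c.name, c.kind, "deviation", value, f"above norm {c.high}")
    return None


def monitor(criteria: List[Criterion], readings: List[Tuple[str, float]]) -> List[Alert]:
    """Run every reading against its criterion; readings with no criterion are ignored."""
    by_name = {c.name: c for c in criteria}
    alerts = []
    for name, value in readings:
        c = by_name.get(name)
        if c is None:
            continue  # no criterion defined for this metric
        alert = evaluate(c, value)
        if alert is not None:
            alerts.append(alert)
    return alerts


def needs_contingency(alerts: List[Alert]) -> bool:
    """True when any criterion has crossed its contingency alert point."""
    return any(a.level == "contingency" for a in alerts)


# Constructed criteria (hypothetical metric names and thresholds, not from the book).
CRITERIA = [
    # billing function: percentage of invoices with errors
    Criterion("invoice_error_rate", "function", None, 0.5, None, 2.0),
    # assembly line as an essential element: units per hour
    Criterion("assembly_line_throughput", "element", 90.0, None, 50.0, None),
    # backup service as an essential element: hours since the last good backup
    Criterion("backup_age_hours", "element", None, 24.0, None, 72.0),
]

# Constructed sample readings.
READINGS = [
    ("invoice_error_rate", 0.3),         # within norm
    ("invoice_error_rate", 1.1),         # outside norm, below contingency point
    ("assembly_line_throughput", 42.0),  # below contingency point
    ("backup_age_hours", 30.0),          # outside norm
    ("unmonitored_metric", 1.0),         # no criterion: ignored
]

if __name__ == "__main__":
    found = monitor(CRITERIA, READINGS)
    for a in found:
        print(f"[{a.level}] {a.kind} {a.criterion}={a.value}: {a.reason}")
    print("initiate contingency procedures:", needs_contingency(found))
```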
The contingency plan should be explicit in discussing the process of maintaining business continuity during a failure in order to support and uphold the concept of fiduciary duty and responsibility. This helps to safeguard the company from litigation and also aids in ensuring continuity of business-critical operations. It is important to note that, while developing electronic-based contingency plan documents can be desirable, there should be paper copies of this documentation readily available as backup in case the system on which the electronic versions are stored is not available. Likewise, consider that having paper-only versions at the physical company locations may not be sufficient in the event that the facility at which they are kept is damaged or destroyed, or access to it is prohibited or prevented in some way. But, since there is no foolproof way to ensure that all parties identified in a contingency plan always have a copy of the plan immediately with them, access to the documents should be reasonably and quickly possible from a number of reliable sources should an adverse incident occur.
Communication and training
Another frequently overlooked portion of this phase is that of communication and training. It does the organization no good to have created a detailed contingency and continuity plan if the members of the organization do not know about it or know how to use it. And, while it is more common that key members of the organization who are identified in the plans are notified and aware of the location of the plan, it is equally important that all the company’s members are made aware of it. Should key personnel on the response team not be available, someone else in the organization may need to initiate the response, so they need to know what resources are available to them, what procedures to follow and where to find them. Once the contingency plan is completed, the organization should begin a process of ensuring that the company’s members are also adequately and appropriately trained. This training serves two main purposes: it educates the organization’s members on the risks to the organization, and it familiarizes them with what to do in the event of an incident. There is one additional benefit of training that is not generally considered: any effective training will include simulations or drills of the actual event, as feasible, using the contingency and continuity plans as the response roadmap. The plan must be thoroughly tested before a disastrous event occurs. This point cannot be overemphasized. Testing the plan proves that each step has been well thought out and that nothing has been overlooked. A scenario for testing the plan in the most realistic manner possible should be developed and carried out on a regular basis. Performing these sorts of ‘fire drills’ will have the effect of ferreting out any omissions or inaccuracies in the plan in advance of the actual occurrence of a risk event. Results of the tests should be measured and documented to determine the effectiveness of the plan.
Subsequent evaluation of test results may reveal areas of the plan that need to be updated. A master data repository that can relate causes to their impacts on essential elements and mission-critical operations really boosts the effectiveness of the testing process. It is a hundred-fold better to discover an error in procedure or logic during a simulated event than it is to encounter it in the middle of an actual disaster, where actual business operations – and even lives – might be jeopardized. Should any changes to the plan arise as a result of training or simulation practice, the plans will need to be revised and re-reviewed, and staff retrained and repractised until the procedures appear to work flawlessly. Of course, actual disasters may include events or conditions that were not anticipated that would have an effect on the overall performance of recovery against the plan. However, with good diligence, the vast majority of circumstances will be considered and appropriately addressed, and the organization will be prepared to manage most scenarios and significantly reduce their impact on business operations.
Once the plan has been adequately reviewed and tested, executive management must approve the contingency plan and issue a blanket authorization for its funding and execution provided certain conditions exist. Necessary agreements, letters of intent and memos of understanding should be signed and put in place so as not to impede the response management team’s efforts during an actual event.
RESPONSE AND RESUMPTION
This is the first part of ERM that is not a planning or practice activity. The business resumption stage of the ERM plan is activated as a result of an actual or perceived adverse incident or anomaly occurring. When an event or the threat of an event has been detected, the crisis management team is notified and responds accordingly. The organization responds to such an event by executing detection, response, resumption and recovery processes to regain ‘normalcy’ with hopefully minimal cost. At this phase, the business is concerned with putting into action those plans and procedures developed in the previous phase. Contingency plans, as previously described, spell out the mission-critical business operations of an organization, the criticality of essential elements to these operations, and what impact an event may have on them if something affects the normal operation of an element. This impact on a given element may affect the operation’s mission-critical business operations to the extent that failure of the operations triggers a response process. This pre-planned response uses a two-fold process:
1. to implement alternative or backup processes to continue mission-critical business operations; and
2. to counteract the impact of the event at the source of the failure(s).
The reaction of the organization may include organizing technical people and deploying them to pre-identified locations to initiate procedures that are specifically focused on mobilizing backup operations for continuing business operations and conducting triage, and for salvaging, renovating and testing affected essential elements of the organization.
Operational continuity in four steps
The first step in this phase involves the detection that a risk event or adverse incident has actually occurred. This may include notification by an alarm company or monitoring facility of an incident or threat, actual physical evidence that an event has taken place, or the perception or realization that an identified risk is about to occur.
The response portion is the actual reaction to the event or emergency and includes activities designed to assess any damage or other impact as a result of the event, determine the amount of control or containment required, and the level of involvement by the organization’s key personnel. These elements should all be part of the contingency and continuity plan as documented and practised. The resumption phase concerns the activation of only those most time-sensitive and critical business operations immediately following the disaster or adverse event according to procedures outlined in the contingency plan. This will likely not restore the business to a state of normal operations, but is intended to get the business functioning again in such a way that limits long-term impact and helps guarantee the survival of the organization. Finally, the last step in the process is recovery, which begins immediately after the time-sensitive business operations have been returned to an active status and is discussed in further detail in the following section on business recovery. During these phases, and during the subsequent recovery phase, it is important to carefully track the costs associated with the process for insurance purposes. Also, any cash advances or payments for necessary supplies or replacement parts and equipment must be made quickly available to minimize the amount of unnecessary business downtime.
‘Who ya gonna call?’
Contingency plans are executed by the enterprise’s response organization, which may be a team of specialized consultants or selected company staff, reassigned from their normal duties within the organization and trained to deal with anticipated or unanticipated events. Once the contingency plan has been activated, a general action plan summarizing the tasks to be executed for business recovery should begin.
Securing the safety of employees
One of the most important considerations of any contingency plan is how the organization will protect, move and/or assist its employees when a disaster occurs. As an example, consider the case of a bomb threat at the organization’s headquarters. Procedures must be developed and in place for evacuating the facility, and regular drills must be conducted to test the plan and to determine employees’ familiarization with evacuation orders and actions. Evacuation plans should also be coordinated with local law enforcement and public safety agencies to be sure the company’s procedures do not conflict with any law enforcement activity that may occur on-site as a result of the incident.
Special considerations will need to be made if any key employees need to remain at the site to safeguard operations or shut them down in the event of a precipitous incident. In these potentially hazardous circumstances, procedures that are developed to address them and are activated as a result of an occurring or imminent disaster will need to be carefully coordinated and approved by local or regional life safety organizations, and possibly law enforcement or government agencies.
Damage and site assessment
One of the first things that will be done after the early response activities have been initiated is to get an idea of how severe the effects of the adverse incident are. It is difficult for an organization to execute an effective business resumption or continuity plan without knowing the scope of any damage, or whether they have access to vital systems or facilities in which important business equipment, material, documents or supplies are kept. And, if the damage from the incident does include physical property damage, specific things must be done in the site review to develop an accurate assessment of damage and estimates for potential recovery time, and to provide for the health and safety of employees or other workers who may be required to operate in the damaged spaces during business resumption efforts. Ideally, a great deal of the communication with local authorities, regulatory agencies and insurance providers necessary to understand the possible requirements for site assessment and damage estimates has taken place prior to the occurrence of any actual risk event. In the event of an emergency, these or other experts may be required to assist in assessing the integrity of any structures affected, developing detailed damage estimates or providing access to facilities. If any of the disaster response resources require them, develop and execute any pre-event contracts or agreements that may be required to secure such services as part of the organization’s overall contingency planning efforts. When a disaster strikes, the organization will require an immediate response from its resources; waiting to sign agreements until an event has actually occurred will incur additional cost and delay in beginning time-critical damage assessment and business resumption efforts. It is important, too, to be sure that the resources that are selected to help with any emergency response or recovery work are appropriately qualified to do the job.
In the event of loss, insurers will require a great deal of documentation and evidence of that loss. Anyone who is involved in recovery or assessment efforts on behalf of the enterprise must be sensitive to and familiar with the evidence gathering and documentation processes required by authorities, regulatory groups and insuring organizations. Again, these requirements for documentation and evidence gathering will have been determined prior to the incident through discussions with the appropriate agencies, insurers and other financial groups involved and are documented as part of the organization’s contingency plan. Emergency response and recovery measures are frequently extraordinarily time-sensitive. In the case of physical loss of facilities or property, much must be done in the first 24–72 hours to control or minimize the amount of damage to buildings, property or documents. This can include damage from smoke or water in the case of a fire on the premises, damage from other corrosive material or from dust or other debris affecting critical equipment or telecommunications and computing systems, etc. Depending on the type and extent of any damage, facilities and equipment may require cleaning, testing and recertification, or removal from the premises and/or controlled destruction and disposal. Certain categories of items or property require special consideration, and damage assessments and recovery work should only be performed by specialists in that particular area of concern. Some of these are discussed below.
Structural damage assessment
Depending on the requirements of the municipality or regulating authority, damage to buildings and other structures necessitates that a thorough and complete investigation and examination be carried out by certified experts, such as structural engineers. These experts are uniquely qualified to operate within their particular domain to determine the extent of damage, structural integrity and recovery timeframes and estimates. They may also be involved in developing emergency repair plans that will enable the organization’s staff to safely enter the premises to carry out any property assessment or recovery operations that may be necessary after the event.
Fire damage assessment
As if the direct damage resulting from a fire is not sufficiently disastrous, there are other by-products of such an incident that usually require special consideration. For example, water and other materials used to extinguish the fire may add a significant amount of weight to buildings and other structures, subjecting them to stresses they would normally never experience. Soot and smoke can damage electronic and communications equipment, computer systems and peripherals, magnetic media and paper documents, to name a few items. Extra cleaning and decontamination processes may be involved to return a facility to a safely operable state once the main objectives of business recovery have been begun or completed. Also, consider that, as a result of the fire, some normally safe items may have become or generate hazardous materials, discussed in further detail later in this section, and may require special handling by trained experts.
Water damage assessment
Alluded to earlier in this section, water damage is one natural result of extinguishing a fire. But water damage may be the primary risk event that causes the activation of the contingency plan. This type of damage may occur as a result of leaks in the building’s water system, a malfunction in the HVAC (heating, ventilation and cooling system), a rip or hole in roofing, storm damage or flooding, etc. Damage to paper documents, files or books can be an immediate concern, but these materials also are vulnerable to later damage resulting from humidity, organic contamination (see the section on mould and mildew below) or faulty handling during any drying and recovery processes. Equipment, naturally, is subject to water damage from the release of corrosive or hazardous materials to complete destruction.
Hazardous materials contamination
Hazardous materials, whether manufactured or stored by the damaged business or used in or generated as a by-product of a disaster or adverse event, pose special challenges during the business resumption phase. There are any number of regulatory agencies that can and must become involved whenever hazardous materials are in the risk equation. In the US, OSHA (the Occupational Safety and Health Administration) is one of the organizations that is keenly interested in ensuring the protection and ongoing safety of persons in and around a hazardous material situation. Workers involved in recovery efforts dealing with hazardous materials may require special working conditions, protective garments, cleaning facilities and so forth. Additionally, debris, supplies and equipment may need to be specially handled during removal and disposal. The costs involved in dealing with hazardous materials can be quite high. Additionally, there may be extreme levels of legal exposure, and public relations and/or media communications that might not exist in situations where these elements are not a consideration.
Mould and mildew
Any of the damage conditions described above can lead to a situation in which mould, mildew and other organic agents can grow and multiply. Water used in fire suppression can leave a facility soaked and humid. Failure in a ventilation system can lead to warm, moist conditions that promote mould and mildew spore growth in the system itself. Mould and other fungi can develop on papers, carpets and work surfaces, long after the actual risk event, if proper handling and restoration techniques are not followed. These organics can also contribute to equipment failure, degradation of building and office materials and environmental toxicity. Unfortunately, not all contamination will be obvious after a short period of time; many spores can lie dormant for extended periods, ‘blooming’ only when conditions reach optimum levels for their growth, such as in a summer heatwave years later. Again, there are many regulatory agencies that dictate specific types of procedures that will need to be followed to safeguard against this type of damage, and to prevent its spread if it has already occurred or is suspected to have occurred. But, as with the other specific types of damage discussed previously, it will require experts in the distinct field to help ensure that proper measures have been taken and that the area returns to compliance with all regulations.
Crisis communications and media relations
As mentioned in greater detail in Chapter 3, defining a system for how the organization will respond to the media can make or break the business in the public eye. The way crisis communication is handled depends greatly on how the crisis situation has evolved, and how news of the situation has been made public. If the media is the group alerting the business to the crisis, there are certain strategies to apply, in contrast to those situations where the business seeks out the media to tell its story. In both scenarios, however, it is important to have predetermined, pre-rehearsed key messages and to be available to the press. The official corporate spokesperson, whether this is an employee or an outside representative, shoulders the responsibility for providing a status report on the crisis and the way the organization is managing it. One mistake organizations make in their zeal to be responsive to the crisis is to assume that they need to be the primary media contact when the incident occurs on their turf. Remember that any media response should be carefully coordinated with any law enforcement, government or regulatory agencies that may be involved who may provide more appropriate media messengers. For example, if the incident originates from criminal activity on company property, the police department’s spokesperson will update the media on the status of the building evacuation, the status of the investigation and any other area where law enforcement is in charge. While risk managers and executives frequently indicate a reluctance about giving media interviews, too often when the lights are pointed in their direction they feel duty-bound to respond. They forget that they are not in a position to comment, or that some questions simply cannot and should not be answered with the information presently available.
Regardless of how compelling or urgent it may seem to make a statement regarding the incident, it is better to wait for the right statement to be made by the designated spokesperson for communication in a crisis. Moreover, the organization’s spokesperson needs to answer only those questions concerning the organization’s areas of actual responsibility, such as company values, safety precautions in place at the time of the incident, company investigations, changes in the hours of operation or changes to product distribution. Too often, the mistake is made of volunteering information that is outside the organization’s direct purview in an attempt to seem exceptionally honest or helpful.
BUSINESS RECOVERY Recovery is the process of planning for and implementing expanded business operations outside the scope of the mission-critical functions previously activated in the resumption stage. The goal of business recovery is to return the business to the functional state it was in prior to the risk event as quickly and as cost-effectively as possible.

One area deserving special consideration during the business recovery stage is employee assistance. While the organization as a unit certainly suffers from the disruption of its business operations, the employees who work in that organization undergo differing types and varying degrees of disruption in their lives as a result. Following a disaster or risk event, employees may require various types of special assistance, such as counselling for depression or post-traumatic stress disorder, short- or long-term childcare, emergency financial aid, assistance with filing insurance claims, or legal aid. During the actual business resumption and recovery, other short-term needs may appear, as the employee may be needed to work longer hours assisting in bringing business processes back online, possibly away from his or her family. Whether these conditions affect only one employee or most of the workforce, addressing these needs is an important part of resuming business as usual.

One source of ready assistance may be an existing employee assistance programme (EAP): a company-sponsored initiative whose purpose is to help resolve productivity and job satisfaction issues associated with employees’ personal problems through such activities as training to identify problems, confidential problem assessment services and referrals for appropriate professional diagnosis and assistance. An effective EAP includes a list of community-based service providers that employees can go to if they require long-term or extensive services.
Such a list is especially important for small organizations that will need to depend on community services to assist in a crisis. A copy of EAP services and contacts should be included in the contingency plan and stored off-site.

Another area of consideration is the organization’s standard employee policies. During a time of crisis, regular modes of conduct and operation may need to be examined and modified to meet altered circumstances. For example, the organization’s telecommuting policy parameters may require reworking when the company suddenly finds itself needing a large number of its staff to telecommute following a disaster. Or the company’s policy on unscheduled absences may need to be adjusted if a disaster affects major commuting routes, as the Loma Prieta earthquake did across the entire San Francisco Bay area, or if an incident heightens anxiety among workers. It is important to examine employee policies in advance and discuss where policy exceptions may be warranted in the event of certain incidents.
REVIEW AND RE-EVALUATION Once the business has resumed normal operations, the work is not yet over. A formal review of the incident, how it was managed, its outcomes and impacts should commence as quickly as practicable. This is the ‘learn from one’s mistakes’ portion of the process, where any errors or lapses in procedures will be noted. In their relief to be over a crisis, many companies ignore this step in the process, but it is critical that it be performed. Without an ability to evaluate honestly how well the previous ERM plan was able to anticipate and control risks, the company is doomed to repeat the same process, complete with any missteps. This alone is a risk to the organization: that the ERM plan and procedures are not adequate for addressing identified risk events.

Once the review has been completed, the process, in essence, begins again at the first step: analyzing risks and assessing their potential impact. The review process may shed light on previously unanticipated risks, which must now be accounted for and addressed. This, in turn, will generate changes to any existing plans and procedures, which must be documented, disseminated, communicated, trained for and practised. The iterative nature of ERM should now become clear; not only is new information from changes or alterations in the business model and operations continually added, but the business continuity plan is refined as a result of having truly put its processes to the test. Lessons learned by other organizations that have had to execute their business continuity plans should also be incorporated, as well as emerging business continuity standards and best practices. New laws, regulations and even economic, political and social circumstances may also influence the company’s business continuity plan. The risk management programme as a whole is an ongoing effort that never really ends.
After procedure-tracking processes have been put in place, regular follow-up reviews and testing of contingency plans are required to ensure the readiness of the enterprise to deal with an unplanned interruption at any time. This review process can be triggered by regularly reporting on follow-up dates for all newly implemented mitigation procedures, and includes updating and/or modifying procedures as necessary. Progress tracking of the risk management programme involves providing accurate, meaningful and readily understood reports to enterprise management.
Minimizing Enterprise Risk
This is essential to facilitate decision making regarding the newly implemented mitigation measures. The primary objective of this reporting is to assist with identifying problem areas that could result from the implementation of new procedures, as well as to monitor their effectiveness.
THE BOTTOM LINE The goal of today’s business is not only to minimize the risks to the enterprise, but to ensure that everything can be done to assure continuity of its business functions in the wake of a risk event, catastrophic disaster or other adverse incident. To that end, not only must effective enterprise risk management disciplines be used, but the organization will need to develop and document an appropriate business continuity and contingency plan. This chapter has presented an overview of the phases, elements and philosophies involved in enterprise-level risk management and business continuity planning. Chapter 4 will expand on this more academic discussion by providing detailed steps of how an organization actually creates such planning documents and what considerations must be taken. An effective enterprise risk management and contingency plan outlines in detail:
■ what the nature and expected effects and impacts of disrupting events might be;
■ how to detect and determine that such an event has occurred, or is about to occur;
■ how to respond to a detected event;
■ who is to be contacted in the case of a disrupting event and how;
■ what processes are the most time-sensitive and mission-critical to the organization;
■ what steps need to be taken to continue the most mission-critical processes or return them to an acceptable level of functionality;
■ how to monitor and report the progress of business resumption efforts;
■ what the next steps should be to begin to return the organization to the same level of business operations as prior to the event, if at all possible;
■ a review of the organization’s response, capturing lessons learned, so that the enterprise risk management and contingency plan can be updated and improved.
The plan must be reviewed, audited and approved by executive management prior to its activation within the enterprise. Everyone in the enterprise should be aware of the plan’s existence, familiar with its contents and trained in its use. Copies of the plan need to be readily available in the event of an adverse incident, which may require that several copies, in several formats – both paper and electronic – be stored to provide adequate contingency in case access to primary copies is unavailable.
Planning for enterprise continuity
Prior to actual adverse events or disasters, the plan should be exercised via realistic but simulated drills. These drills will have the effect of training personnel under fairly credible conditions similar to those they might find in an actual emergency situation, and will expose any erroneous or inaccurate processes in the contingency and continuity plan.

Several types of damage that may occur during an adverse incident may require special handling by experts in specialized fields such as structural engineering, toxicology and hazardous materials. Any of these experts who may be required in the event of an emergency should be identified as part of the contingency planning cycle, and any agreements or contracts that may be necessary to secure their services during a crisis should be agreed on and executed before the event occurs. The organization should not need to suffer undue delay in beginning disaster recovery efforts as a result of not having proper service agreements in place at a time when every minute counts. In the event of a widespread disaster such as a flood or earthquake, arrangements for ‘importing’ these resources from distant locales should be a part of the plan.

Finally, the process of mature enterprise risk management and continuity planning is a continuous cycle. The plans that are developed must be regularly reviewed, revised as business conditions or risk circumstances dictate, and tested to ensure that the information and processes contained therein will adequately and appropriately safeguard the organization and minimize the effects of untoward things that may happen.
4 Developing an enterprise risk management programme
■ Introduction
■ Programme vision and justification
■ Programme initiation and management selection
■ Risk identification and assessment
■ Assessing and analyzing the risks
■ Risk control and mitigation
■ Testing and implementing preventive measures
■ Conducting legal reviews
■ Developing contingency plans
■ The bottom line
INTRODUCTION There are no shortcuts for establishing and operating a successful enterprise risk management programme. There are only trade-offs between levels of risk and resource requirements. While the process of developing risk management strategies and business continuity/contingency plans can be lengthy, time-consuming and expensive, it can make the difference between surviving a risk event or not. Additionally, information unearthed during this process can also lead to everyday operational improvements within the organization itself, and between it and its business partners. Previous chapters have focused on providing answers to the typical questions on enterprise risk management that cover the four Ws: ‘who, what, when and why?’ This chapter will focus on an additional question, ‘how?’ Given the discussion of the elements that concern risk management, what is a practical approach for developing an enterprise risk management programme? And how, exactly, is it done? The first thing to do, when faced with the task of initiating a risk management programme in the organization, is to break the complex tasks into manageable chunks. Recall from Chapter 3 that the basic steps for creating an enterprise-wide risk management programme include the following stages:
■ risk analysis and assessment;
■ business continuity and contingency planning;
■ response and resumption;
■ business recovery;
■ review and re-evaluation.
But, in order to actually begin work on these activities, we must further break them down into their component parts. An expanded risk management programme structure would then look something like this:
■ Programme inception and justification
■ Programme initiation and management selection
■ Risk analysis and assessment:
  – risk identification and awareness
  – risk analysis/measurement, also known as ‘business impact analysis’
  – risk control/mitigation
  – legal review
■ Business continuity and contingency planning:
  – plan recovery strategies
  – contingency plan development
  – training and communication programmes
  – plan testing
  – review and revision, as required
  – plan approval
  – final plan distribution
  – plan maintenance
■ response and resumption
■ business recovery
■ review and re-evaluation.
Note that the last three phases have not been expanded here. This is because these phases were discussed in relatively significant detail in Chapter 3. While they are certainly part of the responsibilities of the risk management programme, these activities are begun as part of response to a risk event, not part of developing the actual risk management programme. For those phases that are expanded in the list above, further detail will be provided in the coming sections in this chapter with one exception: the topics under the expanded business continuity and contingency planning phase that appear after contingency plan development have been discussed in prior chapters and will not be repeated here.
PROGRAMME VISION AND JUSTIFICATION A successful and comprehensive risk management programme cannot be created in a fortnight. A great deal of time, effort and resources will be required to develop a discipline that addresses the needs of the entire enterprise. As a result, it requires the total and complete support of the organization’s executive management; without this support, the activities that are needed to develop the programme will not be given appropriate priority, funding and attention. If the risk management philosophy is being introduced to an organization for the first time, it may require a justification of effort and purpose from the executive management or board of directors level. Awareness of the need for risk management and its value can be raised in the following ways:
■ by highlighting potential risks to the enterprise, possibly by drawing comparisons with other organizations that have suffered serious business disruption and successfully weathered the crisis;
■ by illustrating potential impacts to the enterprise in terms of key performance indicators, such as customer service levels, costs, staff turnover, profitability and market share;
■ by drawing attention to a commitment to risk management made by comparable organizations, particularly competitors in the same industry.
A useful and reasonable first step for justifying the value of the programme might be to undertake a high-level impact assessment project. A project of this type will vary in length depending on the size of the organization and the number of staff assigned to it. Ideally, a high-level impact assessment should take roughly one month to complete, and involve the following activities:
■ identifying mission-critical operations and associated risks;
■ conducting a high-level analysis that reveals the severity of impact on the enterprise, given the loss of a key operation(s);
■ identifying immediately apparent areas of vulnerability, such as the use of single-source suppliers or outdated technology infrastructure;
■ prioritizing mission-critical operations;
■ producing and presenting to executive management an in-depth report that, at a high level, outlines the structure and process flows of the enterprise, identifies critical areas of risk exposure and potential management liability, and estimates the scope and cost of proceeding with risk mitigation and contingency planning.
Once executive management has given its go-ahead for the programme, the actual initiation and programme management selection activities can begin.
PROGRAMME INITIATION AND MANAGEMENT SELECTION At the completion of the high-level risk assessment project, or as soon as is reasonably possible, executive management should initiate the formal risk management programme. The following activities provide an outline of the steps necessary to establish and operate a successful risk management programme:
■ Appoint or acquire an executive-level or senior management leader (the CRO).
■ Form an enterprise-wide risk management team consisting of appropriate stakeholders.
■ Communicate the existence and purpose of the risk management programme to employees.
■ Create an enterprise-wide inventory of business operations, and conduct a high-level impact assessment (only if a high-level impact assessment was not done as a first step, as described in the previous section).
■ Create an enterprise-wide inventory of essential elements that support critical operations.
■ Conduct risk assessment interviews with key staff from each functional area.
■ Conduct a legal review and assessment.
■ Collect, store and analyze risk data and report the results.
■ Plan, develop and budget for risk prevention measures and event detection processes.
■ Test, train for and implement preventive measures and processes.
■ Develop contingency plans for risks that cannot be adequately prevented.
■ Review, test, train for and revise contingency plans.
■ Approve and distribute final contingency plans.
■ Monitor results of preventive measures and revise new processes as necessary.
■ Implement event warning and detection processes.
■ Plan and communicate the programme.
To monitor and guide the programme, an enterprise-wide risk management team must be formed. This team is responsible for ensuring that potential problems that may cause operational failures and income/profit reduction are minimized and, to the greatest extent possible, eliminated. Enterprise staff who possess business expertise and skills in the areas of business analysis, corporate communications, legal and contract administration, strategic and tactical planning, financial management, project management, information technology and staff training delivery should be recruited as essential members of this team. All employees of the enterprise should be made aware of the programme and should be given a general introduction to the issues and risks the enterprise intends to address. They should be educated on the business implications of these risks, who the risk management programme contact person is, and the plan being developed to deal with identified risks. Initial employee communication should include a description of the resources being focused on the risk management programme and generally how the project is expected to proceed. Ongoing communication regarding the status of the project is as important as initial awareness education. Ongoing awareness can be accomplished in many ways, such as by including a risk management programme column in the organization’s internal newsletter, developing a specialized risk management newsletter, sending periodic e-mail messages from the programme’s management team, or publishing progress information on the organization’s intranet.
RISK IDENTIFICATION AND ASSESSMENT The next step in the risk management programme is to develop a strategy and establish guidelines for conducting an enterprise-wide inventory of business operations and essential elements that support those operations. This strategy will establish general objectives as to the risk exposures on which the enterprise intends to focus its efforts. Risks that are inherent to an organization typically originate from three sources:
■ the mission, structure and culture of the enterprise;
■ the assets and resources either owned or controlled by the enterprise;
■ the organization’s business partners.
If a high-level business impact assessment was not conducted as a first step prior to the formal risk management programme being introduced, it should be done at this time. As mentioned previously, the purpose of this high-level impact assessment is to identify and prioritize mission-critical operations and their associated risks. If a complete and up-to-date contingency plan (that is, disaster recovery, business continuity or business resumption) exists, it should contain a list of mission-critical operations for the enterprise. If a contingency plan does not already exist, then a business impact assessment can be conducted by:
■ identifying all business operations – these include those directly within the organization but should also consider any business functions that link the organization to or interact with external trading partners;
■ developing a questionnaire that will help identify and prioritize mission-critical operations;
■ meeting with enterprise management to complete the critical business operation questionnaires;
■ collecting and tabulating questionnaire responses;
■ producing a prioritized list of mission-critical operations based upon tabulated questionnaire responses.
For each of the identified operations, an inventory of essential elements that provide direct or indirect support must be conducted. Generally, an inventory of essential elements in the following categories is needed to facilitate an effective risk assessment:
■ business partners, including suppliers, vendors, customers or other third-party organizations that regularly provide services or products;
■ organizational structure;
■ enterprise-based performance measurements;
■ facilities and office equipment;
■ telecommunications systems;
■ computer software and equipment;
■ network connectivity within the enterprise and to external entities;
■ architectures, designs and configuration management information required to operate applications, systems and networks;
■ contracts, agreements, insurance and investments.
The previously established inventory strategy will dictate the level of inventory detail that must be collected prior to performing an assessment of each risk. Multiple approaches to collecting this inventory data should be examined, including:
■ performing only a high-level (macro) inventory;
■ performing a complete and detail-level (micro) inventory;
■ performing a combination of both a high-level and, as needed, a detail-level inventory.
Where time and financial resources available to the risk management programme are limited, one approach for accomplishing the essential elements inventory might be to conduct a high-level inventory and then to proceed with a risk assessment based on summarized inventory data. This approach has the advantage of enabling an expeditious inventory collection that can then be used to begin the risk assessment process. However, it has the disadvantage of introducing the risk of overlooking critical operations, functions or essential elements, creating an incomplete baseline from which to conduct a risk assessment. The enterprise must be diligent in weighing the advantages and disadvantages of each inventory approach before making its decision. The selected inventory approach must provide data essential for enabling the more specific identification of potential risks to mission-critical operations. At the conclusion of this process, the results of the inventory will help establish the extent of the risk management programme, the overall strategy of the programme and its impact on the organization.
Determining mission-critical operations The business impact analysis is a means to quickly identify areas that would suffer financial, legal, regulatory and/or operational pain in the event of an interruption. Using severity of impact of an operation’s interruption as the primary rating factor, management should rate the impact that an interruption in an operation would have on the critical success factors for the organization. These critical success factors include, but are not limited to, the following:
■ Safety and security – would the safety and security of the staff or the physical assets of the organization be in danger?
■ Revenue generation – would the organization’s ability to generate revenue and service its customers be affected by the event?
■ Legal – would the organization be in violation of regulatory requirements or contractual agreements?
■ External reporting – would the incident affect the organization’s ability to generate external reports such as financial statements, tax returns and so on?
■ Communications – would the organization’s ability to communicate (for example, electronic data interchange) with its business partners be interrupted?
■ Internal controls – would the organization’s internal controls, measurements and reporting be jeopardized by an adverse incident?
■ Reputation – would the organization suffer harm to its image or brand as a result of the risk event or other ancillary effects?
All these factors must be considered for each of the listed operations or business functions. For processes that extend beyond the immediate enterprise, the organization may require assistance from its trading partners or affiliated businesses to create an inventory of critical success factors for those functions. Using these questions and considerations as a guide, the next step is to determine the impact that an incident would have on a given business function, and an estimate of the business loss for the duration of an expected disruption in that process. Again, this process will likely require additional input from business unit managers in addition to members of the risk management team, who generally act as the facilitators in this process.

The next stage in analyzing business impact is to develop a prioritized list of business functions in order to determine what is considered truly ‘mission-critical’ to the enterprise. For each function for which a business impact has been identified, one of the following classifications should be assigned, indicating a recommended recovery timeframe:
1. Highest category of availability. Indicates that immediate resumption of business functions is required. No downtime of this function or business process can be allowed, requiring that a fully equipped and staffed alternative site must be in place and available at all times.
2. Short period of downtime can be tolerated. Functions classified in this category may be subjected to four hours or less of downtime, but must be functional again within the four-hour timeframe. Again, an in-place alternative site must be available, which can be staffed and functional within the four-hour window.
3. Same business day resumption of function is required, but it does not require a specialized alternate site. Business function can take place in any type of alternative location such as a leased office, an employee’s home, etc.
4. Business function can tolerate up to 24 hours of downtime.
5. 24–72 hours allowed for resumption of business function.
6. More than 72 hours permitted for resumption of business function.
In developing the list of business functions and resumption criticality, all external, as well as internal, dependencies should be taken into account and documented.
ASSESSING AND ANALYZING THE RISKS Having identified and prioritized mission-critical operations, and having collected an inventory of essential elements that support those operations, the risk management team can proceed with the next step of the project. Practical alternatives and guidelines must now be defined that will be used to assess, quantify and evaluate risk, gather risk assessment information, and store accumulated risk assessment data in a manner that allows risk analysis and reporting to be performed. Performing a risk assessment of the probable dangers to which the enterprise is exposed is fundamental to the contingency planning process. The nature of a disaster can vary based upon several factors including but not limited to:
■ the geographic location of the enterprise;
■ the degree of physical accessibility to the organization;
■ the track record of local utility companies in providing uninterrupted services;
■ the history of the area’s susceptibility to natural threats.
Risk evaluation criteria Developing an approach that can be used to assess risk involves the identification of risk measurement criteria. These criteria consist of five main factors: the probability and the severity of a failure of a business operation or supporting essential element, the organization’s exposure, the timing of the event and the volatility of its occurrence. Rating the probability of a performance failure helps to highlight potential failures that pose real or very likely threats to the organization. This separate and distinct rating step helps to focus mitigation and contingency planning efforts on appropriate high-probability areas of risk. Some risks are low in severity but occur quite frequently, while other risks may be severe but rarely occur. Gathering failure frequency data from staff, vendors or suppliers responsible for an essential element can provide relatively accurate failure probability estimates for most items under their scope of responsibility. Similarly, acquiring from subject matter experts the frequency and severity of natural disasters for a given geographic location will provide probabilities for these types of events.

The severity factor answers the question ‘how bad can it get?’ The greater the severity, the bigger the risk is to the organization. For rating the potential severity of impact of a performance failure, the following factors should be considered:
■ The impairment level of the failure, which represents the maximum impact resulting from the failure if it is not quickly resolved.
■ The time horizon from failure to full impairment, where there could be a time difference between the failure event and the full realization of its effects. For example, a failure of the general ledger system may ultimately cause severe impairment to a company’s ability to produce financial statements, but the full effect of the loss of that system might take several weeks to be fully realized. There may also be other circumstances at play that mitigate the time horizon. If a production line fails, but there is three months’ normal sales worth currently in inventory, the failure may be recovered from before there are any significant impacts to the organization. In general, however, the longer the duration of the exposure (discussed below), the higher the risk.
■ Failure tolerance is an indication of the maximum length of time that the loss of an essential element or operation can be reasonably tolerated. For example, how much time will pass after a failure occurs until service to customers is impacted. Put another way, how often during a defined length of time (for example, one month) is an essential element used in support of an operation?
■ A contingency plan could serve to reduce the ultimate impact experienced by a performance failure.
A precise and easily understood rating scale is needed for assigning a severity impact to the interruption of an operation or an essential element failure, for example:
A = Total impairment
B = Considerable impact
C = Moderate impact
D = Minor impact
E = Negligible impact on the enterprise, or supported operation
Applying severity ratings to operations and essential elements provides the raw data needed to conduct performance failure impact analyses. In many cases, severity impact ratings may provide enough information for management to make informed decisions regarding mitigation and contingency strategies. The impact of an operation or element’s failure provides a clear indication of that operation or element’s importance to the organization. The likelihood of a failure actually occurring should not alter the importance of the operation or element to the organization. Therefore, a rating model based upon severity of impact provides a straightforward means to establish a prioritized list of mission-critical operations and supporting essential elements.
The organization’s exposure generally refers to the maximum amount of damage that will be experienced as a result of some risk event. Or, to simplify matters, consider that, in the absence of other factors, the risk to the organization associated with a given event increases as its exposure increases. The exposure factor can be minimized by transferring the risk out to an external party, such as an insurer, or it can be accounted for by allocating additional capital to cover it.
The volatility of an event describes the variability of circumstances that dictate the potential outcome of the risk. It is an important component of the risk as it generally dictates that the more volatility that is present – as in some market conditions – the higher the corresponding risk. For instance, investment in derivatives is an extremely risky venture because their underlying market conditions can be quite volatile, especially in illiquid markets.
Developing a risk survey
After a risk assessment approach is established, it is used to guide the development and use of an effective assessment survey tool, as applicable. A set of comprehensive and business-unit-specific questions is developed to assist during a series of risk assessment interviews that are conducted with key staff from each functional area of the enterprise. These interviews help to identify and quantify risks related to the potential for failure of an essential element, provide insight about the dependencies that exist between mission-critical operations and supporting essential elements, and provide information on which to base mitigation and contingency planning activities.
In order to uncover the full spectrum of potential risks, it is important to identify both unfavourable and beneficial events. Whether the organization is considering the effect of better interest rates than forecasted or the death of a key executive in the organization, this is the time to brainstorm about worst-case scenarios, including events that may not be immediately obvious. Companies may also fail to realize the true extent of their liability exposure. The chemical industry, for example, may have a good understanding of their liability at their big manufacturing plants, but it is not so obvious to consider the impact of lesser pipeline failures or a problem where they are shipping products. For example, if a chemical producer stores a product for which they are liable at a railhead and there is a spill or chemical release, what happens? While it is easy to consider the big, obvious issues, the devil, as always, is in the unique and smaller details.
78
Developing an enterprise risk management programme
In order to develop a comprehensive survey that addresses the large and the small issues potentially impacting the company, it may be helpful to start with a checklist of questions to stimulate thinking. For example, consider the list of questions in Table 4.1, organized by major risk category.
Table 4.1 Questions to stimulate organization risk thinking
Functional area: Questions to consider
Business operation
  Production: What factors might interrupt the production of goods and services?
  Distribution: What factors might interrupt activities with existing channels, such as suppliers, wholesalers, retailers and the Internet?
  Customer service: What factors could disrupt relationships with purchasers of goods and services?
  Post-sales service: What factors could interrupt servicing after the sale is made?
  Changing markets: What factors could prove costly as a result of changes in consumer demand?
  Changing technology: What factors could prove costly as a result of changes in technology?
  Legal or government: What factors could interrupt activities or be costly as a result of existing or new laws and regulations?
Business liability
  Product: What hazards exist because products are used or misused or might be potentially defective?
  Environment: What hazards could prove costly because of pollution or other accidents?
  Facilities: What hazards exist because of physical facilities or operations?
  Employees: What risks exist from current or former workers?
  Trading partners: What hazards exist from buyers or suppliers of goods or services?
  Third parties: What hazards exist from unrelated parties?
Risks to physical or intellectual assets
  Catastrophes: What hazards exist from floods, earthquakes and similar occurrences?
  Governmental: What hazards could prove costly as a result of governmental actions?
  Computer systems: What hazards could disrupt telecommunications systems?
  Property exposures: What hazards exist from fire, explosion, utility failures and similar occurrences?
Financial considerations
  Fixed assets: What factors could interrupt sources of long-term debt and equity funds to finance productive assets?
  Working capital: What factors could interrupt sources of liquid assets and short-term debt?
Source: The HartGregory Group.
Some common questions that may arise in the course of discussing points such as those in Table 4.1 are as follows:
■ If certain natural or man-made disasters occur, such as the destruction of manufacturing facilities due to earthquakes, tornadoes or hurricanes, or if there is a loss of computer capabilities, a hostile takeover attempt or a loss of patent protection, what actions should our firm take to minimize or ameliorate the effects?
■ If a technological advancement or emerging market condition makes our new product obsolete sooner than the company expected, what actions should be taken?
■ If demand for the company’s product exceeds forecasted plans, what steps should be taken to meet the increased demand?
■ If forecasted sales objectives are not reached, what will the company need to do to avoid profit losses?
■ If a major competitor withdraws from a particular market, what should the company do to address the potential void?
The list of issues that arise as part of the survey development will be – and should be – extensive since the goal is to come up with a comprehensive set of potential and imagined threats or opportunities that may impact on the company. Ideally, a database application will be developed or purchased that will serve as the master data repository for the risk management programme, and contain data from the risk assessment surveys and inventory lists and other project-related information. It will also provide reporting and query capabilities to support risk assessment analysis as well as mitigation and contingency planning efforts. The assessment and analysis reporting requirements must specify a set of criteria and metrics that will be used to drive the selection, order and level of mitigation and contingency planning activities.
Methods of risk evaluation vary depending on the types of risks being addressed. In addition, time, budget and resource constraints can significantly influence the risk analysis activity. These factors influence the types of risk criteria and metrics that will be employed and the levels of precision that are to be produced from the analysis. For example, a risk analysis might be structured in the following manner:
1. Identify business operations and assess their severity with respect to their impact, in the event of an operation’s interruption, on the critical success factors of the enterprise (for example, safety and security, revenue generation, legal, communications and so on).
2. Identify essential elements (for example, suppliers, vendors, customers, IT systems, documents, data, staffing, equipment, facilities and so on) and assess their severity with respect to their impact, in the event of an essential element’s failure, on the business operations they support.
The first step can be used to determine the overall project scope and priorities. The second step can then be applied to each business operation, in order of business operation severity, to the extent that time, budget and resource constraints permit. One issue with the above analysis approach is that it could generate a large number of items with the same severity rating value. Additional metrics can be used to refine the precision of the risk assessment and provide executive management with more comparative information for decisions. These may include:
■ time horizon from the moment of performance failure to full impairment;
■ estimated maximum time that an operation can reasonably tolerate loss of one of its essential elements – this factor is referred to as failure tolerance;
■ time required to launch contingency plans or to implement backup systems;
■ the number of operations dependent on or supported by the essential element or operation.
The risk assessment and analysis process should be fully documented and presented to management for their approval. Because of this, sound preparation on the part of the risk management team is required in order to present a clear and convincing case for their proposed approach to risk data analysis. These analyses deal with the prioritization of key areas of the enterprise, and therefore it is likely that management will challenge them.
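The following Python model is an added example, not code from the book or the HartGregory Group. It applies the A–E severity scale and the four refinement metrics above to a constructed inventory of essential elements, ranking them and flagging elements whose contingency plan takes longer to launch than the operation can tolerate; the tie-break order and that ‘coverage gap’ check are assumptions of this example.

```python
from dataclasses import dataclass

# Severity scale from the chapter: impact of an operation's interruption or element's failure.
SEVERITY_SCALE = {
    "A": "Total impairment",
    "B": "Considerable impact",
    "C": "Moderate impact",
    "D": "Minor impact",
    "E": "Negligible impact",
}
SEVERITY_RANK = {code: i for i, code in enumerate("ABCDE")}  # A sorts first


@dataclass(frozen=True)
class EssentialElement:
    """One supporting essential element with its severity rating and refinement metrics."""
    name: str
    severity: str                   # A..E rating assigned during the survey interviews
    time_horizon_days: float        # failure event -> full impairment realized
    failure_tolerance_days: float   # longest loss the supported operations can reasonably tolerate
    contingency_launch_days: float  # time to launch the contingency plan or backup system
    dependent_operations: int       # number of operations supported by this element


def validate(element: EssentialElement) -> None:
    """Reject ratings outside the scale and negative durations or counts."""
    if element.severity not in SEVERITY_SCALE:
        raise ValueError(f"{element.name}: unknown severity rating {element.severity!r}")
    for metric in ("time_horizon_days", "failure_tolerance_days",
                   "contingency_launch_days", "dependent_operations"):
        if getattr(element, metric) < 0:
            raise ValueError(f"{element.name}: {metric} must not be negative")


def contingency_gap_days(element: EssentialElement) -> float:
    """Days by which launching the contingency overruns what the operation can tolerate (0 if covered)."""
    return max(0.0, element.contingency_launch_days - element.failure_tolerance_days)


def priority_key(element: EssentialElement) -> tuple:
    """Sort key: severity first, then the refinement metrics (assumed tie-break order)."""
    return (
        SEVERITY_RANK[element.severity],   # A before B ... before E
        -contingency_gap_days(element),    # larger uncovered gap first
        element.failure_tolerance_days,    # shorter tolerance first
        element.time_horizon_days,         # faster onset of full impairment first
        -element.dependent_operations,     # more dependent operations first
        element.name,                      # deterministic order for true ties
    )


def prioritize(elements) -> list:
    """Return the elements ordered from highest to lowest mitigation priority."""
    for element in elements:
        validate(element)
    return sorted(elements, key=priority_key)


def coverage_gaps(elements) -> list:
    """Names of elements whose contingency cannot be launched within their failure tolerance."""
    return [e.name for e in prioritize(elements) if contingency_gap_days(e) > 0]


def report(elements) -> list:
    """Rows of (rank, name, rating, rating label, gap days) for a management summary."""
    return [
        (rank, e.name, e.severity, SEVERITY_SCALE[e.severity], contingency_gap_days(e))
        for rank, e in enumerate(prioritize(elements), start=1)
    ]


# Constructed sample inventory (values invented for this example, built around the chapter's cases).
SAMPLE_INVENTORY = [
    EssentialElement("General ledger system", "A", 21, 10, 3, 4),
    EssentialElement("Production line (three months' stock on hand)", "A", 90, 60, 14, 2),
    EssentialElement("Voice and data telecommunications", "A", 0.25, 0.5, 1, 6),
    EssentialElement("Railhead chemical storage", "B", 1, 0.5, 2, 1),
    EssentialElement("Sole raw-material supplier", "B", 14, 7, 30, 3),
    EssentialElement("Internal training wiki", "E", 30, 30, 1, 0),
]


if __name__ == "__main__":
    for rank, name, code, label, gap in report(SAMPLE_INVENTORY):
        flag = f"  contingency gap: {gap:g} day(s)" if gap else ""
        print(f"{rank}. [{code} {label}] {name}{flag}")
```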
RISK CONTROL AND MITIGATION
Now that the mission-critical operations and supporting essential elements of the organization have been identified and prioritized with regard to their importance and criticality to the overall success of the enterprise, this information can be used in the development of risk mitigation plans.
As mentioned in Chapter 2, mitigation planning is the process of developing a planned action designed to either prevent or reduce the likelihood of the occurrence of a performance failure or disruption, or to reduce its impact on the organization. In the context of risk management, prevention includes everything that can be done proactively to prevent bad things from happening to the enterprise.
Executive management must now make decisions regarding the allocation of capital for the remainder of the risk management programme and the priority to be given to the programme, and consider the impact such resource allocation and priorities will have on other efforts throughout the enterprise. It is imperative that sound business rules be established regarding what risks are to be mitigated, what risks are considered to be acceptable and what risks justify the retirement of an essential element. Establishing business rules at the outset of this process will help to avoid decisions being made in an arbitrary or prejudicial manner. This should also help executive management to view elements of the risk management programme as a series of business decisions, allowing them to focus on appraising the value of managing each identified risk.
Cost and benefit guidelines and constraints must be clearly defined and must state procedures for justifying mitigation and contingency planning efforts. The risk management team should not embark on a project that does not have adequate time and resources allocated, preventing them from achieving quality results. If the scope of the project is too broad given allocated resources, meaningful results will probably be impossible to achieve, resulting in poor return on investment. Instead, budget constraints may need to drive the scope of the risk areas to be addressed by the risk management programme, confining it to specific business functions and/or severity levels.
Decisions made during this process will commit the enterprise to a strategy designed to accomplish the stated goals of the risk management programme. The result of the mitigation planning process is a set of business-function-specific (as well as supporting cross-functional) action plans focused on reducing the likelihood of a risk scenario causing an interruption of a mission-critical operation as a result of the failure of one or more essential elements.
The prevention planning process should examine existing capabilities within the enterprise. Any existing mitigation and contingency plans should be leveraged to the greatest extent possible in an effort to avoid ‘reinventing the wheel’. For example, plans may already exist that contain procedures for dealing with system failures within the IT department of an organization. Plans of this type are generally referred to as disaster recovery, business resumption or business continuity plans. The use of these existing plans will help to minimize the need for new processes, awareness and training.
As with other plans, a risk mitigation plan and its subordinate and functionally specific action plans must reflect the enterprise philosophy, must be dynamic and must be sustainable. Plans that do not reflect the organization’s philosophy will soon be in conflict with other enterprise interests and run the risk of being shelved or otherwise unused. Plans must be dynamic if they are intended to survive. Conditions driving plans quickly change over time, and if a plan is not designed to change over time, it will rapidly become obsolete and fall by the wayside. The sustainability aspect of planning is often ignored. Sustainability simply means that the enterprise has the resources, the motivation and the management focus to follow a plan, make needed updates to it and practise its use. It is common for an organization to outsource the development of a plan. When that happens, the plan is designed and built by planning and subject matter experts as they see the enterprise. However, to be sustainable, a plan must be developed in concert with the functional and guidance expertise found within the enterprise. Third-party experts are an excellent source of impartiality, guidance and assistance, but they should only be part of a primarily enterprise-staffed risk management planning team.
Various methods, or ‘fixes’, that address risk issues can be employed during mitigation planning. ‘Fix’ methods must be clearly defined initially and then individually assigned to each essential element being subjected to this planning process. These fix methods include but are not limited to the following:
■ Quick fix – adjustment or correction to an essential element that requires significantly less time than other potential remedies.
■ Partial replacement – usually applied to a system: replacing a non-working or unreliable part or function within a system with a working part or function.
■ Full redundancy or replacement – actually involves two approaches: full redundancy refers to pre-positioning a working part or function to be used upon failure of the incumbent part or function; full replacement refers to the total replacement of a failed or defective system or essential element with a functioning one.
■ Outsourcing – refers to the utilization of a third-party organization to correct failures or defects of a given essential element.
■ Hire and train additional staff – a manual alternative to the above methods which can be used to replace all or part of a failed or defective automated process.
A plan outline to be used for individual mission-critical operations, and which, with all operations considered together, forms the enterprise risk mitigation plan, must be established and be based upon the strategy and project scope decisions established when the business rules guidelines were adopted at the beginning of the mitigation planning process.
To avoid any delays in implementing the newly developed mitigation plans, it is necessary at this point to estimate, justify and formally allocate the budget needed to execute all such plans. At a minimum, this budget must include the funds required to purchase computer equipment and software, compensate vendors for services and pay for new facilities or infrastructure or any other expenses that will be incurred during the effort of implementing the mitigation plans. This budget is then dedicated to mitigation plan implementation efforts.
TESTING AND IMPLEMENTING PREVENTIVE MEASURES
The objective of testing the mitigation plans is to evaluate whether the individual plans are capable of providing the desired level of support for the organization’s mission-critical operations, and whether these plans can be implemented within the estimated period of time. An overall implementation and testing strategy must first be established for this purpose. In some cases, a specific action plan might require a special testing and implementation process because of a unique situation. These situations can impact on the overall implementation strategy and testing approach. The testing plan adopted for this purpose is guided by the quality assurance standards in use by the enterprise.
Test planning and the testing of risk mitigation plans are a critical part of the risk management programme. Formal acceptance testing guarantees the functional viability of each plan. Because of the scalable nature of testing, test planning becomes important to the critical path of this part of the project. The formal test plan for each mitigation plan is unique and specific to a business function or group of related functions. Because of the size of this project, the quality assurance process must be thorough. Testing and quality assurance issues must be addressed to determine if any changes are needed to the enterprise’s quality assurance practices. The following questions are representative of quality assurance issues that must first be answered:
■ How and where is the test environment established?
■ If a separate test environment does not exist, what are the risks associated with inadvertent damage to the production environment?
■ What are the differences between the test and production environments?
■ How are the baseline test standards established?
■ What and where will test results be saved for future comparisons?
■ What organization is responsible for conducting the tests and storing the results?
■ Who will create test documents and test scripts?
■ Is there a standard database (or databases) for system-wide testing?
■ What types of tests are required?
■ What constitutes acceptable test results?
Prior to implementing risk mitigation plans, staff training regarding new processes and procedures will be required. The amount of training can vary widely depending upon the extent of operational changes needed to accommodate the mitigation plans. For long-time employees, changing old habits can be an extremely difficult task. In a case where a crucial legacy software application, after many years of use, is being replaced with a state-of-the-art system, a significant training effort will be needed in order for the transition to succeed. A ‘training needs assessment’ must be conducted to answer the questions of who needs training and what specific training will be required. When this is known, possible training alternatives can be assessed. These include mentoring within the project staff, using subject matter experts from outside the project to hold classroom training, distributing a training document to be used individually by staff, or presenting formal classroom training by the enterprise’s own Training Department staff.
CONDUCTING LEGAL REVIEWS
A review and assessment from a legal perspective of liability related to an interruption of mission-critical operations is an important part of the risk management programme. It involves a detailed review of all contracts, agreements, documented performance standards and management liability to shareholders. This includes reviewing all contractual relationships with third parties, including vendors, suppliers and customers, and identifying obligations related to maintenance or other outsourced services being delivered to the enterprise.
One of the stated objectives of any corporate counsel is to protect directors and officers from legal matters. In the case of any potential business interruption, this protection extends beyond advice about how to respond and react, and includes an analysis of management’s awareness of the risk management programme and the general issues that relate to risks being addressed by the programme. In some cases, managers, directors and officers can be held personally liable for the failure or poor performance of the enterprise in contingency planning.
A risk-reduction strategy should be prepared to respond to issues discovered during the legal review and then presented to executive management for approval. The organization will use this strategy to mitigate identified risks. The aim of the legal risk strategy is to provide executive management, and possibly the board of directors, with sound legal advice and viable alternatives as management strives to make responsible business decisions relative to the goals of the risk management programme. While developing the legal risk strategy, special attention should be paid to the following conditions:
■ areas where the impact of an interruption to enterprise operations far outweighs the remedies available;
■ the probability of such a problem occurring seems likely;
■ recovery from the potential problem is difficult and costly to the enterprise.
To validate the organization’s current efforts and to ensure that current activities and plans will achieve the goals of the programme, a review and audit of the risk management programme could be one of the recommendations resulting from the legal review. Other recommendations could include but are not limited to the following:
■ Prepare an outline of the policies and procedures related to business partner management.
■ Make any needed changes to insurance coverage.
■ Implement operational and procedural changes required to avoid injury and improve safety risks.
■ Implement risk management programme activities that are required for regulatory compliance.
■ Implement financial practices required to comply with reporting and disclosure guidelines.
■ Conduct ongoing legal activities required to support the risk management programme.
DEVELOPING CONTINGENCY PLANS
Despite its best risk-avoidance efforts, the organization must be prepared for a worst-case scenario. For example, if multiple serious incidents occur across organizational and geographical boundaries, accompanied by communication and power disruptions, the enterprise needs a means to collect, filter, prioritize and escalate issues up the management chain as appropriate. Operational stability and reliability must be maintained to ensure the survival of the enterprise, which represents the primary objective of contingency planning. To that end, a comprehensive contingency plan must include the following goals:
■ Ensure that threats to the safety of the enterprise’s employees and visitors are minimized or eliminated.
■ Minimize damage to, or loss of, enterprise assets.
■ Minimize the risk of delay in setting up an alternative processing location for the restoration of mission-critical operations.
■ Be cost-effective.
■ Minimize the need for decision making during a disastrous situation.
■ Provide a standard for testing and updating the contingency plan.
■ Ensure the availability of necessary resources to help the enterprise continue to meet customer needs during an interruption.
As with mitigation planning, the previously defined mission-critical operations and supporting essential elements of the organization are used to drive the development of a comprehensive contingency plan. Recall that the aim of contingency planning is to develop processes, policies and procedures that ensure the continued availability of essential services, programmes and operations, including all the resources necessary to operate the enterprise at a level pre-defined by executive management, in response to the loss of operational capability due to a disaster. Before beginning the contingency planning effort, the risk management team must gather and analyze any existing documentation on organizational capabilities and processes the enterprise might already possess that address issues surrounding worst-case scenarios such as those described above. It may not be necessary to rewrite these existing plans for the sole purpose of conforming to a new format. However, the plans and the processes used to develop them must be assessed as to their adequacy for contingency planning purposes and leveraged to the greatest extent possible. Using these existing plans and processes should serve to minimize the effort required to develop an overall enterprise contingency plan, and it could encourage re-use of the procedures employed to develop those plans.
Developing recovery strategies
Once the critical and necessary business functions have been identified and their impacts on the business during an interruption have been assessed, the next step is to establish the resources that are required to continue to perform these functions. These typically fall into one of the following categories:
■ facilities – including development of a facility recovery plan, identification of alternative physical work environments, inventory items and any other fixed assets required to resume essential functions;
■ information systems – including duplication of all needed computing equipment, the required operating environment and data recovered from off-site storage. This category also includes the requirements for distributed processing capability if that is a support resource to an essential function;
■ telecommunications – including resumption of voice and data communications;
■ operations – including staffing and supplemental staffing if necessary. Direct customer service functions are normally given a high priority within this category;
■ key business partners – including suppliers, vendors or other third-party organizations providing crucial products or services to the enterprise.
In planning for operational contingency, consider a wide range of possible solutions to deal with the failure of an operation, process or essential element, including:
■ stockpiling extra supplies from a key supplier;
■ making arrangements for space to store additional supplies/raw materials;
■ making arrangements to have supplies delivered by an alternative mode of transportation;
■ acquiring cellular or satellite telephones for emergency communications;
■ reverting to ‘old’ manual procedures for a process that has been automated;
■ considering the use of retired employees to provide additional staffing resources.
Regardless of the other conditions for which the business function resumption procedures account, they must consider the following two major scenarios:
1. The building and its contents in which the function usually takes place are not presently available, and recovery may need to occur at an alternative site.
2. The systems services on which the business function usually depends are not available and critical business functions must continue without them. These can include electricity, water, manufacturing materials, etc.
All options for meeting the goal of business operations resumption within the mandated timeframe must be investigated, and cost estimates developed and compared against the potential costs to the business resulting from a resumption failure. Business function resumption options include:
■ transfer of work from the affected location to another within the organization that has available facilities;
■ alternative internal space such as training rooms, cafeterias or conference rooms may be equipped to temporarily support business functions;
■ reciprocal agreements with other business units to accommodate the disrupted functions – this may involve suspending non-critical functions within the business units that have not been affected by the incident until full recovery of the disrupted function has been achieved;
■ dedicated alternative sites, built and equipped by the enterprise, may be used to support business function resumption;
■ using facilities from an outside service or facility provider may support a number of business function resumption needs.
There is also one final option that requires careful and sound business judgement: the possibility that no formal advance arrangement is made to support resumption of the business function. Clearly, this is an option that should be considered for non-critical operations only, but may be appropriate in certain cases.
Critical staffing resources must be identified that are necessary to respond to a disaster. Developing an organizational chart showing the command and control structure of a crisis management team and its relationship to the enterprise organizational structure achieves this. Members of the crisis management team are identified and their roles and responsibilities defined by establishing standard operating guidelines for each team assignment. This ensures that the enterprise has in place a command and control structure that will be able to successfully respond to an event, minimizing the impact on critical operations.
Documenting the plan
Once business resumption strategies have been developed and agreed on, the information must be documented and the final contingency plan developed. The plan should include the following elements:
■ preliminary introduction that includes the reason and purpose for the plan, the scope of the plan, who is involved and the range of events that are covered;
■ a definition of the crisis management structure, providing an organizational chart, as appropriate, along with roles and responsibilities of the team members;
■ policies and procedures to be activated in the event of the adverse incident occurring – these include detection and notification processes, site damage assessment procedures, alternative site notification policies, procedures for retrieval of off-site records or materials, etc.;
■ information and procedures for establishing and activating the emergency operations centre, including location information;
■ information about any events requiring specialized personnel or equipment for site damage assessment or hazardous material containment (as discussed in Chapter 3), including copies of any pre-event agreements or contracts for services;
■ emergency notification lists for each business unit – these should contain phone numbers, cell or pager numbers, home phone numbers, etc. for each team member designated as a participant in the business resumption team, as defined later in this section;
■ contact information for internal and external vendors, key customers and other commonly used numbers that may be appropriate and necessary during an emergency, such as building or facilities security agencies, off-site storage vendors, insurance agents, local or national government agencies, etc.
Each plan must have fully documented procedures for handling an incident that results in the activation of the plan. A general action plan that summarizes the tasks to be executed for business resumption for use once the plan has been activated should be included. Additionally, a checklist for each team member that details business resumption and recovery procedures for each business function, in order of business criticality, will need to be developed. It is important to note that, when developing the business resumption procedures, they should be detailed enough, and explained with sufficient clarity, that any person with a skill set similar to that of the usual business unit members is able to execute them without having ever performed the task before.
Once the plan has been drafted, the process of ERM continues with developing training and communications programmes designed to familiarize and educate the organization about the plan and how to use it. This prepares the enterprise for the all-important testing phase, which then provides input for any plan revisions. These actions have been discussed in earlier chapters in this briefing and do not require repeating here.
THE BOTTOM LINE
Managing business risk is a major challenge for every enterprise. No one can really predict most adverse events that will result in business interruption, but given the complexity of today’s business relationships and the possibility that internal failures may occur, a risk management programme will help to manage enterprise risks effectively. This makes the risk management programme crucial to a company’s overall success. The essential ingredients of awareness, identification, assessment, mitigation and contingency planning, crisis response and rigorous project management are necessary to successfully limit the organization’s exposure to risk. Managing risk related to mission-critical operations of the enterprise becomes the primary focus of the risk management programme. Establishing the best, most practical priorities for mitigating risk associated with mission-critical operations is the ultimate goal of this process.
This chapter was dedicated to a detailed explanation of the many interrelated steps involved in identifying and assessing enterprise risk, developing preventive strategies, identifying mission-critical business operations and quantifying the impact of disruption to them, creating contingency and continuity plans, and developing plan documentation. While there is a great deal of effort involved in planning for business disruption, existing documentation such as previous contingency or disaster recovery plans can be used as a springboard for the larger enterprise-wide process. The level of effort involved in creating an enterprise risk management programme dictates that unanimous and unfailing support by the highest levels of management is required in order to drive the plan actively to completion, and to circumvent any roadblocks that may arise during the process. This support includes a commitment to the funds and personnel resources required to produce quality deliverables, and to maintain the contingency plans on an ongoing basis to ensure continued accuracy and applicability. One of the key benefits of successfully implementing a risk management programme as a business solution is the assurance of the continued viability of the enterprise through the protection of its critical operations and assets, achieved by proactively working to eliminate or minimize the impact from a business interruption. Accomplishing this goal means that the most effective and efficient use of the organization’s resources – its staff, time and money – will have been realized.
5 Managing risk in the digital age
■
Introduction
■
The growing concerns over digital risk
■
Digital disasters travel at ’Net speed
■
Effective measures for managing digital risk
■
The bottom line
INTRODUCTION
In the past several years, companies have seen a dramatic rise in the number of risk events occurring as a result of the increased use of electronic media for conducting business. Hardly a week goes by in which some new virus, worm, attack or other form of cybercrime does not make the news headlines. It is clear that the threats to the enterprise, both inside and outside the organization, are growing. The effects of digital risk events are soaring; the present cost estimates are certainly conservative, as many companies suffering losses due to IT-based incidents cannot even quantify the true impact on revenue, reputation or customers. The most concerning issue of all, however, is that companies frequently are either unaware of the risks or are not taking them seriously enough to implement even the simplest of preventative and defensive measures. While the issues of digital risk have been touched on briefly in previous chapters within this briefing, this chapter is specifically devoted to the impacts that technology has on enterprise risk exposure and covers some measures for managing that risk. However, a complete discussion of digital risks and IT security is far too broad to be covered in any detail here. For more comprehensive information on the risks facing organizations and countermeasures to protect vital information assets, see the Financial Times Prentice Hall Executive Briefing by Peter H. Gregory entitled Enterprise Information Security.
THE GROWING CONCERNS OVER DIGITAL RISK
Over the past few years, the Internet has rapidly evolved as a business tool. In 1999, according to the Gartner Group, 75 per cent of all organizations were isolated from any Internet connectivity. By 2004, the expectation is that 80 per cent of organizations will be using the Internet as an integral part of their business processes. As more companies adopt and implement electronic methods for conducting business, the risk of cybercrime, theft and sabotage of critical information and other digital disasters grows. Unfortunately, recent studies speak of the dramatic increases in the number of technological disasters and their resulting impact:
■
In the 2001 edition of their annual Computer Crime and Security Survey, the Computer Security Institute in conjunction with the FBI reported that, of more than 580 respondents, 85 per cent reported unauthorized access to their systems. Additionally, 64 per cent reported that their organizations experienced direct financial loss as a result of these security breaches. These incidents of security violations have occurred even though almost all of the respondents reported some measure of access control to their computing resources.
■
The same CSI/FBI study released a sub-report entitled The Cost of Computer Crime. In it, CSI says that losses from computer crime for a five-year period from 1997 to 2001 were an astounding $1 trillion.
■
Computer viruses and worm attacks have cost businesses in excess of $17 billion in 2000, according to Computer Economics. This is up from $12.1 billion in the previous year.
■
CERT/CC, the information technology security research and development centre at Carnegie Mellon University, released its vulnerability statistics for the first two quarters of 2001. In these, it stated that the number of security incidents reported through June 2001 was more than 15 400; the total number of reported incidents for all of 2000 was 21 756.
From these statistics, it is clear that the risks and impacts of technology-based incidents are on the rise. And this is bearing in mind that nearly 90 per cent of computer crimes go unreported or even undetected. There is a growing concern among businesses, information technology research groups and government that the widespread use of the Internet for commerce and other business functions is leaving organizations open to more damage. As a result, many business leaders and organizations are calling for tougher measures to counteract the growing impact of computer-based incidents. In early February 2002, the US House of Representatives authorized $880 million in funding for computer security research. This represents an unprecedented amount of financial support for this key issue, proof that governments are increasingly concerned and are taking the matter seriously. With the myriad of ways in which companies use technology and the Internet for conducting business, there is no simple, one-stop solution for managing e-business risks. Some of the new risks inherent in the ‘e’ model include:
■
theft of corporate or customer information, including credit or payment data;
■
theft or misuse of trade secrets or intellectual property;
■
theft or interception of electronic funds;
■
misuse or theft of trademark or Internet domain names;
■
violation of privacy rights;
■
patent or copyright infringements;
■
fraud;
■
unavailability of e-business platforms as a result of hacker attacks;
■
loss of key corporate information assets as a result of hackers, viruses or worms;
■
damage to corporate reputation/brand from hackers;
■
exposure to liability claims from customers, business partners or others claiming damage as a result of any of the above security violations or breaches.
Much of this type of damage does not directly result in property loss as the insurance industry has traditionally defined it, so it may be difficult for organizations to insure themselves against these types of threats or recoup any losses through their policies. While there is much discussion in the insurance and reinsurance industries about this topic, it remains to be seen how quickly changes will be made to account for losses that are difficult to prove and even more difficult to quantify objectively.
Information technology has traditionally been used as a high-performance substitute for manual processes. In decades past, in the event of an interruption of IT capabilities, organizations could fall back on their manual, paper-based processes. However, information technology has grown beyond merely supporting manual processes; increasingly, an organization’s IT functions are the critical elements supporting the business. For instance, companies with only an online presence, such as Amazon.com, eBay or Etrade, have no manual processes to fall back on. In the event of a disastrous IT event in such an organization, they are literally at a standstill until capabilities can be resumed. The criticality of technology-related disasters becomes far more important when IT is the business.
DIGITAL DISASTERS TRAVEL AT ’NET SPEED
For companies today, the main reason behind the explosiveness of Internet adoption is the speed with which transactions and communications can occur. Doing business digitally can facilitate information exchange and interactions not even imagined in pre-Web days. But that speed and convenience is a two-edged sword. When things are operating well, the ’Net is a capitalist’s dream. But, when something goes wrong, it can do so with equally amazing swiftness. One seemingly innocuous incident can travel quickly through the communications network, snowballing into a major disaster for many businesses within hours or days. And given the sheer number of interconnected systems, any breach can propagate itself at an alarming rate, spreading out of control like wildfire. As proof of the rapidly escalating effects of adverse incidents on the business infrastructure, consider some statistics on these recent events and their impact:
■
Recently, viruses such as Code Red and Nimda have been reported to have infected over 100 000 systems within hours. By mid-September 2001, the Nimda virus had inflicted an estimated $370 million in damage worldwide, infecting some 2.2 million computers.
■
A graduate student recently calculated that, with careful design, an effective worm could infect several hundreds of thousands of systems in under a minute.
■
Several of the Internet’s largest sites – Yahoo!, Buy.Com, CNN, eBay, Amazon.com, Etrade and Zdnet.com – became unreachable for several hours at a time over the span of a few days in February 2000. One of the largest and most insidious denial of service (DoS) attacks on record, it was allegedly launched by a 15-year-old hacker. Yahoo!, the most popular Internet directory, delivers an average of 465 million page views per day.
■
In January of the same year (2000), a Russian data thief using the alias ‘Maxus’ raided the online music seller CD Universe, taking as many as 300 000 credit card numbers. Maxus had initially attempted to extort as much as US $100 000 from the retailer in exchange for not releasing the card numbers to the Internet. The company refused his demand and Maxus duly posted the credit card numbers.
From these statistics, it appears that information system vulnerabilities are growing faster than the companies’ ability and willingness to respond to them. The mantra of ‘bigger, better, faster’ applies to the bad things as well as the good when it comes to the Internet. While it is true that the e-commerce revolution has spawned a host of new threats to the business landscape, organizations have the responsibility to raise corporate awareness of these vulnerabilities and, indeed, can do a great deal to protect themselves against digital risk. The following section discusses a number of practical and, in many cases, simple methods for minimizing the enterprise’s exposure to many forms of digital risk.
EFFECTIVE MEASURES FOR MANAGING DIGITAL RISK
Despite the growing awareness in organizations of the risks of conducting technology-based business, companies are not being effective in their protective measures. A recent report released by the Computer Science and Telecommunications Board (CSTB), part of the Washington DC-based National Academy of Sciences, argues that US companies aren’t doing enough to protect their IT systems from cyberattacks. The CSTB charter is to provide independent advice to the US government on technical and public policy issues in computing and communications. In its report, Cybersecurity Today and Tomorrow, the CSTB states that cybersecurity today, from an operational standpoint, is far worse than it should be given current best practices. While many organizations claim that the technology to protect against electronic threats is inadequate, many groups, including the CSTB, argue otherwise. Even without any new security tools, it believes, security could be significantly improved if only the operators and users of critical systems and the providers of technology tools would make use of appropriate protective measures.
A recent report released by Computer Sciences Corporation (CSC) indicates that the events of 11 September 2001 and the resulting war against terrorism haven’t had much effect on the level of companies’ protective and defensive measures; corporate IT systems are still dangerously vulnerable to cyberattacks. The survey of more than 1000 information technology executives worldwide found that 46 per cent of companies do not have a formal information security policy in place, while 59 per cent do not have a formal compliance programme supporting their IT systems. The survey also found that 68 per cent of companies currently do not regularly conduct security risk analyses or security status tracking.
Traditionally, the primary blame for computer system downtime was placed on the unavailability of physical systems. Having adequate power systems or other redundant computer hardware in place was an appropriate mitigation method. This was a best practice in the era of non-networked computer systems. With the proliferation of networks, however, most system outages are no longer hardware-based, making these types of strategies inadequate for dealing with today’s technology risks. And recent research supports this observation. In July 2001, the Gartner Group announced that its research had determined that an average of 80 per cent of downtime in mission-critical applications is directly caused by people or process failures. Only 20 per cent has been shown to be caused by technology failures, environmental incidents or disasters.
Given this, how does the organization protect itself from the threats in the networked world? The problem is that, for most companies, computer security is still an afterthought. As revealed in the CSC report cited above, while most IT professionals recognized the benefits of protecting and securing data, many managers still view security as a ‘nice to have’ feature rather than a ‘have to have’ set of services.
Perceptions tend to change as a result of having something go wrong. However, just as with other risks and threats to the organization, it is far easier and cheaper to account for and address problems before they occur than to recover from them once they have taken place. While not every company may choose to implement a ‘rock of Gibraltar’ type of approach to its IT security, there are a number of practical and reasonable approaches that can be adopted to increase the level of protection for its technology and IT-based assets.
■
User IDs and passwords should be monitored and managed more effectively; users should be counselled and trained not to use intuitive passwords or the same password for multiple systems. Users should not share passwords. System administrative and ‘default’ logins should be changed from their initial or factory settings once the system is up and running.
■
User access must be disallowed by disabling the account once the user leaves the organization. User authorizations must be changed when an employee transfers to another part of the company. Contractor user accounts should be set to automatically expire, thereby limiting exposure to unauthorized access.
■
Backup power via UPS (uninterruptible power supply) and/or emergency generators should be used on all mission-critical computers, communications equipment, HVAC and peripheral devices.
■
Data and applications backups should adhere to a rigorous, diligent schedule with off-site storage used regularly. Test the backup and restore procedures prior to an actual incident to make sure they work as planned.
■
Utilize firewall protection capabilities for Internet-connected systems. Even if only one PC is connected to the Internet, that system can be attacked and any damage to it propagated to an entire networked organization if it is not sufficiently protected. With the increasing number of corporate users who access enterprise systems from their home offices, such as when telecommuting, this is a real scenario that will leave many organizations vulnerable to attack.
■
Update virus protection software frequently. Not all viruses, worms or other damaging breaches make the news, so updating only when an incident becomes a media headline is not sufficient. And, with viruses and worms that travel at ’Net speed, an organization can no longer respond quickly enough to a proliferation in progress.
■
Security patches must be applied to all systems in the enterprise; this is one of the most effective defences against viruses and worms, which generally exploit vulnerabilities that have been known for months if not years.
■
Use e-mail programs and other external collaboration applications with caution and a measure of suspicion. If e-mail is received from someone unknown, especially with an attachment, it is wise not to open it. Many e-mail programs provide the ability to view a message before actually ‘opening’ it – use this facility whenever possible to verify the sender and content.
■
Examine the systems security policies of trading partners and other connected external users. A network is only as secure as its weakest link. Ninety per cent of all security breaches will come from inside the enterprise as the actual boundaries between organizations blur and former ‘outsiders’ become ‘insiders’ now that trading partners have access to each other’s information and environment.
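The account-management measures in the list above (disabling the accounts of departed users, changing authorizations when someone transfers, giving contractor accounts an expiry date, and changing default logins from their factory settings) lend themselves to a periodic automated review rather than reliance on memory. The following script is an added example and not part of this briefing; the account records, HR roster and review date are constructed sample data, and the field names are assumptions about what an organization’s directory and HR exports might contain.

```python
"""Access-hygiene review: flag accounts that violate the account-management
measures above (departed users, transferred users, contractor expiry and
unchanged default logins). All sample data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    system: str
    enabled: bool
    kind: str                       # "employee", "contractor" or "default"
    department: str                 # department the authorizations were granted for
    expires: Optional[date] = None  # should always be set for contractor accounts
    password_changed: bool = True   # False if a default login still has its initial secret


@dataclass
class Person:
    username: str
    status: str       # "active" or "left", as recorded by HR
    department: str   # current department according to HR


Finding = Tuple[str, str, str, str]  # (severity, username, system, reason)


def review_accounts(accounts: List[Account], roster: List[Person], today: date) -> List[Finding]:
    """Return one finding per account that should be disabled, expired,
    re-authorized or have its password reset."""
    people = {p.username: p for p in roster}
    findings: List[Finding] = []
    for a in accounts:
        # Default/administrative logins: only the factory-password check applies.
        if a.kind == "default":
            if a.enabled and not a.password_changed:
                findings.append(("high", a.username, a.system,
                                 "default login still uses its initial password"))
            continue
        person = people.get(a.username)
        # Leaver (or no HR record at all) with an account that is still enabled.
        if a.enabled and (person is None or person.status == "left"):
            findings.append(("high", a.username, a.system,
                             "user has left or has no HR record but account is still enabled"))
            continue
        # Transfer: authorizations still reflect the old department.
        if person is not None and person.department != a.department:
            findings.append(("medium", a.username, a.system,
                             f"authorizations granted for {a.department} but user is now in {person.department}"))
        # Contractor accounts must carry an expiry date and must not outlive it.
        if a.kind == "contractor":
            if a.expires is None:
                findings.append(("medium", a.username, a.system,
                                 "contractor account has no expiry date"))
            elif a.enabled and a.expires < today:
                findings.append(("high", a.username, a.system,
                                 f"contractor account expired on {a.expires.isoformat()} but is still enabled"))
    return findings


# Constructed sample inputs (hypothetical usernames, systems and dates).
TODAY = date(2002, 3, 1)
ROSTER = [
    Person("asmith", "active", "finance"),
    Person("bjones", "left", "sales"),
    Person("cwu", "active", "marketing"),     # transferred from engineering
    Person("dlee", "active", "it"),
    Person("evans", "active", "sales"),
]
ACCOUNTS = [
    Account("asmith", "erp", True, "employee", "finance"),
    Account("bjones", "erp", True, "employee", "sales"),               # leaver, still enabled
    Account("bjones", "crm", False, "employee", "sales"),              # leaver, already disabled
    Account("cwu", "vcs", True, "employee", "engineering"),            # old department
    Account("dlee", "erp", True, "contractor", "it", expires=None),    # no expiry set
    Account("evans", "crm", True, "contractor", "sales", expires=date(2002, 1, 31)),
    Account("admin", "router-core-1", True, "default", "it", password_changed=False),
    Account("admin", "erp", True, "default", "it", password_changed=True),
]

if __name__ == "__main__":
    for severity, user, system, reason in review_accounts(ACCOUNTS, ROSTER, TODAY):
        print(f"[{severity}] {user}@{system}: {reason}")
```

Run against the sample data, the review reports five findings: the enabled account of the leaver bjones, the stale engineering authorizations of cwu, the contractor account of dlee with no expiry, the expired but still-enabled contractor account of evans, and the router default login that still has its factory password. Feeding the script real directory and HR exports on a schedule turns the list above into a recurring control rather than a one-off clean-up.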
Certainly this is not a comprehensive or exhaustive list; there are many more sophisticated security safeguards that can be and are put in place in risk-aware, mature organizations. Although some of these protective measures may seem entirely obvious and based on common sense, it is surprising to see how infrequently and inconsistently they are applied. It shows that any organization can make use of ‘ordinary’ tactics to decrease the level of IT risk to which it is subjected, and likely reduce the impacts of any potential breach.
THE BOTTOM LINE
With companies growing more reliant on technology-based systems as part of their mission-critical operations, the vulnerabilities of these areas to the risks and threats of cyberspace and the effects of incidents that occur are increasing dramatically. Organizations are using the Internet and other web-based solutions to increase their reach into the marketplace, to attract new customers, to perform business functions more quickly and effectively and to be continuously available to all stakeholders. This type of operational model dictates that the underlying infrastructure is continually accessible and reliable, necessitating the adoption and application of rigorous controls to prevent unwanted downtime. While companies have traditionally focused on redundant hardware as the primary measure of guaranteeing maximum availability, the reality is that only a minority of systems disruptions are caused by environmental or equipment failures. So, although redundant systems are certainly an important part of an organization’s business continuity plan, this method of risk mitigation is inadequate by itself to ensure the constant availability of business processes and information. Along with the increased speed of business processing as a result of living on Internet-time, organizations’ tolerance of downtime or recovery in the event of a failure or disruption in business processing is shrinking. Most organizations that do business electronically expect a window of less than 24 hours to recover from a failure in mission-critical processing. This clearly indicates an increasing dependency on technology-based systems for key business operations. And many of these systems are experiencing unprecedented integration with other systems both directly within the organization and beyond with other trading partners or services.
All this points to organizations’ reliance on systems that are growing in complexity and that are increasingly vulnerable to disruptions from internal or external forces. There is a simultaneous decrease in the amount of time organizations can afford to have systems unavailable during recovery efforts after an incident has occurred. Yet there is not a corresponding increase in the priority or emphasis these companies are making on keeping these vital business components secure and reliable. If companies are to continue to do business through technology-based solutions, it is clear that they will need to make these systems an integral part of their overall business continuity management programmes. This will necessitate a far greater investment in terms of time and money than they have been willing to dedicate so far if they are to achieve the availability and recovery objectives that they indicate are necessary to remain competitive in the marketplace.
6 Conclusions
■
Enterprise risks are real and growing
■
Enterprise-level risks are interconnected risks
■
The goal of ERM – continuity
■
Growing role of ‘e’ in business brings additional risks
■
The insurance policy you hope you never need
ENTERPRISE RISKS ARE REAL AND GROWING
Today’s enterprises are increasingly faced with a myriad of risks that threaten their daily operations, their revenue and profit, even their very existence. Examples are plentiful in the news about the latest incident plaguing an industry or a business and its impact. The level at which businesses operate, along with growing costs and expenses resulting from litigation, help to escalate the effects of even the smallest of mishaps into fully-fledged business disasters. More than ever, companies need to be aware of the risks their organizations face, and understand how to address them and how to plan for business resumption and recovery if and when they occur. Not only do companies have a strong interest in maintaining a stable environment in which to transact commerce for their employees, business partners and customers, but they also have a fiduciary responsibility to do so. Governments, financial institutions and regulatory agencies are keenly interested in how organizations are prepared to deal with enterprise risk. For some companies, adequate preparedness may even be considered a competitive advantage over another near-market neighbour that is not so well prepared.
ENTERPRISE-LEVEL RISKS ARE INTERCONNECTED RISKS
In bygone days, enterprise and credit risk could be assumed to be the exclusive worry of financial, insurance and lending institutions; today, no business is immune to the threat of business risk. Although four seemingly distinct categories of risks exist – credit, organizational, operational and business risk – the interconnected way that companies do business today means that all risks are just related pieces of a larger ERM puzzle. An incident that takes place in one quadrant of the puzzle may trigger the occurrence of a risk in another area. And, as these risk events combine, their effects together may far eclipse the impact of any incident occurring on its own. An effective ERM programme seeks to address these risks and their relationships to one another, looking to eliminate them entirely or at least to minimize their effects on the organization.
THE GOAL OF ERM – CONTINUITY
One of the terms by which BCP is known is ‘business contingency planning’. Naturally, planning for business contingency in the event of a disruption is an important part of ERM. But the far more crucial goal – and one to which most organizations aspire – is that of maintaining continuity of business operations. Few organizations can afford to experience significant operational downtime of more than 24 to 48 hours; an increasing number of enterprises cannot tolerate even 24 hours without a major impact to their revenue, customer base or reputation. So the focus of ERM is truly on business continuity, not just contingency, and seeks to resume mission-critical operations in the least amount of time possible in the event of an emergency or business disruption.
GROWING ROLE OF ‘E’ IN BUSINESS BRINGS ADDITIONAL RISKS
The growing number of companies conducting business on the Internet has had a significant effect on the types of risks that threaten the enterprise, the likelihood of exposure and the effects of adverse incidents. Consider some statistics on these events in the not-too-distant past and their impact: examples such as the Code Red and Nimda worms have shown how quickly bad events can spread through the vastly interconnected set of business systems over the Internet. With Web-based applications providing an increasing number of continuously available commerce vehicles, companies are placing a premium on keeping their systems available and fully operational on a 7 × 24 × 365 basis. In the event of a disaster, this puts enormous pressure on human systems, as well as automated systems, to quickly recover from any disruption in availability. Despite the importance of high-availability processing, many organizations have yet to fully implement even the simplest types of security measures that can protect against the most common forms of breaches. Many of these safeguards merely involve common sense and diligence, but so far the business world has not learned enough from recent events to give the matter of information and systems security its deserved priority. As a result, security remains an afterthought or a ‘bolt on’, one that gains notoriety in the organization usually only after an incident has occurred.
THE INSURANCE POLICY YOU HOPE YOU NEVER NEED
While there is certainly a great deal of effort involved in initiating and developing a full-scale ERM programme that can adequately identify and address all the risks to the organization, it is an endeavour that deserves the highest consideration. Many organizations may review the resources involved, both in terms of manpower and costs, and decide that it is an unnecessary expenditure to protect against threats which may never occur. It may be true that many of the risks to which the enterprise may be subjected are extremely rare. Some liken ERM to just another ‘fancy insurance policy’ that will probably never be needed. Certainly, that may be true for large-scale natural disasters or man-made catastrophes, but companies are faced daily with risks that are a naturally occurring by-product of the way they do business or which exist within their industries. To those who believe ERM is unnecessary, there is this thought: if you’re not buying insurance, you are betting that the accident will not happen. How confident are you that you will be right? Accidents happen every day to the best of drivers, not because they were at fault, but because they were in the wrong place at the wrong time. Ignoring the need for appropriately managing enterprise risk could prove to be the biggest risk of all.
Glossary
Activation
The implementation of recovery procedures, activities and plans in response to an emergency or disaster declaration.
Adverse incident
An unplanned event that has a negative impact on the organization. (Associated terms: risk event; disaster; catastrophe.)
Alternative site
A location where critical business functions (such as support departments, information systems and manufacturing/operations) can resume processing in the event of a business disruption when the primary facilities are inaccessible. (Associated terms: backup site; hot site; warm site.)
Available resources
Incident-based resources that are immediately available in the event of a disaster or adverse event.
Business continuity management
A concern with managing risks so that at all times an organization can continue to operate to, at least, a pre-determined level.
Business continuity plan
An overall plan including risk mitigation strategy, contingency, resumption and recovery to ensure that the business’s core processes continue in spite of disruptions to infrastructure and/or support systems. (Associated terms: business recovery plan; disaster recovery plan; contingency plan.)
Business continuity planning (BCP)
The advance planning and preparations which are necessary to: identify the impact of potential losses; formulate and implement viable recovery strategies; develop recovery plan(s) which ensure continuity of organizational services in the event of an emergency or disaster; and administer a comprehensive training, testing and maintenance programme. (Associated terms: contingency planning; disaster recovery planning; business recovery planning.)
Business continuity programme
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, to maintain viable recovery strategies and recovery plans, and to ensure continuity of services through personnel training, plan testing and maintenance. (Associated terms: disaster recovery programme; business recovery programme; contingency planning programme.)
Business impact analysis (BIA)
A management-level analysis that identifies the impacts of a disruption in company resources or business processes. The BIA measures the effect of resource loss and escalating losses over time in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning. (Associated terms: business impact assessment; business impact analysis assessment.)
Business operation
A set of logically related tasks/activities that are performed together and produce something of value for an internal or external customer of the organization or enterprise.
Business partner
Any organization with which the enterprise has a relationship, such as a vendor, supplier or customer. (Associated term: trading partner.)
Business recovery plan
A collection of procedures and information which is developed, compiled and maintained in readiness for use in the event of an emergency or disaster. (Associated terms: business continuity plan; disaster recovery plan; recovery plan.)
Business resumption plan
A set of procedures, policies and actions intended to ensure the continued availability of all essential services, programmes and operations, including all the resources necessary to operate the enterprise at a level pre-determined to be acceptable by executive and/or senior management.
Cold site
One or more data centres or office space facilities equipped with sufficient pre-qualified environmental conditioning, electrical connectivity, communications access, configurable space and access to accommodate the installation and operation of equipment by critical staff required to resume business operations.
Contingency plan
A sub-plan or supporting portion of the overall business continuity plan for responding to the loss of a system, business process or resource as a result of a disaster or adverse incident. The plan contains procedures for emergency response, backup and post-disaster recovery to ensure the continuity of an organization’s core business processes.
Continuity of business operations
The ability to sustain business operational capability by preserving critical functions and core processes in spite of any unforeseen impact to the enterprise.
Critical business functions
Those functions considered essential to the ongoing operation of the company or business unit. If these functions could not continue, there would be a significant negative impact on the products or services provided by the organization.
Data security
The securing or safeguarding of electronic information owned by an organization using technology such as security software packages and data encryption devices.
Declaration
A formal acknowledgement or statement by authorized personnel that a disaster exists within the organization.
Detection
The discovery of an event that will be detrimental to the enterprise.
Digital risk
A term used to refer to any one of the disparate risks associated with doing business in an electronic or networked environment.
Digital risk event
An incident or unplanned event occurring which has its origins in electronic or networked environments, including such events as viruses, denial of service attacks, malicious or accidental destruction of corporate records, etc.
Disaster
A sudden, unplanned catastrophic event that causes loss and hardship to all or part of an enterprise, industry or geographical region and thereby significantly impacts the affected area’s ability to deliver essential services for some period of time.
Due diligence
Such a measure of prudence, activity or assiduity as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent person under particular circumstances; not measured by any absolute standard, but depending on the relative facts of the special case.
Emergency
An actual or impending situation that may cause injury, loss of life or destruction of property or interfere with normal business operations to such an extent as to pose the threat of disaster.
Enterprise-wide
A term synonymous with company-, organization- or corporate-wide, but which is used to more accurately include all affiliates or subsidiaries of a parent company regardless of line of business or geographic location.
Escalation
The process of informing the recovery organization that an emergency exists in accordance with incident or emergency response procedures.
Essential element
An item that supports a business operation. This can be a resource or a process, such as an employee, a process input or output, or the element responsible for the performance of the process, such as business staff members.
Event
An action from some source causing a positive or negative impact on the organization: (1) a planned, non-emergency activity or (2) an unplanned event with a negative impact, sometimes becoming an incident and perhaps escalating into a disaster.
Exposure
The susceptibility to loss, perception of risk or threat to an asset or asset-producing process, usually quantified in terms of financial impact. An exposure is the total financial value at risk without regard to the probability of a negative event. A measure of importance.
Extraordinary expense
An operating expense that exists as a result of an interruption or disaster and which directly affects the financial position of the organization.
Financial impact
An operating expense that continues following an interruption or disaster, which as a result of the event cannot be offset by income and directly affects the financial position of the organization.
Hot site
A data centre facility with sufficient hardware, communications interfaces and environmentally controlled space capable of providing relatively immediate backup data processing support.
Incident
An occurrence, caused either by human action or natural phenomena, that requires action by the organization to prevent or minimize loss of life, damage to property and/or natural resources, or loss of business continuity.
Incident command centre (ICS)
A widely used term referring to the standardized, on-scene, incident response concept of operations. It is specifically designed to allow its users to adopt an integrated organizational structure equal to the complexity and demands of single or multiple incidents with single or multiple response organizations, without being hindered by ownership constraints or jurisdictional boundaries.
Information security
The securing or safeguarding of all sensitive information, electronic or otherwise, that is owned by an organization.
Inherent risk
The risk found in the environment and in human activities that is a natural part of existence or of doing business.
Initial response
Resources initially committed to an incident. Specifically executed in the detection phase.
Managed risk
The risks and consequences after the application of internal controls.
Man-made disaster
A disaster that is intentionally caused by human intervention (such as terrorism, vandalism or industrial sabotage).
Mitigation
Planned action(s) designed to reduce or eliminate the likelihood of the occurrence of a risk event and/or the impact of a risk event.
Mobilization
The activation of the recovery organization in response to an emergency or disaster declaration.
Natural disaster
A disaster that occurs as the result of forces occurring in nature, such as an earthquake, flood, hurricane, tornado, etc.
Off-site location
A storage facility at a safe distance from the primary facility that is used for housing recovery supplies, equipment, vital records, etc.
Operational impact
An impact that cannot be quantified in financial terms but whose effects may be among the most severe in determining the survival of an organization following a disaster.
Outage
The interruption of automated processing systems, support services or essential business operations that may result in the company’s inability to provide service for some period of time.
Prevention
The process of planning for and/or implementing controls to prevent incidents and manage risks by decreasing the potential for incidents, or the effects thereof, that may threaten the assets of the organization.
Probability
The measurement of the likelihood of an event’s occurrence.
Recovery
The process of bringing the business operations of the organization back to normal after an incident. The process of planning for and/or implementing recovery of less time-sensitive business operations and processes after critical business functions have resumed.
Recovery strategy
A predefined, pre-tested, management approved course of action(s) to be employed in response to a business disruption, interruption or disaster.
Recovery team
A group of individuals given responsibility for the coordination of response to an emergency or recovering a process or function in the event of a disaster.
Recovery window
A period of time in which time-sensitive business operations must be resumed. (Associated term: recovery timeframe.)
Response
Activities to address the immediate or short-term effects of an incident or unplanned event. The reaction to an incident or emergency in order to assess the level of containment and control activity required. Response activities include immediate actions to save lives, protect property and meet basic human needs.
Restoration
The refurbishment of affected assets and structures to their previous condition.
Resumption
The process of planning for and/or implementing the recovery of critical business operations immediately following an interruption or disaster.
Risk
The possibility of an undesirable event occurring. An exposure to uncertainty.
Risk analysis
The combination of risk assessment and risk evaluation performed at a particular point in time that generates specific decision-making data. A process of quantifying the risk to which the organization is vulnerable.
Risk assessment
The identification and measurement of risk (damage, loss or harm) and the process of prioritizing risks. A process of qualifying the risks and establishing acceptable levels of risk.
Risk evaluation
A component of risk assessment. A process of determining the acceptability of risk.
Risk event
Precisely what might occur that would be detrimental to the organization.
Risk factors
Measurable or observable manifestations or characteristics of a process that either indicate the presence of risk or tend to increase exposure.
Risk identification
The method of recognizing possible threats and opportunities.
Risk management
(1) A management approach designed to reduce risks to the organization. (2) The procedures used to identify, assess, control and finance accidental loss; management of the pure risks to which the organization might be subject; the application of resources to reduce and finance identified loss exposures.
Risk mitigation plan
A plan developed for each mission-critical business operation that is designed to prevent or reduce the likelihood of the occurrence or the impact of a risk event.
Scenario
A predefined set of events and conditions that describe an interruption, disruption or disaster related to some aspect(s) of an organization’s business for purposes of exercising a recovery plan(s).
Severity
The measurement of the level of an impact’s intensity.
Technological disaster
A disaster involving automated systems. See also digital risk event.
Uncertainty
A condition where the outcome can only be estimated.
Uninterruptible power supply (UPS)
A backup power supply capable of storing and allocating enough power to provide for the safe and controlled shutdown of information processing systems should there be an interruption or loss of normal electrical service.
Vendor
An individual or company who provides a service(s) to a department or the organization as a whole. (Associated terms: supplier; third-party vendor.)
Vital records
All data and records that are essential for supporting, preserving, continuing or reconstructing the operations of the organization and protecting the rights of the organization, its employees, its customers and its stockholders. These may include policies and procedures manuals, vendor and customer lists, input documents or data, telephone/address records, manuals for software, applications and equipment.
Warm site
A data centre or office facility that is partially equipped with hardware, communications interfaces, electricity and environmental conditioning capable of providing backup operating support.
Additional resources
The following organizations and contact information can serve as excellent resources for any organization seeking to learn more about enterprise risk management or to begin its own risk management programme.
The American Risk and Insurance Association (ARIA)
ARIA is the premier professional association of insurance and risk management scholars and professionals. Its website, ARIA Web, will enable organizations to learn more about the association, its members and the risk management industry.
www.aria.org
Collections and Credit Risk magazine
Articles in Collections and Credit Risk emphasize electronic data networking as a means to operate more efficiently, and how this more sophisticated collections function is rapidly becoming integrated with the credit risk management operation in banks, credit card companies and other major credit grantors.
www.collectionsworld.com
Contingency Planning & Management magazine
Available through a free subscription as a paper-based magazine, as well as an online version, including archives. The premier magazine for professional contingency planners.
www.contingencyplanning.com
One note worth mentioning: this site has a Corporate Technology Risk Assessment Questionnaire online that can help determine technology disaster preparedness. Find the questionnaire at: http://www.contingencyplanning.com/article_index.cfm?article=422
FEMA (The Federal Emergency Management Agency)
The Federal Emergency Management Agency is an independent agency of the United States federal government, reporting to the President. According to its website, FEMA’s range of activities includes: ‘Advising on building codes and flood plain management…teaching people how to get through a disaster...helping equip local and state emergency preparedness...coordinating the federal response to a disaster...making disaster assistance available to states, communities, businesses and individuals...training emergency managers...supporting the nation’s fire service...administering the national flood and crime insurance programs…’
500 C Street, SW, Washington, DC 20472. Ph: (202) 646-4600
http://www.fema.org/
The Gartner Group
A leader among industry analysts, Gartner provides research on a number of business topics including information technology and enterprise risk.
www.gartnergroup.com
The Global Association of Risk Professionals (GARP)
The Global Association of Risk Professionals is an independent organization of risk management practitioners and researchers, founded by a group of risk managers from the finance industry.
www.garp.com
International Risk Management Institute (IRMI)
IRMI is a research and publishing company focusing on risk management and insurance. This organization presents up-to-date, objective and practical strategies and tactics to help you succeed and prosper in a changing insurance and risk management environment.
www.irmi.com
The Risk Management Association (RMA)
RMA is the leading association of lending, credit and risk management professionals serving the financial services industry. By advocating the best risk/reward practices, RMA enables each member to build a sound business culture that both safeguards and enhances value.
www.rmahq.com